Update buildah to v1.11.0

Vendor in the latest changes for buildah to apply the implemented
features here as well.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc // indirect
 	github.com/containernetworking/cni v0.7.1
 	github.com/containernetworking/plugins v0.8.1
-	github.com/containers/buildah v1.8.4-0.20190821140209-376e52ee0142
+	github.com/containers/buildah v1.11.0
 	github.com/containers/conmon v0.3.0 // indirect
 	github.com/containers/image v3.0.2+incompatible
 	github.com/containers/psgo v1.3.1
@@ -53,8 +53,7 @@ require (
 	github.com/hashicorp/go-multierror v1.0.0
 	github.com/hpcloud/tail v1.0.0
 	github.com/imdario/mergo v0.3.7 // indirect
-	github.com/json-iterator/go v1.1.6
+	github.com/json-iterator/go v1.1.7
-	github.com/kisielk/errcheck v1.2.0 // indirect
 	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
 	github.com/magiconair/properties v1.8.1 // indirect
 	github.com/mailru/easyjson v0.0.0-20190620125010-da37f6c1e481 // indirect
@@ -107,11 +106,10 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce // indirect
 	gopkg.in/yaml.v2 v2.2.2
-	k8s.io/api v0.0.0-20190624085159-95846d7ef82a
+	k8s.io/api v0.0.0-20190813020757-36bff7324fb7
-	k8s.io/apimachinery v0.0.0-20190624085041-961b39a1baa0
+	k8s.io/apimachinery v0.0.0-20190809020650-423f5d784010
 	k8s.io/client-go v0.0.0-20190620085101-78d2af792bab
 	k8s.io/gengo v0.0.0-20190327210449-e17681d19d3a // indirect
 	k8s.io/klog v0.3.3 // indirect
-	k8s.io/kube-openapi v0.0.0-20190603182131-db7b694dc208 // indirect
 	k8s.io/utils v0.0.0-20190607212802-c55fbcfc754a // indirect
 )

go.sum

@@ -75,6 +75,8 @@ github.com/containers/buildah v1.9.2 h1:dg87r1W1poWVQE0lTmP3BzaqgEI5IRudZ3jKjNIZ
 github.com/containers/buildah v1.9.2/go.mod h1:UFq7EQtnDEEZv42AE7ZbmQMN+mSWSg1JIMwjYW1bn48=
 github.com/containers/buildah v1.10.1 h1:YBFHZkpbWCxUR/gjRAZrRzs2E0DfdUe3+/8OA9filWY=
 github.com/containers/buildah v1.10.1/go.mod h1:ZTyMFo3IQlu9tYndtnAf0Tjf2NdeUL6bY2/TpP9uIuU=
+github.com/containers/buildah v1.11.0 h1:w0jZybDBTb5lvBKmFuuncxbb3D+D68EHnngIcAXFKjg=
+github.com/containers/buildah v1.11.0/go.mod h1:vIO922hCyTe9LEUlcH/oyaMdXy6xX/YdxR6huEOAM0o=
 github.com/containers/conmon v0.3.0 h1:NDkYcQAu1BDZSVLh6xrY9jh/WmiDaUloKzRM16237XM=
 github.com/containers/conmon v0.3.0/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/image v2.0.0+incompatible h1:FTr6Br7jlIKNCKMjSOMbAxKp2keQ0//jzJaYNTVhauk=
@@ -221,6 +223,8 @@ github.com/gogo/protobuf v1.2.0 h1:xU6/SpYbvkNYiptHJYEDRseDLvYE7wSqhYYNy0QSUzI=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -301,6 +305,8 @@ github.com/json-iterator/go v1.1.5 h1:gL2yXlmiIo4+t+y32d4WGwOjKGYcGOuyrg46vadswD
 github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6 h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.7 h1:KfgG9LzI+pYjr4xvmz/5H4FXjokeP+rlHLhv3iH62Fo=
+github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
@@ -345,9 +351,11 @@ github.com/mistifyio/go-zfs v2.1.1+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfv
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/moby/moby v0.0.0-20171005181806-f8806b18b4b9/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/mrunalp/fileutils v0.0.0-20171103030105-7d4729fb3618 h1:7InQ7/zrOh6SlFjaXFubv0xX0HsuC9qJsdqm7bNQpYM=
@@ -398,6 +406,8 @@ github.com/opencontainers/selinux v1.2.2 h1:Kx9J6eDG5/24A6DtUquGSpJQ+m2MUTahn4Ft
 github.com/opencontainers/selinux v1.2.2/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
 github.com/opencontainers/selinux v1.3.0 h1:xsI95WzPZu5exzA6JzkLSfdr/DilzOhCJOqGe5TgR0g=
 github.com/opencontainers/selinux v1.3.0/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
+github.com/openshift/api v3.9.1-0.20190810003144-27fb16909b15+incompatible h1:s55wx8JIG/CKnewev892HifTBrtKzMdvgB3rm4rxC2s=
+github.com/openshift/api v3.9.1-0.20190810003144-27fb16909b15+incompatible/go.mod h1:dh9o4Fs58gpFXGSYfnVxGR9PnV53I8TW84pQaJDdGiY=
 github.com/openshift/imagebuilder v1.1.0 h1:oT704SkwMEzmIMU/+Uv1Wmvt+p10q3v2WuYMeFI18c4=
 github.com/openshift/imagebuilder v1.1.0/go.mod h1:9aJRczxCH0mvT6XQ+5STAQaPWz7OsWcU5/mRkt8IWeo=
 github.com/opentracing/opentracing-go v0.0.0-20190218023034-25a84ff92183 h1:kwFCLTA0DYhH0JpGMBOZtVVhyRL5ec+unn4mnoJhQI0=
@@ -712,11 +722,15 @@ k8s.io/api v0.0.0-20181219151656-a146d628c217/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j
 k8s.io/api v0.0.0-20190620084959-7cf5895f2711/go.mod h1:TBhBqb1AWbBQbW3XRusr7n7E4v2+5ZY8r8sAMnyFC5A=
 k8s.io/api v0.0.0-20190624085159-95846d7ef82a h1:j1H0i/hUVkDK9Y0xFEc0pQpnyuJNxvdhfy5Vj2MGCXA=
 k8s.io/api v0.0.0-20190624085159-95846d7ef82a/go.mod h1:O6YAz5STgv7S1/c/XtBULGhSltH7yWEHpWvnA1mmFRg=
+k8s.io/api v0.0.0-20190813020757-36bff7324fb7 h1:4uJOjRn9kWq4AqJRE8+qzmAy+lJd9rh8TY455dNef4U=
+k8s.io/api v0.0.0-20190813020757-36bff7324fb7/go.mod h1:3Iy+myeAORNCLgjd/Xu9ebwN7Vh59Bw0vh9jhoX+V58=
 k8s.io/apimachinery v0.0.0-20181212193828-688d82452747 h1:RKdo8lJoayPIIksLUIE8/uo1rQHgj9KCPh9My5EG/A8=
 k8s.io/apimachinery v0.0.0-20181212193828-688d82452747/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0=
 k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA=
 k8s.io/apimachinery v0.0.0-20190624085041-961b39a1baa0 h1:7oql7STcnJ85hz3BIbasXHH/+lLLKwOdsG8vjkZc8Pc=
 k8s.io/apimachinery v0.0.0-20190624085041-961b39a1baa0/go.mod h1:48PVecD7ubRgJmMRGIQfsqYu6OucVH5DzFNtACHZH8k=
+k8s.io/apimachinery v0.0.0-20190809020650-423f5d784010 h1:pyoq062NftC1y/OcnbSvgolyZDJ8y4fmUPWMkdA6gfU=
+k8s.io/apimachinery v0.0.0-20190809020650-423f5d784010/go.mod h1:Waf/xTS2FGRrgXCkO5FP3XxTOWh0qLf2QhL1qFZZ/R8=
 k8s.io/client-go v0.0.0-20181219152756-3dd551c0f083 h1:+Qf/nITucAbm09aIdxvoA+7X0BwaXmQGVoR8k7Ynk9o=
 k8s.io/client-go v0.0.0-20181219152756-3dd551c0f083/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
 k8s.io/client-go v0.0.0-20190620085101-78d2af792bab h1:E8Fecph0qbNsAbijJJQryKu4Oi9QTp5cVpjTE+nqg6g=
@@ -732,6 +746,7 @@ k8s.io/klog v0.3.3 h1:niceAagH1tzskmaie/icWd7ci1wbG7Bf2c6YGcQv+3c=
 k8s.io/klog v0.3.3/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/kube-openapi v0.0.0-20190603182131-db7b694dc208/go.mod h1:nfDlWeOsu3pUf4yWGL+ERqohP4YsZcBJXWMK+gkzOA4=
+k8s.io/kube-openapi v0.0.0-20190709113604-33be087ad058/go.mod h1:nfDlWeOsu3pUf4yWGL+ERqohP4YsZcBJXWMK+gkzOA4=
 k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
 k8s.io/utils v0.0.0-20190607212802-c55fbcfc754a h1:2jUDc9gJja832Ftp+QbDV0tVhQHMISFn01els+2ZAcw=
 k8s.io/utils v0.0.0-20190607212802-c55fbcfc754a/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=

vendor/github.com/containers/buildah/buildah.go

@@ -26,7 +26,7 @@ const (
 	Package = "buildah"
 	// Version for the Package.  Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.11.0-dev"
+	Version = "1.11.0"
 	// The value we use to identify what type of information, currently a
 	// serialized Builder structure, we are using as per-container state.
 	// This should only be changed when we make incompatible changes to

vendor/github.com/containers/buildah/changelog.txt

@@ -1,3 +1,38 @@
+- Changelog for v1.11.0 (2019-08-29)
+  * tests/bud.bats: add --signature-policy to some tests
+  * Vendor github.com/openshift/api
+  * pull/commit/push: pay attention to $BUILD_REGISTRY_SOURCES
+  * Add `--log-level` command line option and deprecate `--debug`
+  * add support for cgroupsV2
+  * Correctly detect ExitError values from Run()
+  * Disable empty logrus timestamps to reduce logger noise
+  * Remove outdated deps Makefile target
+  * Remove gofmt.sh in favor of golangci-lint
+  * Remove govet.sh in favor of golangci-lint
+  * Allow to override build date with SOURCE_DATE_EPOCH
+  * Update shebangs to take env into consideration
+  * Fix directory pull image names
+  * Add --digestfile and Re-add push statement as debug
+  * README: mention that Podman uses Buildah's API
+  * Use content digests in ADD/COPY history entries
+  * add: add a DryRun flag to AddAndCopyOptions
+  * Fix possible runtime panic on bud
+  * Add security-related volume options to validator
+  * use correct path for ginkgo
+  * Add bud 'without arguments' integration tests
+  * Update documentation about bud
+  * add: handle hard links when copying with .dockerignore
+  * add: teach copyFileWithTar() about symlinks and directories
+  * Allow buildah bud to be called without arguments
+  * imagebuilder: fix detection of referenced stage roots
+  * Touch up go mod instructions in install
+  * run_linux: fix mounting /sys in a userns
+  * Vendor Storage v1.13.2
+  * Cirrus: Update VM images
+  * Fix handling of /dev/null masked devices
+  * Update `bud`/`from` help to contain indicator for `--dns=none`
+  * Bump back to v1.11.0-dev
+
 - Changelog for v1.10.1 (2019-08-08)
   * Bump containers/image to v3.0.2 to fix keyring issue
   * Bug fix for volume minus syntax

vendor/github.com/containers/buildah/commit.go

@@ -2,15 +2,18 @@ package buildah
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"io"
 	"io/ioutil"
+	"os"
 	"strings"
 	"time"
 
 	"github.com/containers/buildah/pkg/blobcache"
 	"github.com/containers/buildah/util"
 	cp "github.com/containers/image/copy"
+	"github.com/containers/image/docker"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/signature"
@@ -21,6 +24,7 @@ import (
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/stringid"
 	digest "github.com/opencontainers/go-digest"
+	configv1 "github.com/openshift/api/config/v1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -107,21 +111,64 @@ type PushOptions struct {
 }
 
 var (
-	// commitPolicy bypasses any signing requirements when committing containers to images
+	// storageAllowedPolicyScopes overrides the policy for local storage
-	commitPolicy = &signature.Policy{
+	// to ensure that we can read images from it.
-		Default: []signature.PolicyRequirement{signature.NewPRReject()},
+	storageAllowedPolicyScopes = signature.PolicyTransportScopes{
-		Transports: map[string]signature.PolicyTransportScopes{
+		"": []signature.PolicyRequirement{
-			is.Transport.Name(): {
+			signature.NewPRInsecureAcceptAnything(),
-				"": []signature.PolicyRequirement{
-					signature.NewPRInsecureAcceptAnything(),
-				},
-			},
 		},
 	}
-	// pushPolicy bypasses any signing requirements when pushing (copying) images from local storage
-	pushPolicy = commitPolicy
 )
 
+// checkRegistrySourcesAllows checks the $BUILD_REGISTRY_SOURCES environment
+// variable, if it's set.  The contents are expected to be a JSON-encoded
+// github.com/openshift/api/config/v1.Image, set by an OpenShift build
+// controller that arranged for us to be run in a container.
+func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error {
+	transport := dest.Transport()
+	if transport == nil {
+		return nil
+	}
+	if transport.Name() != docker.Transport.Name() {
+		return nil
+	}
+	dref := dest.DockerReference()
+	if dref == nil || reference.Domain(dref) == "" {
+		return nil
+	}
+
+	if registrySources, ok := os.LookupEnv("BUILD_REGISTRY_SOURCES"); ok && len(registrySources) > 0 {
+		var sources configv1.RegistrySources
+		if err := json.Unmarshal([]byte(registrySources), &sources); err != nil {
+			return errors.Wrapf(err, "error parsing $BUILD_REGISTRY_SOURCES (%q) as JSON", registrySources)
+		}
+		blocked := false
+		if len(sources.BlockedRegistries) > 0 {
+			for _, blockedDomain := range sources.BlockedRegistries {
+				if blockedDomain == reference.Domain(dref) {
+					blocked = true
+				}
+			}
+		}
+		if blocked {
+			return errors.Errorf("%s registry at %q denied by policy: it is in the blocked registries list", forWhat, reference.Domain(dref))
+		}
+		allowed := true
+		if len(sources.AllowedRegistries) > 0 {
+			allowed = false
+			for _, allowedDomain := range sources.AllowedRegistries {
+				if allowedDomain == reference.Domain(dref) {
+					allowed = true
+				}
+			}
+		}
+		if !allowed {
+			return errors.Errorf("%s registry at %q denied by policy: not in allowed registries list", forWhat, reference.Domain(dref))
+		}
+	}
+	return nil
+}
+
 // Commit writes the contents of the container, along with its updated
 // configuration, to a new image in the specified location, and if we know how,
 // add any additional tags that were specified. Returns the ID of the new image
@@ -157,6 +204,14 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 		return "", nil, "", errors.Errorf("commit access to registry for %q is blocked by configuration", transports.ImageName(dest))
 	}
 
+	// Load the system signing policy.
+	commitPolicy, err := signature.DefaultPolicy(systemContext)
+	if err != nil {
+		return "", nil, "", errors.Wrapf(err, "error obtaining default signature policy")
+	}
+	// Override the settings for local storage to make sure that we can always read the source "image".
+	commitPolicy.Transports[is.Transport.Name()] = storageAllowedPolicyScopes
+
 	policyContext, err := signature.NewPolicyContext(commitPolicy)
 	if err != nil {
 		return imgID, nil, "", errors.Wrapf(err, "error creating new signature policy context")
@@ -166,6 +221,28 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 			logrus.Debugf("error destroying signature policy context: %v", err2)
 		}
 	}()
+
+	// Check if the commit is blocked by $BUILDER_REGISTRY_SOURCES.
+	if err := checkRegistrySourcesAllows("commit to", dest); err != nil {
+		return imgID, nil, "", err
+	}
+	if len(options.AdditionalTags) > 0 {
+		names, err := util.ExpandNames(options.AdditionalTags, "", systemContext, b.store)
+		if err != nil {
+			return imgID, nil, "", err
+		}
+		for _, name := range names {
+			additionalDest, err := docker.Transport.ParseReference(name)
+			if err != nil {
+				return imgID, nil, "", errors.Wrapf(err, "error parsing image name %q as an image reference", name)
+			}
+			if err := checkRegistrySourcesAllows("commit to", additionalDest); err != nil {
+				return imgID, nil, "", err
+			}
+		}
+	}
+	logrus.Debugf("committing image with reference %q is allowed by policy", transports.ImageName(dest))
+
 	// Check if the base image is already in the destination and it's some kind of local
 	// storage.  If so, we can skip recompressing any layers that come from the base image.
 	exportBaseLayers := true
@@ -292,10 +369,24 @@ func Push(ctx context.Context, image string, dest types.ImageReference, options
 		return nil, "", errors.Errorf("push access to registry for %q is blocked by configuration", transports.ImageName(dest))
 	}
 
+	// Load the system signing policy.
+	pushPolicy, err := signature.DefaultPolicy(systemContext)
+	if err != nil {
+		return nil, "", errors.Wrapf(err, "error obtaining default signature policy")
+	}
+	// Override the settings for local storage to make sure that we can always read the source "image".
+	pushPolicy.Transports[is.Transport.Name()] = storageAllowedPolicyScopes
+
 	policyContext, err := signature.NewPolicyContext(pushPolicy)
 	if err != nil {
 		return nil, "", errors.Wrapf(err, "error creating new signature policy context")
 	}
+	defer func() {
+		if err2 := policyContext.Destroy(); err2 != nil {
+			logrus.Debugf("error destroying signature policy context: %v", err2)
+		}
+	}()
+
 	// Look up the image.
 	src, _, err := util.FindImage(options.Store, "", systemContext, image)
 	if err != nil {
@@ -313,6 +404,13 @@ func Push(ctx context.Context, image string, dest types.ImageReference, options
 		}
 		maybeCachedSrc = cache
 	}
+
+	// Check if the push is blocked by $BUILDER_REGISTRY_SOURCES.
+	if err := checkRegistrySourcesAllows("push to", dest); err != nil {
+		return nil, "", err
+	}
+	logrus.Debugf("pushing image to reference %q is allowed by policy", transports.ImageName(dest))
+
 	// Copy everything.
 	switch options.Compression {
 	case archive.Uncompressed:

vendor/github.com/containers/buildah/go.mod

@@ -18,7 +18,6 @@ require (
 	github.com/etcd-io/bbolt v1.3.2
 	github.com/fsouza/go-dockerclient v1.3.0
 	github.com/ghodss/yaml v1.0.0
-	github.com/gogo/protobuf v1.2.0 // indirect
 	github.com/hashicorp/go-multierror v1.0.0
 	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
@@ -27,14 +26,15 @@ require (
 	github.com/mattn/go-shellwords v1.0.5
 	github.com/moby/moby v0.0.0-20171005181806-f8806b18b4b9 // indirect
 	github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c // indirect
-	github.com/onsi/ginkgo v1.6.0
+	github.com/onsi/ginkgo v1.8.0
-	github.com/onsi/gomega v1.4.3
+	github.com/onsi/gomega v1.5.0
 	github.com/opencontainers/go-digest v1.0.0-rc1
 	github.com/opencontainers/image-spec v1.0.1
 	github.com/opencontainers/runc v1.0.0-rc8
 	github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7
 	github.com/opencontainers/runtime-tools v0.9.0
 	github.com/opencontainers/selinux v1.2.2
+	github.com/openshift/api v3.9.1-0.20190810003144-27fb16909b15+incompatible
 	github.com/openshift/imagebuilder v1.1.0
 	github.com/pkg/errors v0.8.1
 	github.com/seccomp/containers-golang v0.0.0-20180629143253-cdfdaa7543f4
@@ -49,8 +49,7 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.1.0 // indirect
 	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
-	golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 // indirect
 	golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb
-	gopkg.in/yaml.v2 v2.2.2 // indirect
+	k8s.io/api v0.0.0-20190813020757-36bff7324fb7 // indirect
 	k8s.io/client-go v0.0.0-20181219152756-3dd551c0f083 // indirect
 )

vendor/github.com/containers/buildah/go.sum

@@ -14,8 +14,11 @@ github.com/Microsoft/hcsshim v0.8.3 h1:KWCdVGOju81E0RL4ndn9/E6I4qMBi6kuPw1W4yBYl
 github.com/Microsoft/hcsshim v0.8.3/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
 github.com/Microsoft/hcsshim v0.8.6 h1:ZfF0+zZeYdzMIVMZHKtDKJvLHj76XCuVae/jNkjj0IA=
 github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
+github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
+github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/VividCortex/ewma v1.1.1 h1:MnEK4VOv6n0RSY4vtRe3h11qjxL3+t0B8yOL8iMXdcM=
 github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmxzcbUokwA=
 github.com/blang/semver v3.5.0+incompatible h1:CGxCgetQ64DKk7rdZ++Vfnb1+ogGNnB17OJKJXD2Cfs=
@@ -53,6 +56,7 @@ github.com/containers/storage v1.13.2 h1:UXZ0Ckmk6+6+4vj2M2ywruVtH97pnRoAhTG8ctd
 github.com/containers/storage v1.13.2/go.mod h1:6D8nK2sU9V7nEmAraINRs88ZEscM5C5DK+8Npp27GeA=
 github.com/cyphar/filepath-securejoin v0.2.1 h1:5DPkzz/0MwUpvR4fxASKzgApeq2OMFY5FfYtrX28Coo=
 github.com/cyphar/filepath-securejoin v0.2.1/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
+github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docker/distribution v0.0.0-20170817175659-5f6282db7d65 h1:4zlOyrJUbYnrvlzChJ+jP2J3i77Jbhm336NEuCv7kZo=
@@ -73,18 +77,38 @@ github.com/docker/libnetwork v0.8.0-dev.2.0.20190625141545-5a177b73e316 h1:moehP
 github.com/docker/libnetwork v0.8.0-dev.2.0.20190625141545-5a177b73e316/go.mod h1:93m0aTqz6z+g32wla4l4WxTrdtvBRmVzYRkYvasA5Z8=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
+github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
+github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/etcd-io/bbolt v1.3.2 h1:RLRQ0TKLX7DlBRXAJHvbmXL17Q3KNnTBtZ9B6Qo+/Y0=
 github.com/etcd-io/bbolt v1.3.2/go.mod h1:ZF2nL25h33cCyBtcyWeZ2/I3HQOfTP+0PIEvHjkjCrw=
+github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsouza/go-dockerclient v1.3.0 h1:tOXkq/5++XihrAvH5YNwCTdPeQg3XVcC6WI2FVy4ZS0=
 github.com/fsouza/go-dockerclient v1.3.0/go.mod h1:IN9UPc4/w7cXiARH2Yg99XxUHbAM+6rAi9hzBVbkWRU=
+github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
+github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
+github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
+github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0 h1:xU6/SpYbvkNYiptHJYEDRseDLvYE7wSqhYYNy0QSUzI=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
+github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gnostic v0.0.0-20170426233943-68f4ded48ba9/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
 github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/mux v1.6.2 h1:Pgr17XVTNXAk3q/r4CpKzC5xBM/qW1uVLV+IhRZpIIk=
@@ -93,6 +117,7 @@ github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/U
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
@@ -101,6 +126,10 @@ github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NH
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/ishidawataru/sctp v0.0.0-20180918013207-6e2cb1366111 h1:NAAiV9ass6VReWFjuxqrMIq12WKlSULI6Gs3PxQghLA=
 github.com/ishidawataru/sctp v0.0.0-20180918013207-6e2cb1366111/go.mod h1:DM4VvS+hD/kDi1U1QsX2fnZowwBhqD0Dk3bRPKF/Oc8=
+github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.4.1 h1:8VMb5+0wMgdBykOV96DwNwKFQ+WTI4pzYURP99CcB9E=
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
 github.com/klauspost/compress v1.7.2 h1:liMOoeIvFpr9kEvalrZ7VVBA4wGf7zfOgwBjzz/5g2Y=
@@ -113,6 +142,10 @@ github.com/klauspost/pgzip v1.2.1 h1:oIPZROsWuPHpOdMVWLuJZXwgjhrW8r1yEX8UqMyeNHM
 github.com/klauspost/pgzip v1.2.1/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-shellwords v1.0.3 h1:K/VxK7SZ+cvuPgFSLKi5QPI9Vr/ipOf4C1gN+ntueUk=
@@ -122,13 +155,26 @@ github.com/mattn/go-shellwords v1.0.5/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vq
 github.com/mistifyio/go-zfs v2.1.1+incompatible h1:gAMO1HM9xBRONLHHYnu5iFsOJUiJdNZo6oqSENd4eW8=
 github.com/mistifyio/go-zfs v2.1.1+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4=
 github.com/moby/moby v0.0.0-20171005181806-f8806b18b4b9/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c h1:xa+eQWKuJ9MbB9FBL/eoNvDFvveAkz2LQoz8PzX7Q/4=
 github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c/go.mod h1:GhAqVMEWnTcW2dxoD/SO3n2enrgWl3y6Dnx4m59GvcA=
+github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0 h1:Ix8l273rp3QzYgXSR+c8d1fTG7UPgYkOSELPhiY/YGw=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.8.0 h1:VkHVNpR4iVnU8XQR6DBm8BqYjN7CRzw+xKUbVVbbW9w=
+github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.4.1/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.5.0 h1:izbySO9zDPmjJ8rDjLvkA2zJHIo+HkYXHnf7eN7SSyo=
+github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/opencontainers/go-digest v1.0.0-rc1 h1:WzifXhOVOEOuFYOJAW6aQqW0TooG2iki3E3Ii+WN7gQ=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
@@ -142,6 +188,9 @@ github.com/opencontainers/runtime-tools v0.9.0 h1:FYgwVsKRI/H9hU32MJ/4MLOzXWodKK
 github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
 github.com/opencontainers/selinux v1.2.2 h1:Kx9J6eDG5/24A6DtUquGSpJQ+m2MUTahn4FtGEe8bFg=
 github.com/opencontainers/selinux v1.2.2/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
+github.com/openshift/api v3.9.0+incompatible h1:fJ/KsefYuZAjmrr3+5U9yZIZbTOpVkDDLDLFresAeYs=
+github.com/openshift/api v3.9.1-0.20190810003144-27fb16909b15+incompatible h1:s55wx8JIG/CKnewev892HifTBrtKzMdvgB3rm4rxC2s=
+github.com/openshift/api v3.9.1-0.20190810003144-27fb16909b15+incompatible/go.mod h1:dh9o4Fs58gpFXGSYfnVxGR9PnV53I8TW84pQaJDdGiY=
 github.com/openshift/imagebuilder v1.1.0 h1:oT704SkwMEzmIMU/+Uv1Wmvt+p10q3v2WuYMeFI18c4=
 github.com/openshift/imagebuilder v1.1.0/go.mod h1:9aJRczxCH0mvT6XQ+5STAQaPWz7OsWcU5/mRkt8IWeo=
 github.com/ostreedev/ostree-go v0.0.0-20181112201119-9ab99253d365 h1:5DKEDlc/DLftia3h4tk5K0KBiqBXogCc6EarWTlD3fM=
@@ -151,6 +200,7 @@ github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913/go.mod h1:J6OG
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/ffjson v0.0.0-20171002144729-d49c2bc1aa13 h1:AUK/hm/tPsiNNASdb3J8fySVRZoI7fnK5mlOvdFD43o=
 github.com/pquerna/ffjson v0.0.0-20171002144729-d49c2bc1aa13/go.mod h1:YARuvh7BUWHNhzDq2OM5tzR2RiCcN2D7sapiKyCel/M=
@@ -165,10 +215,12 @@ github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/spf13/cobra v0.0.3 h1:ZlrZ4XsMRm04Fr5pSFxBgfND2EBVa1nLpiy1stUsX/8=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0TYG7HtkIgExQo+2RdLuwRft63jn2HWj8=
@@ -202,30 +254,43 @@ golang.org/x/crypto v0.0.0-20190103213133-ff983b9c42bc h1:F5tKCVGp+MUAHhKp5MZtGq
 golang.org/x/crypto v0.0.0-20190103213133-ff983b9c42bc/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190107210223-45ffb0cd1ba0 h1:1DW40AJQ7AP4nY6ORUGUdkpXyEC9W2GAXcOPaMZK0K8=
 golang.org/x/net v0.0.0-20190107210223-45ffb0cd1ba0/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7 h1:rTIdg5QFRR7XCaK4LCjBiPbx8j4DQRpdYMnGn/bJUEU=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180824143301-4910a1d54f87/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb h1:fgwFCsaw9buMuxNd6+DQfAuSFqbNiQZpcgJQAgJsK6k=
 golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/tools v0.0.0-20180810170437-e96c4e24768d/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
+gopkg.in/inf.v0 v0.9.0 h1:3zYtXIO92bvsdS3ggAdA8Gb4Azj0YU+TVY1uGYNFA8o=
+gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -233,5 +298,16 @@ gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v0.0.0-20190624233834-05ebafbffc79/go.mod h1:R//lfYlUuTOTfblYI3lGoAAAebUdzjvbmQsuB7Ykd90=
 gotest.tools v2.1.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+k8s.io/api v0.0.0-20190813020757-36bff7324fb7 h1:4uJOjRn9kWq4AqJRE8+qzmAy+lJd9rh8TY455dNef4U=
+k8s.io/api v0.0.0-20190813020757-36bff7324fb7/go.mod h1:3Iy+myeAORNCLgjd/Xu9ebwN7Vh59Bw0vh9jhoX+V58=
+k8s.io/apimachinery v0.0.0-20190809020650-423f5d784010 h1:pyoq062NftC1y/OcnbSvgolyZDJ8y4fmUPWMkdA6gfU=
+k8s.io/apimachinery v0.0.0-20190809020650-423f5d784010/go.mod h1:Waf/xTS2FGRrgXCkO5FP3XxTOWh0qLf2QhL1qFZZ/R8=
 k8s.io/client-go v0.0.0-20181219152756-3dd551c0f083 h1:+Qf/nITucAbm09aIdxvoA+7X0BwaXmQGVoR8k7Ynk9o=
 k8s.io/client-go v0.0.0-20181219152756-3dd551c0f083/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
+k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.3.1 h1:RVgyDHY/kFKtLqh67NvEWIgkMneNoIrdkN0CxDSQc68=
+k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/kube-openapi v0.0.0-20190709113604-33be087ad058/go.mod h1:nfDlWeOsu3pUf4yWGL+ERqohP4YsZcBJXWMK+gkzOA4=
+sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
+sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=

vendor/github.com/containers/buildah/pkg/cgroups/cgroups_supported.go

@@ -0,0 +1,31 @@
+// +build linux
+
+package cgroups
+
+import (
+	"sync"
+	"syscall"
+)
+
+const (
+	_cgroup2SuperMagic = 0x63677270
+)
+
+var (
+	isUnifiedOnce sync.Once
+	isUnified     bool
+	isUnifiedErr  error
+)
+
+// IsCgroup2UnifiedMode returns whether we are running in cgroup 2 cgroup2 mode.
+func IsCgroup2UnifiedMode() (bool, error) {
+	isUnifiedOnce.Do(func() {
+		var st syscall.Statfs_t
+		if err := syscall.Statfs("/sys/fs/cgroup", &st); err != nil {
+			isUnified, isUnifiedErr = false, err
+		} else {
+			isUnified, isUnifiedErr = st.Type == _cgroup2SuperMagic, nil
+		}
+	})
+	return isUnified, isUnifiedErr
+}

vendor/github.com/containers/buildah/pkg/cgroups/cgroups_unsupported.go

@@ -0,0 +1,8 @@
+// +build !linux
+
+package cgroups
+
+// IsCgroup2UnifiedMode returns whether we are running in cgroup 2 cgroup2 mode.
+func IsCgroup2UnifiedMode() (bool, error) {
+	return false, nil
+}

vendor/github.com/containers/buildah/pull.go

@@ -218,6 +218,9 @@ func pullImage(ctx context.Context, store storage.Store, srcRef types.ImageRefer
 	if blocked {
 		return nil, errors.Errorf("pull access to registry for %q is blocked by configuration", transports.ImageName(srcRef))
 	}
+	if err := checkRegistrySourcesAllows("pull from", srcRef); err != nil {
+		return nil, err
+	}
 
 	destName, err := localImageNameForReference(ctx, store, srcRef)
 	if err != nil {

vendor/github.com/containers/buildah/run_linux.go

@@ -1384,8 +1384,7 @@ func runUsingRuntimeMain() {
 		os.Exit(1)
 	}
 	// Set ourselves up to read the container's exit status.  We're doing this in a child process
-	// so that we won't mess with the setting in a caller of the library. This stubs to OS specific
+	// so that we won't mess with the setting in a caller of the library.
-	// calls
 	if err := setChildProcess(); err != nil {
 		os.Exit(1)
 	}

vendor/github.com/containers/buildah/util/util.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 	"syscall"
 
+	"github.com/containers/buildah/pkg/cgroups"
 	"github.com/containers/image/docker/reference"
 	"github.com/containers/image/pkg/sysregistriesv2"
 	"github.com/containers/image/signature"
@@ -249,6 +250,12 @@ func Runtime() string {
 	if runtime != "" {
 		return runtime
 	}
+
+	// Need to switch default until runc supports cgroups v2
+	if unified, _ := cgroups.IsCgroup2UnifiedMode(); unified {
+		return "crun"
+	}
+
 	return DefaultRuntime
 }
 

vendor/github.com/gogo/protobuf/proto/extensions.go

@@ -527,6 +527,7 @@ func ExtensionDescs(pb Message) ([]*ExtensionDesc, error) {
 // SetExtension sets the specified extension of pb to the specified value.
 func SetExtension(pb Message, extension *ExtensionDesc, value interface{}) error {
 	if epb, ok := pb.(extensionsBytes); ok {
+		ClearExtension(pb, extension)
 		newb, err := encodeExtension(extension, value)
 		if err != nil {
 			return err

vendor/github.com/gogo/protobuf/proto/extensions_gogo.go

@@ -154,6 +154,10 @@ func EncodeInternalExtension(m extendableProto, data []byte) (n int, err error)
 	return EncodeExtensionMap(m.extensionsWrite(), data)
 }
 
+func EncodeInternalExtensionBackwards(m extendableProto, data []byte) (n int, err error) {
+	return EncodeExtensionMapBackwards(m.extensionsWrite(), data)
+}
+
 func EncodeExtensionMap(m map[int32]Extension, data []byte) (n int, err error) {
 	o := 0
 	for _, e := range m {
@@ -169,6 +173,23 @@ func EncodeExtensionMap(m map[int32]Extension, data []byte) (n int, err error) {
 	return o, nil
 }
 
+func EncodeExtensionMapBackwards(m map[int32]Extension, data []byte) (n int, err error) {
+	o := 0
+	end := len(data)
+	for _, e := range m {
+		if err := e.Encode(); err != nil {
+			return 0, err
+		}
+		n := copy(data[end-len(e.enc):], e.enc)
+		if n != len(e.enc) {
+			return 0, io.ErrShortBuffer
+		}
+		end -= n
+		o += n
+	}
+	return o, nil
+}
+
 func GetRawExtension(m map[int32]Extension, id int32) ([]byte, error) {
 	e := m[id]
 	if err := e.Encode(); err != nil {

vendor/github.com/json-iterator/go/adapter.go

@@ -16,7 +16,7 @@ func Unmarshal(data []byte, v interface{}) error {
 	return ConfigDefault.Unmarshal(data, v)
 }
 
-// UnmarshalFromString convenient method to read from string instead of []byte
+// UnmarshalFromString is a convenient method to read from string instead of []byte
 func UnmarshalFromString(str string, v interface{}) error {
 	return ConfigDefault.UnmarshalFromString(str, v)
 }

vendor/github.com/json-iterator/go/go.mod

@@ -0,0 +1,11 @@
+module github.com/json-iterator/go
+
+go 1.12
+
+require (
+	github.com/davecgh/go-spew v1.1.1
+	github.com/google/gofuzz v1.0.0
+	github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421
+	github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742
+	github.com/stretchr/testify v1.3.0
+)

vendor/github.com/json-iterator/go/go.sum

@@ -0,0 +1,14 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421 h1:ZqeYNhU3OHLH3mGKHDcjJRFFRrJa6eAM5H+CtDdOsPc=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742 h1:Esafd1046DLDQ0W1YjYsBW+p8U2u7vzgW2SQVmlNazg=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=

vendor/github.com/json-iterator/go/iter_skip.go

@@ -37,17 +37,24 @@ func (iter *Iterator) SkipAndReturnBytes() []byte {
 	return iter.stopCapture()
 }
 
-type captureBuffer struct {
+// SkipAndAppendBytes skips next JSON element and appends its content to
-	startedAt int
+// buffer, returning the result.
-	captured  []byte
+func (iter *Iterator) SkipAndAppendBytes(buf []byte) []byte {
+	iter.startCaptureTo(buf, iter.head)
+	iter.Skip()
+	return iter.stopCapture()
 }
 
-func (iter *Iterator) startCapture(captureStartedAt int) {
+func (iter *Iterator) startCaptureTo(buf []byte, captureStartedAt int) {
 	if iter.captured != nil {
 		panic("already in capture mode")
 	}
 	iter.captureStartedAt = captureStartedAt
-	iter.captured = make([]byte, 0, 32)
+	iter.captured = buf
+}
+
+func (iter *Iterator) startCapture(captureStartedAt int) {
+	iter.startCaptureTo(make([]byte, 0, 32), captureStartedAt)
 }
 
 func (iter *Iterator) stopCapture() []byte {
@@ -58,13 +65,7 @@ func (iter *Iterator) stopCapture() []byte {
 	remaining := iter.buf[iter.captureStartedAt:iter.head]
 	iter.captureStartedAt = -1
 	iter.captured = nil
-	if len(captured) == 0 {
+	return append(captured, remaining...)
-		copied := make([]byte, len(remaining))
-		copy(copied, remaining)
-		return copied
-	}
-	captured = append(captured, remaining...)
-	return captured
 }
 
 // Skip skips a json object and positions to relatively the next json object

vendor/github.com/json-iterator/go/reflect_native.go

@@ -432,17 +432,19 @@ func (codec *base64Codec) Decode(ptr unsafe.Pointer, iter *Iterator) {
 }
 
 func (codec *base64Codec) Encode(ptr unsafe.Pointer, stream *Stream) {
-	src := *((*[]byte)(ptr))
+	if codec.sliceType.UnsafeIsNil(ptr) {
-	if len(src) == 0 {
 		stream.WriteNil()
 		return
 	}
+	src := *((*[]byte)(ptr))
 	encoding := base64.StdEncoding
 	stream.writeByte('"')
-	size := encoding.EncodedLen(len(src))
+	if len(src) != 0 {
-	buf := make([]byte, size)
+		size := encoding.EncodedLen(len(src))
-	encoding.Encode(buf, src)
+		buf := make([]byte, size)
-	stream.buf = append(stream.buf, buf...)
+		encoding.Encode(buf, src)
+		stream.buf = append(stream.buf, buf...)
+	}
 	stream.writeByte('"')
 }
 

vendor/github.com/json-iterator/go/reflect_struct_decoder.go

@@ -530,8 +530,8 @@ func (decoder *generalStructDecoder) decodeOneField(ptr unsafe.Pointer, iter *It
 		}
 	}
 	if fieldDecoder == nil {
-		msg := "found unknown field: " + field
 		if decoder.disallowUnknownFields {
+			msg := "found unknown field: " + field
 			iter.ReportError("ReadObject", msg)
 		}
 		c := iter.nextToken()

vendor/github.com/json-iterator/go/stream_float.go

@@ -1,6 +1,7 @@
 package jsoniter
 
 import (
+	"fmt"
 	"math"
 	"strconv"
 )
@@ -13,6 +14,10 @@ func init() {
 
 // WriteFloat32 write float32 to stream
 func (stream *Stream) WriteFloat32(val float32) {
+	if math.IsInf(float64(val), 0) || math.IsNaN(float64(val)) {
+		stream.Error = fmt.Errorf("unsupported value: %f", val)
+		return
+	}
 	abs := math.Abs(float64(val))
 	fmt := byte('f')
 	// Note: Must use float32 comparisons for underlying float32 value to get precise cutoffs right.
@@ -26,6 +31,10 @@ func (stream *Stream) WriteFloat32(val float32) {
 
 // WriteFloat32Lossy write float32 to stream with ONLY 6 digits precision although much much faster
 func (stream *Stream) WriteFloat32Lossy(val float32) {
+	if math.IsInf(float64(val), 0) || math.IsNaN(float64(val)) {
+		stream.Error = fmt.Errorf("unsupported value: %f", val)
+		return
+	}
 	if val < 0 {
 		stream.writeByte('-')
 		val = -val
@@ -54,6 +63,10 @@ func (stream *Stream) WriteFloat32Lossy(val float32) {
 
 // WriteFloat64 write float64 to stream
 func (stream *Stream) WriteFloat64(val float64) {
+	if math.IsInf(val, 0) || math.IsNaN(val) {
+		stream.Error = fmt.Errorf("unsupported value: %f", val)
+		return
+	}
 	abs := math.Abs(val)
 	fmt := byte('f')
 	// Note: Must use float32 comparisons for underlying float32 value to get precise cutoffs right.
@@ -67,6 +80,10 @@ func (stream *Stream) WriteFloat64(val float64) {
 
 // WriteFloat64Lossy write float64 to stream with ONLY 6 digits precision although much much faster
 func (stream *Stream) WriteFloat64Lossy(val float64) {
+	if math.IsInf(val, 0) || math.IsNaN(val) {
+		stream.Error = fmt.Errorf("unsupported value: %f", val)
+		return
+	}
 	if val < 0 {
 		stream.writeByte('-')
 		val = -val

vendor/github.com/openshift/api/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

vendor/github.com/openshift/api/config/v1/doc.go

@@ -0,0 +1,8 @@
+// +k8s:deepcopy-gen=package,register
+// +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-gen=true
+
+// +kubebuilder:validation:Optional
+// +groupName=config.openshift.io
+// Package v1 is the v1 version of the API.
+package v1

vendor/github.com/openshift/api/config/v1/register.go

@@ -0,0 +1,70 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupName     = "config.openshift.io"
+	GroupVersion  = schema.GroupVersion{Group: GroupName, Version: "v1"}
+	schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	// Install is a function which adds this version to a scheme
+	Install = schemeBuilder.AddToScheme
+
+	// SchemeGroupVersion generated code relies on this name
+	// Deprecated
+	SchemeGroupVersion = GroupVersion
+	// AddToScheme exists solely to keep the old generators creating valid code
+	// DEPRECATED
+	AddToScheme = schemeBuilder.AddToScheme
+)
+
+// Resource generated code relies on this being here, but it logically belongs to the group
+// DEPRECATED
+func Resource(resource string) schema.GroupResource {
+	return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(GroupVersion,
+		&APIServer{},
+		&APIServerList{},
+		&Authentication{},
+		&AuthenticationList{},
+		&Build{},
+		&BuildList{},
+		&ClusterOperator{},
+		&ClusterOperatorList{},
+		&ClusterVersion{},
+		&ClusterVersionList{},
+		&Console{},
+		&ConsoleList{},
+		&DNS{},
+		&DNSList{},
+		&FeatureGate{},
+		&FeatureGateList{},
+		&Image{},
+		&ImageList{},
+		&Infrastructure{},
+		&InfrastructureList{},
+		&Ingress{},
+		&IngressList{},
+		&Network{},
+		&NetworkList{},
+		&OAuth{},
+		&OAuthList{},
+		&OperatorHub{},
+		&OperatorHubList{},
+		&Project{},
+		&ProjectList{},
+		&Proxy{},
+		&ProxyList{},
+		&Scheduler{},
+		&SchedulerList{},
+	)
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+	return nil
+}

vendor/github.com/openshift/api/config/v1/stringsource.go

@@ -0,0 +1,31 @@
+package v1
+
+import "encoding/json"
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+// If the value is a string, it sets the Value field of the StringSource.
+// Otherwise, it is unmarshaled into the StringSourceSpec struct
+func (s *StringSource) UnmarshalJSON(value []byte) error {
+	// If we can unmarshal to a simple string, just set the value
+	var simpleValue string
+	if err := json.Unmarshal(value, &simpleValue); err == nil {
+		s.Value = simpleValue
+		return nil
+	}
+
+	// Otherwise do the full struct unmarshal
+	return json.Unmarshal(value, &s.StringSourceSpec)
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+// If the StringSource contains only a string Value (or is empty), it is marshaled as a JSON string.
+// Otherwise, the StringSourceSpec struct is marshaled as a JSON object.
+func (s *StringSource) MarshalJSON() ([]byte, error) {
+	// If we have only a cleartext value set, do a simple string marshal
+	if s.StringSourceSpec == (StringSourceSpec{Value: s.Value}) {
+		return json.Marshal(s.Value)
+	}
+
+	// Otherwise do the full struct marshal of the externalized bits
+	return json.Marshal(s.StringSourceSpec)
+}

vendor/github.com/openshift/api/config/v1/types.go

@@ -0,0 +1,310 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// ConfigMapFileReference references a config map in a specific namespace.
+// The namespace must be specified at the point of use.
+type ConfigMapFileReference struct {
+	Name string `json:"name"`
+	// Key allows pointing to a specific key/value inside of the configmap.  This is useful for logical file references.
+	Key string `json:"key,omitempty"`
+}
+
+// ConfigMapNameReference references a config map in a specific namespace.
+// The namespace must be specified at the point of use.
+type ConfigMapNameReference struct {
+	// name is the metadata.name of the referenced config map
+	// +kubebuilder:validation:Required
+	// +required
+	Name string `json:"name"`
+}
+
+// SecretNameReference references a secret in a specific namespace.
+// The namespace must be specified at the point of use.
+type SecretNameReference struct {
+	// name is the metadata.name of the referenced secret
+	// +kubebuilder:validation:Required
+	// +required
+	Name string `json:"name"`
+}
+
+// HTTPServingInfo holds configuration for serving HTTP
+type HTTPServingInfo struct {
+	// ServingInfo is the HTTP serving information
+	ServingInfo `json:",inline"`
+	// MaxRequestsInFlight is the number of concurrent requests allowed to the server. If zero, no limit.
+	MaxRequestsInFlight int64 `json:"maxRequestsInFlight"`
+	// RequestTimeoutSeconds is the number of seconds before requests are timed out. The default is 60 minutes, if
+	// -1 there is no limit on requests.
+	RequestTimeoutSeconds int64 `json:"requestTimeoutSeconds"`
+}
+
+// ServingInfo holds information about serving web pages
+type ServingInfo struct {
+	// BindAddress is the ip:port to serve on
+	BindAddress string `json:"bindAddress"`
+	// BindNetwork is the type of network to bind to - defaults to "tcp4", accepts "tcp",
+	// "tcp4", and "tcp6"
+	BindNetwork string `json:"bindNetwork"`
+	// CertInfo is the TLS cert info for serving secure traffic.
+	// this is anonymous so that we can inline it for serialization
+	CertInfo `json:",inline"`
+	// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
+	// +optional
+	ClientCA string `json:"clientCA,omitempty"`
+	// NamedCertificates is a list of certificates to use to secure requests to specific hostnames
+	NamedCertificates []NamedCertificate `json:"namedCertificates,omitempty"`
+	// MinTLSVersion is the minimum TLS version supported.
+	// Values must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants
+	MinTLSVersion string `json:"minTLSVersion,omitempty"`
+	// CipherSuites contains an overridden list of ciphers for the server to support.
+	// Values must match cipher suite IDs from https://golang.org/pkg/crypto/tls/#pkg-constants
+	CipherSuites []string `json:"cipherSuites,omitempty"`
+}
+
+// CertInfo relates a certificate with a private key
+type CertInfo struct {
+	// CertFile is a file containing a PEM-encoded certificate
+	CertFile string `json:"certFile"`
+	// KeyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile
+	KeyFile string `json:"keyFile"`
+}
+
+// NamedCertificate specifies a certificate/key, and the names it should be served for
+type NamedCertificate struct {
+	// Names is a list of DNS names this certificate should be used to secure
+	// A name can be a normal DNS name, or can contain leading wildcard segments.
+	Names []string `json:"names,omitempty"`
+	// CertInfo is the TLS cert info for serving secure traffic
+	CertInfo `json:",inline"`
+}
+
+// LeaderElection provides information to elect a leader
+type LeaderElection struct {
+	// disable allows leader election to be suspended while allowing a fully defaulted "normal" startup case.
+	Disable bool `json:"disable,omitempty"`
+	// namespace indicates which namespace the resource is in
+	Namespace string `json:"namespace,omitempty"`
+	// name indicates what name to use for the resource
+	Name string `json:"name,omitempty"`
+
+	// leaseDuration is the duration that non-leader candidates will wait
+	// after observing a leadership renewal until attempting to acquire
+	// leadership of a led but unrenewed leader slot. This is effectively the
+	// maximum duration that a leader can be stopped before it is replaced
+	// by another candidate. This is only applicable if leader election is
+	// enabled.
+	// +nullable
+	LeaseDuration metav1.Duration `json:"leaseDuration"`
+	// renewDeadline is the interval between attempts by the acting master to
+	// renew a leadership slot before it stops leading. This must be less
+	// than or equal to the lease duration. This is only applicable if leader
+	// election is enabled.
+	// +nullable
+	RenewDeadline metav1.Duration `json:"renewDeadline"`
+	// retryPeriod is the duration the clients should wait between attempting
+	// acquisition and renewal of a leadership. This is only applicable if
+	// leader election is enabled.
+	// +nullable
+	RetryPeriod metav1.Duration `json:"retryPeriod"`
+}
+
+// StringSource allows specifying a string inline, or externally via env var or file.
+// When it contains only a string value, it marshals to a simple JSON string.
+type StringSource struct {
+	// StringSourceSpec specifies the string value, or external location
+	StringSourceSpec `json:",inline"`
+}
+
+// StringSourceSpec specifies a string value, or external location
+type StringSourceSpec struct {
+	// Value specifies the cleartext value, or an encrypted value if keyFile is specified.
+	Value string `json:"value"`
+
+	// Env specifies an envvar containing the cleartext value, or an encrypted value if the keyFile is specified.
+	Env string `json:"env"`
+
+	// File references a file containing the cleartext value, or an encrypted value if a keyFile is specified.
+	File string `json:"file"`
+
+	// KeyFile references a file containing the key to use to decrypt the value.
+	KeyFile string `json:"keyFile"`
+}
+
+// RemoteConnectionInfo holds information necessary for establishing a remote connection
+type RemoteConnectionInfo struct {
+	// URL is the remote URL to connect to
+	URL string `json:"url"`
+	// CA is the CA for verifying TLS connections
+	CA string `json:"ca"`
+	// CertInfo is the TLS client cert information to present
+	// this is anonymous so that we can inline it for serialization
+	CertInfo `json:",inline"`
+}
+
+type AdmissionConfig struct {
+	PluginConfig map[string]AdmissionPluginConfig `json:"pluginConfig,omitempty"`
+
+	// enabledPlugins is a list of admission plugins that must be on in addition to the default list.
+	// Some admission plugins are disabled by default, but certain configurations require them.  This is fairly uncommon
+	// and can result in performance penalties and unexpected behavior.
+	EnabledAdmissionPlugins []string `json:"enabledPlugins,omitempty"`
+
+	// disabledPlugins is a list of admission plugins that must be off.  Putting something in this list
+	// is almost always a mistake and likely to result in cluster instability.
+	DisabledAdmissionPlugins []string `json:"disabledPlugins,omitempty"`
+}
+
+// AdmissionPluginConfig holds the necessary configuration options for admission plugins
+type AdmissionPluginConfig struct {
+	// Location is the path to a configuration file that contains the plugin's
+	// configuration
+	Location string `json:"location"`
+
+	// Configuration is an embedded configuration object to be used as the plugin's
+	// configuration. If present, it will be used instead of the path to the configuration file.
+	// +nullable
+	Configuration runtime.RawExtension `json:"configuration"`
+}
+
+type LogFormatType string
+
+type WebHookModeType string
+
+const (
+	// LogFormatLegacy saves event in 1-line text format.
+	LogFormatLegacy LogFormatType = "legacy"
+	// LogFormatJson saves event in structured json format.
+	LogFormatJson LogFormatType = "json"
+
+	// WebHookModeBatch indicates that the webhook should buffer audit events
+	// internally, sending batch updates either once a certain number of
+	// events have been received or a certain amount of time has passed.
+	WebHookModeBatch WebHookModeType = "batch"
+	// WebHookModeBlocking causes the webhook to block on every attempt to process
+	// a set of events. This causes requests to the API server to wait for a
+	// round trip to the external audit service before sending a response.
+	WebHookModeBlocking WebHookModeType = "blocking"
+)
+
+// AuditConfig holds configuration for the audit capabilities
+type AuditConfig struct {
+	// If this flag is set, audit log will be printed in the logs.
+	// The logs contains, method, user and a requested URL.
+	Enabled bool `json:"enabled"`
+	// All requests coming to the apiserver will be logged to this file.
+	AuditFilePath string `json:"auditFilePath"`
+	// Maximum number of days to retain old log files based on the timestamp encoded in their filename.
+	MaximumFileRetentionDays int32 `json:"maximumFileRetentionDays"`
+	// Maximum number of old log files to retain.
+	MaximumRetainedFiles int32 `json:"maximumRetainedFiles"`
+	// Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.
+	MaximumFileSizeMegabytes int32 `json:"maximumFileSizeMegabytes"`
+
+	// PolicyFile is a path to the file that defines the audit policy configuration.
+	PolicyFile string `json:"policyFile"`
+	// PolicyConfiguration is an embedded policy configuration object to be used
+	// as the audit policy configuration. If present, it will be used instead of
+	// the path to the policy file.
+	// +nullable
+	PolicyConfiguration runtime.RawExtension `json:"policyConfiguration"`
+
+	// Format of saved audits (legacy or json).
+	LogFormat LogFormatType `json:"logFormat"`
+
+	// Path to a .kubeconfig formatted file that defines the audit webhook configuration.
+	WebHookKubeConfig string `json:"webHookKubeConfig"`
+	// Strategy for sending audit events (block or batch).
+	WebHookMode WebHookModeType `json:"webHookMode"`
+}
+
+// EtcdConnectionInfo holds information necessary for connecting to an etcd server
+type EtcdConnectionInfo struct {
+	// URLs are the URLs for etcd
+	URLs []string `json:"urls,omitempty"`
+	// CA is a file containing trusted roots for the etcd server certificates
+	CA string `json:"ca"`
+	// CertInfo is the TLS client cert information for securing communication to etcd
+	// this is anonymous so that we can inline it for serialization
+	CertInfo `json:",inline"`
+}
+
+type EtcdStorageConfig struct {
+	EtcdConnectionInfo `json:",inline"`
+
+	// StoragePrefix is the path within etcd that the OpenShift resources will
+	// be rooted under. This value, if changed, will mean existing objects in etcd will
+	// no longer be located.
+	StoragePrefix string `json:"storagePrefix"`
+}
+
+// GenericAPIServerConfig is an inline-able struct for aggregated apiservers that need to store data in etcd
+type GenericAPIServerConfig struct {
+	// servingInfo describes how to start serving
+	ServingInfo HTTPServingInfo `json:"servingInfo"`
+
+	// corsAllowedOrigins
+	CORSAllowedOrigins []string `json:"corsAllowedOrigins"`
+
+	// auditConfig describes how to configure audit information
+	AuditConfig AuditConfig `json:"auditConfig"`
+
+	// storageConfig contains information about how to use
+	StorageConfig EtcdStorageConfig `json:"storageConfig"`
+
+	// admissionConfig holds information about how to configure admission.
+	AdmissionConfig AdmissionConfig `json:"admission"`
+
+	KubeClientConfig KubeClientConfig `json:"kubeClientConfig"`
+}
+
+type KubeClientConfig struct {
+	// kubeConfig is a .kubeconfig filename for going to the owning kube-apiserver.  Empty uses an in-cluster-config
+	KubeConfig string `json:"kubeConfig"`
+
+	// connectionOverrides specifies client overrides for system components to loop back to this master.
+	ConnectionOverrides ClientConnectionOverrides `json:"connectionOverrides"`
+}
+
+type ClientConnectionOverrides struct {
+	// acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
+	// default value of 'application/json'. This field will control all connections to the server used by a particular
+	// client.
+	AcceptContentTypes string `json:"acceptContentTypes"`
+	// contentType is the content type used when sending data to the server from this client.
+	ContentType string `json:"contentType"`
+
+	// qps controls the number of queries per second allowed for this connection.
+	QPS float32 `json:"qps"`
+	// burst allows extra queries to accumulate when a client is exceeding its rate.
+	Burst int32 `json:"burst"`
+}
+
+// GenericControllerConfig provides information to configure a controller
+type GenericControllerConfig struct {
+	// ServingInfo is the HTTP serving information for the controller's endpoints
+	ServingInfo HTTPServingInfo `json:"servingInfo"`
+
+	// leaderElection provides information to elect a leader. Only override this if you have a specific need
+	LeaderElection LeaderElection `json:"leaderElection"`
+
+	// authentication allows configuration of authentication for the endpoints
+	Authentication DelegatedAuthentication `json:"authentication"`
+	// authorization allows configuration of authentication for the endpoints
+	Authorization DelegatedAuthorization `json:"authorization"`
+}
+
+// DelegatedAuthentication allows authentication to be disabled.
+type DelegatedAuthentication struct {
+	// disabled indicates that authentication should be disabled.  By default it will use delegated authentication.
+	Disabled bool `json:"disabled,omitempty"`
+}
+
+// DelegatedAuthorization allows authorization to be disabled.
+type DelegatedAuthorization struct {
+	// disabled indicates that authorization should be disabled.  By default it will use delegated authorization.
+	Disabled bool `json:"disabled,omitempty"`
+}

vendor/github.com/openshift/api/config/v1/types_apiserver.go

@@ -0,0 +1,75 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// APIServer holds configuration (like serving certificates, client CA and CORS domains)
+// shared by all API servers in the system, among them especially kube-apiserver
+// and openshift-apiserver. The canonical name of an instance is 'cluster'.
+type APIServer struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	// +kubebuilder:validation:Required
+	// +required
+	Spec APIServerSpec `json:"spec"`
+	// +optional
+	Status APIServerStatus `json:"status"`
+}
+
+type APIServerSpec struct {
+	// servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
+	// will be used for serving secure traffic.
+	// +optional
+	ServingCerts APIServerServingCerts `json:"servingCerts"`
+	// clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for
+	// incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid.
+	// You usually only have to set this if you have your own PKI you wish to honor client certificates from.
+	// The ConfigMap must exist in the openshift-config namespace and contain the following required fields:
+	// - ConfigMap.Data["ca-bundle.crt"] - CA bundle.
+	// +optional
+	ClientCA ConfigMapNameReference `json:"clientCA"`
+	// additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the
+	// API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth
+	// server from JavaScript applications.
+	// The values are regular expressions that correspond to the Golang regular expression language.
+	// +optional
+	AdditionalCORSAllowedOrigins []string `json:"additionalCORSAllowedOrigins,omitempty"`
+}
+
+type APIServerServingCerts struct {
+	// namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames.
+	// If no named certificates are provided, or no named certificates match the server name as understood by a client,
+	// the defaultServingCertificate will be used.
+	// +optional
+	NamedCertificates []APIServerNamedServingCert `json:"namedCertificates,omitempty"`
+}
+
+// APIServerNamedServingCert maps a server DNS name, as understood by a client, to a certificate.
+type APIServerNamedServingCert struct {
+	// names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to
+	// serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates.
+	// Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names.
+	// +optional
+	Names []string `json:"names,omitempty"`
+	// servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic.
+	// The secret must exist in the openshift-config namespace and contain the following required fields:
+	// - Secret.Data["tls.key"] - TLS private key.
+	// - Secret.Data["tls.crt"] - TLS certificate.
+	ServingCertificate SecretNameReference `json:"servingCertificate"`
+}
+
+type APIServerStatus struct {
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type APIServerList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []APIServer `json:"items"`
+}

vendor/github.com/openshift/api/config/v1/types_authentication.go

@@ -0,0 +1,120 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Authentication specifies cluster-wide settings for authentication (like OAuth and
+// webhook token authenticators). The canonical name of an instance is `cluster`.
+type Authentication struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +kubebuilder:validation:Required
+	// +required
+	Spec AuthenticationSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status AuthenticationStatus `json:"status"`
+}
+
+type AuthenticationSpec struct {
+	// type identifies the cluster managed, user facing authentication mode in use.
+	// Specifically, it manages the component that responds to login attempts.
+	// The default is IntegratedOAuth.
+	// +optional
+	Type AuthenticationType `json:"type"`
+
+	// oauthMetadata contains the discovery endpoint data for OAuth 2.0
+	// Authorization Server Metadata for an external OAuth server.
+	// This discovery document can be viewed from its served location:
+	// oc get --raw '/.well-known/oauth-authorization-server'
+	// For further details, see the IETF Draft:
+	// https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
+	// If oauthMetadata.name is non-empty, this value has precedence
+	// over any metadata reference stored in status.
+	// The key "oauthMetadata" is used to locate the data.
+	// If specified and the config map or expected key is not found, no metadata is served.
+	// If the specified metadata is not valid, no metadata is served.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	OAuthMetadata ConfigMapNameReference `json:"oauthMetadata"`
+
+	// webhookTokenAuthenticators configures remote token reviewers.
+	// These remote authentication webhooks can be used to verify bearer tokens
+	// via the tokenreviews.authentication.k8s.io REST API.  This is required to
+	// honor bearer tokens that are provisioned by an external authentication service.
+	// The namespace for these secrets is openshift-config.
+	// +optional
+	WebhookTokenAuthenticators []WebhookTokenAuthenticator `json:"webhookTokenAuthenticators,omitempty"`
+}
+
+type AuthenticationStatus struct {
+	// integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0
+	// Authorization Server Metadata for the in-cluster integrated OAuth server.
+	// This discovery document can be viewed from its served location:
+	// oc get --raw '/.well-known/oauth-authorization-server'
+	// For further details, see the IETF Draft:
+	// https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
+	// This contains the observed value based on cluster state.
+	// An explicitly set value in spec.oauthMetadata has precedence over this field.
+	// This field has no meaning if authentication spec.type is not set to IntegratedOAuth.
+	// The key "oauthMetadata" is used to locate the data.
+	// If the config map or expected key is not found, no metadata is served.
+	// If the specified metadata is not valid, no metadata is served.
+	// The namespace for this config map is openshift-config-managed.
+	IntegratedOAuthMetadata ConfigMapNameReference `json:"integratedOAuthMetadata"`
+
+	// TODO if we add support for an in-cluster operator managed Keycloak instance
+	// KeycloakOAuthMetadata ConfigMapNameReference `json:"keycloakOAuthMetadata"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type AuthenticationList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Authentication `json:"items"`
+}
+
+type AuthenticationType string
+
+const (
+	// None means that no cluster managed authentication system is in place.
+	// Note that user login will only work if a manually configured system is in place and
+	// referenced in authentication spec via oauthMetadata and webhookTokenAuthenticators.
+	AuthenticationTypeNone AuthenticationType = "None"
+
+	// IntegratedOAuth refers to the cluster managed OAuth server.
+	// It is configured via the top level OAuth config.
+	AuthenticationTypeIntegratedOAuth AuthenticationType = "IntegratedOAuth"
+
+	// TODO if we add support for an in-cluster operator managed Keycloak instance
+	// AuthenticationTypeKeycloak AuthenticationType = "Keycloak"
+)
+
+// webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator
+type WebhookTokenAuthenticator struct {
+	// kubeConfig contains kube config file data which describes how to access the remote webhook service.
+	// For further details, see:
+	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+	// The key "kubeConfig" is used to locate the data.
+	// If the secret or expected key is not found, the webhook is not honored.
+	// If the specified kube config data is not valid, the webhook is not honored.
+	// The namespace for this secret is determined by the point of use.
+	KubeConfig SecretNameReference `json:"kubeConfig"`
+}
+
+const (
+	// OAuthMetadataKey is the key for the oauth authorization server metadata
+	OAuthMetadataKey = "oauthMetadata"
+
+	// KubeConfigKey is the key for the kube config file data in a secret
+	KubeConfigKey = "kubeConfig"
+)

vendor/github.com/openshift/api/config/v1/types_build.go

@@ -0,0 +1,101 @@
+package v1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Build holds cluster-wide information on how to handle builds. The canonical name is `cluster`
+type Build struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	// Spec holds user-settable values for the build controller configuration
+	// +kubebuilder:validation:Required
+	// +required
+	Spec BuildSpec `json:"spec"`
+}
+
+type BuildSpec struct {
+	// AdditionalTrustedCA is a reference to a ConfigMap containing additional CAs that
+	// should be trusted for image pushes and pulls during builds.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	AdditionalTrustedCA ConfigMapNameReference `json:"additionalTrustedCA"`
+	// BuildDefaults controls the default information for Builds
+	// +optional
+	BuildDefaults BuildDefaults `json:"buildDefaults"`
+	// BuildOverrides controls override settings for builds
+	// +optional
+	BuildOverrides BuildOverrides `json:"buildOverrides"`
+}
+
+type BuildDefaults struct {
+	// DefaultProxy contains the default proxy settings for all build operations, including image pull/push
+	// and source download.
+	//
+	// Values can be overrode by setting the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables
+	// in the build config's strategy.
+	// +optional
+	DefaultProxy *ProxySpec `json:"defaultProxy,omitempty"`
+
+	// GitProxy contains the proxy settings for git operations only. If set, this will override
+	// any Proxy settings for all git commands, such as git clone.
+	//
+	// Values that are not set here will be inherited from DefaultProxy.
+	// +optional
+	GitProxy *ProxySpec `json:"gitProxy,omitempty"`
+
+	// Env is a set of default environment variables that will be applied to the
+	// build if the specified variables do not exist on the build
+	// +optional
+	Env []corev1.EnvVar `json:"env,omitempty"`
+
+	// ImageLabels is a list of docker labels that are applied to the resulting image.
+	// User can override a default label by providing a label with the same name in their
+	// Build/BuildConfig.
+	// +optional
+	ImageLabels []ImageLabel `json:"imageLabels,omitempty"`
+
+	// Resources defines resource requirements to execute the build.
+	// +optional
+	Resources corev1.ResourceRequirements `json:"resources"`
+}
+
+type ImageLabel struct {
+	// Name defines the name of the label. It must have non-zero length.
+	Name string `json:"name"`
+
+	// Value defines the literal value of the label.
+	// +optional
+	Value string `json:"value,omitempty"`
+}
+
+type BuildOverrides struct {
+	// ImageLabels is a list of docker labels that are applied to the resulting image.
+	// If user provided a label in their Build/BuildConfig with the same name as one in this
+	// list, the user's label will be overwritten.
+	// +optional
+	ImageLabels []ImageLabel `json:"imageLabels,omitempty"`
+
+	// NodeSelector is a selector which must be true for the build pod to fit on a node
+	// +optional
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+
+	// Tolerations is a list of Tolerations that will override any existing
+	// tolerations set on a build pod.
+	// +optional
+	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type BuildList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ListMeta `json:"metadata"`
+	Items           []Build `json:"items"`
+}

vendor/github.com/openshift/api/config/v1/types_cluster_operator.go

@@ -0,0 +1,150 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterOperator is the Custom Resource object which holds the current state
+// of an operator. This object is used by operators to convey their state to
+// the rest of the cluster.
+type ClusterOperator struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+
+	// spec hold the intent of how this operator should behave.
+	// +kubebuilder:validation:Required
+	// +required
+	Spec ClusterOperatorSpec `json:"spec"`
+
+	// status holds the information about the state of an operator.  It is consistent with status information across
+	// the kube ecosystem.
+	// +optional
+	Status ClusterOperatorStatus `json:"status"`
+}
+
+// ClusterOperatorSpec is empty for now, but you could imagine holding information like "pause".
+type ClusterOperatorSpec struct {
+}
+
+// ClusterOperatorStatus provides information about the status of the operator.
+// +k8s:deepcopy-gen=true
+type ClusterOperatorStatus struct {
+	// conditions describes the state of the operator's reconciliation functionality.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +optional
+	Conditions []ClusterOperatorStatusCondition `json:"conditions,omitempty"  patchStrategy:"merge" patchMergeKey:"type"`
+
+	// versions is a slice of operand version tuples.  Operators which manage multiple operands will have multiple
+	// entries in the array.  If an operator is Available, it must have at least one entry.  You must report the version of
+	// the operator itself with the name "operator".
+	// +optional
+	Versions []OperandVersion `json:"versions,omitempty"`
+
+	// relatedObjects is a list of objects that are "interesting" or related to this operator.  Common uses are:
+	// 1. the detailed resource driving the operator
+	// 2. operator namespaces
+	// 3. operand namespaces
+	// +optional
+	RelatedObjects []ObjectReference `json:"relatedObjects,omitempty"`
+
+	// extension contains any additional status information specific to the
+	// operator which owns this status object.
+	// +nullable
+	// +optional
+	Extension runtime.RawExtension `json:"extension"`
+}
+
+type OperandVersion struct {
+	// name is the name of the particular operand this version is for.  It usually matches container images, not operators.
+	Name string `json:"name"`
+
+	// version indicates which version of a particular operand is currently being manage.  It must always match the Available
+	// condition.  If 1.0.0 is Available, then this must indicate 1.0.0 even if the operator is trying to rollout
+	// 1.1.0
+	Version string `json:"version"`
+}
+
+// ObjectReference contains enough information to let you inspect or modify the referred object.
+type ObjectReference struct {
+	// group of the referent.
+	Group string `json:"group"`
+	// resource of the referent.
+	Resource string `json:"resource"`
+	// namespace of the referent.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+	// name of the referent.
+	Name string `json:"name"`
+}
+
+type ConditionStatus string
+
+// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
+// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
+// can't decide if a resource is in the condition or not. In the future, we could add other
+// intermediate conditions, e.g. ConditionDegraded.
+const (
+	ConditionTrue    ConditionStatus = "True"
+	ConditionFalse   ConditionStatus = "False"
+	ConditionUnknown ConditionStatus = "Unknown"
+)
+
+// ClusterOperatorStatusCondition represents the state of the operator's
+// reconciliation functionality.
+// +k8s:deepcopy-gen=true
+type ClusterOperatorStatusCondition struct {
+	// type specifies the state of the operator's reconciliation functionality.
+	Type ClusterStatusConditionType `json:"type"`
+
+	// status of the condition, one of True, False, Unknown.
+	Status ConditionStatus `json:"status"`
+
+	// lastTransitionTime is the time of the last update to the current status object.
+	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
+
+	// reason is the reason for the condition's last transition.  Reasons are CamelCase
+	Reason string `json:"reason,omitempty"`
+
+	// message provides additional information about the current condition.
+	// This is only to be consumed by humans.
+	Message string `json:"message,omitempty"`
+}
+
+// ClusterStatusConditionType is the state of the operator's reconciliation functionality.
+type ClusterStatusConditionType string
+
+const (
+	// Available indicates that the binary maintained by the operator (eg: openshift-apiserver for the
+	// openshift-apiserver-operator), is functional and available in the cluster.
+	OperatorAvailable ClusterStatusConditionType = "Available"
+
+	// Progressing indicates that the operator is actively making changes to the binary maintained by the
+	// operator (eg: openshift-apiserver for the openshift-apiserver-operator).
+	OperatorProgressing ClusterStatusConditionType = "Progressing"
+
+	// Degraded indicates that the operand is not functioning completely. An example of a degraded state
+	// would be if there should be 5 copies of the operand running but only 4 are running. It may still be available,
+	// but it is degraded
+	OperatorDegraded ClusterStatusConditionType = "Degraded"
+
+	// Upgradeable indicates whether the operator is in a state that is safe to upgrade. When status is `False`
+	// administrators should not upgrade their cluster and the message field should contain a human readable description
+	// of what the administrator should do to allow the operator to successfully update.  A missing condition, True,
+	// and Unknown are all treated by the CVO as allowing an upgrade.
+	OperatorUpgradeable ClusterStatusConditionType = "Upgradeable"
+)
+
+// ClusterOperatorList is a list of OperatorStatus resources.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ClusterOperatorList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+
+	Items []ClusterOperator `json:"items"`
+}

vendor/github.com/openshift/api/config/v1/types_cluster_version.go

@@ -0,0 +1,237 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterVersion is the configuration for the ClusterVersionOperator. This is where
+// parameters related to automatic updates can be set.
+type ClusterVersion struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec is the desired state of the cluster version - the operator will work
+	// to ensure that the desired version is applied to the cluster.
+	// +kubebuilder:validation:Required
+	// +required
+	Spec ClusterVersionSpec `json:"spec"`
+	// status contains information about the available updates and any in-progress
+	// updates.
+	// +optional
+	Status ClusterVersionStatus `json:"status"`
+}
+
+// ClusterVersionSpec is the desired version state of the cluster. It includes
+// the version the cluster should be at, how the cluster is identified, and
+// where the cluster should look for version updates.
+// +k8s:deepcopy-gen=true
+type ClusterVersionSpec struct {
+	// clusterID uniquely identifies this cluster. This is expected to be
+	// an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in
+	// hexadecimal values). This is a required field.
+	ClusterID ClusterID `json:"clusterID"`
+
+	// desiredUpdate is an optional field that indicates the desired value of
+	// the cluster version. Setting this value will trigger an upgrade (if
+	// the current version does not match the desired version). The set of
+	// recommended update values is listed as part of available updates in
+	// status, and setting values outside that range may cause the upgrade
+	// to fail. You may specify the version field without setting image if
+	// an update exists with that version in the availableUpdates or history.
+	//
+	// If an upgrade fails the operator will halt and report status
+	// about the failing component. Setting the desired update value back to
+	// the previous version will cause a rollback to be attempted. Not all
+	// rollbacks will succeed.
+	//
+	// +optional
+	DesiredUpdate *Update `json:"desiredUpdate,omitempty"`
+
+	// upstream may be used to specify the preferred update server. By default
+	// it will use the appropriate update server for the cluster and region.
+	//
+	// +optional
+	Upstream URL `json:"upstream,omitempty"`
+	// channel is an identifier for explicitly requesting that a non-default
+	// set of updates be applied to this cluster. The default channel will be
+	// contain stable updates that are appropriate for production clusters.
+	//
+	// +optional
+	Channel string `json:"channel,omitempty"`
+
+	// overrides is list of overides for components that are managed by
+	// cluster version operator. Marking a component unmanaged will prevent
+	// the operator from creating or updating the object.
+	// +optional
+	Overrides []ComponentOverride `json:"overrides,omitempty"`
+}
+
+// ClusterVersionStatus reports the status of the cluster versioning,
+// including any upgrades that are in progress. The current field will
+// be set to whichever version the cluster is reconciling to, and the
+// conditions array will report whether the update succeeded, is in
+// progress, or is failing.
+// +k8s:deepcopy-gen=true
+type ClusterVersionStatus struct {
+	// desired is the version that the cluster is reconciling towards.
+	// If the cluster is not yet fully initialized desired will be set
+	// with the information available, which may be an image or a tag.
+	Desired Update `json:"desired"`
+
+	// history contains a list of the most recent versions applied to the cluster.
+	// This value may be empty during cluster startup, and then will be updated
+	// when a new update is being applied. The newest update is first in the
+	// list and it is ordered by recency. Updates in the history have state
+	// Completed if the rollout completed - if an update was failing or halfway
+	// applied the state will be Partial. Only a limited amount of update history
+	// is preserved.
+	// +optional
+	History []UpdateHistory `json:"history,omitempty"`
+
+	// observedGeneration reports which version of the spec is being synced.
+	// If this value is not equal to metadata.generation, then the desired
+	// and conditions fields may represent from a previous version.
+	ObservedGeneration int64 `json:"observedGeneration"`
+
+	// versionHash is a fingerprint of the content that the cluster will be
+	// updated with. It is used by the operator to avoid unnecessary work
+	// and is for internal use only.
+	VersionHash string `json:"versionHash"`
+
+	// conditions provides information about the cluster version. The condition
+	// "Available" is set to true if the desiredUpdate has been reached. The
+	// condition "Progressing" is set to true if an update is being applied.
+	// The condition "Degraded" is set to true if an update is currently blocked
+	// by a temporary or permanent error. Conditions are only valid for the
+	// current desiredUpdate when metadata.generation is equal to
+	// status.generation.
+	// +optional
+	Conditions []ClusterOperatorStatusCondition `json:"conditions,omitempty"`
+
+	// availableUpdates contains the list of updates that are appropriate
+	// for this cluster. This list may be empty if no updates are recommended,
+	// if the update service is unavailable, or if an invalid channel has
+	// been specified.
+	// +nullable
+	AvailableUpdates []Update `json:"availableUpdates"`
+}
+
+// UpdateState is a constant representing whether an update was successfully
+// applied to the cluster or not.
+type UpdateState string
+
+const (
+	// CompletedUpdate indicates an update was successfully applied
+	// to the cluster (all resource updates were successful).
+	CompletedUpdate UpdateState = "Completed"
+	// PartialUpdate indicates an update was never completely applied
+	// or is currently being applied.
+	PartialUpdate UpdateState = "Partial"
+)
+
+// UpdateHistory is a single attempted update to the cluster.
+type UpdateHistory struct {
+	// state reflects whether the update was fully applied. The Partial state
+	// indicates the update is not fully applied, while the Completed state
+	// indicates the update was successfully rolled out at least once (all
+	// parts of the update successfully applied).
+	State UpdateState `json:"state"`
+
+	// startedTime is the time at which the update was started.
+	StartedTime metav1.Time `json:"startedTime"`
+	// completionTime, if set, is when the update was fully applied. The update
+	// that is currently being applied will have a null completion time.
+	// Completion time will always be set for entries that are not the current
+	// update (usually to the started time of the next update).
+	// +nullable
+	CompletionTime *metav1.Time `json:"completionTime"`
+
+	// version is a semantic versioning identifying the update version. If the
+	// requested image does not define a version, or if a failure occurs
+	// retrieving the image, this value may be empty.
+	//
+	// +optional
+	Version string `json:"version"`
+	// image is a container image location that contains the update. This value
+	// is always populated.
+	Image string `json:"image"`
+	// verified indicates whether the provided update was properly verified
+	// before it was installed. If this is false the cluster may not be trusted.
+	Verified bool `json:"verified"`
+}
+
+// ClusterID is string RFC4122 uuid.
+type ClusterID string
+
+// ComponentOverride allows overriding cluster version operator's behavior
+// for a component.
+// +k8s:deepcopy-gen=true
+type ComponentOverride struct {
+	// kind indentifies which object to override.
+	Kind string `json:"kind"`
+	// group identifies the API group that the kind is in.
+	Group string `json:"group"`
+
+	// namespace is the component's namespace. If the resource is cluster
+	// scoped, the namespace should be empty.
+	Namespace string `json:"namespace"`
+	// name is the component's name.
+	Name string `json:"name"`
+
+	// unmanaged controls if cluster version operator should stop managing the
+	// resources in this cluster.
+	// Default: false
+	Unmanaged bool `json:"unmanaged"`
+}
+
+// URL is a thin wrapper around string that ensures the string is a valid URL.
+type URL string
+
+// Update represents a release of the ClusterVersionOperator, referenced by the
+// Image member.
+// +k8s:deepcopy-gen=true
+type Update struct {
+	// version is a semantic versioning identifying the update version. When this
+	// field is part of spec, version is optional if image is specified.
+	//
+	// +optional
+	Version string `json:"version"`
+	// image is a container image location that contains the update. When this
+	// field is part of spec, image is optional if version is specified and the
+	// availableUpdates field contains a matching version.
+	//
+	// +optional
+	Image string `json:"image"`
+	// force allows an administrator to update to an image that has failed
+	// verification, does not appear in the availableUpdates list, or otherwise
+	// would be blocked by normal protections on update. This option should only
+	// be used when the authenticity of the provided image has been verified out
+	// of band because the provided image will run with full administrative access
+	// to the cluster. Do not use this flag with images that comes from unknown
+	// or potentially malicious sources.
+	//
+	// This flag does not override other forms of consistency checking that are
+	// required before a new update is deployed.
+	//
+	// +optional
+	Force bool `json:"force"`
+}
+
+// RetrievedUpdates reports whether available updates have been retrieved from
+// the upstream update server. The condition is Unknown before retrieval, False
+// if the updates could not be retrieved or recently failed, or True if the
+// availableUpdates field is accurate and recent.
+const RetrievedUpdates ClusterStatusConditionType = "RetrievedUpdates"
+
+// ClusterVersionList is a list of ClusterVersion resources.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ClusterVersionList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+
+	Items []ClusterVersion `json:"items"`
+}

vendor/github.com/openshift/api/config/v1/types_console.go

@@ -0,0 +1,63 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Console holds cluster-wide configuration for the web console, including the
+// logout URL, and reports the public URL of the console. The canonical name is
+// `cluster`.
+type Console struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +kubebuilder:validation:Required
+	// +required
+	Spec ConsoleSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status ConsoleStatus `json:"status"`
+}
+
+// ConsoleSpec is the specification of the desired behavior of the Console.
+type ConsoleSpec struct {
+	// +optional
+	Authentication ConsoleAuthentication `json:"authentication"`
+}
+
+// ConsoleStatus defines the observed status of the Console.
+type ConsoleStatus struct {
+	// The URL for the console. This will be derived from the host for the route that
+	// is created for the console.
+	ConsoleURL string `json:"consoleURL"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type ConsoleList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ListMeta `json:"metadata"`
+	Items           []Console `json:"items"`
+}
+
+// ConsoleAuthentication defines a list of optional configuration for console authentication.
+type ConsoleAuthentication struct {
+	// An optional, absolute URL to redirect web browsers to after logging out of
+	// the console. If not specified, it will redirect to the default login page.
+	// This is required when using an identity provider that supports single
+	// sign-on (SSO) such as:
+	// - OpenID (Keycloak, Azure)
+	// - RequestHeader (GSSAPI, SSPI, SAML)
+	// - OAuth (GitHub, GitLab, Google)
+	// Logging out of the console will destroy the user's token. The logoutRedirect
+	// provides the user the option to perform single logout (SLO) through the identity
+	// provider to destroy their single sign-on session.
+	// +optional
+	// +kubebuilder:validation:Pattern=^$|^((https):\/\/?)[^\s()<>]+(?:\([\w\d]+\)|([^[:punct:]\s]|\/?))$
+	LogoutRedirect string `json:"logoutRedirect,omitempty"`
+}

vendor/github.com/openshift/api/config/v1/types_dns.go

@@ -0,0 +1,88 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DNS holds cluster-wide information about DNS. The canonical name is `cluster`
+type DNS struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +kubebuilder:validation:Required
+	// +required
+	Spec DNSSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status DNSStatus `json:"status"`
+}
+
+type DNSSpec struct {
+	// baseDomain is the base domain of the cluster. All managed DNS records will
+	// be sub-domains of this base.
+	//
+	// For example, given the base domain `openshift.example.com`, an API server
+	// DNS record may be created for `cluster-api.openshift.example.com`.
+	//
+	// Once set, this field cannot be changed.
+	BaseDomain string `json:"baseDomain"`
+	// publicZone is the location where all the DNS records that are publicly accessible to
+	// the internet exist.
+	//
+	// If this field is nil, no public records should be created.
+	//
+	// Once set, this field cannot be changed.
+	//
+	// +optional
+	PublicZone *DNSZone `json:"publicZone,omitempty"`
+	// privateZone is the location where all the DNS records that are only available internally
+	// to the cluster exist.
+	//
+	// If this field is nil, no private records should be created.
+	//
+	// Once set, this field cannot be changed.
+	//
+	// +optional
+	PrivateZone *DNSZone `json:"privateZone,omitempty"`
+}
+
+// DNSZone is used to define a DNS hosted zone.
+// A zone can be identified by an ID or tags.
+type DNSZone struct {
+	// id is the identifier that can be used to find the DNS hosted zone.
+	//
+	// on AWS zone can be fetched using `ID` as id in [1]
+	// on Azure zone can be fetched using `ID` as a pre-determined name in [2],
+	// on GCP zone can be fetched using `ID` as a pre-determined name in [3].
+	//
+	// [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options
+	// [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show
+	// [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get
+	// +optional
+	ID string `json:"id,omitempty"`
+
+	// tags can be used to query the DNS hosted zone.
+	//
+	// on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters,
+	//
+	// [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options
+	// +optional
+	Tags map[string]string `json:"tags,omitempty"`
+}
+
+type DNSStatus struct {
+	// dnsSuffix (service-ca amongst others)
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type DNSList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ListMeta `json:"metadata"`
+	Items           []DNS `json:"items"`
+}

vendor/github.com/openshift/api/config/v1/types_feature.go

@@ -0,0 +1,118 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Feature holds cluster-wide information about feature gates.  The canonical name is `cluster`
+type FeatureGate struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +kubebuilder:validation:Required
+	// +required
+	Spec FeatureGateSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status FeatureGateStatus `json:"status"`
+}
+
+type FeatureSet string
+
+var (
+	// Default feature set that allows upgrades.
+	Default FeatureSet = ""
+
+	// TechPreviewNoUpgrade turns on tech preview features that are not part of the normal supported platform. Turning
+	// this feature set on CANNOT BE UNDONE and PREVENTS UPGRADES.
+	TechPreviewNoUpgrade FeatureSet = "TechPreviewNoUpgrade"
+
+	// CustomNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES.
+	// Because of its nature, this setting cannot be validated.  If you have any typos or accidentally apply invalid combinations
+	// your cluster may fail in an unrecoverable way.
+	CustomNoUpgrade FeatureSet = "CustomNoUpgrade"
+)
+
+type FeatureGateSpec struct {
+	FeatureGateSelection `json:",inline"`
+}
+
+// +union
+type FeatureGateSelection struct {
+	// featureSet changes the list of features in the cluster.  The default is empty.  Be very careful adjusting this setting.
+	// Turning on or off features may cause irreversible changes in your cluster which cannot be undone.
+	// +unionDiscriminator
+	// +optional
+	FeatureSet FeatureSet `json:"featureSet,omitempty"`
+
+	// customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES.
+	// Because of its nature, this setting cannot be validated.  If you have any typos or accidentally apply invalid combinations
+	// your cluster may fail in an unrecoverable way.  featureSet must equal "CustomNoUpgrade" must be set to use this field.
+	// +optional
+	// +nullable
+	CustomNoUpgrade *CustomFeatureGates `json:"customNoUpgrade,omitempty"`
+}
+
+type CustomFeatureGates struct {
+	// enabled is a list of all feature gates that you want to force on
+	// +optional
+	Enabled []string `json:"enabled,omitempty"`
+	// disabled is a list of all feature gates that you want to force off
+	// +optional
+	Disabled []string `json:"disabled,omitempty"`
+}
+
+type FeatureGateStatus struct {
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type FeatureGateList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ListMeta `json:"metadata"`
+	Items           []FeatureGate `json:"items"`
+}
+
+type FeatureGateEnabledDisabled struct {
+	Enabled  []string
+	Disabled []string
+}
+
+// FeatureSets Contains a map of Feature names to Enabled/Disabled Feature.
+//
+// NOTE: The caller needs to make sure to check for the existence of the value
+// using golang's existence field. A possible scenario is an upgrade where new
+// FeatureSets are added and a controller has not been upgraded with a newer
+// version of this file. In this upgrade scenario the map could return nil.
+//
+// example:
+//   if featureSet, ok := FeatureSets["SomeNewFeature"]; ok { }
+//
+// If you put an item in either of these lists, put your area and name on it so we can find owners.
+var FeatureSets = map[FeatureSet]*FeatureGateEnabledDisabled{
+	Default: {
+		Enabled: []string{
+			"ExperimentalCriticalPodAnnotation", // sig-pod, sjenning
+			"RotateKubeletServerCertificate",    // sig-pod, sjenning
+			"SupportPodPidsLimit",               // sig-pod, sjenning
+		},
+		Disabled: []string{
+			"LocalStorageCapacityIsolation", // sig-pod, sjenning
+		},
+	},
+	TechPreviewNoUpgrade: {
+		Enabled: []string{
+			"ExperimentalCriticalPodAnnotation", // sig-pod, sjenning
+			"RotateKubeletServerCertificate",    // sig-pod, sjenning
+			"SupportPodPidsLimit",               // sig-pod, sjenning
+		},
+		Disabled: []string{
+			"LocalStorageCapacityIsolation", // sig-pod, sjenning
+		},
+	},
+}

vendor/github.com/openshift/api/config/v1/types_image.go

@@ -0,0 +1,111 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Image holds cluster-wide information about how to handle images.  The canonical name is `cluster`
+type Image struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +kubebuilder:validation:Required
+	// +required
+	Spec ImageSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status ImageStatus `json:"status"`
+}
+
+type ImageSpec struct {
+	// AllowedRegistriesForImport limits the container image registries that normal users may import
+	// images from. Set this list to the registries that you trust to contain valid Docker
+	// images and that you want applications to be able to import from. Users with
+	// permission to create Images or ImageStreamMappings via the API are not affected by
+	// this policy - typically only administrators or system integrations will have those
+	// permissions.
+	// +optional
+	AllowedRegistriesForImport []RegistryLocation `json:"allowedRegistriesForImport,omitempty"`
+
+	// externalRegistryHostnames provides the hostnames for the default external image
+	// registry. The external hostname should be set only when the image registry
+	// is exposed externally. The first value is used in 'publicDockerImageRepository'
+	// field in ImageStreams. The value must be in "hostname[:port]" format.
+	// +optional
+	ExternalRegistryHostnames []string `json:"externalRegistryHostnames,omitempty"`
+
+	// AdditionalTrustedCA is a reference to a ConfigMap containing additional CAs that
+	// should be trusted during imagestream import, pod image pull, and imageregistry
+	// pullthrough.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	AdditionalTrustedCA ConfigMapNameReference `json:"additionalTrustedCA"`
+
+	// RegistrySources contains configuration that determines how the container runtime
+	// should treat individual registries when accessing images for builds+pods. (e.g.
+	// whether or not to allow insecure access).  It does not contain configuration for the
+	// internal cluster registry.
+	// +optional
+	RegistrySources RegistrySources `json:"registrySources"`
+}
+
+type ImageStatus struct {
+
+	// this value is set by the image registry operator which controls the internal registry hostname
+	// InternalRegistryHostname sets the hostname for the default internal image
+	// registry. The value must be in "hostname[:port]" format.
+	// For backward compatibility, users can still use OPENSHIFT_DEFAULT_REGISTRY
+	// environment variable but this setting overrides the environment variable.
+	// +optional
+	InternalRegistryHostname string `json:"internalRegistryHostname,omitempty"`
+
+	// externalRegistryHostnames provides the hostnames for the default external image
+	// registry. The external hostname should be set only when the image registry
+	// is exposed externally. The first value is used in 'publicDockerImageRepository'
+	// field in ImageStreams. The value must be in "hostname[:port]" format.
+	// +optional
+	ExternalRegistryHostnames []string `json:"externalRegistryHostnames,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type ImageList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ListMeta `json:"metadata"`
+	Items           []Image `json:"items"`
+}
+
+// RegistryLocation contains a location of the registry specified by the registry domain
+// name. The domain name might include wildcards, like '*' or '??'.
+type RegistryLocation struct {
+	// DomainName specifies a domain name for the registry
+	// In case the registry use non-standard (80 or 443) port, the port should be included
+	// in the domain name as well.
+	DomainName string `json:"domainName"`
+	// Insecure indicates whether the registry is secure (https) or insecure (http)
+	// By default (if not specified) the registry is assumed as secure.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+}
+
+// RegistrySources holds cluster-wide information about how to handle the registries config.
+type RegistrySources struct {
+	// InsecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections.
+	// +optional
+	InsecureRegistries []string `json:"insecureRegistries,omitempty"`
+	// BlockedRegistries are blacklisted from image pull/push. All other registries are allowed.
+	//
+	// Only one of BlockedRegistries or AllowedRegistries may be set.
+	// +optional
+	BlockedRegistries []string `json:"blockedRegistries,omitempty"`
+	// AllowedRegistries are whitelisted for image pull/push. All other registries are blocked.
+	//
+	// Only one of BlockedRegistries or AllowedRegistries may be set.
+	// +optional
+	AllowedRegistries []string `json:"allowedRegistries,omitempty"`
+}

vendor/github.com/openshift/api/config/v1/types_infrastructure.go

@@ -0,0 +1,210 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Infrastructure holds cluster-wide information about Infrastructure.  The canonical name is `cluster`
+type Infrastructure struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +kubebuilder:validation:Required
+	// +required
+	Spec InfrastructureSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status InfrastructureStatus `json:"status"`
+}
+
+// InfrastructureSpec contains settings that apply to the cluster infrastructure.
+type InfrastructureSpec struct {
+	// cloudConfig is a reference to a ConfigMap containing the cloud provider configuration file.
+	// This configuration file is used to configure the Kubernetes cloud provider integration
+	// when using the built-in cloud provider integration or the external cloud controller manager.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	CloudConfig ConfigMapFileReference `json:"cloudConfig"`
+}
+
+// InfrastructureStatus describes the infrastructure the cluster is leveraging.
+type InfrastructureStatus struct {
+	// infrastructureName uniquely identifies a cluster with a human friendly name.
+	// Once set it should not be changed. Must be of max length 27 and must have only
+	// alphanumeric or hyphen characters.
+	InfrastructureName string `json:"infrastructureName"`
+
+	// platform is the underlying infrastructure provider for the cluster.
+	//
+	// Deprecated: Use platformStatus.type instead.
+	Platform PlatformType `json:"platform,omitempty"`
+
+	// platformStatus holds status information specific to the underlying
+	// infrastructure provider.
+	// +optional
+	PlatformStatus *PlatformStatus `json:"platformStatus,omitempty"`
+
+	// etcdDiscoveryDomain is the domain used to fetch the SRV records for discovering
+	// etcd servers and clients.
+	// For more info: https://github.com/etcd-io/etcd/blob/329be66e8b3f9e2e6af83c123ff89297e49ebd15/Documentation/op-guide/clustering.md#dns-discovery
+	EtcdDiscoveryDomain string `json:"etcdDiscoveryDomain"`
+
+	// apiServerURL is a valid URI with scheme(http/https), address and
+	// port.  apiServerURL can be used by components like the web console
+	// to tell users where to find the Kubernetes API.
+	APIServerURL string `json:"apiServerURL"`
+
+	// apiServerInternalURL is a valid URI with scheme(http/https),
+	// address and port.  apiServerInternalURL can be used by components
+	// like kubelets, to contact the Kubernetes API server using the
+	// infrastructure provider rather than Kubernetes networking.
+	APIServerInternalURL string `json:"apiServerInternalURI"`
+}
+
+// PlatformType is a specific supported infrastructure provider.
+type PlatformType string
+
+const (
+	// AWSPlatformType represents Amazon Web Services infrastructure.
+	AWSPlatformType PlatformType = "AWS"
+
+	// AzurePlatformType represents Microsoft Azure infrastructure.
+	AzurePlatformType PlatformType = "Azure"
+
+	// BareMetalPlatformType represents managed bare metal infrastructure.
+	BareMetalPlatformType PlatformType = "BareMetal"
+
+	// GCPPlatformType represents Google Cloud Platform infrastructure.
+	GCPPlatformType PlatformType = "GCP"
+
+	// LibvirtPlatformType represents libvirt infrastructure.
+	LibvirtPlatformType PlatformType = "Libvirt"
+
+	// OpenStackPlatformType represents OpenStack infrastructure.
+	OpenStackPlatformType PlatformType = "OpenStack"
+
+	// NonePlatformType means there is no infrastructure provider.
+	NonePlatformType PlatformType = "None"
+
+	// VSpherePlatformType represents VMWare vSphere infrastructure.
+	VSpherePlatformType PlatformType = "VSphere"
+
+	// OvirtPlatformType represents oVirt/RHV infrastructure.
+	OvirtPlatformType PlatformType = "oVirt"
+)
+
+// PlatformStatus holds the current status specific to the underlying infrastructure provider
+// of the current cluster. Since these are used at status-level for the underlying cluster, it
+// is supposed that only one of the status structs is set.
+type PlatformStatus struct {
+	// type is the underlying infrastructure provider for the cluster. This
+	// value controls whether infrastructure automation such as service load
+	// balancers, dynamic volume provisioning, machine creation and deletion, and
+	// other integrations are enabled. If None, no infrastructure automation is
+	// enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt",
+	// "OpenStack", "VSphere", "oVirt", and "None". Individual components may not support
+	// all platforms, and must handle unrecognized platforms as None if they do
+	// not support that platform.
+	Type PlatformType `json:"type"`
+
+	// AWS contains settings specific to the Amazon Web Services infrastructure provider.
+	// +optional
+	AWS *AWSPlatformStatus `json:"aws,omitempty"`
+
+	// Azure contains settings specific to the Azure infrastructure provider.
+	// +optional
+	Azure *AzurePlatformStatus `json:"azure,omitempty"`
+
+	// GCP contains settings specific to the Google Cloud Platform infrastructure provider.
+	// +optional
+	GCP *GCPPlatformStatus `json:"gcp,omitempty"`
+
+	// BareMetal contains settings specific to the BareMetal platform.
+	// +optional
+	BareMetal *BareMetalPlatformStatus `json:"baremetal,omitempty"`
+
+	// OpenStack contains settings specific to the OpenStack infrastructure provider.
+	// +optional
+	OpenStack *OpenStackPlatformStatus `json:"openstack,omitempty"`
+}
+
+// AWSPlatformStatus holds the current status of the Amazon Web Services infrastructure provider.
+type AWSPlatformStatus struct {
+	// region holds the default AWS region for new AWS resources created by the cluster.
+	Region string `json:"region"`
+}
+
+// AzurePlatformStatus holds the current status of the Azure infrastructure provider.
+type AzurePlatformStatus struct {
+	// resourceGroupName is the Resource Group for new Azure resources created for the cluster.
+	ResourceGroupName string `json:"resourceGroupName"`
+}
+
+// GCPPlatformStatus holds the current status of the Google Cloud Platform infrastructure provider.
+type GCPPlatformStatus struct {
+	// resourceGroupName is the Project ID for new GCP resources created for the cluster.
+	ProjectID string `json:"projectID"`
+
+	// region holds the region for new GCP resources created for the cluster.
+	Region string `json:"region"`
+}
+
+// BareMetalPlatformStatus holds the current status of the BareMetal infrastructure provider.
+type BareMetalPlatformStatus struct {
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	APIServerInternalIP string `json:"apiServerInternalIP,omitempty"`
+
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	IngressIP string `json:"ingressIP,omitempty"`
+
+	// nodeDNSIP is the IP address for the internal DNS used by the
+	// nodes. Unlike the one managed by the DNS operator, `NodeDNSIP`
+	// provides name resolution for the nodes themselves. There is no DNS-as-a-service for
+	// BareMetal deployments. In order to minimize necessary changes to the
+	// datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames
+	// to the nodes in the cluster.
+	NodeDNSIP string `json:"nodeDNSIP,omitempty"`
+}
+
+// OpenStackPlatformStatus holds the current status of the OpenStack infrastructure provider.
+type OpenStackPlatformStatus struct {
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	APIServerInternalIP string `json:"apiServerInternalIP,omitempty"`
+
+	// cloudName is the name of the desired OpenStack cloud in the
+	// client configuration file (`clouds.yaml`).
+	CloudName string `json:"cloudName,omitempty"`
+
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	IngressIP string `json:"ingressIP,omitempty"`
+
+	// nodeDNSIP is the IP address for the internal DNS used by the
+	// nodes. Unlike the one managed by the DNS operator, `NodeDNSIP`
+	// provides name resolution for the nodes themselves. There is no DNS-as-a-service for
+	// OpenStack deployments. In order to minimize necessary changes to the
+	// datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames
+	// to the nodes in the cluster.
+	NodeDNSIP string `json:"nodeDNSIP,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// InfrastructureList is
+type InfrastructureList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ListMeta `json:"metadata"`
+	Items           []Infrastructure `json:"items"`
+}

vendor/github.com/openshift/api/config/v1/types_ingress.go

@@ -0,0 +1,42 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Ingress holds cluster-wide information about Ingress.  The canonical name is `cluster`
+// TODO this object is an example of a possible grouping and is subject to change or removal
+type Ingress struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +kubebuilder:validation:Required
+	// +required
+	Spec IngressSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status IngressStatus `json:"status"`
+}
+
+type IngressSpec struct {
+	// domain is used to generate a default host name for a route when the
+	// route's host name is empty.  The generated host name will follow this
+	// pattern: "<route-name>.<route-namespace>.<domain>".
+	Domain string `json:"domain"`
+}
+
+type IngressStatus struct {
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type IngressList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ListMeta `json:"metadata"`
+	Items           []Ingress `json:"items"`
+}

vendor/github.com/openshift/api/config/v1/types_network.go

@@ -0,0 +1,117 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Network holds cluster-wide information about Network.  The canonical name is `cluster`
+// TODO this object is an example of a possible grouping and is subject to change or removal
+type Network struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration.
+	// +kubebuilder:validation:Required
+	// +required
+	Spec NetworkSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status NetworkStatus `json:"status"`
+}
+
+// NetworkSpec is the desired network configuration.
+// As a general rule, this SHOULD NOT be read directly. Instead, you should
+// consume the NetworkStatus, as it indicates the currently deployed configuration.
+// Currently, changing ClusterNetwork, ServiceNetwork, or NetworkType after
+// installation is not supported.
+type NetworkSpec struct {
+	// IP address pool to use for pod IPs.
+	ClusterNetwork []ClusterNetworkEntry `json:"clusterNetwork"`
+
+	// IP address pool for services.
+	// Currently, we only support a single entry here.
+	ServiceNetwork []string `json:"serviceNetwork"`
+
+	// NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN).
+	// This should match a value that the cluster-network-operator understands,
+	// or else no networking will be installed.
+	// Currently supported values are:
+	// - OpenShiftSDN
+	NetworkType string `json:"networkType"`
+
+	// externalIP defines configuration for controllers that
+	// affect Service.ExternalIP
+	// +optional
+	ExternalIP *ExternalIPConfig `json:"externalIP,omitempty"`
+}
+
+// NetworkStatus is the current network configuration.
+type NetworkStatus struct {
+	// IP address pool to use for pod IPs.
+	ClusterNetwork []ClusterNetworkEntry `json:"clusterNetwork,omitempty"`
+
+	// IP address pool for services.
+	// Currently, we only support a single entry here.
+	ServiceNetwork []string `json:"serviceNetwork,omitempty"`
+
+	// NetworkType is the plugin that is deployed (e.g. OpenShiftSDN).
+	NetworkType string `json:"networkType,omitempty"`
+
+	// ClusterNetworkMTU is the MTU for inter-pod networking.
+	ClusterNetworkMTU int `json:"clusterNetworkMTU,omitempty"`
+}
+
+// ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs
+// are allocated.
+type ClusterNetworkEntry struct {
+	// The complete block for pod IPs.
+	CIDR string `json:"cidr"`
+
+	// The size (prefix) of block to allocate to each node.
+	HostPrefix uint32 `json:"hostPrefix"`
+}
+
+// ExternalIPConfig specifies some IP blocks relevant for the ExternalIP field
+// of a Service resource.
+type ExternalIPConfig struct {
+	// policy is a set of restrictions applied to the ExternalIP field.
+	// If nil, any value is allowed for an ExternalIP. If the empty/zero
+	// policy is supplied, then ExternalIP is not allowed to be set.
+	// +optional
+	Policy *ExternalIPPolicy `json:"policy,omitempty"`
+
+	// autoAssignCIDRs is a list of CIDRs from which to automatically assign
+	// Service.ExternalIP. These are assigned when the service is of type
+	// LoadBalancer. In general, this is only useful for bare-metal clusters.
+	// In Openshift 3.x, this was misleadingly called "IngressIPs".
+	// Automatically assigned External IPs are not affected by any
+	// ExternalIPPolicy rules.
+	// Currently, only one entry may be provided.
+	// +optional
+	AutoAssignCIDRs []string `json:"autoAssignCIDRs,omitempty"`
+}
+
+// ExternalIPPolicy configures exactly which IPs are allowed for the ExternalIP
+// field in a Service. If the zero struct is supplied, then none are permitted.
+// The policy controller always allows automatically assigned external IPs.
+type ExternalIPPolicy struct {
+	// allowedCIDRs is the list of allowed CIDRs.
+	AllowedCIDRs []string `json:"allowedCIDRs,omitempty"`
+
+	// rejectedCIDRs is the list of disallowed CIDRs. These take precedence
+	// over allowedCIDRs.
+	// +optional
+	RejectedCIDRs []string `json:"rejectedCIDRs,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type NetworkList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ListMeta `json:"metadata"`
+	Items           []Network `json:"items"`
+}

vendor/github.com/openshift/api/config/v1/types_oauth.go

@@ -0,0 +1,557 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// OAuth Server and Identity Provider Config
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// OAuth holds cluster-wide information about OAuth.  The canonical name is `cluster`.
+// It is used to configure the integrated OAuth server.
+// This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth.
+type OAuth struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+
+	// +kubebuilder:validation:Required
+	// +required
+	Spec OAuthSpec `json:"spec"`
+	// +optional
+	Status OAuthStatus `json:"status"`
+}
+
+// OAuthSpec contains desired cluster auth configuration
+type OAuthSpec struct {
+	// identityProviders is an ordered list of ways for a user to identify themselves.
+	// When this list is empty, no identities are provisioned for users.
+	// +optional
+	IdentityProviders []IdentityProvider `json:"identityProviders,omitempty"`
+
+	// tokenConfig contains options for authorization and access tokens
+	TokenConfig TokenConfig `json:"tokenConfig"`
+
+	// templates allow you to customize pages like the login page.
+	// +optional
+	Templates OAuthTemplates `json:"templates"`
+}
+
+// OAuthStatus shows current known state of OAuth server in the cluster
+type OAuthStatus struct {
+	// TODO Fill in with status of identityProviders and templates (and maybe tokenConfig)
+}
+
+// TokenConfig holds the necessary configuration options for authorization and access tokens
+type TokenConfig struct {
+	// accessTokenMaxAgeSeconds defines the maximum age of access tokens
+	AccessTokenMaxAgeSeconds int32 `json:"accessTokenMaxAgeSeconds"`
+
+	// accessTokenInactivityTimeoutSeconds defines the default token
+	// inactivity timeout for tokens granted by any client.
+	// The value represents the maximum amount of time that can occur between
+	// consecutive uses of the token. Tokens become invalid if they are not
+	// used within this temporal window. The user will need to acquire a new
+	// token to regain access once a token times out.
+	// Valid values are integer values:
+	//   x < 0  Tokens time out is enabled but tokens never timeout unless configured per client (e.g. `-1`)
+	//   x = 0  Tokens time out is disabled (default)
+	//   x > 0  Tokens time out if there is no activity for x seconds
+	// The current minimum allowed value for X is 300 (5 minutes)
+	// +optional
+	AccessTokenInactivityTimeoutSeconds int32 `json:"accessTokenInactivityTimeoutSeconds,omitempty"`
+}
+
+const (
+	// LoginTemplateKey is the key of the login template in a secret
+	LoginTemplateKey = "login.html"
+
+	// ProviderSelectionTemplateKey is the key for the provider selection template in a secret
+	ProviderSelectionTemplateKey = "providers.html"
+
+	// ErrorsTemplateKey is the key for the errors template in a secret
+	ErrorsTemplateKey = "errors.html"
+
+	// BindPasswordKey is the key for the LDAP bind password in a secret
+	BindPasswordKey = "bindPassword"
+
+	// ClientSecretKey is the key for the oauth client secret data in a secret
+	ClientSecretKey = "clientSecret"
+
+	// HTPasswdDataKey is the key for the htpasswd file data in a secret
+	HTPasswdDataKey = "htpasswd"
+)
+
+// OAuthTemplates allow for customization of pages like the login page
+type OAuthTemplates struct {
+	// login is the name of a secret that specifies a go template to use to render the login page.
+	// The key "login.html" is used to locate the template data.
+	// If specified and the secret or expected key is not found, the default login page is used.
+	// If the specified template is not valid, the default login page is used.
+	// If unspecified, the default login page is used.
+	// The namespace for this secret is openshift-config.
+	// +optional
+	Login SecretNameReference `json:"login"`
+
+	// providerSelection is the name of a secret that specifies a go template to use to render
+	// the provider selection page.
+	// The key "providers.html" is used to locate the template data.
+	// If specified and the secret or expected key is not found, the default provider selection page is used.
+	// If the specified template is not valid, the default provider selection page is used.
+	// If unspecified, the default provider selection page is used.
+	// The namespace for this secret is openshift-config.
+	// +optional
+	ProviderSelection SecretNameReference `json:"providerSelection"`
+
+	// error is the name of a secret that specifies a go template to use to render error pages
+	// during the authentication or grant flow.
+	// The key "errors.html" is used to locate the template data.
+	// If specified and the secret or expected key is not found, the default error page is used.
+	// If the specified template is not valid, the default error page is used.
+	// If unspecified, the default error page is used.
+	// The namespace for this secret is openshift-config.
+	// +optional
+	Error SecretNameReference `json:"error"`
+}
+
+// IdentityProvider provides identities for users authenticating using credentials
+type IdentityProvider struct {
+	// name is used to qualify the identities returned by this provider.
+	// - It MUST be unique and not shared by any other identity provider used
+	// - It MUST be a valid path segment: name cannot equal "." or ".." or contain "/" or "%" or ":"
+	//   Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName
+	Name string `json:"name"`
+
+	// mappingMethod determines how identities from this provider are mapped to users
+	// Defaults to "claim"
+	// +optional
+	MappingMethod MappingMethodType `json:"mappingMethod,omitempty"`
+
+	IdentityProviderConfig `json:",inline"`
+}
+
+// MappingMethodType specifies how new identities should be mapped to users when they log in
+type MappingMethodType string
+
+const (
+	// MappingMethodClaim provisions a user with the identity’s preferred user name. Fails if a user
+	// with that user name is already mapped to another identity.
+	// Default.
+	MappingMethodClaim MappingMethodType = "claim"
+
+	// MappingMethodLookup looks up existing users already mapped to an identity but does not
+	// automatically provision users or identities. Requires identities and users be set up
+	// manually or using an external process.
+	MappingMethodLookup MappingMethodType = "lookup"
+
+	// MappingMethodAdd provisions a user with the identity’s preferred user name. If a user with
+	// that user name already exists, the identity is mapped to the existing user, adding to any
+	// existing identity mappings for the user.
+	MappingMethodAdd MappingMethodType = "add"
+)
+
+type IdentityProviderType string
+
+const (
+	// IdentityProviderTypeBasicAuth provides identities for users authenticating with HTTP Basic Auth
+	IdentityProviderTypeBasicAuth IdentityProviderType = "BasicAuth"
+
+	// IdentityProviderTypeGitHub provides identities for users authenticating using GitHub credentials
+	IdentityProviderTypeGitHub IdentityProviderType = "GitHub"
+
+	// IdentityProviderTypeGitLab provides identities for users authenticating using GitLab credentials
+	IdentityProviderTypeGitLab IdentityProviderType = "GitLab"
+
+	// IdentityProviderTypeGoogle provides identities for users authenticating using Google credentials
+	IdentityProviderTypeGoogle IdentityProviderType = "Google"
+
+	// IdentityProviderTypeHTPasswd provides identities from an HTPasswd file
+	IdentityProviderTypeHTPasswd IdentityProviderType = "HTPasswd"
+
+	// IdentityProviderTypeKeystone provides identitities for users authenticating using keystone password credentials
+	IdentityProviderTypeKeystone IdentityProviderType = "Keystone"
+
+	// IdentityProviderTypeLDAP provides identities for users authenticating using LDAP credentials
+	IdentityProviderTypeLDAP IdentityProviderType = "LDAP"
+
+	// IdentityProviderTypeOpenID provides identities for users authenticating using OpenID credentials
+	IdentityProviderTypeOpenID IdentityProviderType = "OpenID"
+
+	// IdentityProviderTypeRequestHeader provides identities for users authenticating using request header credentials
+	IdentityProviderTypeRequestHeader IdentityProviderType = "RequestHeader"
+)
+
+// IdentityProviderConfig contains configuration for using a specific identity provider
+type IdentityProviderConfig struct {
+	// type identifies the identity provider type for this entry.
+	Type IdentityProviderType `json:"type"`
+
+	// Provider-specific configuration
+	// The json tag MUST match the `Type` specified above, case-insensitively
+	// e.g. For `Type: "LDAP"`, the `ldap` configuration should be provided
+
+	// basicAuth contains configuration options for the BasicAuth IdP
+	// +optional
+	BasicAuth *BasicAuthIdentityProvider `json:"basicAuth,omitempty"`
+
+	// github enables user authentication using GitHub credentials
+	// +optional
+	GitHub *GitHubIdentityProvider `json:"github,omitempty"`
+
+	// gitlab enables user authentication using GitLab credentials
+	// +optional
+	GitLab *GitLabIdentityProvider `json:"gitlab,omitempty"`
+
+	// google enables user authentication using Google credentials
+	// +optional
+	Google *GoogleIdentityProvider `json:"google,omitempty"`
+
+	// htpasswd enables user authentication using an HTPasswd file to validate credentials
+	// +optional
+	HTPasswd *HTPasswdIdentityProvider `json:"htpasswd,omitempty"`
+
+	// keystone enables user authentication using keystone password credentials
+	// +optional
+	Keystone *KeystoneIdentityProvider `json:"keystone,omitempty"`
+
+	// ldap enables user authentication using LDAP credentials
+	// +optional
+	LDAP *LDAPIdentityProvider `json:"ldap,omitempty"`
+
+	// openID enables user authentication using OpenID credentials
+	// +optional
+	OpenID *OpenIDIdentityProvider `json:"openID,omitempty"`
+
+	// requestHeader enables user authentication using request header credentials
+	// +optional
+	RequestHeader *RequestHeaderIdentityProvider `json:"requestHeader,omitempty"`
+}
+
+// BasicAuthPasswordIdentityProvider provides identities for users authenticating using HTTP basic auth credentials
+type BasicAuthIdentityProvider struct {
+	// OAuthRemoteConnectionInfo contains information about how to connect to the external basic auth server
+	OAuthRemoteConnectionInfo `json:",inline"`
+}
+
+// OAuthRemoteConnectionInfo holds information necessary for establishing a remote connection
+type OAuthRemoteConnectionInfo struct {
+	// url is the remote URL to connect to
+	URL string `json:"url"`
+
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	CA ConfigMapNameReference `json:"ca"`
+
+	// tlsClientCert is an optional reference to a secret by name that contains the
+	// PEM-encoded TLS client certificate to present when connecting to the server.
+	// The key "tls.crt" is used to locate the data.
+	// If specified and the secret or expected key is not found, the identity provider is not honored.
+	// If the specified certificate data is not valid, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	// +optional
+	TLSClientCert SecretNameReference `json:"tlsClientCert"`
+
+	// tlsClientKey is an optional reference to a secret by name that contains the
+	// PEM-encoded TLS private key for the client certificate referenced in tlsClientCert.
+	// The key "tls.key" is used to locate the data.
+	// If specified and the secret or expected key is not found, the identity provider is not honored.
+	// If the specified certificate data is not valid, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	// +optional
+	TLSClientKey SecretNameReference `json:"tlsClientKey"`
+}
+
+// HTPasswdPasswordIdentityProvider provides identities for users authenticating using htpasswd credentials
+type HTPasswdIdentityProvider struct {
+	// fileData is a required reference to a secret by name containing the data to use as the htpasswd file.
+	// The key "htpasswd" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// If the specified htpasswd data is not valid, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	FileData SecretNameReference `json:"fileData"`
+}
+
+// LDAPPasswordIdentityProvider provides identities for users authenticating using LDAP credentials
+type LDAPIdentityProvider struct {
+	// url is an RFC 2255 URL which specifies the LDAP search parameters to use.
+	// The syntax of the URL is:
+	// ldap://host:port/basedn?attribute?scope?filter
+	URL string `json:"url"`
+
+	// bindDN is an optional DN to bind with during the search phase.
+	// +optional
+	BindDN string `json:"bindDN"`
+
+	// bindPassword is an optional reference to a secret by name
+	// containing a password to bind with during the search phase.
+	// The key "bindPassword" is used to locate the data.
+	// If specified and the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	// +optional
+	BindPassword SecretNameReference `json:"bindPassword"`
+
+	// insecure, if true, indicates the connection should not use TLS
+	// WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always
+	//          attempt to connect using TLS, even when `insecure` is set to `true`
+	// When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to
+	// a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830.
+	Insecure bool `json:"insecure"`
+
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	CA ConfigMapNameReference `json:"ca"`
+
+	// attributes maps LDAP attributes to identities
+	Attributes LDAPAttributeMapping `json:"attributes"`
+}
+
+// LDAPAttributeMapping maps LDAP attributes to OpenShift identity fields
+type LDAPAttributeMapping struct {
+	// id is the list of attributes whose values should be used as the user ID. Required.
+	// First non-empty attribute is used. At least one attribute is required. If none of the listed
+	// attribute have a value, authentication fails.
+	// LDAP standard identity attribute is "dn"
+	ID []string `json:"id"`
+
+	// preferredUsername is the list of attributes whose values should be used as the preferred username.
+	// LDAP standard login attribute is "uid"
+	// +optional
+	PreferredUsername []string `json:"preferredUsername,omitempty"`
+
+	// name is the list of attributes whose values should be used as the display name. Optional.
+	// If unspecified, no display name is set for the identity
+	// LDAP standard display name attribute is "cn"
+	// +optional
+	Name []string `json:"name,omitempty"`
+
+	// email is the list of attributes whose values should be used as the email address. Optional.
+	// If unspecified, no email is set for the identity
+	// +optional
+	Email []string `json:"email,omitempty"`
+}
+
+// KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials
+type KeystoneIdentityProvider struct {
+	// OAuthRemoteConnectionInfo contains information about how to connect to the keystone server
+	OAuthRemoteConnectionInfo `json:",inline"`
+
+	// domainName is required for keystone v3
+	DomainName string `json:"domainName"`
+
+	// TODO if we ever add support for 3.11 to 4.0 upgrades, add this configuration
+	// useUsernameIdentity indicates that users should be authenticated by username, not keystone ID
+	// DEPRECATED - only use this option for legacy systems to ensure backwards compatibility
+	// +optional
+	// UseUsernameIdentity bool `json:"useUsernameIdentity"`
+}
+
+// RequestHeaderIdentityProvider provides identities for users authenticating using request header credentials
+type RequestHeaderIdentityProvider struct {
+	// loginURL is a URL to redirect unauthenticated /authorize requests to
+	// Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here
+	// ${url} is replaced with the current URL, escaped to be safe in a query parameter
+	//   https://www.example.com/sso-login?then=${url}
+	// ${query} is replaced with the current query string
+	//   https://www.example.com/auth-proxy/oauth/authorize?${query}
+	// Required when login is set to true.
+	LoginURL string `json:"loginURL"`
+
+	// challengeURL is a URL to redirect unauthenticated /authorize requests to
+	// Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be
+	// redirected here.
+	// ${url} is replaced with the current URL, escaped to be safe in a query parameter
+	//   https://www.example.com/sso-login?then=${url}
+	// ${query} is replaced with the current query string
+	//   https://www.example.com/auth-proxy/oauth/authorize?${query}
+	// Required when challenge is set to true.
+	ChallengeURL string `json:"challengeURL"`
+
+	// ca is a required reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// Specifically, it allows verification of incoming requests to prevent header spoofing.
+	// The key "ca.crt" is used to locate the data.
+	// If the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// The namespace for this config map is openshift-config.
+	ClientCA ConfigMapNameReference `json:"ca"`
+
+	// clientCommonNames is an optional list of common names to require a match from. If empty, any
+	// client certificate validated against the clientCA bundle is considered authoritative.
+	// +optional
+	ClientCommonNames []string `json:"clientCommonNames,omitempty"`
+
+	// headers is the set of headers to check for identity information
+	Headers []string `json:"headers"`
+
+	// preferredUsernameHeaders is the set of headers to check for the preferred username
+	PreferredUsernameHeaders []string `json:"preferredUsernameHeaders"`
+
+	// nameHeaders is the set of headers to check for the display name
+	NameHeaders []string `json:"nameHeaders"`
+
+	// emailHeaders is the set of headers to check for the email address
+	EmailHeaders []string `json:"emailHeaders"`
+}
+
+// GitHubIdentityProvider provides identities for users authenticating using GitHub credentials
+type GitHubIdentityProvider struct {
+	// clientID is the oauth client ID
+	ClientID string `json:"clientID"`
+
+	// clientSecret is a required reference to the secret by name containing the oauth client secret.
+	// The key "clientSecret" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	ClientSecret SecretNameReference `json:"clientSecret"`
+
+	// organizations optionally restricts which organizations are allowed to log in
+	// +optional
+	Organizations []string `json:"organizations,omitempty"`
+
+	// teams optionally restricts which teams are allowed to log in. Format is <org>/<team>.
+	// +optional
+	Teams []string `json:"teams,omitempty"`
+
+	// hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of
+	// GitHub Enterprise.
+	// It must match the GitHub Enterprise settings value configured at /setup/settings#hostname.
+	// +optional
+	Hostname string `json:"hostname"`
+
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// This can only be configured when hostname is set to a non-empty value.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	CA ConfigMapNameReference `json:"ca"`
+}
+
+// GitLabIdentityProvider provides identities for users authenticating using GitLab credentials
+type GitLabIdentityProvider struct {
+	// clientID is the oauth client ID
+	ClientID string `json:"clientID"`
+
+	// clientSecret is a required reference to the secret by name containing the oauth client secret.
+	// The key "clientSecret" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	ClientSecret SecretNameReference `json:"clientSecret"`
+
+	// url is the oauth server base URL
+	URL string `json:"url"`
+
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	CA ConfigMapNameReference `json:"ca"`
+}
+
+// GoogleIdentityProvider provides identities for users authenticating using Google credentials
+type GoogleIdentityProvider struct {
+	// clientID is the oauth client ID
+	ClientID string `json:"clientID"`
+
+	// clientSecret is a required reference to the secret by name containing the oauth client secret.
+	// The key "clientSecret" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	ClientSecret SecretNameReference `json:"clientSecret"`
+
+	// hostedDomain is the optional Google App domain (e.g. "mycompany.com") to restrict logins to
+	// +optional
+	HostedDomain string `json:"hostedDomain"`
+}
+
+// OpenIDIdentityProvider provides identities for users authenticating using OpenID credentials
+type OpenIDIdentityProvider struct {
+	// clientID is the oauth client ID
+	ClientID string `json:"clientID"`
+
+	// clientSecret is a required reference to the secret by name containing the oauth client secret.
+	// The key "clientSecret" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	ClientSecret SecretNameReference `json:"clientSecret"`
+
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// The namespace for this config map is openshift-config.
+	// +optional
+	CA ConfigMapNameReference `json:"ca"`
+
+	// extraScopes are any scopes to request in addition to the standard "openid" scope.
+	// +optional
+	ExtraScopes []string `json:"extraScopes,omitempty"`
+
+	// extraAuthorizeParameters are any custom parameters to add to the authorize request.
+	// +optional
+	ExtraAuthorizeParameters map[string]string `json:"extraAuthorizeParameters,omitempty"`
+
+	// issuer is the URL that the OpenID Provider asserts as its Issuer Identifier.
+	// It must use the https scheme with no query or fragment component.
+	Issuer string `json:"issuer"`
+
+	// claims mappings
+	Claims OpenIDClaims `json:"claims"`
+}
+
+// UserIDClaim is the claim used to provide a stable identifier for OIDC identities.
+// Per http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
+//  "The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can
+//   rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique
+//   and never reassigned within the Issuer for a particular End-User, as described in Section 2.
+//   Therefore, the only guaranteed unique identifier for a given End-User is the combination of the
+//   iss Claim and the sub Claim."
+const UserIDClaim = "sub"
+
+// OpenIDClaims contains a list of OpenID claims to use when authenticating with an OpenID identity provider
+type OpenIDClaims struct {
+	// preferredUsername is the list of claims whose values should be used as the preferred username.
+	// If unspecified, the preferred username is determined from the value of the sub claim
+	// +optional
+	PreferredUsername []string `json:"preferredUsername,omitempty"`
+
+	// name is the list of claims whose values should be used as the display name. Optional.
+	// If unspecified, no display name is set for the identity
+	// +optional
+	Name []string `json:"name,omitempty"`
+
+	// email is the list of claims whose values should be used as the email address. Optional.
+	// If unspecified, no email is set for the identity
+	// +optional
+	Email []string `json:"email,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type OAuthList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+
+	Items []OAuth `json:"items"`
+}

vendor/github.com/openshift/api/config/v1/types_operatorhub.go

@@ -0,0 +1,69 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OperatorHubSpec defines the desired state of OperatorHub
+type OperatorHubSpec struct {
+	// sources is the list of default hub sources and their configuration.
+	// If the list is empty, it indicates that the default hub sources are
+	// enabled on the cluster. The list of default hub sources and their
+	// current state will always be reflected in the status block.
+	// +optional
+	Sources []HubSource `json:"sources,omitempty"`
+}
+
+// OperatorHubStatus defines the observed state of OperatorHub. The current
+// state of the default hub sources will always be reflected here.
+type OperatorHubStatus struct {
+	// sources encapsulates the result of applying the configuration for each
+	// hub source
+	Sources []HubSourceStatus `json:"sources,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// OperatorHub is the Schema for the operatorhubs API. It can be used to change
+// the state of the default hub sources for OperatorHub on the cluster from
+// enabled to disabled and vice versa.
+// +kubebuilder:subresource:status
+// +genclient:nonNamespaced
+type OperatorHub struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec   OperatorHubSpec   `json:"spec"`
+	Status OperatorHubStatus `json:"status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// OperatorHubList contains a list of OperatorHub
+type OperatorHubList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []OperatorHub `json:"items"`
+}
+
+// HubSource is used to specify the hub source and its configuration
+type HubSource struct {
+	// name is the name of one of the default hub sources
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:Required
+	Name string `json:"name"`
+	// disabled is used to disable a default hub source on cluster
+	// +kubebuilder:Required
+	Disabled bool `json:"disabled"`
+}
+
+// HubSourceStatus is used to reflect the current state of applying the
+// configuration to a default source
+type HubSourceStatus struct {
+	HubSource
+	// status indicates success or failure in applying the configuration
+	Status string `json:"status"`
+	// message provides more information regarding failures
+	Message string `json:"message,omitempty"`
+}

vendor/github.com/openshift/api/config/v1/types_project.go

@@ -0,0 +1,55 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Project holds cluster-wide information about Project.  The canonical name is `cluster`
+type Project struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +kubebuilder:validation:Required
+	// +required
+	Spec ProjectSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status ProjectStatus `json:"status"`
+}
+
+// TemplateReference references a template in a specific namespace.
+// The namespace must be specified at the point of use.
+type TemplateReference struct {
+	// name is the metadata.name of the referenced project request template
+	Name string `json:"name"`
+}
+
+// ProjectSpec holds the project creation configuration.
+type ProjectSpec struct {
+	// projectRequestMessage is the string presented to a user if they are unable to request a project via the projectrequest api endpoint
+	// +optional
+	ProjectRequestMessage string `json:"projectRequestMessage"`
+
+	// projectRequestTemplate is the template to use for creating projects in response to projectrequest.
+	// This must point to a template in 'openshift-config' namespace. It is optional.
+	// If it is not specified, a default template is used.
+	//
+	// +optional
+	ProjectRequestTemplate TemplateReference `json:"projectRequestTemplate"`
+}
+
+type ProjectStatus struct {
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type ProjectList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ListMeta `json:"metadata"`
+	Items           []Project `json:"items"`
+}

vendor/github.com/openshift/api/config/v1/types_proxy.go

@@ -0,0 +1,89 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Proxy holds cluster-wide information on how to configure default proxies for the cluster. The canonical name is `cluster`
+type Proxy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	// Spec holds user-settable values for the proxy configuration
+	// +kubebuilder:validation:Required
+	// +required
+	Spec ProxySpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status ProxyStatus `json:"status"`
+}
+
+// ProxySpec contains cluster proxy creation configuration.
+type ProxySpec struct {
+	// httpProxy is the URL of the proxy for HTTP requests.  Empty means unset and will not result in an env var.
+	// +optional
+	HTTPProxy string `json:"httpProxy,omitempty"`
+
+	// httpsProxy is the URL of the proxy for HTTPS requests.  Empty means unset and will not result in an env var.
+	// +optional
+	HTTPSProxy string `json:"httpsProxy,omitempty"`
+
+	// noProxy is a comma-separated list of hostnames and/or CIDRs for which the proxy should not be used.
+	// Empty means unset and will not result in an env var.
+	// +optional
+	NoProxy string `json:"noProxy,omitempty"`
+
+	// readinessEndpoints is a list of endpoints used to verify readiness of the proxy.
+	// +optional
+	ReadinessEndpoints []string `json:"readinessEndpoints,omitempty"`
+
+	// trustedCA is a reference to a ConfigMap containing a CA certificate bundle used
+	// for client egress HTTPS connections. The certificate bundle must be from the CA
+	// that signed the proxy's certificate and be signed for everything. The trustedCA
+	// field should only be consumed by a proxy validator. The validator is responsible
+	// for reading the certificate bundle from required key "ca-bundle.crt" and copying
+	// it to a ConfigMap named "trusted-ca-bundle" in the "openshift-config-managed"
+	// namespace. The namespace for the ConfigMap referenced by trustedCA is
+	// "openshift-config". Here is an example ConfigMap (in yaml):
+	//
+	// apiVersion: v1
+	// kind: ConfigMap
+	// metadata:
+	//  name: user-ca-bundle
+	//  namespace: openshift-config
+	//  data:
+	//    ca-bundle.crt: |
+	//      -----BEGIN CERTIFICATE-----
+	//      Custom CA certificate bundle.
+	//      -----END CERTIFICATE-----
+	//
+	// +optional
+	TrustedCA ConfigMapNameReference `json:"trustedCA,omitempty"`
+}
+
+// ProxyStatus shows current known state of the cluster proxy.
+type ProxyStatus struct {
+	// httpProxy is the URL of the proxy for HTTP requests.
+	// +optional
+	HTTPProxy string `json:"httpProxy,omitempty"`
+
+	// httpsProxy is the URL of the proxy for HTTPS requests.
+	// +optional
+	HTTPSProxy string `json:"httpsProxy,omitempty"`
+
+	// noProxy is a comma-separated list of hostnames and/or CIDRs for which the proxy should not be used.
+	// +optional
+	NoProxy string `json:"noProxy,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type ProxyList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ListMeta `json:"metadata"`
+	Items           []Proxy `json:"items"`
+}

vendor/github.com/openshift/api/config/v1/types_scheduling.go

@@ -0,0 +1,75 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Scheduler holds cluster-wide config information to run the Kubernetes Scheduler
+// and influence its placement decisions. The canonical name for this config is `cluster`.
+type Scheduler struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec holds user settable values for configuration
+	// +kubebuilder:validation:Required
+	// +required
+	Spec SchedulerSpec `json:"spec"`
+	// status holds observed values from the cluster. They may not be overridden.
+	// +optional
+	Status SchedulerStatus `json:"status"`
+}
+
+type SchedulerSpec struct {
+	// policy is a reference to a ConfigMap containing scheduler policy which has
+	// user specified predicates and priorities. If this ConfigMap is not available
+	// scheduler will default to use DefaultAlgorithmProvider.
+	// The namespace for this configmap is openshift-config.
+	// +optional
+	Policy ConfigMapNameReference `json:"policy"`
+	// defaultNodeSelector helps set the cluster-wide default node selector to
+	// restrict pod placement to specific nodes. This is applied to the pods
+	// created in all namespaces without a specified nodeSelector value.
+	// For example,
+	// defaultNodeSelector: "type=user-node,region=east" would set nodeSelector
+	// field in pod spec to "type=user-node,region=east" to all pods created
+	// in all namespaces. Namespaces having project-wide node selectors won't be
+	// impacted even if this field is set. This adds an annotation section to
+	// the namespace.
+	// For example, if a new namespace is created with
+	// node-selector='type=user-node,region=east',
+	// the annotation openshift.io/node-selector: type=user-node,region=east
+	// gets added to the project. When the openshift.io/node-selector annotation
+	// is set on the project the value is used in preference to the value we are setting
+	// for defaultNodeSelector field.
+	// For instance,
+	// openshift.io/node-selector: "type=user-node,region=west" means
+	// that the default of "type=user-node,region=east" set in defaultNodeSelector
+	// would not be applied.
+	// +optional
+	DefaultNodeSelector string `json:"defaultNodeSelector,omitempty"`
+	// MastersSchedulable allows masters nodes to be schedulable. When this flag is
+	// turned on, all the master nodes in the cluster will be made schedulable,
+	// so that workload pods can run on them. The default value for this field is false,
+	// meaning none of the master nodes are schedulable.
+	// Important Note: Once the workload pods start running on the master nodes,
+	// extreme care must be taken to ensure that cluster-critical control plane components
+	// are not impacted.
+	// Please turn on this field after doing due diligence.
+	// +optional
+	MastersSchedulable bool `json:"mastersSchedulable"`
+}
+
+type SchedulerStatus struct {
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type SchedulerList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ListMeta `json:"metadata"`
+	Items           []Scheduler `json:"items"`
+}

vendor/k8s.io/api/core/v1/generated.proto

@@ -275,7 +275,7 @@ message Capabilities {
 // Cephfs volumes do not support ownership management or SELinux relabeling.
 message CephFSPersistentVolumeSource {
   // Required: Monitors is a collection of Ceph monitors
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
   repeated string monitors = 1;
 
   // Optional: Used as the mounted root, rather than the full Ceph tree, default is /
@@ -283,23 +283,23 @@ message CephFSPersistentVolumeSource {
   optional string path = 2;
 
   // Optional: User is the rados user name, default is admin
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
   // +optional
   optional string user = 3;
 
   // Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
   // +optional
   optional string secretFile = 4;
 
   // Optional: SecretRef is reference to the authentication secret for User, default is empty.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
   // +optional
   optional SecretReference secretRef = 5;
 
   // Optional: Defaults to false (read/write). ReadOnly here will force
   // the ReadOnly setting in VolumeMounts.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
   // +optional
   optional bool readOnly = 6;
 }
@@ -308,7 +308,7 @@ message CephFSPersistentVolumeSource {
 // Cephfs volumes do not support ownership management or SELinux relabeling.
 message CephFSVolumeSource {
   // Required: Monitors is a collection of Ceph monitors
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
   repeated string monitors = 1;
 
   // Optional: Used as the mounted root, rather than the full Ceph tree, default is /
@@ -316,23 +316,23 @@ message CephFSVolumeSource {
   optional string path = 2;
 
   // Optional: User is the rados user name, default is admin
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
   // +optional
   optional string user = 3;
 
   // Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
   // +optional
   optional string secretFile = 4;
 
   // Optional: SecretRef is reference to the authentication secret for User, default is empty.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
   // +optional
   optional LocalObjectReference secretRef = 5;
 
   // Optional: Defaults to false (read/write). ReadOnly here will force
   // the ReadOnly setting in VolumeMounts.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
   // +optional
   optional bool readOnly = 6;
 }
@@ -342,20 +342,20 @@ message CephFSVolumeSource {
 // The volume must also be in the same region as the kubelet.
 // Cinder volumes support ownership management and SELinux relabeling.
 message CinderPersistentVolumeSource {
-  // volume id used to identify the volume in cinder
+  // volume id used to identify the volume in cinder.
-  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  // More info: https://examples.k8s.io/mysql-cinder-pd/README.md
   optional string volumeID = 1;
 
   // Filesystem type to mount.
   // Must be a filesystem type supported by the host operating system.
   // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  // More info: https://examples.k8s.io/mysql-cinder-pd/README.md
   // +optional
   optional string fsType = 2;
 
   // Optional: Defaults to false (read/write). ReadOnly here will force
   // the ReadOnly setting in VolumeMounts.
-  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  // More info: https://examples.k8s.io/mysql-cinder-pd/README.md
   // +optional
   optional bool readOnly = 3;
 
@@ -370,20 +370,20 @@ message CinderPersistentVolumeSource {
 // The volume must also be in the same region as the kubelet.
 // Cinder volumes support ownership management and SELinux relabeling.
 message CinderVolumeSource {
-  // volume id used to identify the volume in cinder
+  // volume id used to identify the volume in cinder.
-  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  // More info: https://examples.k8s.io/mysql-cinder-pd/README.md
   optional string volumeID = 1;
 
   // Filesystem type to mount.
   // Must be a filesystem type supported by the host operating system.
   // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  // More info: https://examples.k8s.io/mysql-cinder-pd/README.md
   // +optional
   optional string fsType = 2;
 
   // Optional: Defaults to false (read/write). ReadOnly here will force
   // the ReadOnly setting in VolumeMounts.
-  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  // More info: https://examples.k8s.io/mysql-cinder-pd/README.md
   // +optional
   optional bool readOnly = 3;
 
@@ -1141,6 +1141,179 @@ message EnvVarSource {
   optional SecretKeySelector secretKeyRef = 4;
 }
 
+// An EphemeralContainer is a special type of container which doesn't come with any resource
+// or scheduling guarantees but can be added to a pod that has already been created. They are
+// intended for user-initiated activities such as troubleshooting a running pod.
+// Ephemeral containers will not be restarted when they exit, and they will be killed if the
+// pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource
+// allocation, the pod may be evicted.
+// Ephemeral containers are added via a pod's ephemeralcontainers subresource and will appear
+// in the pod spec once added. No fields in EphemeralContainer may be changed once added.
+// This is an alpha feature enabled by the EphemeralContainers feature flag.
+message EphemeralContainer {
+  optional EphemeralContainerCommon ephemeralContainerCommon = 1;
+
+  // If set, the name of the container from PodSpec that this ephemeral container targets.
+  // The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
+  // If not set then the ephemeral container is run in whatever namespaces are shared
+  // for the pod. Note that the container runtime must support this feature.
+  // +optional
+  optional string targetContainerName = 2;
+}
+
+message EphemeralContainerCommon {
+  // Name of the ephemeral container specified as a DNS_LABEL.
+  // This name must be unique among all containers, init containers and ephemeral containers.
+  optional string name = 1;
+
+  // Docker image name.
+  // More info: https://kubernetes.io/docs/concepts/containers/images
+  optional string image = 2;
+
+  // Entrypoint array. Not executed within a shell.
+  // The docker image's ENTRYPOINT is used if this is not provided.
+  // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+  // cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax
+  // can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded,
+  // regardless of whether the variable exists or not.
+  // Cannot be updated.
+  // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+  // +optional
+  repeated string command = 3;
+
+  // Arguments to the entrypoint.
+  // The docker image's CMD is used if this is not provided.
+  // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+  // cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax
+  // can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded,
+  // regardless of whether the variable exists or not.
+  // Cannot be updated.
+  // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+  // +optional
+  repeated string args = 4;
+
+  // Container's working directory.
+  // If not specified, the container runtime's default will be used, which
+  // might be configured in the container image.
+  // Cannot be updated.
+  // +optional
+  optional string workingDir = 5;
+
+  // Ports are not allowed for ephemeral containers.
+  repeated ContainerPort ports = 6;
+
+  // List of sources to populate environment variables in the container.
+  // The keys defined within a source must be a C_IDENTIFIER. All invalid keys
+  // will be reported as an event when the container is starting. When a key exists in multiple
+  // sources, the value associated with the last source will take precedence.
+  // Values defined by an Env with a duplicate key will take precedence.
+  // Cannot be updated.
+  // +optional
+  repeated EnvFromSource envFrom = 19;
+
+  // List of environment variables to set in the container.
+  // Cannot be updated.
+  // +optional
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  repeated EnvVar env = 7;
+
+  // Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources
+  // already allocated to the pod.
+  // +optional
+  optional ResourceRequirements resources = 8;
+
+  // Pod volumes to mount into the container's filesystem.
+  // Cannot be updated.
+  // +optional
+  // +patchMergeKey=mountPath
+  // +patchStrategy=merge
+  repeated VolumeMount volumeMounts = 9;
+
+  // volumeDevices is the list of block devices to be used by the container.
+  // This is a beta feature.
+  // +patchMergeKey=devicePath
+  // +patchStrategy=merge
+  // +optional
+  repeated VolumeDevice volumeDevices = 21;
+
+  // Probes are not allowed for ephemeral containers.
+  // +optional
+  optional Probe livenessProbe = 10;
+
+  // Probes are not allowed for ephemeral containers.
+  // +optional
+  optional Probe readinessProbe = 11;
+
+  // Lifecycle is not allowed for ephemeral containers.
+  // +optional
+  optional Lifecycle lifecycle = 12;
+
+  // Optional: Path at which the file to which the container's termination message
+  // will be written is mounted into the container's filesystem.
+  // Message written is intended to be brief final status, such as an assertion failure message.
+  // Will be truncated by the node if greater than 4096 bytes. The total message length across
+  // all containers will be limited to 12kb.
+  // Defaults to /dev/termination-log.
+  // Cannot be updated.
+  // +optional
+  optional string terminationMessagePath = 13;
+
+  // Indicate how the termination message should be populated. File will use the contents of
+  // terminationMessagePath to populate the container status message on both success and failure.
+  // FallbackToLogsOnError will use the last chunk of container log output if the termination
+  // message file is empty and the container exited with an error.
+  // The log output is limited to 2048 bytes or 80 lines, whichever is smaller.
+  // Defaults to File.
+  // Cannot be updated.
+  // +optional
+  optional string terminationMessagePolicy = 20;
+
+  // Image pull policy.
+  // One of Always, Never, IfNotPresent.
+  // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+  // Cannot be updated.
+  // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+  // +optional
+  optional string imagePullPolicy = 14;
+
+  // SecurityContext is not allowed for ephemeral containers.
+  // +optional
+  optional SecurityContext securityContext = 15;
+
+  // Whether this container should allocate a buffer for stdin in the container runtime. If this
+  // is not set, reads from stdin in the container will always result in EOF.
+  // Default is false.
+  // +optional
+  optional bool stdin = 16;
+
+  // Whether the container runtime should close the stdin channel after it has been opened by
+  // a single attach. When stdin is true the stdin stream will remain open across multiple attach
+  // sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the
+  // first client attaches to stdin, and then remains open and accepts data until the client disconnects,
+  // at which time stdin is closed and remains closed until the container is restarted. If this
+  // flag is false, a container processes that reads from stdin will never receive an EOF.
+  // Default is false
+  // +optional
+  optional bool stdinOnce = 17;
+
+  // Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.
+  // Default is false.
+  // +optional
+  optional bool tty = 18;
+}
+
+// A list of ephemeral containers used in API operations
+message EphemeralContainers {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // The new set of ephemeral containers to use for a pod.
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  repeated EphemeralContainer ephemeralContainers = 2;
+}
+
 // Event is a report of an event somewhere in the cluster.
 message Event {
   // Standard object's metadata.
@@ -1418,22 +1591,22 @@ message GitRepoVolumeSource {
 // Glusterfs volumes do not support ownership management or SELinux relabeling.
 message GlusterfsPersistentVolumeSource {
   // EndpointsName is the endpoint name that details Glusterfs topology.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+  // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
   optional string endpoints = 1;
 
   // Path is the Glusterfs volume path.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+  // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
   optional string path = 2;
 
   // ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions.
   // Defaults to false.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+  // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
   // +optional
   optional bool readOnly = 3;
 
   // EndpointsNamespace is the namespace that contains Glusterfs endpoint.
   // If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+  // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
   // +optional
   optional string endpointsNamespace = 4;
 }
@@ -1442,16 +1615,16 @@ message GlusterfsPersistentVolumeSource {
 // Glusterfs volumes do not support ownership management or SELinux relabeling.
 message GlusterfsVolumeSource {
   // EndpointsName is the endpoint name that details Glusterfs topology.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+  // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
   optional string endpoints = 1;
 
   // Path is the Glusterfs volume path.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+  // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
   optional string path = 2;
 
   // ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions.
   // Defaults to false.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+  // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
   // +optional
   optional bool readOnly = 3;
 }
@@ -2084,6 +2257,13 @@ message NodeSpec {
   // +optional
   optional string podCIDR = 1;
 
+  // podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this
+  // field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for
+  // each of IPv4 and IPv6.
+  // +optional
+  // +patchStrategy=merge
+  repeated string podCIDRs = 7;
+
   // ID of the node assigned by the cloud provider in the format: <ProviderName>://<ProviderSpecificNodeID>
   // +optional
   optional string providerID = 3;
@@ -2136,6 +2316,9 @@ message NodeStatus {
   // List of addresses reachable to the node.
   // Queried from cloud provider, if available.
   // More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses
+  // Note: This field is declared as mergeable, but the merge key is not sufficiently
+  // unique, which can cause data corruption when it is merged. Callers should instead
+  // use a full-replacement patch. See http://pr.k8s.io/79391 for an example.
   // +optional
   // +patchMergeKey=type
   // +patchStrategy=merge
@@ -2456,7 +2639,7 @@ message PersistentVolumeSource {
 
   // Glusterfs represents a Glusterfs volume that is attached to a host and
   // exposed to the pod. Provisioned by an admin.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md
+  // More info: https://examples.k8s.io/volumes/glusterfs/README.md
   // +optional
   optional GlusterfsPersistentVolumeSource glusterfs = 4;
 
@@ -2466,7 +2649,7 @@ message PersistentVolumeSource {
   optional NFSVolumeSource nfs = 5;
 
   // RBD represents a Rados Block Device mount on the host that shares a pod's lifetime.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md
+  // More info: https://examples.k8s.io/volumes/rbd/README.md
   // +optional
   optional RBDPersistentVolumeSource rbd = 6;
 
@@ -2475,8 +2658,8 @@ message PersistentVolumeSource {
   // +optional
   optional ISCSIPersistentVolumeSource iscsi = 7;
 
-  // Cinder represents a cinder volume attached and mounted on kubelets host machine
+  // Cinder represents a cinder volume attached and mounted on kubelets host machine.
-  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  // More info: https://examples.k8s.io/mysql-cinder-pd/README.md
   // +optional
   optional CinderPersistentVolumeSource cinder = 8;
 
@@ -2529,7 +2712,7 @@ message PersistentVolumeSource {
   optional LocalVolumeSource local = 20;
 
   // StorageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/storageos/README.md
+  // More info: https://examples.k8s.io/volumes/storageos/README.md
   // +optional
   optional StorageOSPersistentVolumeSource storageos = 21;
 
@@ -2842,6 +3025,14 @@ message PodExecOptions {
   repeated string command = 6;
 }
 
+// IP address information for entries in the (plural) PodIPs field.
+// Each entry includes:
+//    IP: An IP address allocated to the pod. Routable at least within the cluster.
+message PodIP {
+  // ip is an IP address (IPv4 or IPv6) assigned to the pod
+  optional string ip = 1;
+}
+
 // PodList is a list of Pods.
 message PodList {
   // Standard list metadata.
@@ -2937,7 +3128,9 @@ message PodSecurityContext {
   // +optional
   optional SELinuxOptions seLinuxOptions = 1;
 
-  // Windows security options.
+  // The Windows specific settings applied to all containers.
+  // If unspecified, the options within a container's SecurityContext will be used.
+  // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
   // +optional
   optional WindowsSecurityContextOptions windowsOptions = 8;
 
@@ -3032,6 +3225,18 @@ message PodSpec {
   // +patchStrategy=merge
   repeated Container containers = 2;
 
+  // EphemeralContainers is the list of ephemeral containers that run in this pod. Ephemeral containers
+  // are added to an existing pod as a result of a user-initiated action such as troubleshooting.
+  // This list is read-only in the pod spec. It may not be specified in a create or modified in an
+  // update of a pod or pod template.
+  // To add an ephemeral container use the pod's ephemeralcontainers subresource, which allows update
+  // using the EphemeralContainers kind.
+  // This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature.
+  // +optional
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  repeated EphemeralContainer ephemeralContainers = 34;
+
   // Restart policy for all containers within the pod.
   // One of Always, OnFailure, Never.
   // Default to Always.
@@ -3226,6 +3431,19 @@ message PodSpec {
   // This field is alpha-level as of Kubernetes v1.16, and is only honored by servers that enable the PodOverhead feature.
   // +optional
   map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> overhead = 32;
+
+  // TopologySpreadConstraints describes how a group of pods ought to spread across topology
+  // domains. Scheduler will schedule pods in a way which abides by the constraints.
+  // This field is alpha-level and is only honored by clusters that enables the EvenPodsSpread
+  // feature.
+  // All topologySpreadConstraints are ANDed.
+  // +optional
+  // +patchMergeKey=topologyKey
+  // +patchStrategy=merge
+  // +listType=map
+  // +listMapKey=topologyKey
+  // +listMapKey=whenUnsatisfiable
+  repeated TopologySpreadConstraint topologySpreadConstraints = 33;
 }
 
 // PodStatus represents information about the status of a pod. Status may trail the actual
@@ -3288,6 +3506,14 @@ message PodStatus {
   // +optional
   optional string podIP = 6;
 
+  // podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must
+  // match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list
+  // is empty if no IPs have been allocated yet.
+  // +optional
+  // +patchStrategy=merge
+  // +patchMergeKey=ip
+  repeated PodIP podIPs = 12;
+
   // RFC 3339 date and time at which the object was acknowledged by the Kubelet.
   // This is before the Kubelet pulled the container image(s) for the pod.
   // +optional
@@ -3310,6 +3536,11 @@ message PodStatus {
   // More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md
   // +optional
   optional string qosClass = 9;
+
+  // Status for any ephemeral containers that running in this pod.
+  // This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature.
+  // +optional
+  repeated ContainerStatus ephemeralContainerStatuses = 13;
 }
 
 // PodStatusResult is a wrapper for PodStatus returned by kubelet that can be encode/decoded
@@ -3500,11 +3731,11 @@ message QuobyteVolumeSource {
 // RBD volumes support ownership management and SELinux relabeling.
 message RBDPersistentVolumeSource {
   // A collection of Ceph monitors.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   repeated string monitors = 1;
 
   // The rados image name.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   optional string image = 2;
 
   // Filesystem type of the volume that you want to mount.
@@ -3517,32 +3748,32 @@ message RBDPersistentVolumeSource {
 
   // The rados pool name.
   // Default is rbd.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   // +optional
   optional string pool = 4;
 
   // The rados user name.
   // Default is admin.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   // +optional
   optional string user = 5;
 
   // Keyring is the path to key ring for RBDUser.
   // Default is /etc/ceph/keyring.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   // +optional
   optional string keyring = 6;
 
   // SecretRef is name of the authentication secret for RBDUser. If provided
   // overrides keyring.
   // Default is nil.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   // +optional
   optional SecretReference secretRef = 7;
 
   // ReadOnly here will force the ReadOnly setting in VolumeMounts.
   // Defaults to false.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   // +optional
   optional bool readOnly = 8;
 }
@@ -3551,11 +3782,11 @@ message RBDPersistentVolumeSource {
 // RBD volumes support ownership management and SELinux relabeling.
 message RBDVolumeSource {
   // A collection of Ceph monitors.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   repeated string monitors = 1;
 
   // The rados image name.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   optional string image = 2;
 
   // Filesystem type of the volume that you want to mount.
@@ -3568,32 +3799,32 @@ message RBDVolumeSource {
 
   // The rados pool name.
   // Default is rbd.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   // +optional
   optional string pool = 4;
 
   // The rados user name.
   // Default is admin.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   // +optional
   optional string user = 5;
 
   // Keyring is the path to key ring for RBDUser.
   // Default is /etc/ceph/keyring.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   // +optional
   optional string keyring = 6;
 
   // SecretRef is name of the authentication secret for RBDUser. If provided
   // overrides keyring.
   // Default is nil.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   // +optional
   optional LocalObjectReference secretRef = 7;
 
   // ReadOnly here will force the ReadOnly setting in VolumeMounts.
   // Defaults to false.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
   // +optional
   optional bool readOnly = 8;
 }
@@ -4113,7 +4344,9 @@ message SecurityContext {
   // +optional
   optional SELinuxOptions seLinuxOptions = 3;
 
-  // Windows security options.
+  // The Windows specific settings applied to all containers.
+  // If unspecified, the options from the PodSecurityContext will be used.
+  // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
   // +optional
   optional WindowsSecurityContextOptions windowsOptions = 10;
 
@@ -4612,6 +4845,59 @@ message TopologySelectorTerm {
   repeated TopologySelectorLabelRequirement matchLabelExpressions = 1;
 }
 
+// TopologySpreadConstraint specifies how to spread matching pods among the given topology.
+message TopologySpreadConstraint {
+  // MaxSkew describes the degree to which pods may be unevenly distributed.
+  // It's the maximum permitted difference between the number of matching pods in
+  // any two topology domains of a given topology type.
+  // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+  // labelSelector spread as 1/1/0:
+  // +-------+-------+-------+
+  // | zone1 | zone2 | zone3 |
+  // +-------+-------+-------+
+  // |   P   |   P   |       |
+  // +-------+-------+-------+
+  // - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1;
+  // scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2)
+  // violate MaxSkew(1).
+  // - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+  // It's a required field. Default value is 1 and 0 is not allowed.
+  optional int32 maxSkew = 1;
+
+  // TopologyKey is the key of node labels. Nodes that have a label with this key
+  // and identical values are considered to be in the same topology.
+  // We consider each <key, value> as a "bucket", and try to put balanced number
+  // of pods into each bucket.
+  // It's a required field.
+  optional string topologyKey = 2;
+
+  // WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+  // the spread constraint.
+  // - DoNotSchedule (default) tells the scheduler not to schedule it
+  // - ScheduleAnyway tells the scheduler to still schedule it
+  // It's considered as "Unsatisfiable" if and only if placing incoming pod on any
+  // topology violates "MaxSkew".
+  // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+  // labelSelector spread as 3/1/1:
+  // +-------+-------+-------+
+  // | zone1 | zone2 | zone3 |
+  // +-------+-------+-------+
+  // | P P P |   P   |   P   |
+  // +-------+-------+-------+
+  // If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+  // to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+  // MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+  // won't make it *more* imbalanced.
+  // It's a required field.
+  optional string whenUnsatisfiable = 3;
+
+  // LabelSelector is used to find matching pods.
+  // Pods that match this label selector are counted to determine the number of pods
+  // in their corresponding topology domain.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector labelSelector = 4;
+}
+
 // TypedLocalObjectReference contains enough information to let you locate the
 // typed referenced object inside the same namespace.
 message TypedLocalObjectReference {
@@ -4760,12 +5046,12 @@ message VolumeSource {
 
   // ISCSI represents an ISCSI Disk resource that is attached to a
   // kubelet's host machine and then exposed to the pod.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/iscsi/README.md
+  // More info: https://examples.k8s.io/volumes/iscsi/README.md
   // +optional
   optional ISCSIVolumeSource iscsi = 8;
 
   // Glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md
+  // More info: https://examples.k8s.io/volumes/glusterfs/README.md
   // +optional
   optional GlusterfsVolumeSource glusterfs = 9;
 
@@ -4776,7 +5062,7 @@ message VolumeSource {
   optional PersistentVolumeClaimVolumeSource persistentVolumeClaim = 10;
 
   // RBD represents a Rados Block Device mount on the host that shares a pod's lifetime.
-  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md
+  // More info: https://examples.k8s.io/volumes/rbd/README.md
   // +optional
   optional RBDVolumeSource rbd = 11;
 
@@ -4785,8 +5071,8 @@ message VolumeSource {
   // +optional
   optional FlexVolumeSource flexVolume = 12;
 
-  // Cinder represents a cinder volume attached and mounted on kubelets host machine
+  // Cinder represents a cinder volume attached and mounted on kubelets host machine.
-  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  // More info: https://examples.k8s.io/mysql-cinder-pd/README.md
   // +optional
   optional CinderVolumeSource cinder = 13;
 
@@ -4892,5 +5178,13 @@ message WindowsSecurityContextOptions {
   // This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag.
   // +optional
   optional string gmsaCredentialSpec = 2;
+
+  // The UserName in Windows to run the entrypoint of the container process.
+  // Defaults to the user specified in image metadata if unspecified.
+  // May also be set in PodSecurityContext. If set in both SecurityContext and
+  // PodSecurityContext, the value specified in SecurityContext takes precedence.
+  // This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag.
+  // +optional
+  optional string runAsUserName = 3;
 }
 

vendor/k8s.io/api/core/v1/register.go

@@ -88,6 +88,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&RangeAllocation{},
 		&ConfigMap{},
 		&ConfigMapList{},
+		&EphemeralContainers{},
 	)
 
 	// Add common types

vendor/k8s.io/api/core/v1/taint.go

@@ -24,8 +24,14 @@ func (t *Taint) MatchTaint(taintToMatch *Taint) bool {
 	return t.Key == taintToMatch.Key && t.Effect == taintToMatch.Effect
 }
 
-// taint.ToString() converts taint struct to string in format key=value:effect or key:effect.
+// taint.ToString() converts taint struct to string in format '<key>=<value>:<effect>', '<key>=<value>:', '<key>:<effect>', or '<key>'.
 func (t *Taint) ToString() string {
+	if len(t.Effect) == 0 {
+		if len(t.Value) == 0 {
+			return fmt.Sprintf("%v", t.Key)
+		}
+		return fmt.Sprintf("%v=%v:", t.Key, t.Value)
+	}
 	if len(t.Value) == 0 {
 		return fmt.Sprintf("%v:%v", t.Key, t.Effect)
 	}

vendor/k8s.io/api/core/v1/types.go

@@ -87,11 +87,11 @@ type VolumeSource struct {
 	NFS *NFSVolumeSource `json:"nfs,omitempty" protobuf:"bytes,7,opt,name=nfs"`
 	// ISCSI represents an ISCSI Disk resource that is attached to a
 	// kubelet's host machine and then exposed to the pod.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/iscsi/README.md
+	// More info: https://examples.k8s.io/volumes/iscsi/README.md
 	// +optional
 	ISCSI *ISCSIVolumeSource `json:"iscsi,omitempty" protobuf:"bytes,8,opt,name=iscsi"`
 	// Glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md
 	// +optional
 	Glusterfs *GlusterfsVolumeSource `json:"glusterfs,omitempty" protobuf:"bytes,9,opt,name=glusterfs"`
 	// PersistentVolumeClaimVolumeSource represents a reference to a
@@ -100,15 +100,15 @@ type VolumeSource struct {
 	// +optional
 	PersistentVolumeClaim *PersistentVolumeClaimVolumeSource `json:"persistentVolumeClaim,omitempty" protobuf:"bytes,10,opt,name=persistentVolumeClaim"`
 	// RBD represents a Rados Block Device mount on the host that shares a pod's lifetime.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md
+	// More info: https://examples.k8s.io/volumes/rbd/README.md
 	// +optional
 	RBD *RBDVolumeSource `json:"rbd,omitempty" protobuf:"bytes,11,opt,name=rbd"`
 	// FlexVolume represents a generic volume resource that is
 	// provisioned/attached using an exec based plugin.
 	// +optional
 	FlexVolume *FlexVolumeSource `json:"flexVolume,omitempty" protobuf:"bytes,12,opt,name=flexVolume"`
-	// Cinder represents a cinder volume attached and mounted on kubelets host machine
+	// Cinder represents a cinder volume attached and mounted on kubelets host machine.
-	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	// +optional
 	Cinder *CinderVolumeSource `json:"cinder,omitempty" protobuf:"bytes,13,opt,name=cinder"`
 	// CephFS represents a Ceph FS mount on the host that shares a pod's lifetime
@@ -192,7 +192,7 @@ type PersistentVolumeSource struct {
 	HostPath *HostPathVolumeSource `json:"hostPath,omitempty" protobuf:"bytes,3,opt,name=hostPath"`
 	// Glusterfs represents a Glusterfs volume that is attached to a host and
 	// exposed to the pod. Provisioned by an admin.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md
 	// +optional
 	Glusterfs *GlusterfsPersistentVolumeSource `json:"glusterfs,omitempty" protobuf:"bytes,4,opt,name=glusterfs"`
 	// NFS represents an NFS mount on the host. Provisioned by an admin.
@@ -200,15 +200,15 @@ type PersistentVolumeSource struct {
 	// +optional
 	NFS *NFSVolumeSource `json:"nfs,omitempty" protobuf:"bytes,5,opt,name=nfs"`
 	// RBD represents a Rados Block Device mount on the host that shares a pod's lifetime.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md
+	// More info: https://examples.k8s.io/volumes/rbd/README.md
 	// +optional
 	RBD *RBDPersistentVolumeSource `json:"rbd,omitempty" protobuf:"bytes,6,opt,name=rbd"`
 	// ISCSI represents an ISCSI Disk resource that is attached to a
 	// kubelet's host machine and then exposed to the pod. Provisioned by an admin.
 	// +optional
 	ISCSI *ISCSIPersistentVolumeSource `json:"iscsi,omitempty" protobuf:"bytes,7,opt,name=iscsi"`
-	// Cinder represents a cinder volume attached and mounted on kubelets host machine
+	// Cinder represents a cinder volume attached and mounted on kubelets host machine.
-	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	// +optional
 	Cinder *CinderPersistentVolumeSource `json:"cinder,omitempty" protobuf:"bytes,8,opt,name=cinder"`
 	// CephFS represents a Ceph FS mount on the host that shares a pod's lifetime
@@ -248,7 +248,7 @@ type PersistentVolumeSource struct {
 	// +optional
 	Local *LocalVolumeSource `json:"local,omitempty" protobuf:"bytes,20,opt,name=local"`
 	// StorageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/storageos/README.md
+	// More info: https://examples.k8s.io/volumes/storageos/README.md
 	// +optional
 	StorageOS *StorageOSPersistentVolumeSource `json:"storageos,omitempty" protobuf:"bytes,21,opt,name=storageos"`
 	// CSI represents storage that is handled by an external CSI driver (Beta feature).
@@ -625,16 +625,16 @@ type EmptyDirVolumeSource struct {
 // Glusterfs volumes do not support ownership management or SELinux relabeling.
 type GlusterfsVolumeSource struct {
 	// EndpointsName is the endpoint name that details Glusterfs topology.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	EndpointsName string `json:"endpoints" protobuf:"bytes,1,opt,name=endpoints"`
 
 	// Path is the Glusterfs volume path.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	Path string `json:"path" protobuf:"bytes,2,opt,name=path"`
 
 	// ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions.
 	// Defaults to false.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	// +optional
 	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,3,opt,name=readOnly"`
 }
@@ -643,22 +643,22 @@ type GlusterfsVolumeSource struct {
 // Glusterfs volumes do not support ownership management or SELinux relabeling.
 type GlusterfsPersistentVolumeSource struct {
 	// EndpointsName is the endpoint name that details Glusterfs topology.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	EndpointsName string `json:"endpoints" protobuf:"bytes,1,opt,name=endpoints"`
 
 	// Path is the Glusterfs volume path.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	Path string `json:"path" protobuf:"bytes,2,opt,name=path"`
 
 	// ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions.
 	// Defaults to false.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	// +optional
 	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,3,opt,name=readOnly"`
 
 	// EndpointsNamespace is the namespace that contains Glusterfs endpoint.
 	// If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	// +optional
 	EndpointsNamespace *string `json:"endpointsNamespace,omitempty" protobuf:"bytes,4,opt,name=endpointsNamespace"`
 }
@@ -667,10 +667,10 @@ type GlusterfsPersistentVolumeSource struct {
 // RBD volumes support ownership management and SELinux relabeling.
 type RBDVolumeSource struct {
 	// A collection of Ceph monitors.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	CephMonitors []string `json:"monitors" protobuf:"bytes,1,rep,name=monitors"`
 	// The rados image name.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	RBDImage string `json:"image" protobuf:"bytes,2,opt,name=image"`
 	// Filesystem type of the volume that you want to mount.
 	// Tip: Ensure that the filesystem type is supported by the host operating system.
@@ -681,28 +681,28 @@ type RBDVolumeSource struct {
 	FSType string `json:"fsType,omitempty" protobuf:"bytes,3,opt,name=fsType"`
 	// The rados pool name.
 	// Default is rbd.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	RBDPool string `json:"pool,omitempty" protobuf:"bytes,4,opt,name=pool"`
 	// The rados user name.
 	// Default is admin.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	RadosUser string `json:"user,omitempty" protobuf:"bytes,5,opt,name=user"`
 	// Keyring is the path to key ring for RBDUser.
 	// Default is /etc/ceph/keyring.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	Keyring string `json:"keyring,omitempty" protobuf:"bytes,6,opt,name=keyring"`
 	// SecretRef is name of the authentication secret for RBDUser. If provided
 	// overrides keyring.
 	// Default is nil.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	SecretRef *LocalObjectReference `json:"secretRef,omitempty" protobuf:"bytes,7,opt,name=secretRef"`
 	// ReadOnly here will force the ReadOnly setting in VolumeMounts.
 	// Defaults to false.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,8,opt,name=readOnly"`
 }
@@ -711,10 +711,10 @@ type RBDVolumeSource struct {
 // RBD volumes support ownership management and SELinux relabeling.
 type RBDPersistentVolumeSource struct {
 	// A collection of Ceph monitors.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	CephMonitors []string `json:"monitors" protobuf:"bytes,1,rep,name=monitors"`
 	// The rados image name.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	RBDImage string `json:"image" protobuf:"bytes,2,opt,name=image"`
 	// Filesystem type of the volume that you want to mount.
 	// Tip: Ensure that the filesystem type is supported by the host operating system.
@@ -725,28 +725,28 @@ type RBDPersistentVolumeSource struct {
 	FSType string `json:"fsType,omitempty" protobuf:"bytes,3,opt,name=fsType"`
 	// The rados pool name.
 	// Default is rbd.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	RBDPool string `json:"pool,omitempty" protobuf:"bytes,4,opt,name=pool"`
 	// The rados user name.
 	// Default is admin.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	RadosUser string `json:"user,omitempty" protobuf:"bytes,5,opt,name=user"`
 	// Keyring is the path to key ring for RBDUser.
 	// Default is /etc/ceph/keyring.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	Keyring string `json:"keyring,omitempty" protobuf:"bytes,6,opt,name=keyring"`
 	// SecretRef is name of the authentication secret for RBDUser. If provided
 	// overrides keyring.
 	// Default is nil.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	SecretRef *SecretReference `json:"secretRef,omitempty" protobuf:"bytes,7,opt,name=secretRef"`
 	// ReadOnly here will force the ReadOnly setting in VolumeMounts.
 	// Defaults to false.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,8,opt,name=readOnly"`
 }
@@ -756,18 +756,18 @@ type RBDPersistentVolumeSource struct {
 // The volume must also be in the same region as the kubelet.
 // Cinder volumes support ownership management and SELinux relabeling.
 type CinderVolumeSource struct {
-	// volume id used to identify the volume in cinder
+	// volume id used to identify the volume in cinder.
-	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	VolumeID string `json:"volumeID" protobuf:"bytes,1,opt,name=volumeID"`
 	// Filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	// +optional
 	FSType string `json:"fsType,omitempty" protobuf:"bytes,2,opt,name=fsType"`
 	// Optional: Defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
-	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	// +optional
 	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,3,opt,name=readOnly"`
 	// Optional: points to a secret object containing parameters used to connect
@@ -781,18 +781,18 @@ type CinderVolumeSource struct {
 // The volume must also be in the same region as the kubelet.
 // Cinder volumes support ownership management and SELinux relabeling.
 type CinderPersistentVolumeSource struct {
-	// volume id used to identify the volume in cinder
+	// volume id used to identify the volume in cinder.
-	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	VolumeID string `json:"volumeID" protobuf:"bytes,1,opt,name=volumeID"`
 	// Filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
-	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	// +optional
 	FSType string `json:"fsType,omitempty" protobuf:"bytes,2,opt,name=fsType"`
 	// Optional: Defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
-	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	// +optional
 	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,3,opt,name=readOnly"`
 	// Optional: points to a secret object containing parameters used to connect
@@ -805,26 +805,26 @@ type CinderPersistentVolumeSource struct {
 // Cephfs volumes do not support ownership management or SELinux relabeling.
 type CephFSVolumeSource struct {
 	// Required: Monitors is a collection of Ceph monitors
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	Monitors []string `json:"monitors" protobuf:"bytes,1,rep,name=monitors"`
 	// Optional: Used as the mounted root, rather than the full Ceph tree, default is /
 	// +optional
 	Path string `json:"path,omitempty" protobuf:"bytes,2,opt,name=path"`
 	// Optional: User is the rados user name, default is admin
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"`
 	// Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	SecretFile string `json:"secretFile,omitempty" protobuf:"bytes,4,opt,name=secretFile"`
 	// Optional: SecretRef is reference to the authentication secret for User, default is empty.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	SecretRef *LocalObjectReference `json:"secretRef,omitempty" protobuf:"bytes,5,opt,name=secretRef"`
 	// Optional: Defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,6,opt,name=readOnly"`
 }
@@ -844,26 +844,26 @@ type SecretReference struct {
 // Cephfs volumes do not support ownership management or SELinux relabeling.
 type CephFSPersistentVolumeSource struct {
 	// Required: Monitors is a collection of Ceph monitors
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	Monitors []string `json:"monitors" protobuf:"bytes,1,rep,name=monitors"`
 	// Optional: Used as the mounted root, rather than the full Ceph tree, default is /
 	// +optional
 	Path string `json:"path,omitempty" protobuf:"bytes,2,opt,name=path"`
 	// Optional: User is the rados user name, default is admin
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"`
 	// Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	SecretFile string `json:"secretFile,omitempty" protobuf:"bytes,4,opt,name=secretFile"`
 	// Optional: SecretRef is reference to the authentication secret for User, default is empty.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	SecretRef *SecretReference `json:"secretRef,omitempty" protobuf:"bytes,5,opt,name=secretRef"`
 	// Optional: Defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
-	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,6,opt,name=readOnly"`
 }
@@ -2843,6 +2843,17 @@ type PodSpec struct {
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	Containers []Container `json:"containers" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,2,rep,name=containers"`
+	// EphemeralContainers is the list of ephemeral containers that run in this pod. Ephemeral containers
+	// are added to an existing pod as a result of a user-initiated action such as troubleshooting.
+	// This list is read-only in the pod spec. It may not be specified in a create or modified in an
+	// update of a pod or pod template.
+	// To add an ephemeral container use the pod's ephemeralcontainers subresource, which allows update
+	// using the EphemeralContainers kind.
+	// This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	EphemeralContainers []EphemeralContainer `json:"ephemeralContainers,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,34,rep,name=ephemeralContainers"`
 	// Restart policy for all containers within the pod.
 	// One of Always, OnFailure, Never.
 	// Default to Always.
@@ -3011,6 +3022,79 @@ type PodSpec struct {
 	// This field is alpha-level as of Kubernetes v1.16, and is only honored by servers that enable the PodOverhead feature.
 	// +optional
 	Overhead ResourceList `json:"overhead,omitempty" protobuf:"bytes,32,opt,name=overhead"`
+	// TopologySpreadConstraints describes how a group of pods ought to spread across topology
+	// domains. Scheduler will schedule pods in a way which abides by the constraints.
+	// This field is alpha-level and is only honored by clusters that enables the EvenPodsSpread
+	// feature.
+	// All topologySpreadConstraints are ANDed.
+	// +optional
+	// +patchMergeKey=topologyKey
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=topologyKey
+	// +listMapKey=whenUnsatisfiable
+	TopologySpreadConstraints []TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty" patchStrategy:"merge" patchMergeKey:"topologyKey" protobuf:"bytes,33,opt,name=topologySpreadConstraints"`
+}
+
+type UnsatisfiableConstraintAction string
+
+const (
+	// DoNotSchedule instructs the scheduler not to schedule the pod
+	// when constraints are not satisfied.
+	DoNotSchedule UnsatisfiableConstraintAction = "DoNotSchedule"
+	// ScheduleAnyway instructs the scheduler to schedule the pod
+	// even if constraints are not satisfied.
+	ScheduleAnyway UnsatisfiableConstraintAction = "ScheduleAnyway"
+)
+
+// TopologySpreadConstraint specifies how to spread matching pods among the given topology.
+type TopologySpreadConstraint struct {
+	// MaxSkew describes the degree to which pods may be unevenly distributed.
+	// It's the maximum permitted difference between the number of matching pods in
+	// any two topology domains of a given topology type.
+	// For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+	// labelSelector spread as 1/1/0:
+	// +-------+-------+-------+
+	// | zone1 | zone2 | zone3 |
+	// +-------+-------+-------+
+	// |   P   |   P   |       |
+	// +-------+-------+-------+
+	// - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1;
+	// scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2)
+	// violate MaxSkew(1).
+	// - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+	// It's a required field. Default value is 1 and 0 is not allowed.
+	MaxSkew int32 `json:"maxSkew" protobuf:"varint,1,opt,name=maxSkew"`
+	// TopologyKey is the key of node labels. Nodes that have a label with this key
+	// and identical values are considered to be in the same topology.
+	// We consider each <key, value> as a "bucket", and try to put balanced number
+	// of pods into each bucket.
+	// It's a required field.
+	TopologyKey string `json:"topologyKey" protobuf:"bytes,2,opt,name=topologyKey"`
+	// WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+	// the spread constraint.
+	// - DoNotSchedule (default) tells the scheduler not to schedule it
+	// - ScheduleAnyway tells the scheduler to still schedule it
+	// It's considered as "Unsatisfiable" if and only if placing incoming pod on any
+	// topology violates "MaxSkew".
+	// For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+	// labelSelector spread as 3/1/1:
+	// +-------+-------+-------+
+	// | zone1 | zone2 | zone3 |
+	// +-------+-------+-------+
+	// | P P P |   P   |   P   |
+	// +-------+-------+-------+
+	// If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+	// to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+	// MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+	// won't make it *more* imbalanced.
+	// It's a required field.
+	WhenUnsatisfiable UnsatisfiableConstraintAction `json:"whenUnsatisfiable" protobuf:"bytes,3,opt,name=whenUnsatisfiable,casttype=UnsatisfiableConstraintAction"`
+	// LabelSelector is used to find matching pods.
+	// Pods that match this label selector are counted to determine the number of pods
+	// in their corresponding topology domain.
+	// +optional
+	LabelSelector *metav1.LabelSelector `json:"labelSelector,omitempty" protobuf:"bytes,4,opt,name=labelSelector"`
 }
 
 const (
@@ -3038,7 +3122,9 @@ type PodSecurityContext struct {
 	// takes precedence for that container.
 	// +optional
 	SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,1,opt,name=seLinuxOptions"`
-	// Windows security options.
+	// The Windows specific settings applied to all containers.
+	// If unspecified, the options within a container's SecurityContext will be used.
+	// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// +optional
 	WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,8,opt,name=windowsOptions"`
 	// The UID to run the entrypoint of the container process.
@@ -3126,6 +3212,164 @@ type PodDNSConfigOption struct {
 	Value *string `json:"value,omitempty" protobuf:"bytes,2,opt,name=value"`
 }
 
+// IP address information for entries in the (plural) PodIPs field.
+// Each entry includes:
+//    IP: An IP address allocated to the pod. Routable at least within the cluster.
+type PodIP struct {
+	// ip is an IP address (IPv4 or IPv6) assigned to the pod
+	IP string `json:"ip,omitempty" protobuf:"bytes,1,opt,name=ip"`
+}
+
+type EphemeralContainerCommon struct {
+	// Name of the ephemeral container specified as a DNS_LABEL.
+	// This name must be unique among all containers, init containers and ephemeral containers.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// Docker image name.
+	// More info: https://kubernetes.io/docs/concepts/containers/images
+	Image string `json:"image,omitempty" protobuf:"bytes,2,opt,name=image"`
+	// Entrypoint array. Not executed within a shell.
+	// The docker image's ENTRYPOINT is used if this is not provided.
+	// Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+	// cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax
+	// can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded,
+	// regardless of whether the variable exists or not.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+	// +optional
+	Command []string `json:"command,omitempty" protobuf:"bytes,3,rep,name=command"`
+	// Arguments to the entrypoint.
+	// The docker image's CMD is used if this is not provided.
+	// Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+	// cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax
+	// can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded,
+	// regardless of whether the variable exists or not.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+	// +optional
+	Args []string `json:"args,omitempty" protobuf:"bytes,4,rep,name=args"`
+	// Container's working directory.
+	// If not specified, the container runtime's default will be used, which
+	// might be configured in the container image.
+	// Cannot be updated.
+	// +optional
+	WorkingDir string `json:"workingDir,omitempty" protobuf:"bytes,5,opt,name=workingDir"`
+	// Ports are not allowed for ephemeral containers.
+	Ports []ContainerPort `json:"ports,omitempty" protobuf:"bytes,6,rep,name=ports"`
+	// List of sources to populate environment variables in the container.
+	// The keys defined within a source must be a C_IDENTIFIER. All invalid keys
+	// will be reported as an event when the container is starting. When a key exists in multiple
+	// sources, the value associated with the last source will take precedence.
+	// Values defined by an Env with a duplicate key will take precedence.
+	// Cannot be updated.
+	// +optional
+	EnvFrom []EnvFromSource `json:"envFrom,omitempty" protobuf:"bytes,19,rep,name=envFrom"`
+	// List of environment variables to set in the container.
+	// Cannot be updated.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	Env []EnvVar `json:"env,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,7,rep,name=env"`
+	// Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources
+	// already allocated to the pod.
+	// +optional
+	Resources ResourceRequirements `json:"resources,omitempty" protobuf:"bytes,8,opt,name=resources"`
+	// Pod volumes to mount into the container's filesystem.
+	// Cannot be updated.
+	// +optional
+	// +patchMergeKey=mountPath
+	// +patchStrategy=merge
+	VolumeMounts []VolumeMount `json:"volumeMounts,omitempty" patchStrategy:"merge" patchMergeKey:"mountPath" protobuf:"bytes,9,rep,name=volumeMounts"`
+	// volumeDevices is the list of block devices to be used by the container.
+	// This is a beta feature.
+	// +patchMergeKey=devicePath
+	// +patchStrategy=merge
+	// +optional
+	VolumeDevices []VolumeDevice `json:"volumeDevices,omitempty" patchStrategy:"merge" patchMergeKey:"devicePath" protobuf:"bytes,21,rep,name=volumeDevices"`
+	// Probes are not allowed for ephemeral containers.
+	// +optional
+	LivenessProbe *Probe `json:"livenessProbe,omitempty" protobuf:"bytes,10,opt,name=livenessProbe"`
+	// Probes are not allowed for ephemeral containers.
+	// +optional
+	ReadinessProbe *Probe `json:"readinessProbe,omitempty" protobuf:"bytes,11,opt,name=readinessProbe"`
+	// Lifecycle is not allowed for ephemeral containers.
+	// +optional
+	Lifecycle *Lifecycle `json:"lifecycle,omitempty" protobuf:"bytes,12,opt,name=lifecycle"`
+	// Optional: Path at which the file to which the container's termination message
+	// will be written is mounted into the container's filesystem.
+	// Message written is intended to be brief final status, such as an assertion failure message.
+	// Will be truncated by the node if greater than 4096 bytes. The total message length across
+	// all containers will be limited to 12kb.
+	// Defaults to /dev/termination-log.
+	// Cannot be updated.
+	// +optional
+	TerminationMessagePath string `json:"terminationMessagePath,omitempty" protobuf:"bytes,13,opt,name=terminationMessagePath"`
+	// Indicate how the termination message should be populated. File will use the contents of
+	// terminationMessagePath to populate the container status message on both success and failure.
+	// FallbackToLogsOnError will use the last chunk of container log output if the termination
+	// message file is empty and the container exited with an error.
+	// The log output is limited to 2048 bytes or 80 lines, whichever is smaller.
+	// Defaults to File.
+	// Cannot be updated.
+	// +optional
+	TerminationMessagePolicy TerminationMessagePolicy `json:"terminationMessagePolicy,omitempty" protobuf:"bytes,20,opt,name=terminationMessagePolicy,casttype=TerminationMessagePolicy"`
+	// Image pull policy.
+	// One of Always, Never, IfNotPresent.
+	// Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+	// +optional
+	ImagePullPolicy PullPolicy `json:"imagePullPolicy,omitempty" protobuf:"bytes,14,opt,name=imagePullPolicy,casttype=PullPolicy"`
+	// SecurityContext is not allowed for ephemeral containers.
+	// +optional
+	SecurityContext *SecurityContext `json:"securityContext,omitempty" protobuf:"bytes,15,opt,name=securityContext"`
+
+	// Variables for interactive containers, these have very specialized use-cases (e.g. debugging)
+	// and shouldn't be used for general purpose containers.
+
+	// Whether this container should allocate a buffer for stdin in the container runtime. If this
+	// is not set, reads from stdin in the container will always result in EOF.
+	// Default is false.
+	// +optional
+	Stdin bool `json:"stdin,omitempty" protobuf:"varint,16,opt,name=stdin"`
+	// Whether the container runtime should close the stdin channel after it has been opened by
+	// a single attach. When stdin is true the stdin stream will remain open across multiple attach
+	// sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the
+	// first client attaches to stdin, and then remains open and accepts data until the client disconnects,
+	// at which time stdin is closed and remains closed until the container is restarted. If this
+	// flag is false, a container processes that reads from stdin will never receive an EOF.
+	// Default is false
+	// +optional
+	StdinOnce bool `json:"stdinOnce,omitempty" protobuf:"varint,17,opt,name=stdinOnce"`
+	// Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.
+	// Default is false.
+	// +optional
+	TTY bool `json:"tty,omitempty" protobuf:"varint,18,opt,name=tty"`
+}
+
+// EphemeralContainerCommon converts to Container. All fields must be kept in sync between
+// these two types.
+var _ = Container(EphemeralContainerCommon{})
+
+// An EphemeralContainer is a special type of container which doesn't come with any resource
+// or scheduling guarantees but can be added to a pod that has already been created. They are
+// intended for user-initiated activities such as troubleshooting a running pod.
+// Ephemeral containers will not be restarted when they exit, and they will be killed if the
+// pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource
+// allocation, the pod may be evicted.
+// Ephemeral containers are added via a pod's ephemeralcontainers subresource and will appear
+// in the pod spec once added. No fields in EphemeralContainer may be changed once added.
+// This is an alpha feature enabled by the EphemeralContainers feature flag.
+type EphemeralContainer struct {
+	EphemeralContainerCommon `json:",inline" protobuf:"bytes,1,req"`
+
+	// If set, the name of the container from PodSpec that this ephemeral container targets.
+	// The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
+	// If not set then the ephemeral container is run in whatever namespaces are shared
+	// for the pod. Note that the container runtime must support this feature.
+	// +optional
+	TargetContainerName string `json:"targetContainerName,omitempty" protobuf:"bytes,2,opt,name=targetContainerName"`
+}
+
 // PodStatus represents information about the status of a pod. Status may trail the actual
 // state of a system, especially if the node that hosts the pod cannot contact the control
 // plane.
@@ -3181,6 +3425,14 @@ type PodStatus struct {
 	// +optional
 	PodIP string `json:"podIP,omitempty" protobuf:"bytes,6,opt,name=podIP"`
 
+	// podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must
+	// match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list
+	// is empty if no IPs have been allocated yet.
+	// +optional
+	// +patchStrategy=merge
+	// +patchMergeKey=ip
+	PodIPs []PodIP `json:"podIPs,omitempty" protobuf:"bytes,12,rep,name=podIPs" patchStrategy:"merge" patchMergeKey:"ip"`
+
 	// RFC 3339 date and time at which the object was acknowledged by the Kubelet.
 	// This is before the Kubelet pulled the container image(s) for the pod.
 	// +optional
@@ -3202,6 +3454,10 @@ type PodStatus struct {
 	// More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md
 	// +optional
 	QOSClass PodQOSClass `json:"qosClass,omitempty" protobuf:"bytes,9,rep,name=qosClass"`
+	// Status for any ephemeral containers that running in this pod.
+	// This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature.
+	// +optional
+	EphemeralContainerStatuses []ContainerStatus `json:"ephemeralContainerStatuses,omitempty" protobuf:"bytes,13,rep,name=ephemeralContainerStatuses"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -3223,6 +3479,8 @@ type PodStatusResult struct {
 }
 
 // +genclient
+// +genclient:method=GetEphemeralContainers,verb=get,subresource=ephemeralcontainers,result=EphemeralContainers
+// +genclient:method=UpdateEphemeralContainers,verb=update,subresource=ephemeralcontainers,input=EphemeralContainers,result=EphemeralContainers
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // Pod is a collection of containers that can run on a host. This resource is created
@@ -3901,6 +4159,14 @@ type NodeSpec struct {
 	// PodCIDR represents the pod IP range assigned to the node.
 	// +optional
 	PodCIDR string `json:"podCIDR,omitempty" protobuf:"bytes,1,opt,name=podCIDR"`
+
+	// podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this
+	// field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for
+	// each of IPv4 and IPv6.
+	// +optional
+	// +patchStrategy=merge
+	PodCIDRs []string `json:"podCIDRs,omitempty" protobuf:"bytes,7,opt,name=podCIDRs" patchStrategy:"merge"`
+
 	// ID of the node assigned by the cloud provider in the format: <ProviderName>://<ProviderSpecificNodeID>
 	// +optional
 	ProviderID string `json:"providerID,omitempty" protobuf:"bytes,3,opt,name=providerID"`
@@ -4082,6 +4348,9 @@ type NodeStatus struct {
 	// List of addresses reachable to the node.
 	// Queried from cloud provider, if available.
 	// More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses
+	// Note: This field is declared as mergeable, but the merge key is not sufficiently
+	// unique, which can cause data corruption when it is merged. Callers should instead
+	// use a full-replacement patch. See http://pr.k8s.io/79391 for an example.
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
@@ -4181,9 +4450,6 @@ type NodeConditionType string
 const (
 	// NodeReady means kubelet is healthy and ready to accept pods.
 	NodeReady NodeConditionType = "Ready"
-	// NodeOutOfDisk means the kubelet will not accept new pods due to insufficient free disk
-	// space on the node.
-	NodeOutOfDisk NodeConditionType = "OutOfDisk"
 	// NodeMemoryPressure means the kubelet is under pressure due to insufficient available memory.
 	NodeMemoryPressure NodeConditionType = "MemoryPressure"
 	// NodeDiskPressure means the kubelet is under pressure due to insufficient available disk.
@@ -4395,6 +4661,20 @@ type Binding struct {
 	Target ObjectReference `json:"target" protobuf:"bytes,2,opt,name=target"`
 }
 
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// A list of ephemeral containers used in API operations
+type EphemeralContainers struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// The new set of ephemeral containers to use for a pod.
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	EphemeralContainers []EphemeralContainer `json:"ephemeralContainers" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,2,rep,name=ephemeralContainers"`
+}
+
 // Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.
 // +k8s:openapi-gen=false
 type Preconditions struct {
@@ -5309,7 +5589,9 @@ type SecurityContext struct {
 	// PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// +optional
 	SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,3,opt,name=seLinuxOptions"`
-	// Windows security options.
+	// The Windows specific settings applied to all containers.
+	// If unspecified, the options from the PodSecurityContext will be used.
+	// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// +optional
 	WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,10,opt,name=windowsOptions"`
 	// The UID to run the entrypoint of the container process.
@@ -5395,6 +5677,14 @@ type WindowsSecurityContextOptions struct {
 	// This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag.
 	// +optional
 	GMSACredentialSpec *string `json:"gmsaCredentialSpec,omitempty" protobuf:"bytes,2,opt,name=gmsaCredentialSpec"`
+
+	// The UserName in Windows to run the entrypoint of the container process.
+	// Defaults to the user specified in image metadata if unspecified.
+	// May also be set in PodSecurityContext. If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence.
+	// This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag.
+	// +optional
+	RunAsUserName *string `json:"runAsUserName,omitempty" protobuf:"bytes,3,opt,name=runAsUserName"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

vendor/k8s.io/api/core/v1/types_swagger_doc_generated.go

@@ -158,12 +158,12 @@ func (Capabilities) SwaggerDoc() map[string]string {
 
 var map_CephFSPersistentVolumeSource = map[string]string{
 	"":           "Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.",
-	"monitors":   "Required: Monitors is a collection of Ceph monitors More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"monitors":   "Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it",
 	"path":       "Optional: Used as the mounted root, rather than the full Ceph tree, default is /",
-	"user":       "Optional: User is the rados user name, default is admin More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"user":       "Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it",
-	"secretFile": "Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"secretFile": "Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it",
-	"secretRef":  "Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"secretRef":  "Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it",
-	"readOnly":   "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"readOnly":   "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it",
 }
 
 func (CephFSPersistentVolumeSource) SwaggerDoc() map[string]string {
@@ -172,12 +172,12 @@ func (CephFSPersistentVolumeSource) SwaggerDoc() map[string]string {
 
 var map_CephFSVolumeSource = map[string]string{
 	"":           "Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.",
-	"monitors":   "Required: Monitors is a collection of Ceph monitors More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"monitors":   "Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it",
 	"path":       "Optional: Used as the mounted root, rather than the full Ceph tree, default is /",
-	"user":       "Optional: User is the rados user name, default is admin More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"user":       "Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it",
-	"secretFile": "Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"secretFile": "Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it",
-	"secretRef":  "Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"secretRef":  "Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it",
-	"readOnly":   "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"readOnly":   "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it",
 }
 
 func (CephFSVolumeSource) SwaggerDoc() map[string]string {
@@ -186,9 +186,9 @@ func (CephFSVolumeSource) SwaggerDoc() map[string]string {
 
 var map_CinderPersistentVolumeSource = map[string]string{
 	"":          "Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.",
-	"volumeID":  "volume id used to identify the volume in cinder More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+	"volumeID":  "volume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md",
-	"fsType":    "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+	"fsType":    "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md",
-	"readOnly":  "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+	"readOnly":  "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md",
 	"secretRef": "Optional: points to a secret object containing parameters used to connect to OpenStack.",
 }
 
@@ -198,9 +198,9 @@ func (CinderPersistentVolumeSource) SwaggerDoc() map[string]string {
 
 var map_CinderVolumeSource = map[string]string{
 	"":          "Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.",
-	"volumeID":  "volume id used to identify the volume in cinder More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+	"volumeID":  "volume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md",
-	"fsType":    "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+	"fsType":    "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md",
-	"readOnly":  "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+	"readOnly":  "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md",
 	"secretRef": "Optional: points to a secret object containing parameters used to connect to OpenStack.",
 }
 
@@ -574,6 +574,52 @@ func (EnvVarSource) SwaggerDoc() map[string]string {
 	return map_EnvVarSource
 }
 
+var map_EphemeralContainer = map[string]string{
+	"":                    "An EphemeralContainer is a special type of container which doesn't come with any resource or scheduling guarantees but can be added to a pod that has already been created. They are intended for user-initiated activities such as troubleshooting a running pod. Ephemeral containers will not be restarted when they exit, and they will be killed if the pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource allocation, the pod may be evicted. Ephemeral containers are added via a pod's ephemeralcontainers subresource and will appear in the pod spec once added. No fields in EphemeralContainer may be changed once added. This is an alpha feature enabled by the EphemeralContainers feature flag.",
+	"targetContainerName": "If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container is run in whatever namespaces are shared for the pod. Note that the container runtime must support this feature.",
+}
+
+func (EphemeralContainer) SwaggerDoc() map[string]string {
+	return map_EphemeralContainer
+}
+
+var map_EphemeralContainerCommon = map[string]string{
+	"name":                     "Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers.",
+	"image":                    "Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images",
+	"command":                  "Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell",
+	"args":                     "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell",
+	"workingDir":               "Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.",
+	"ports":                    "Ports are not allowed for ephemeral containers.",
+	"envFrom":                  "List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.",
+	"env":                      "List of environment variables to set in the container. Cannot be updated.",
+	"resources":                "Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod.",
+	"volumeMounts":             "Pod volumes to mount into the container's filesystem. Cannot be updated.",
+	"volumeDevices":            "volumeDevices is the list of block devices to be used by the container. This is a beta feature.",
+	"livenessProbe":            "Probes are not allowed for ephemeral containers.",
+	"readinessProbe":           "Probes are not allowed for ephemeral containers.",
+	"lifecycle":                "Lifecycle is not allowed for ephemeral containers.",
+	"terminationMessagePath":   "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.",
+	"terminationMessagePolicy": "Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.",
+	"imagePullPolicy":          "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images",
+	"securityContext":          "SecurityContext is not allowed for ephemeral containers.",
+	"stdin":                    "Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.",
+	"stdinOnce":                "Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false",
+	"tty":                      "Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.",
+}
+
+func (EphemeralContainerCommon) SwaggerDoc() map[string]string {
+	return map_EphemeralContainerCommon
+}
+
+var map_EphemeralContainers = map[string]string{
+	"":                    "A list of ephemeral containers used in API operations",
+	"ephemeralContainers": "The new set of ephemeral containers to use for a pod.",
+}
+
+func (EphemeralContainers) SwaggerDoc() map[string]string {
+	return map_EphemeralContainers
+}
+
 var map_Event = map[string]string{
 	"":                   "Event is a report of an event somewhere in the cluster.",
 	"metadata":           "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
@@ -711,10 +757,10 @@ func (GitRepoVolumeSource) SwaggerDoc() map[string]string {
 
 var map_GlusterfsPersistentVolumeSource = map[string]string{
 	"":                   "Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.",
-	"endpoints":          "EndpointsName is the endpoint name that details Glusterfs topology. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod",
+	"endpoints":          "EndpointsName is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod",
-	"path":               "Path is the Glusterfs volume path. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod",
+	"path":               "Path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod",
-	"readOnly":           "ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod",
+	"readOnly":           "ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod",
-	"endpointsNamespace": "EndpointsNamespace is the namespace that contains Glusterfs endpoint. If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod",
+	"endpointsNamespace": "EndpointsNamespace is the namespace that contains Glusterfs endpoint. If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod",
 }
 
 func (GlusterfsPersistentVolumeSource) SwaggerDoc() map[string]string {
@@ -723,9 +769,9 @@ func (GlusterfsPersistentVolumeSource) SwaggerDoc() map[string]string {
 
 var map_GlusterfsVolumeSource = map[string]string{
 	"":          "Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.",
-	"endpoints": "EndpointsName is the endpoint name that details Glusterfs topology. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod",
+	"endpoints": "EndpointsName is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod",
-	"path":      "Path is the Glusterfs volume path. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod",
+	"path":      "Path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod",
-	"readOnly":  "ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod",
+	"readOnly":  "ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod",
 }
 
 func (GlusterfsVolumeSource) SwaggerDoc() map[string]string {
@@ -1112,6 +1158,7 @@ func (NodeSelectorTerm) SwaggerDoc() map[string]string {
 var map_NodeSpec = map[string]string{
 	"":              "NodeSpec describes the attributes that a node is created with.",
 	"podCIDR":       "PodCIDR represents the pod IP range assigned to the node.",
+	"podCIDRs":      "podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for each of IPv4 and IPv6.",
 	"providerID":    "ID of the node assigned by the cloud provider in the format: <ProviderName>://<ProviderSpecificNodeID>",
 	"unschedulable": "Unschedulable controls node schedulability of new pods. By default, node is schedulable. More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration",
 	"taints":        "If specified, the node's taints.",
@@ -1129,7 +1176,7 @@ var map_NodeStatus = map[string]string{
 	"allocatable":     "Allocatable represents the resources of a node that are available for scheduling. Defaults to Capacity.",
 	"phase":           "NodePhase is the recently observed lifecycle phase of the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.",
 	"conditions":      "Conditions is an array of current observed node conditions. More info: https://kubernetes.io/docs/concepts/nodes/node/#condition",
-	"addresses":       "List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses",
+	"addresses":       "List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses Note: This field is declared as mergeable, but the merge key is not sufficiently unique, which can cause data corruption when it is merged. Callers should instead use a full-replacement patch. See http://pr.k8s.io/79391 for an example.",
 	"daemonEndpoints": "Endpoints of daemons running on the Node.",
 	"nodeInfo":        "Set of ids/uuids to uniquely identify the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#info",
 	"images":          "List of container images on this node",
@@ -1281,11 +1328,11 @@ var map_PersistentVolumeSource = map[string]string{
 	"gcePersistentDisk":    "GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk",
 	"awsElasticBlockStore": "AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore",
 	"hostPath":             "HostPath represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath",
-	"glusterfs":            "Glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md",
+	"glusterfs":            "Glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md",
 	"nfs":                  "NFS represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs",
-	"rbd":                  "RBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md",
+	"rbd":                  "RBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md",
 	"iscsi":                "ISCSI represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin.",
-	"cinder":               "Cinder represents a cinder volume attached and mounted on kubelets host machine More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+	"cinder":               "Cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md",
 	"cephfs":               "CephFS represents a Ceph FS mount on the host that shares a pod's lifetime",
 	"fc":                   "FC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.",
 	"flocker":              "Flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running",
@@ -1298,7 +1345,7 @@ var map_PersistentVolumeSource = map[string]string{
 	"portworxVolume":       "PortworxVolume represents a portworx volume attached and mounted on kubelets host machine",
 	"scaleIO":              "ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.",
 	"local":                "Local represents directly-attached storage with node affinity",
-	"storageos":            "StorageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://releases.k8s.io/HEAD/examples/volumes/storageos/README.md",
+	"storageos":            "StorageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md",
 	"csi":                  "CSI represents storage that is handled by an external CSI driver (Beta feature).",
 }
 
@@ -1446,6 +1493,15 @@ func (PodExecOptions) SwaggerDoc() map[string]string {
 	return map_PodExecOptions
 }
 
+var map_PodIP = map[string]string{
+	"":   "IP address information for entries in the (plural) PodIPs field. Each entry includes:\n   IP: An IP address allocated to the pod. Routable at least within the cluster.",
+	"ip": "ip is an IP address (IPv4 or IPv6) assigned to the pod",
+}
+
+func (PodIP) SwaggerDoc() map[string]string {
+	return map_PodIP
+}
+
 var map_PodList = map[string]string{
 	"":         "PodList is a list of Pods.",
 	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
@@ -1502,7 +1558,7 @@ func (PodReadinessGate) SwaggerDoc() map[string]string {
 var map_PodSecurityContext = map[string]string{
 	"":                   "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext.  Field values of container.securityContext take precedence over field values of PodSecurityContext.",
 	"seLinuxOptions":     "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.",
-	"windowsOptions":     "Windows security options.",
+	"windowsOptions":     "The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
 	"runAsUser":          "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.",
 	"runAsGroup":         "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.",
 	"runAsNonRoot":       "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
@@ -1529,6 +1585,7 @@ var map_PodSpec = map[string]string{
 	"volumes":                       "List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes",
 	"initContainers":                "List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, or Liveness probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/",
 	"containers":                    "List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated.",
+	"ephemeralContainers":           "EphemeralContainers is the list of ephemeral containers that run in this pod. Ephemeral containers are added to an existing pod as a result of a user-initiated action such as troubleshooting. This list is read-only in the pod spec. It may not be specified in a create or modified in an update of a pod or pod template. To add an ephemeral container use the pod's ephemeralcontainers subresource, which allows update using the EphemeralContainers kind. This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature.",
 	"restartPolicy":                 "Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy",
 	"terminationGracePeriodSeconds": "Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds.",
 	"activeDeadlineSeconds":         "Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.",
@@ -1558,6 +1615,7 @@ var map_PodSpec = map[string]string{
 	"enableServiceLinks":            "EnableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. Optional: Defaults to true.",
 	"preemptionPolicy":              "PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. This field is alpha-level and is only honored by servers that enable the NonPreemptingPriority feature.",
 	"overhead":                      "Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md This field is alpha-level as of Kubernetes v1.16, and is only honored by servers that enable the PodOverhead feature.",
+	"topologySpreadConstraints":     "TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. This field is alpha-level and is only honored by clusters that enables the EvenPodsSpread feature. All topologySpreadConstraints are ANDed.",
 }
 
 func (PodSpec) SwaggerDoc() map[string]string {
@@ -1565,18 +1623,20 @@ func (PodSpec) SwaggerDoc() map[string]string {
 }
 
 var map_PodStatus = map[string]string{
-	"":                      "PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.",
+	"":                           "PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.",
-	"phase":                 "The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:\n\nPending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase",
+	"phase":                      "The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:\n\nPending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase",
-	"conditions":            "Current service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions",
+	"conditions":                 "Current service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions",
-	"message":               "A human readable message indicating details about why the pod is in this condition.",
+	"message":                    "A human readable message indicating details about why the pod is in this condition.",
-	"reason":                "A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted'",
+	"reason":                     "A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted'",
-	"nominatedNodeName":     "nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled.",
+	"nominatedNodeName":          "nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled.",
-	"hostIP":                "IP address of the host to which the pod is assigned. Empty if not yet scheduled.",
+	"hostIP":                     "IP address of the host to which the pod is assigned. Empty if not yet scheduled.",
-	"podIP":                 "IP address allocated to the pod. Routable at least within the cluster. Empty if not yet allocated.",
+	"podIP":                      "IP address allocated to the pod. Routable at least within the cluster. Empty if not yet allocated.",
-	"startTime":             "RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod.",
+	"podIPs":                     "podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list is empty if no IPs have been allocated yet.",
-	"initContainerStatuses": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status",
+	"startTime":                  "RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod.",
-	"containerStatuses":     "The list has one entry per container in the manifest. Each entry is currently the output of `docker inspect`. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status",
+	"initContainerStatuses":      "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status",
-	"qosClass":              "The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md",
+	"containerStatuses":          "The list has one entry per container in the manifest. Each entry is currently the output of `docker inspect`. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status",
+	"qosClass":                   "The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md",
+	"ephemeralContainerStatuses": "Status for any ephemeral containers that running in this pod. This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature.",
 }
 
 func (PodStatus) SwaggerDoc() map[string]string {
@@ -1704,14 +1764,14 @@ func (QuobyteVolumeSource) SwaggerDoc() map[string]string {
 
 var map_RBDPersistentVolumeSource = map[string]string{
 	"":          "Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.",
-	"monitors":  "A collection of Ceph monitors. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"monitors":  "A collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
-	"image":     "The rados image name. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"image":     "The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
 	"fsType":    "Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd",
-	"pool":      "The rados pool name. Default is rbd. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"pool":      "The rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
-	"user":      "The rados user name. Default is admin. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"user":      "The rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
-	"keyring":   "Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"keyring":   "Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
-	"secretRef": "SecretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"secretRef": "SecretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
-	"readOnly":  "ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"readOnly":  "ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
 }
 
 func (RBDPersistentVolumeSource) SwaggerDoc() map[string]string {
@@ -1720,14 +1780,14 @@ func (RBDPersistentVolumeSource) SwaggerDoc() map[string]string {
 
 var map_RBDVolumeSource = map[string]string{
 	"":          "Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.",
-	"monitors":  "A collection of Ceph monitors. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"monitors":  "A collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
-	"image":     "The rados image name. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"image":     "The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
 	"fsType":    "Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd",
-	"pool":      "The rados pool name. Default is rbd. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"pool":      "The rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
-	"user":      "The rados user name. Default is admin. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"user":      "The rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
-	"keyring":   "Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"keyring":   "Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
-	"secretRef": "SecretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"secretRef": "SecretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
-	"readOnly":  "ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"readOnly":  "ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
 }
 
 func (RBDVolumeSource) SwaggerDoc() map[string]string {
@@ -2014,7 +2074,7 @@ var map_SecurityContext = map[string]string{
 	"capabilities":             "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
 	"privileged":               "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.",
 	"seLinuxOptions":           "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
-	"windowsOptions":           "Windows security options.",
+	"windowsOptions":           "The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
 	"runAsUser":                "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
 	"runAsGroup":               "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
 	"runAsNonRoot":             "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
@@ -2241,6 +2301,18 @@ func (TopologySelectorTerm) SwaggerDoc() map[string]string {
 	return map_TopologySelectorTerm
 }
 
+var map_TopologySpreadConstraint = map[string]string{
+	"":                  "TopologySpreadConstraint specifies how to spread matching pods among the given topology.",
+	"maxSkew":           "MaxSkew describes the degree to which pods may be unevenly distributed. It's the maximum permitted difference between the number of matching pods in any two topology domains of a given topology type. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 1/1/0: ",
+	"topologyKey":       "TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each <key, value> as a \"bucket\", and try to put balanced number of pods into each bucket. It's a required field.",
+	"whenUnsatisfiable": "WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it - ScheduleAnyway tells the scheduler to still schedule it It's considered as \"Unsatisfiable\" if and only if placing incoming pod on any topology violates \"MaxSkew\". For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: ",
+	"labelSelector":     "LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.",
+}
+
+func (TopologySpreadConstraint) SwaggerDoc() map[string]string {
+	return map_TopologySpreadConstraint
+}
+
 var map_TypedLocalObjectReference = map[string]string{
 	"":         "TypedLocalObjectReference contains enough information to let you locate the typed referenced object inside the same namespace.",
 	"apiGroup": "APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.",
@@ -2315,12 +2387,12 @@ var map_VolumeSource = map[string]string{
 	"gitRepo":               "GitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.",
 	"secret":                "Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret",
 	"nfs":                   "NFS represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs",
-	"iscsi":                 "ISCSI represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://releases.k8s.io/HEAD/examples/volumes/iscsi/README.md",
+	"iscsi":                 "ISCSI represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md",
-	"glusterfs":             "Glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md",
+	"glusterfs":             "Glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md",
 	"persistentVolumeClaim": "PersistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims",
-	"rbd":                   "RBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md",
+	"rbd":                   "RBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md",
 	"flexVolume":            "FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.",
-	"cinder":                "Cinder represents a cinder volume attached and mounted on kubelets host machine More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+	"cinder":                "Cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md",
 	"cephfs":                "CephFS represents a Ceph FS mount on the host that shares a pod's lifetime",
 	"flocker":               "Flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running",
 	"downwardAPI":           "DownwardAPI represents downward API about the pod that should populate this volume",
@@ -2368,6 +2440,7 @@ var map_WindowsSecurityContextOptions = map[string]string{
 	"":                       "WindowsSecurityContextOptions contain Windows-specific options and credentials.",
 	"gmsaCredentialSpecName": "GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag.",
 	"gmsaCredentialSpec":     "GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag.",
+	"runAsUserName":          "The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag.",
 }
 
 func (WindowsSecurityContextOptions) SwaggerDoc() map[string]string {

vendor/k8s.io/api/core/v1/zz_generated.deepcopy.go

@@ -1278,6 +1278,134 @@ func (in *EnvVarSource) DeepCopy() *EnvVarSource {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EphemeralContainer) DeepCopyInto(out *EphemeralContainer) {
+	*out = *in
+	in.EphemeralContainerCommon.DeepCopyInto(&out.EphemeralContainerCommon)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralContainer.
+func (in *EphemeralContainer) DeepCopy() *EphemeralContainer {
+	if in == nil {
+		return nil
+	}
+	out := new(EphemeralContainer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EphemeralContainerCommon) DeepCopyInto(out *EphemeralContainerCommon) {
+	*out = *in
+	if in.Command != nil {
+		in, out := &in.Command, &out.Command
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Args != nil {
+		in, out := &in.Args, &out.Args
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]ContainerPort, len(*in))
+		copy(*out, *in)
+	}
+	if in.EnvFrom != nil {
+		in, out := &in.EnvFrom, &out.EnvFrom
+		*out = make([]EnvFromSource, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Env != nil {
+		in, out := &in.Env, &out.Env
+		*out = make([]EnvVar, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.Resources.DeepCopyInto(&out.Resources)
+	if in.VolumeMounts != nil {
+		in, out := &in.VolumeMounts, &out.VolumeMounts
+		*out = make([]VolumeMount, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VolumeDevices != nil {
+		in, out := &in.VolumeDevices, &out.VolumeDevices
+		*out = make([]VolumeDevice, len(*in))
+		copy(*out, *in)
+	}
+	if in.LivenessProbe != nil {
+		in, out := &in.LivenessProbe, &out.LivenessProbe
+		*out = new(Probe)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ReadinessProbe != nil {
+		in, out := &in.ReadinessProbe, &out.ReadinessProbe
+		*out = new(Probe)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Lifecycle != nil {
+		in, out := &in.Lifecycle, &out.Lifecycle
+		*out = new(Lifecycle)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecurityContext != nil {
+		in, out := &in.SecurityContext, &out.SecurityContext
+		*out = new(SecurityContext)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralContainerCommon.
+func (in *EphemeralContainerCommon) DeepCopy() *EphemeralContainerCommon {
+	if in == nil {
+		return nil
+	}
+	out := new(EphemeralContainerCommon)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EphemeralContainers) DeepCopyInto(out *EphemeralContainers) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.EphemeralContainers != nil {
+		in, out := &in.EphemeralContainers, &out.EphemeralContainers
+		*out = make([]EphemeralContainer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralContainers.
+func (in *EphemeralContainers) DeepCopy() *EphemeralContainers {
+	if in == nil {
+		return nil
+	}
+	out := new(EphemeralContainers)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *EphemeralContainers) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Event) DeepCopyInto(out *Event) {
 	*out = *in
@@ -2470,6 +2598,11 @@ func (in *NodeSelectorTerm) DeepCopy() *NodeSelectorTerm {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NodeSpec) DeepCopyInto(out *NodeSpec) {
 	*out = *in
+	if in.PodCIDRs != nil {
+		in, out := &in.PodCIDRs, &out.PodCIDRs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	if in.Taints != nil {
 		in, out := &in.Taints, &out.Taints
 		*out = make([]Taint, len(*in))
@@ -3298,6 +3431,22 @@ func (in *PodExecOptions) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodIP) DeepCopyInto(out *PodIP) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodIP.
+func (in *PodIP) DeepCopy() *PodIP {
+	if in == nil {
+		return nil
+	}
+	out := new(PodIP)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PodList) DeepCopyInto(out *PodList) {
 	*out = *in
@@ -3547,6 +3696,13 @@ func (in *PodSpec) DeepCopyInto(out *PodSpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.EphemeralContainers != nil {
+		in, out := &in.EphemeralContainers, &out.EphemeralContainers
+		*out = make([]EphemeralContainer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.TerminationGracePeriodSeconds != nil {
 		in, out := &in.TerminationGracePeriodSeconds, &out.TerminationGracePeriodSeconds
 		*out = new(int64)
@@ -3640,6 +3796,13 @@ func (in *PodSpec) DeepCopyInto(out *PodSpec) {
 			(*out)[key] = val.DeepCopy()
 		}
 	}
+	if in.TopologySpreadConstraints != nil {
+		in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints
+		*out = make([]TopologySpreadConstraint, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -3663,6 +3826,11 @@ func (in *PodStatus) DeepCopyInto(out *PodStatus) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.PodIPs != nil {
+		in, out := &in.PodIPs, &out.PodIPs
+		*out = make([]PodIP, len(*in))
+		copy(*out, *in)
+	}
 	if in.StartTime != nil {
 		in, out := &in.StartTime, &out.StartTime
 		*out = (*in).DeepCopy()
@@ -3681,6 +3849,13 @@ func (in *PodStatus) DeepCopyInto(out *PodStatus) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.EphemeralContainerStatuses != nil {
+		in, out := &in.EphemeralContainerStatuses, &out.EphemeralContainerStatuses
+		*out = make([]ContainerStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -5178,6 +5353,27 @@ func (in *TopologySelectorTerm) DeepCopy() *TopologySelectorTerm {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TopologySpreadConstraint) DeepCopyInto(out *TopologySpreadConstraint) {
+	*out = *in
+	if in.LabelSelector != nil {
+		in, out := &in.LabelSelector, &out.LabelSelector
+		*out = new(metav1.LabelSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopologySpreadConstraint.
+func (in *TopologySpreadConstraint) DeepCopy() *TopologySpreadConstraint {
+	if in == nil {
+		return nil
+	}
+	out := new(TopologySpreadConstraint)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TypedLocalObjectReference) DeepCopyInto(out *TypedLocalObjectReference) {
 	*out = *in
@@ -5512,6 +5708,11 @@ func (in *WindowsSecurityContextOptions) DeepCopyInto(out *WindowsSecurityContex
 		*out = new(string)
 		**out = **in
 	}
+	if in.RunAsUserName != nil {
+		in, out := &in.RunAsUserName, &out.RunAsUserName
+		*out = new(string)
+		**out = **in
+	}
 	return
 }
 

vendor/k8s.io/apimachinery/pkg/api/resource/generated.pb.go

@@ -17,20 +17,15 @@ limitations under the License.
 // Code generated by protoc-gen-gogo. DO NOT EDIT.
 // source: k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto
 
-/*
-Package resource is a generated protocol buffer package.
-
-It is generated from these files:
-	k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto
-
-It has these top-level messages:
-	Quantity
-*/
 package resource
 
-import proto "github.com/gogo/protobuf/proto"
+import (
-import fmt "fmt"
+	fmt "fmt"
-import math "math"
+
+	math "math"
+
+	proto "github.com/gogo/protobuf/proto"
+)
 
 // Reference imports to suppress errors if they are not otherwise used.
 var _ = proto.Marshal
@@ -43,19 +38,38 @@ var _ = math.Inf
 // proto package needs to be updated.
 const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
 
-func (m *Quantity) Reset()                    { *m = Quantity{} }
+func (m *Quantity) Reset()      { *m = Quantity{} }
-func (*Quantity) ProtoMessage()               {}
+func (*Quantity) ProtoMessage() {}
-func (*Quantity) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+func (*Quantity) Descriptor() ([]byte, []int) {
+	return fileDescriptor_612bba87bd70906c, []int{0}
+}
+func (m *Quantity) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_Quantity.Unmarshal(m, b)
+}
+func (m *Quantity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_Quantity.Marshal(b, m, deterministic)
+}
+func (m *Quantity) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_Quantity.Merge(m, src)
+}
+func (m *Quantity) XXX_Size() int {
+	return xxx_messageInfo_Quantity.Size(m)
+}
+func (m *Quantity) XXX_DiscardUnknown() {
+	xxx_messageInfo_Quantity.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_Quantity proto.InternalMessageInfo
 
 func init() {
 	proto.RegisterType((*Quantity)(nil), "k8s.io.apimachinery.pkg.api.resource.Quantity")
 }
 
 func init() {
-	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto", fileDescriptorGenerated)
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto", fileDescriptor_612bba87bd70906c)
 }
 
-var fileDescriptorGenerated = []byte{
+var fileDescriptor_612bba87bd70906c = []byte{
 	// 237 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x4c, 0x8e, 0xb1, 0x4e, 0xc3, 0x30,
 	0x10, 0x40, 0xcf, 0x0b, 0x2a, 0x19, 0x2b, 0x84, 0x10, 0xc3, 0xa5, 0x42, 0x0c, 0x2c, 0xd8, 0x6b,

vendor/k8s.io/apimachinery/pkg/api/resource/quantity.go

@@ -697,7 +697,9 @@ func (q *Quantity) MilliValue() int64 {
 	return q.ScaledValue(Milli)
 }
 
-// ScaledValue returns the value of ceil(q * 10^scale); this could overflow an int64.
+// ScaledValue returns the value of ceil(q / 10^scale).
+// For example, NewQuantity(1, DecimalSI).ScaledValue(Milli) returns 1000.
+// This could overflow an int64.
 // To detect overflow, call Value() first and verify the expected magnitude.
 func (q *Quantity) ScaledValue(scale Scale) int64 {
 	if q.d.Dec == nil {

vendor/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go

@@ -19,6 +19,7 @@ package resource
 import (
 	"fmt"
 	"io"
+	"math/bits"
 
 	"github.com/gogo/protobuf/proto"
 )
@@ -28,7 +29,7 @@ var _ proto.Sizer = &Quantity{}
 func (m *Quantity) Marshal() (data []byte, err error) {
 	size := m.Size()
 	data = make([]byte, size)
-	n, err := m.MarshalTo(data)
+	n, err := m.MarshalToSizedBuffer(data[:size])
 	if err != nil {
 		return nil, err
 	}
@@ -38,30 +39,40 @@ func (m *Quantity) Marshal() (data []byte, err error) {
 // MarshalTo is a customized version of the generated Protobuf unmarshaler for a struct
 // with a single string field.
 func (m *Quantity) MarshalTo(data []byte) (int, error) {
-	var i int
+	size := m.Size()
+	return m.MarshalToSizedBuffer(data[:size])
+}
+
+// MarshalToSizedBuffer is a customized version of the generated
+// Protobuf unmarshaler for a struct with a single string field.
+func (m *Quantity) MarshalToSizedBuffer(data []byte) (int, error) {
+	i := len(data)
 	_ = i
 	var l int
 	_ = l
 
-	data[i] = 0xa
-	i++
 	// BEGIN CUSTOM MARSHAL
 	out := m.String()
+	i -= len(out)
+	copy(data[i:], out)
 	i = encodeVarintGenerated(data, i, uint64(len(out)))
-	i += copy(data[i:], out)
 	// END CUSTOM MARSHAL
+	i--
+	data[i] = 0xa
 
-	return i, nil
+	return len(data) - i, nil
 }
 
 func encodeVarintGenerated(data []byte, offset int, v uint64) int {
+	offset -= sovGenerated(v)
+	base := offset
 	for v >= 1<<7 {
 		data[offset] = uint8(v&0x7f | 0x80)
 		v >>= 7
 		offset++
 	}
 	data[offset] = uint8(v)
-	return offset + 1
+	return base
 }
 
 func (m *Quantity) Size() (n int) {
@@ -77,14 +88,7 @@ func (m *Quantity) Size() (n int) {
 }
 
 func sovGenerated(x uint64) (n int) {
-	for {
+	return (bits.Len64(x|1) + 6) / 7
-		n++
-		x >>= 7
-		if x == 0 {
-			break
-		}
-	}
-	return n
 }
 
 // Unmarshal is a customized version of the generated Protobuf unmarshaler for a struct

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/fields_proto.go

@@ -0,0 +1,88 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"encoding/json"
+)
+
+// Fields is declared in types.go
+
+// ProtoFields is a struct that is equivalent to Fields, but intended for
+// protobuf marshalling/unmarshalling. It is generated into a serialization
+// that matches Fields. Do not use in Go structs.
+type ProtoFields struct {
+	// Map is the representation used in the alpha version of this API
+	Map map[string]Fields `json:"-" protobuf:"bytes,1,rep,name=map"`
+
+	// Raw is the underlying serialization of this object.
+	Raw []byte `json:"-" protobuf:"bytes,2,opt,name=raw"`
+}
+
+// ProtoFields returns the Fields as a new ProtoFields value.
+func (m *Fields) ProtoFields() *ProtoFields {
+	if m == nil {
+		return &ProtoFields{}
+	}
+	return &ProtoFields{
+		Raw: m.Raw,
+	}
+}
+
+// Size implements the protobuf marshalling interface.
+func (m *Fields) Size() (n int) {
+	return m.ProtoFields().Size()
+}
+
+// Unmarshal implements the protobuf marshalling interface.
+func (m *Fields) Unmarshal(data []byte) error {
+	if len(data) == 0 {
+		return nil
+	}
+	p := ProtoFields{}
+	if err := p.Unmarshal(data); err != nil {
+		return err
+	}
+	if len(p.Map) == 0 {
+		return json.Unmarshal(p.Raw, &m)
+	}
+	b, err := json.Marshal(&p.Map)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(b, &m)
+}
+
+// Marshal implements the protobuf marshaling interface.
+func (m *Fields) Marshal() (data []byte, err error) {
+	return m.ProtoFields().Marshal()
+}
+
+// MarshalTo implements the protobuf marshaling interface.
+func (m *Fields) MarshalTo(data []byte) (int, error) {
+	return m.ProtoFields().MarshalTo(data)
+}
+
+// MarshalToSizedBuffer implements the protobuf reverse marshaling interface.
+func (m *Fields) MarshalToSizedBuffer(data []byte) (int, error) {
+	return m.ProtoFields().MarshalToSizedBuffer(data)
+}
+
+// String implements the protobuf goproto_stringer interface.
+func (m *Fields) String() string {
+	return m.ProtoFields().String()
+}

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto

@@ -213,20 +213,25 @@ message ExportOptions {
 }
 
 // Fields stores a set of fields in a data structure like a Trie.
-// To understand how this is used, see: https://github.com/kubernetes-sigs/structured-merge-diff
+//
+// Each key is either a '.' representing the field itself, and will always map to an empty set,
+// or a string representing a sub-field or item. The string will follow one of these four formats:
+// 'f:<name>', where <name> is the name of a field in a struct, or key in a map
+// 'v:<value>', where <value> is the exact json formatted value of a list item
+// 'i:<index>', where <index> is position of a item in a list
+// 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values
+// If a key maps to an empty Fields value, the field that key represents is part of the set.
+//
+// The exact format is defined in sigs.k8s.io/structured-merge-diff
+// +protobuf.options.marshal=false
+// +protobuf.as=ProtoFields
+// +protobuf.options.(gogoproto.goproto_stringer)=false
 message Fields {
-  // Map stores a set of fields in a data structure like a Trie.
+  // Map is the representation used in the alpha version of this API
-  //
-  // Each key is either a '.' representing the field itself, and will always map to an empty set,
-  // or a string representing a sub-field or item. The string will follow one of these four formats:
-  // 'f:<name>', where <name> is the name of a field in a struct, or key in a map
-  // 'v:<value>', where <value> is the exact json formatted value of a list item
-  // 'i:<index>', where <index> is position of a item in a list
-  // 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values
-  // If a key maps to an empty Fields value, the field that key represents is part of the set.
-  //
-  // The exact format is defined in k8s.io/apiserver/pkg/endpoints/handlers/fieldmanager/internal
   map<string, Fields> map = 1;
+
+  // Raw is the underlying serialization of this object.
+  optional bytes raw = 2;
 }
 
 // GetOptions is the standard query options to the standard REST get call.
@@ -302,27 +307,6 @@ message GroupVersionResource {
   optional string resource = 3;
 }
 
-// Initializer is information about an initializer that has not yet completed.
-message Initializer {
-  // name of the process that is responsible for initializing this object.
-  optional string name = 1;
-}
-
-// Initializers tracks the progress of initialization.
-message Initializers {
-  // Pending is a list of initializers that must execute in order before this object is visible.
-  // When the last pending initializer is removed, and no failing result is set, the initializers
-  // struct will be set to nil and the object is considered as initialized and visible to all
-  // clients.
-  // +patchMergeKey=name
-  // +patchStrategy=merge
-  repeated Initializer pending = 1;
-
-  // If result is set with the Failure field, the object will be persisted to storage and then deleted,
-  // ensuring that other clients can observe the deletion.
-  optional Status result = 2;
-}
-
 // A label selector is a label query over a set of resources. The result of matchLabels and
 // matchExpressions are ANDed. An empty label selector matches all objects. A null
 // label selector matches no objects.
@@ -375,6 +359,10 @@ message ListMeta {
   // selfLink is a URL representing this object.
   // Populated by the system.
   // Read-only.
+  //
+  // DEPRECATED
+  // Kubernetes will stop propagating this field in 1.20 release and the field is planned
+  // to be removed in 1.21 release.
   // +optional
   optional string selfLink = 1;
 
@@ -438,7 +426,7 @@ message ListOptions {
   // If the feature gate WatchBookmarks is not enabled in apiserver,
   // this field is ignored.
   //
-  // This field is alpha and can be changed or removed without notice.
+  // This field is beta.
   //
   // +optional
   optional bool allowWatchBookmarks = 9;
@@ -579,6 +567,10 @@ message ObjectMeta {
   // SelfLink is a URL representing this object.
   // Populated by the system.
   // Read-only.
+  //
+  // DEPRECATED
+  // Kubernetes will stop propagating this field in 1.20 release and the field is planned
+  // to be removed in 1.21 release.
   // +optional
   optional string selfLink = 4;
 
@@ -672,19 +664,6 @@ message ObjectMeta {
   // +patchStrategy=merge
   repeated OwnerReference ownerReferences = 13;
 
-  // An initializer is a controller which enforces some system invariant at object creation time.
-  // This field is a list of initializers that have not yet acted on this object. If nil or empty,
-  // this object has been completely initialized. Otherwise, the object is considered uninitialized
-  // and is hidden (in list/watch and get calls) from clients that haven't explicitly asked to
-  // observe uninitialized objects.
-  //
-  // When an object is created, the system will populate this list with the current set of initializers.
-  // Only privileged users may set or modify this list. Once it is empty, it may not be modified further
-  // by any user.
-  //
-  // DEPRECATED - initializers are an alpha field and will be removed in v1.15.
-  optional Initializers initializers = 16;
-
   // Must be empty before the object is deleted from the registry. Each entry
   // is an identifier for the responsible component that will remove the entry
   // from the list. If the deletionTimestamp of the object is non-nil, entries
@@ -811,6 +790,17 @@ message Preconditions {
   optional string resourceVersion = 2;
 }
 
+// ProtoFields is a struct that is equivalent to Fields, but intended for
+// protobuf marshalling/unmarshalling. It is generated into a serialization
+// that matches Fields. Do not use in Go structs.
+message ProtoFields {
+  // Map is the representation used in the alpha version of this API
+  map<string, Fields> map = 1;
+
+  // Raw is the underlying serialization of this object.
+  optional bytes raw = 2;
+}
+
 // RootPaths lists the paths available at root.
 // For example: "/healthz", "/apis".
 message RootPaths {

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/helpers.go

@@ -17,7 +17,9 @@ limitations under the License.
 package v1
 
 import (
+	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 
 	"k8s.io/apimachinery/pkg/fields"
@@ -254,13 +256,24 @@ func ResetObjectMetaForStatus(meta, existingMeta Object) {
 }
 
 // MarshalJSON implements json.Marshaler
+// MarshalJSON may get called on pointers or values, so implement MarshalJSON on value.
+// http://stackoverflow.com/questions/21390979/custom-marshaljson-never-gets-called-in-go
 func (f Fields) MarshalJSON() ([]byte, error) {
-	return json.Marshal(&f.Map)
+	if f.Raw == nil {
+		return []byte("null"), nil
+	}
+	return f.Raw, nil
 }
 
 // UnmarshalJSON implements json.Unmarshaler
 func (f *Fields) UnmarshalJSON(b []byte) error {
-	return json.Unmarshal(b, &f.Map)
+	if f == nil {
+		return errors.New("metav1.Fields: UnmarshalJSON on nil pointer")
+	}
+	if !bytes.Equal(b, []byte("null")) {
+		f.Raw = append(f.Raw[0:0], b...)
+	}
+	return nil
 }
 
 var _ json.Marshaler = Fields{}

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/meta.go

@@ -55,8 +55,6 @@ type Object interface {
 	SetLabels(labels map[string]string)
 	GetAnnotations() map[string]string
 	SetAnnotations(annotations map[string]string)
-	GetInitializers() *Initializers
-	SetInitializers(initializers *Initializers)
 	GetFinalizers() []string
 	SetFinalizers(finalizers []string)
 	GetOwnerReferences() []OwnerReference
@@ -166,8 +164,6 @@ func (meta *ObjectMeta) GetLabels() map[string]string                 { return m
 func (meta *ObjectMeta) SetLabels(labels map[string]string)           { meta.Labels = labels }
 func (meta *ObjectMeta) GetAnnotations() map[string]string            { return meta.Annotations }
 func (meta *ObjectMeta) SetAnnotations(annotations map[string]string) { meta.Annotations = annotations }
-func (meta *ObjectMeta) GetInitializers() *Initializers               { return meta.Initializers }
-func (meta *ObjectMeta) SetInitializers(initializers *Initializers)   { meta.Initializers = initializers }
 func (meta *ObjectMeta) GetFinalizers() []string                      { return meta.Finalizers }
 func (meta *ObjectMeta) SetFinalizers(finalizers []string)            { meta.Finalizers = finalizers }
 func (meta *ObjectMeta) GetOwnerReferences() []OwnerReference         { return meta.OwnerReferences }

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_proto.go

@@ -70,3 +70,11 @@ func (m *MicroTime) MarshalTo(data []byte) (int, error) {
 	}
 	return m.ProtoMicroTime().MarshalTo(data)
 }
+
+// MarshalToSizedBuffer implements the protobuf marshalling interface.
+func (m *MicroTime) MarshalToSizedBuffer(data []byte) (int, error) {
+	if m == nil || m.Time.IsZero() {
+		return 0, nil
+	}
+	return m.ProtoMicroTime().MarshalToSizedBuffer(data)
+}

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto.go

@@ -75,7 +75,7 @@ func (m *Time) Unmarshal(data []byte) error {
 	return nil
 }
 
-// Marshal implements the protobuf marshalling interface.
+// Marshal implements the protobuf marshaling interface.
 func (m *Time) Marshal() (data []byte, err error) {
 	if m == nil || m.Time.IsZero() {
 		return nil, nil
@@ -83,10 +83,18 @@ func (m *Time) Marshal() (data []byte, err error) {
 	return m.ProtoTime().Marshal()
 }
 
-// MarshalTo implements the protobuf marshalling interface.
+// MarshalTo implements the protobuf marshaling interface.
 func (m *Time) MarshalTo(data []byte) (int, error) {
 	if m == nil || m.Time.IsZero() {
 		return 0, nil
 	}
 	return m.ProtoTime().MarshalTo(data)
 }
+
+// MarshalToSizedBuffer implements the protobuf reverse marshaling interface.
+func (m *Time) MarshalToSizedBuffer(data []byte) (int, error) {
+	if m == nil || m.Time.IsZero() {
+		return 0, nil
+	}
+	return m.ProtoTime().MarshalToSizedBuffer(data)
+}

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go

@@ -61,6 +61,10 @@ type ListMeta struct {
 	// selfLink is a URL representing this object.
 	// Populated by the system.
 	// Read-only.
+	//
+	// DEPRECATED
+	// Kubernetes will stop propagating this field in 1.20 release and the field is planned
+	// to be removed in 1.21 release.
 	// +optional
 	SelfLink string `json:"selfLink,omitempty" protobuf:"bytes,1,opt,name=selfLink"`
 
@@ -148,6 +152,10 @@ type ObjectMeta struct {
 	// SelfLink is a URL representing this object.
 	// Populated by the system.
 	// Read-only.
+	//
+	// DEPRECATED
+	// Kubernetes will stop propagating this field in 1.20 release and the field is planned
+	// to be removed in 1.21 release.
 	// +optional
 	SelfLink string `json:"selfLink,omitempty" protobuf:"bytes,4,opt,name=selfLink"`
 
@@ -241,19 +249,6 @@ type ObjectMeta struct {
 	// +patchStrategy=merge
 	OwnerReferences []OwnerReference `json:"ownerReferences,omitempty" patchStrategy:"merge" patchMergeKey:"uid" protobuf:"bytes,13,rep,name=ownerReferences"`
 
-	// An initializer is a controller which enforces some system invariant at object creation time.
-	// This field is a list of initializers that have not yet acted on this object. If nil or empty,
-	// this object has been completely initialized. Otherwise, the object is considered uninitialized
-	// and is hidden (in list/watch and get calls) from clients that haven't explicitly asked to
-	// observe uninitialized objects.
-	//
-	// When an object is created, the system will populate this list with the current set of initializers.
-	// Only privileged users may set or modify this list. Once it is empty, it may not be modified further
-	// by any user.
-	//
-	// DEPRECATED - initializers are an alpha field and will be removed in v1.15.
-	Initializers *Initializers `json:"initializers,omitempty" protobuf:"bytes,16,opt,name=initializers"`
-
 	// Must be empty before the object is deleted from the registry. Each entry
 	// is an identifier for the responsible component that will remove the entry
 	// from the list. If the deletionTimestamp of the object is non-nil, entries
@@ -282,26 +277,6 @@ type ObjectMeta struct {
 	ManagedFields []ManagedFieldsEntry `json:"managedFields,omitempty" protobuf:"bytes,17,rep,name=managedFields"`
 }
 
-// Initializers tracks the progress of initialization.
-type Initializers struct {
-	// Pending is a list of initializers that must execute in order before this object is visible.
-	// When the last pending initializer is removed, and no failing result is set, the initializers
-	// struct will be set to nil and the object is considered as initialized and visible to all
-	// clients.
-	// +patchMergeKey=name
-	// +patchStrategy=merge
-	Pending []Initializer `json:"pending" protobuf:"bytes,1,rep,name=pending" patchStrategy:"merge" patchMergeKey:"name"`
-	// If result is set with the Failure field, the object will be persisted to storage and then deleted,
-	// ensuring that other clients can observe the deletion.
-	Result *Status `json:"result,omitempty" protobuf:"bytes,2,opt,name=result"`
-}
-
-// Initializer is information about an initializer that has not yet completed.
-type Initializer struct {
-	// name of the process that is responsible for initializing this object.
-	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
-}
-
 const (
 	// NamespaceDefault means the object is in the default namespace which is applied when not specified by clients
 	NamespaceDefault string = "default"
@@ -373,7 +348,7 @@ type ListOptions struct {
 	// If the feature gate WatchBookmarks is not enabled in apiserver,
 	// this field is ignored.
 	//
-	// This field is alpha and can be changed or removed without notice.
+	// This field is beta.
 	//
 	// +optional
 	AllowWatchBookmarks bool `json:"allowWatchBookmarks,omitempty" protobuf:"varint,9,opt,name=allowWatchBookmarks"`
@@ -1142,20 +1117,22 @@ const (
 )
 
 // Fields stores a set of fields in a data structure like a Trie.
-// To understand how this is used, see: https://github.com/kubernetes-sigs/structured-merge-diff
+//
+// Each key is either a '.' representing the field itself, and will always map to an empty set,
+// or a string representing a sub-field or item. The string will follow one of these four formats:
+// 'f:<name>', where <name> is the name of a field in a struct, or key in a map
+// 'v:<value>', where <value> is the exact json formatted value of a list item
+// 'i:<index>', where <index> is position of a item in a list
+// 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values
+// If a key maps to an empty Fields value, the field that key represents is part of the set.
+//
+// The exact format is defined in sigs.k8s.io/structured-merge-diff
+// +protobuf.options.marshal=false
+// +protobuf.as=ProtoFields
+// +protobuf.options.(gogoproto.goproto_stringer)=false
 type Fields struct {
-	// Map stores a set of fields in a data structure like a Trie.
+	// Raw is the underlying serialization of this object.
-	//
+	Raw []byte `json:"-" protobuf:"-"`
-	// Each key is either a '.' representing the field itself, and will always map to an empty set,
-	// or a string representing a sub-field or item. The string will follow one of these four formats:
-	// 'f:<name>', where <name> is the name of a field in a struct, or key in a map
-	// 'v:<value>', where <value> is the exact json formatted value of a list item
-	// 'i:<index>', where <index> is position of a item in a list
-	// 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values
-	// If a key maps to an empty Fields value, the field that key represents is part of the set.
-	//
-	// The exact format is defined in k8s.io/apiserver/pkg/endpoints/handlers/fieldmanager/internal
-	Map map[string]Fields `json:",inline" protobuf:"bytes,1,rep,name=map"`
 }
 
 // TODO: Table does not generate to protobuf because of the interface{} - fix protobuf

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types_swagger_doc_generated.go

@@ -120,7 +120,7 @@ func (ExportOptions) SwaggerDoc() map[string]string {
 }
 
 var map_Fields = map[string]string{
-	"": "Fields stores a set of fields in a data structure like a Trie. To understand how this is used, see: https://github.com/kubernetes-sigs/structured-merge-diff",
+	"": "Fields stores a set of fields in a data structure like a Trie.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff",
 }
 
 func (Fields) SwaggerDoc() map[string]string {
@@ -146,25 +146,6 @@ func (GroupVersionForDiscovery) SwaggerDoc() map[string]string {
 	return map_GroupVersionForDiscovery
 }
 
-var map_Initializer = map[string]string{
-	"":     "Initializer is information about an initializer that has not yet completed.",
-	"name": "name of the process that is responsible for initializing this object.",
-}
-
-func (Initializer) SwaggerDoc() map[string]string {
-	return map_Initializer
-}
-
-var map_Initializers = map[string]string{
-	"":        "Initializers tracks the progress of initialization.",
-	"pending": "Pending is a list of initializers that must execute in order before this object is visible. When the last pending initializer is removed, and no failing result is set, the initializers struct will be set to nil and the object is considered as initialized and visible to all clients.",
-	"result":  "If result is set with the Failure field, the object will be persisted to storage and then deleted, ensuring that other clients can observe the deletion.",
-}
-
-func (Initializers) SwaggerDoc() map[string]string {
-	return map_Initializers
-}
-
 var map_LabelSelector = map[string]string{
 	"":                 "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.",
 	"matchLabels":      "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
@@ -198,7 +179,7 @@ func (List) SwaggerDoc() map[string]string {
 
 var map_ListMeta = map[string]string{
 	"":                   "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.",
-	"selfLink":           "selfLink is a URL representing this object. Populated by the system. Read-only.",
+	"selfLink":           "selfLink is a URL representing this object. Populated by the system. Read-only.\n\nDEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release.",
 	"resourceVersion":    "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency",
 	"continue":           "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.",
 	"remainingItemCount": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.\n\nThis field is alpha and can be changed or removed without notice.",
@@ -213,7 +194,7 @@ var map_ListOptions = map[string]string{
 	"labelSelector":       "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
 	"fieldSelector":       "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
 	"watch":               "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-	"allowWatchBookmarks": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored.\n\nThis field is alpha and can be changed or removed without notice.",
+	"allowWatchBookmarks": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored.\n\nThis field is beta.",
 	"resourceVersion":     "When specified with a watch call, shows changes that occur after that particular version of a resource. Defaults to changes from the beginning of history. When specified for list: - if unset, then the result is returned from remote storage based on quorum-read flag; - if it's 0, then we simply return what we currently have in cache, no guarantee; - if set to non zero, then the result is at least as fresh as given rv.",
 	"timeoutSeconds":      "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
 	"limit":               "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
@@ -242,7 +223,7 @@ var map_ObjectMeta = map[string]string{
 	"name":                       "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names",
 	"generateName":               "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency",
 	"namespace":                  "Namespace defines the space within each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces",
-	"selfLink":                   "SelfLink is a URL representing this object. Populated by the system. Read-only.",
+	"selfLink":                   "SelfLink is a URL representing this object. Populated by the system. Read-only.\n\nDEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release.",
 	"uid":                        "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids",
 	"resourceVersion":            "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency",
 	"generation":                 "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.",
@@ -252,7 +233,6 @@ var map_ObjectMeta = map[string]string{
 	"labels":                     "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels",
 	"annotations":                "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations",
 	"ownerReferences":            "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.",
-	"initializers":               "An initializer is a controller which enforces some system invariant at object creation time. This field is a list of initializers that have not yet acted on this object. If nil or empty, this object has been completely initialized. Otherwise, the object is considered uninitialized and is hidden (in list/watch and get calls) from clients that haven't explicitly asked to observe uninitialized objects.\n\nWhen an object is created, the system will populate this list with the current set of initializers. Only privileged users may set or modify this list. Once it is empty, it may not be modified further by any user.\n\nDEPRECATED - initializers are an alpha field and will be removed in v1.15.",
 	"finalizers":                 "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.",
 	"clusterName":                "The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.",
 	"managedFields":              "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.\n\nThis field is alpha and can be changed or removed without notice.",

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructured.go

@@ -431,31 +431,6 @@ func (u *Unstructured) GroupVersionKind() schema.GroupVersionKind {
 	return gvk
 }
 
-func (u *Unstructured) GetInitializers() *metav1.Initializers {
-	m, found, err := nestedMapNoCopy(u.Object, "metadata", "initializers")
-	if !found || err != nil {
-		return nil
-	}
-	out := &metav1.Initializers{}
-	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(m, out); err != nil {
-		utilruntime.HandleError(fmt.Errorf("unable to retrieve initializers for object: %v", err))
-		return nil
-	}
-	return out
-}
-
-func (u *Unstructured) SetInitializers(initializers *metav1.Initializers) {
-	if initializers == nil {
-		RemoveNestedField(u.Object, "metadata", "initializers")
-		return
-	}
-	out, err := runtime.DefaultUnstructuredConverter.ToUnstructured(initializers)
-	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("unable to retrieve initializers for object: %v", err))
-	}
-	u.setNestedField(out, "metadata", "initializers")
-}
-
 func (u *Unstructured) GetFinalizers() []string {
 	val, _, _ := NestedStringSlice(u.Object, "metadata", "finalizers")
 	return val

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.deepcopy.go

@@ -315,12 +315,10 @@ func (in *ExportOptions) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Fields) DeepCopyInto(out *Fields) {
 	*out = *in
-	if in.Map != nil {
+	if in.Raw != nil {
-		in, out := &in.Map, &out.Map
+		in, out := &in.Raw, &out.Raw
-		*out = make(map[string]Fields, len(*in))
+		*out = make([]byte, len(*in))
-		for key, val := range *in {
+		copy(*out, *in)
-			(*out)[key] = *val.DeepCopy()
-		}
 	}
 	return
 }
@@ -456,48 +454,6 @@ func (in *GroupVersionResource) DeepCopy() *GroupVersionResource {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Initializer) DeepCopyInto(out *Initializer) {
-	*out = *in
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Initializer.
-func (in *Initializer) DeepCopy() *Initializer {
-	if in == nil {
-		return nil
-	}
-	out := new(Initializer)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Initializers) DeepCopyInto(out *Initializers) {
-	*out = *in
-	if in.Pending != nil {
-		in, out := &in.Pending, &out.Pending
-		*out = make([]Initializer, len(*in))
-		copy(*out, *in)
-	}
-	if in.Result != nil {
-		in, out := &in.Result, &out.Result
-		*out = new(Status)
-		(*in).DeepCopyInto(*out)
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Initializers.
-func (in *Initializers) DeepCopy() *Initializers {
-	if in == nil {
-		return nil
-	}
-	out := new(Initializers)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InternalEvent) DeepCopyInto(out *InternalEvent) {
 	*out = *in
@@ -721,11 +677,6 @@ func (in *ObjectMeta) DeepCopyInto(out *ObjectMeta) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.Initializers != nil {
-		in, out := &in.Initializers, &out.Initializers
-		*out = new(Initializers)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.Finalizers != nil {
 		in, out := &in.Finalizers, &out.Finalizers
 		*out = make([]string, len(*in))
@@ -913,6 +864,34 @@ func (in *Preconditions) DeepCopy() *Preconditions {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProtoFields) DeepCopyInto(out *ProtoFields) {
+	*out = *in
+	if in.Map != nil {
+		in, out := &in.Map, &out.Map
+		*out = make(map[string]Fields, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+	if in.Raw != nil {
+		in, out := &in.Raw, &out.Raw
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProtoFields.
+func (in *ProtoFields) DeepCopy() *ProtoFields {
+	if in == nil {
+		return nil
+	}
+	out := new(ProtoFields)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RootPaths) DeepCopyInto(out *RootPaths) {
 	*out = *in

vendor/k8s.io/apimachinery/pkg/runtime/converter.go

@@ -94,7 +94,7 @@ func parseBool(key string) bool {
 	}
 	value, err := strconv.ParseBool(key)
 	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("Couldn't parse '%s' as bool for unstructured mismatch detection", key))
+		utilruntime.HandleError(fmt.Errorf("couldn't parse '%s' as bool for unstructured mismatch detection", key))
 	}
 	return value
 }

vendor/k8s.io/apimachinery/pkg/runtime/generated.pb.go

@@ -17,27 +17,19 @@ limitations under the License.
 // Code generated by protoc-gen-gogo. DO NOT EDIT.
 // source: k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/generated.proto
 
-/*
-	Package runtime is a generated protocol buffer package.
-
-	It is generated from these files:
-		k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/generated.proto
-
-	It has these top-level messages:
-		RawExtension
-		TypeMeta
-		Unknown
-*/
 package runtime
 
-import proto "github.com/gogo/protobuf/proto"
+import (
-import fmt "fmt"
+	fmt "fmt"
-import math "math"
 
-import strings "strings"
+	io "io"
-import reflect "reflect"
+	math "math"
+	math_bits "math/bits"
+	reflect "reflect"
+	strings "strings"
 
-import io "io"
+	proto "github.com/gogo/protobuf/proto"
+)
 
 // Reference imports to suppress errors if they are not otherwise used.
 var _ = proto.Marshal
@@ -50,27 +42,132 @@ var _ = math.Inf
 // proto package needs to be updated.
 const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
 
-func (m *RawExtension) Reset()                    { *m = RawExtension{} }
+func (m *RawExtension) Reset()      { *m = RawExtension{} }
-func (*RawExtension) ProtoMessage()               {}
+func (*RawExtension) ProtoMessage() {}
-func (*RawExtension) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+func (*RawExtension) Descriptor() ([]byte, []int) {
+	return fileDescriptor_9d3c45d7f546725c, []int{0}
+}
+func (m *RawExtension) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *RawExtension) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *RawExtension) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_RawExtension.Merge(m, src)
+}
+func (m *RawExtension) XXX_Size() int {
+	return m.Size()
+}
+func (m *RawExtension) XXX_DiscardUnknown() {
+	xxx_messageInfo_RawExtension.DiscardUnknown(m)
+}
 
-func (m *TypeMeta) Reset()                    { *m = TypeMeta{} }
+var xxx_messageInfo_RawExtension proto.InternalMessageInfo
-func (*TypeMeta) ProtoMessage()               {}
-func (*TypeMeta) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
 
-func (m *Unknown) Reset()                    { *m = Unknown{} }
+func (m *TypeMeta) Reset()      { *m = TypeMeta{} }
-func (*Unknown) ProtoMessage()               {}
+func (*TypeMeta) ProtoMessage() {}
-func (*Unknown) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+func (*TypeMeta) Descriptor() ([]byte, []int) {
+	return fileDescriptor_9d3c45d7f546725c, []int{1}
+}
+func (m *TypeMeta) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *TypeMeta) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *TypeMeta) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_TypeMeta.Merge(m, src)
+}
+func (m *TypeMeta) XXX_Size() int {
+	return m.Size()
+}
+func (m *TypeMeta) XXX_DiscardUnknown() {
+	xxx_messageInfo_TypeMeta.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_TypeMeta proto.InternalMessageInfo
+
+func (m *Unknown) Reset()      { *m = Unknown{} }
+func (*Unknown) ProtoMessage() {}
+func (*Unknown) Descriptor() ([]byte, []int) {
+	return fileDescriptor_9d3c45d7f546725c, []int{2}
+}
+func (m *Unknown) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *Unknown) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *Unknown) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_Unknown.Merge(m, src)
+}
+func (m *Unknown) XXX_Size() int {
+	return m.Size()
+}
+func (m *Unknown) XXX_DiscardUnknown() {
+	xxx_messageInfo_Unknown.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_Unknown proto.InternalMessageInfo
 
 func init() {
 	proto.RegisterType((*RawExtension)(nil), "k8s.io.apimachinery.pkg.runtime.RawExtension")
 	proto.RegisterType((*TypeMeta)(nil), "k8s.io.apimachinery.pkg.runtime.TypeMeta")
 	proto.RegisterType((*Unknown)(nil), "k8s.io.apimachinery.pkg.runtime.Unknown")
 }
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/generated.proto", fileDescriptor_9d3c45d7f546725c)
+}
+
+var fileDescriptor_9d3c45d7f546725c = []byte{
+	// 378 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x8f, 0x4f, 0xab, 0x13, 0x31,
+	0x14, 0xc5, 0x27, 0xaf, 0x85, 0x3e, 0xd3, 0xc2, 0x93, 0xb8, 0x70, 0x74, 0x91, 0x79, 0x74, 0xe5,
+	0x5b, 0xbc, 0x04, 0x1e, 0x08, 0x6e, 0x3b, 0xa5, 0xa0, 0x88, 0x20, 0xc1, 0x3f, 0xe0, 0xca, 0x74,
+	0x26, 0x4e, 0xc3, 0xd0, 0x9b, 0x21, 0xcd, 0x38, 0x76, 0xe7, 0x47, 0xf0, 0x63, 0x75, 0xd9, 0x65,
+	0x57, 0xc5, 0x8e, 0x1f, 0xc2, 0xad, 0x34, 0x4d, 0x6b, 0xd5, 0x85, 0xbb, 0xe4, 0x9e, 0xf3, 0x3b,
+	0xf7, 0x1e, 0xfc, 0xbc, 0x7c, 0xb6, 0x60, 0xda, 0xf0, 0xb2, 0x9e, 0x2a, 0x0b, 0xca, 0xa9, 0x05,
+	0xff, 0xac, 0x20, 0x37, 0x96, 0x07, 0x41, 0x56, 0x7a, 0x2e, 0xb3, 0x99, 0x06, 0x65, 0x97, 0xbc,
+	0x2a, 0x0b, 0x6e, 0x6b, 0x70, 0x7a, 0xae, 0x78, 0xa1, 0x40, 0x59, 0xe9, 0x54, 0xce, 0x2a, 0x6b,
+	0x9c, 0x21, 0xc9, 0x01, 0x60, 0xe7, 0x00, 0xab, 0xca, 0x82, 0x05, 0xe0, 0xf1, 0x6d, 0xa1, 0xdd,
+	0xac, 0x9e, 0xb2, 0xcc, 0xcc, 0x79, 0x61, 0x0a, 0xc3, 0x3d, 0x37, 0xad, 0x3f, 0xf9, 0x9f, 0xff,
+	0xf8, 0xd7, 0x21, 0x6f, 0x78, 0x83, 0x07, 0x42, 0x36, 0x93, 0x2f, 0x4e, 0xc1, 0x42, 0x1b, 0x20,
+	0x8f, 0x70, 0xc7, 0xca, 0x26, 0x46, 0xd7, 0xe8, 0xc9, 0x20, 0xed, 0xb5, 0xdb, 0xa4, 0x23, 0x64,
+	0x23, 0xf6, 0xb3, 0xe1, 0x47, 0x7c, 0xf9, 0x66, 0x59, 0xa9, 0x57, 0xca, 0x49, 0x72, 0x87, 0xb1,
+	0xac, 0xf4, 0x3b, 0x65, 0xf7, 0x90, 0x77, 0xdf, 0x4b, 0xc9, 0x6a, 0x9b, 0x44, 0xed, 0x36, 0xc1,
+	0xa3, 0xd7, 0x2f, 0x82, 0x22, 0xce, 0x5c, 0xe4, 0x1a, 0x77, 0x4b, 0x0d, 0x79, 0x7c, 0xe1, 0xdd,
+	0x83, 0xe0, 0xee, 0xbe, 0xd4, 0x90, 0x0b, 0xaf, 0x0c, 0x7f, 0x22, 0xdc, 0x7b, 0x0b, 0x25, 0x98,
+	0x06, 0xc8, 0x7b, 0x7c, 0xe9, 0xc2, 0x36, 0x9f, 0xdf, 0xbf, 0xbb, 0x61, 0xff, 0xe9, 0xce, 0x8e,
+	0xe7, 0xa5, 0xf7, 0x43, 0xf8, 0xe9, 0x60, 0x71, 0x0a, 0x3b, 0x36, 0xbc, 0xf8, 0xb7, 0x21, 0x19,
+	0xe1, 0xab, 0xcc, 0x80, 0x53, 0xe0, 0x26, 0x90, 0x99, 0x5c, 0x43, 0x11, 0x77, 0xfc, 0xb1, 0x0f,
+	0x43, 0xde, 0xd5, 0xf8, 0x4f, 0x59, 0xfc, 0xed, 0x27, 0x4f, 0x71, 0x3f, 0x8c, 0xf6, 0xab, 0xe3,
+	0xae, 0xc7, 0x1f, 0x04, 0xbc, 0x3f, 0xfe, 0x2d, 0x89, 0x73, 0x5f, 0x7a, 0xbb, 0xda, 0xd1, 0x68,
+	0xbd, 0xa3, 0xd1, 0x66, 0x47, 0xa3, 0xaf, 0x2d, 0x45, 0xab, 0x96, 0xa2, 0x75, 0x4b, 0xd1, 0xa6,
+	0xa5, 0xe8, 0x7b, 0x4b, 0xd1, 0xb7, 0x1f, 0x34, 0xfa, 0xd0, 0x0b, 0x45, 0x7f, 0x05, 0x00, 0x00,
+	0xff, 0xff, 0xe3, 0x33, 0x18, 0x0b, 0x50, 0x02, 0x00, 0x00,
+}
+
 func (m *RawExtension) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
-	n, err := m.MarshalTo(dAtA)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
 	if err != nil {
 		return nil, err
 	}
@@ -78,23 +175,29 @@ func (m *RawExtension) Marshal() (dAtA []byte, err error) {
 }
 
 func (m *RawExtension) MarshalTo(dAtA []byte) (int, error) {
-	var i int
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *RawExtension) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
 	_ = i
 	var l int
 	_ = l
 	if m.Raw != nil {
-		dAtA[i] = 0xa
+		i -= len(m.Raw)
-		i++
+		copy(dAtA[i:], m.Raw)
 		i = encodeVarintGenerated(dAtA, i, uint64(len(m.Raw)))
-		i += copy(dAtA[i:], m.Raw)
+		i--
+		dAtA[i] = 0xa
 	}
-	return i, nil
+	return len(dAtA) - i, nil
 }
 
 func (m *TypeMeta) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
-	n, err := m.MarshalTo(dAtA)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
 	if err != nil {
 		return nil, err
 	}
@@ -102,25 +205,32 @@ func (m *TypeMeta) Marshal() (dAtA []byte, err error) {
 }
 
 func (m *TypeMeta) MarshalTo(dAtA []byte) (int, error) {
-	var i int
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *TypeMeta) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
 	_ = i
 	var l int
 	_ = l
-	dAtA[i] = 0xa
+	i -= len(m.Kind)
-	i++
+	copy(dAtA[i:], m.Kind)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIVersion)))
-	i += copy(dAtA[i:], m.APIVersion)
-	dAtA[i] = 0x12
-	i++
 	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
-	i += copy(dAtA[i:], m.Kind)
+	i--
-	return i, nil
+	dAtA[i] = 0x12
+	i -= len(m.APIVersion)
+	copy(dAtA[i:], m.APIVersion)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIVersion)))
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
 }
 
 func (m *Unknown) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
-	n, err := m.MarshalTo(dAtA)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
 	if err != nil {
 		return nil, err
 	}
@@ -128,45 +238,60 @@ func (m *Unknown) Marshal() (dAtA []byte, err error) {
 }
 
 func (m *Unknown) MarshalTo(dAtA []byte) (int, error) {
-	var i int
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *Unknown) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
 	_ = i
 	var l int
 	_ = l
-	dAtA[i] = 0xa
+	i -= len(m.ContentType)
-	i++
+	copy(dAtA[i:], m.ContentType)
-	i = encodeVarintGenerated(dAtA, i, uint64(m.TypeMeta.Size()))
-	n1, err := m.TypeMeta.MarshalTo(dAtA[i:])
-	if err != nil {
-		return 0, err
-	}
-	i += n1
-	if m.Raw != nil {
-		dAtA[i] = 0x12
-		i++
-		i = encodeVarintGenerated(dAtA, i, uint64(len(m.Raw)))
-		i += copy(dAtA[i:], m.Raw)
-	}
-	dAtA[i] = 0x1a
-	i++
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ContentEncoding)))
-	i += copy(dAtA[i:], m.ContentEncoding)
-	dAtA[i] = 0x22
-	i++
 	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ContentType)))
-	i += copy(dAtA[i:], m.ContentType)
+	i--
-	return i, nil
+	dAtA[i] = 0x22
+	i -= len(m.ContentEncoding)
+	copy(dAtA[i:], m.ContentEncoding)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ContentEncoding)))
+	i--
+	dAtA[i] = 0x1a
+	if m.Raw != nil {
+		i -= len(m.Raw)
+		copy(dAtA[i:], m.Raw)
+		i = encodeVarintGenerated(dAtA, i, uint64(len(m.Raw)))
+		i--
+		dAtA[i] = 0x12
+	}
+	{
+		size, err := m.TypeMeta.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
 }
 
 func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	offset -= sovGenerated(v)
+	base := offset
 	for v >= 1<<7 {
 		dAtA[offset] = uint8(v&0x7f | 0x80)
 		v >>= 7
 		offset++
 	}
 	dAtA[offset] = uint8(v)
-	return offset + 1
+	return base
 }
 func (m *RawExtension) Size() (n int) {
+	if m == nil {
+		return 0
+	}
 	var l int
 	_ = l
 	if m.Raw != nil {
@@ -177,6 +302,9 @@ func (m *RawExtension) Size() (n int) {
 }
 
 func (m *TypeMeta) Size() (n int) {
+	if m == nil {
+		return 0
+	}
 	var l int
 	_ = l
 	l = len(m.APIVersion)
@@ -187,6 +315,9 @@ func (m *TypeMeta) Size() (n int) {
 }
 
 func (m *Unknown) Size() (n int) {
+	if m == nil {
+		return 0
+	}
 	var l int
 	_ = l
 	l = m.TypeMeta.Size()
@@ -203,14 +334,7 @@ func (m *Unknown) Size() (n int) {
 }
 
 func sovGenerated(x uint64) (n int) {
-	for {
+	return (math_bits.Len64(x|1) + 6) / 7
-		n++
-		x >>= 7
-		if x == 0 {
-			break
-		}
-	}
-	return n
 }
 func sozGenerated(x uint64) (n int) {
 	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
@@ -272,7 +396,7 @@ func (m *RawExtension) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= (uint64(b) & 0x7F) << shift
+			wire |= uint64(b&0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@@ -300,7 +424,7 @@ func (m *RawExtension) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				byteLen |= (int(b) & 0x7F) << shift
+				byteLen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@@ -309,6 +433,9 @@ func (m *RawExtension) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthGenerated
 			}
 			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@@ -326,6 +453,9 @@ func (m *RawExtension) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthGenerated
 			}
+			if (iNdEx + skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@@ -353,7 +483,7 @@ func (m *TypeMeta) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= (uint64(b) & 0x7F) << shift
+			wire |= uint64(b&0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@@ -381,7 +511,7 @@ func (m *TypeMeta) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= (uint64(b) & 0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@@ -391,6 +521,9 @@ func (m *TypeMeta) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthGenerated
 			}
 			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@@ -410,7 +543,7 @@ func (m *TypeMeta) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= (uint64(b) & 0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@@ -420,6 +553,9 @@ func (m *TypeMeta) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthGenerated
 			}
 			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@@ -434,6 +570,9 @@ func (m *TypeMeta) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthGenerated
 			}
+			if (iNdEx + skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@@ -461,7 +600,7 @@ func (m *Unknown) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= (uint64(b) & 0x7F) << shift
+			wire |= uint64(b&0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@@ -489,7 +628,7 @@ func (m *Unknown) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				msglen |= (int(b) & 0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@@ -498,6 +637,9 @@ func (m *Unknown) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthGenerated
 			}
 			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@@ -519,7 +661,7 @@ func (m *Unknown) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				byteLen |= (int(b) & 0x7F) << shift
+				byteLen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@@ -528,6 +670,9 @@ func (m *Unknown) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthGenerated
 			}
 			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@@ -550,7 +695,7 @@ func (m *Unknown) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= (uint64(b) & 0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@@ -560,6 +705,9 @@ func (m *Unknown) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthGenerated
 			}
 			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@@ -579,7 +727,7 @@ func (m *Unknown) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= (uint64(b) & 0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@@ -589,6 +737,9 @@ func (m *Unknown) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthGenerated
 			}
 			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@@ -603,6 +754,9 @@ func (m *Unknown) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthGenerated
 			}
+			if (iNdEx + skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@@ -669,10 +823,13 @@ func skipGenerated(dAtA []byte) (n int, err error) {
 					break
 				}
 			}
-			iNdEx += length
 			if length < 0 {
 				return 0, ErrInvalidLengthGenerated
 			}
+			iNdEx += length
+			if iNdEx < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
 			return iNdEx, nil
 		case 3:
 			for {
@@ -701,6 +858,9 @@ func skipGenerated(dAtA []byte) (n int, err error) {
 					return 0, err
 				}
 				iNdEx = start + next
+				if iNdEx < 0 {
+					return 0, ErrInvalidLengthGenerated
+				}
 			}
 			return iNdEx, nil
 		case 4:
@@ -719,35 +879,3 @@ var (
 	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
 	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
 )
-
-func init() {
-	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/generated.proto", fileDescriptorGenerated)
-}
-
-var fileDescriptorGenerated = []byte{
-	// 378 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x8f, 0x4f, 0xab, 0x13, 0x31,
-	0x14, 0xc5, 0x27, 0xaf, 0x85, 0x3e, 0xd3, 0xc2, 0x93, 0xb8, 0x70, 0x74, 0x91, 0x79, 0x74, 0xe5,
-	0x5b, 0xbc, 0x04, 0x1e, 0x08, 0x6e, 0x3b, 0xa5, 0xa0, 0x88, 0x20, 0xc1, 0x3f, 0xe0, 0xca, 0x74,
-	0x26, 0x4e, 0xc3, 0xd0, 0x9b, 0x21, 0xcd, 0x38, 0x76, 0xe7, 0x47, 0xf0, 0x63, 0x75, 0xd9, 0x65,
-	0x57, 0xc5, 0x8e, 0x1f, 0xc2, 0xad, 0x34, 0x4d, 0x6b, 0xd5, 0x85, 0xbb, 0xe4, 0x9e, 0xf3, 0x3b,
-	0xf7, 0x1e, 0xfc, 0xbc, 0x7c, 0xb6, 0x60, 0xda, 0xf0, 0xb2, 0x9e, 0x2a, 0x0b, 0xca, 0xa9, 0x05,
-	0xff, 0xac, 0x20, 0x37, 0x96, 0x07, 0x41, 0x56, 0x7a, 0x2e, 0xb3, 0x99, 0x06, 0x65, 0x97, 0xbc,
-	0x2a, 0x0b, 0x6e, 0x6b, 0x70, 0x7a, 0xae, 0x78, 0xa1, 0x40, 0x59, 0xe9, 0x54, 0xce, 0x2a, 0x6b,
-	0x9c, 0x21, 0xc9, 0x01, 0x60, 0xe7, 0x00, 0xab, 0xca, 0x82, 0x05, 0xe0, 0xf1, 0x6d, 0xa1, 0xdd,
-	0xac, 0x9e, 0xb2, 0xcc, 0xcc, 0x79, 0x61, 0x0a, 0xc3, 0x3d, 0x37, 0xad, 0x3f, 0xf9, 0x9f, 0xff,
-	0xf8, 0xd7, 0x21, 0x6f, 0x78, 0x83, 0x07, 0x42, 0x36, 0x93, 0x2f, 0x4e, 0xc1, 0x42, 0x1b, 0x20,
-	0x8f, 0x70, 0xc7, 0xca, 0x26, 0x46, 0xd7, 0xe8, 0xc9, 0x20, 0xed, 0xb5, 0xdb, 0xa4, 0x23, 0x64,
-	0x23, 0xf6, 0xb3, 0xe1, 0x47, 0x7c, 0xf9, 0x66, 0x59, 0xa9, 0x57, 0xca, 0x49, 0x72, 0x87, 0xb1,
-	0xac, 0xf4, 0x3b, 0x65, 0xf7, 0x90, 0x77, 0xdf, 0x4b, 0xc9, 0x6a, 0x9b, 0x44, 0xed, 0x36, 0xc1,
-	0xa3, 0xd7, 0x2f, 0x82, 0x22, 0xce, 0x5c, 0xe4, 0x1a, 0x77, 0x4b, 0x0d, 0x79, 0x7c, 0xe1, 0xdd,
-	0x83, 0xe0, 0xee, 0xbe, 0xd4, 0x90, 0x0b, 0xaf, 0x0c, 0x7f, 0x22, 0xdc, 0x7b, 0x0b, 0x25, 0x98,
-	0x06, 0xc8, 0x7b, 0x7c, 0xe9, 0xc2, 0x36, 0x9f, 0xdf, 0xbf, 0xbb, 0x61, 0xff, 0xe9, 0xce, 0x8e,
-	0xe7, 0xa5, 0xf7, 0x43, 0xf8, 0xe9, 0x60, 0x71, 0x0a, 0x3b, 0x36, 0xbc, 0xf8, 0xb7, 0x21, 0x19,
-	0xe1, 0xab, 0xcc, 0x80, 0x53, 0xe0, 0x26, 0x90, 0x99, 0x5c, 0x43, 0x11, 0x77, 0xfc, 0xb1, 0x0f,
-	0x43, 0xde, 0xd5, 0xf8, 0x4f, 0x59, 0xfc, 0xed, 0x27, 0x4f, 0x71, 0x3f, 0x8c, 0xf6, 0xab, 0xe3,
-	0xae, 0xc7, 0x1f, 0x04, 0xbc, 0x3f, 0xfe, 0x2d, 0x89, 0x73, 0x5f, 0x7a, 0xbb, 0xda, 0xd1, 0x68,
-	0xbd, 0xa3, 0xd1, 0x66, 0x47, 0xa3, 0xaf, 0x2d, 0x45, 0xab, 0x96, 0xa2, 0x75, 0x4b, 0xd1, 0xa6,
-	0xa5, 0xe8, 0x7b, 0x4b, 0xd1, 0xb7, 0x1f, 0x34, 0xfa, 0xd0, 0x0b, 0x45, 0x7f, 0x05, 0x00, 0x00,
-	0xff, 0xff, 0xe3, 0x33, 0x18, 0x0b, 0x50, 0x02, 0x00, 0x00,
-}

vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.pb.go

@@ -17,19 +17,15 @@ limitations under the License.
 // Code generated by protoc-gen-gogo. DO NOT EDIT.
 // source: k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.proto
 
-/*
-Package schema is a generated protocol buffer package.
-
-It is generated from these files:
-	k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.proto
-
-It has these top-level messages:
-*/
 package schema
 
-import proto "github.com/gogo/protobuf/proto"
+import (
-import fmt "fmt"
+	fmt "fmt"
-import math "math"
+
+	math "math"
+
+	proto "github.com/gogo/protobuf/proto"
+)
 
 // Reference imports to suppress errors if they are not otherwise used.
 var _ = proto.Marshal
@@ -43,10 +39,10 @@ var _ = math.Inf
 const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
 
 func init() {
-	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.proto", fileDescriptorGenerated)
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.proto", fileDescriptor_0462724132518e0d)
 }
 
-var fileDescriptorGenerated = []byte{
+var fileDescriptor_0462724132518e0d = []byte{
 	// 185 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x4c, 0xcc, 0xaf, 0x6e, 0xc3, 0x30,
 	0x10, 0xc7, 0x71, 0x9b, 0x0c, 0x0c, 0x0e, 0x0e, 0x1c, 0x1c, 0xda, 0x7c, 0x74, 0xb8, 0x2f, 0x50,

vendor/k8s.io/apimachinery/pkg/runtime/serializer/codec_factory.go

@@ -48,28 +48,40 @@ type serializerType struct {
 	StreamSerializer runtime.Serializer
 }
 
-func newSerializersForScheme(scheme *runtime.Scheme, mf json.MetaFactory) []serializerType {
+func newSerializersForScheme(scheme *runtime.Scheme, mf json.MetaFactory, options CodecFactoryOptions) []serializerType {
-	jsonSerializer := json.NewSerializer(mf, scheme, scheme, false)
+	jsonSerializer := json.NewSerializerWithOptions(
-	jsonPrettySerializer := json.NewSerializer(mf, scheme, scheme, true)
+		mf, scheme, scheme,
-	yamlSerializer := json.NewYAMLSerializer(mf, scheme, scheme)
+		json.SerializerOptions{Yaml: false, Pretty: false, Strict: options.Strict},
-	serializer := protobuf.NewSerializer(scheme, scheme)
+	)
-	raw := protobuf.NewRawSerializer(scheme, scheme)
+	jsonSerializerType := serializerType{
+		AcceptContentTypes: []string{runtime.ContentTypeJSON},
+		ContentType:        runtime.ContentTypeJSON,
+		FileExtensions:     []string{"json"},
+		EncodesAsText:      true,
+		Serializer:         jsonSerializer,
+
+		Framer:           json.Framer,
+		StreamSerializer: jsonSerializer,
+	}
+	if options.Pretty {
+		jsonSerializerType.PrettySerializer = json.NewSerializerWithOptions(
+			mf, scheme, scheme,
+			json.SerializerOptions{Yaml: false, Pretty: true, Strict: options.Strict},
+		)
+	}
+
+	yamlSerializer := json.NewSerializerWithOptions(
+		mf, scheme, scheme,
+		json.SerializerOptions{Yaml: true, Pretty: false, Strict: options.Strict},
+	)
+	protoSerializer := protobuf.NewSerializer(scheme, scheme)
+	protoRawSerializer := protobuf.NewRawSerializer(scheme, scheme)
 
 	serializers := []serializerType{
+		jsonSerializerType,
 		{
-			AcceptContentTypes: []string{"application/json"},
+			AcceptContentTypes: []string{runtime.ContentTypeYAML},
-			ContentType:        "application/json",
+			ContentType:        runtime.ContentTypeYAML,
-			FileExtensions:     []string{"json"},
-			EncodesAsText:      true,
-			Serializer:         jsonSerializer,
-			PrettySerializer:   jsonPrettySerializer,
-
-			Framer:           json.Framer,
-			StreamSerializer: jsonSerializer,
-		},
-		{
-			AcceptContentTypes: []string{"application/yaml"},
-			ContentType:        "application/yaml",
 			FileExtensions:     []string{"yaml"},
 			EncodesAsText:      true,
 			Serializer:         yamlSerializer,
@@ -78,10 +90,10 @@ func newSerializersForScheme(scheme *runtime.Scheme, mf json.MetaFactory) []seri
 			AcceptContentTypes: []string{runtime.ContentTypeProtobuf},
 			ContentType:        runtime.ContentTypeProtobuf,
 			FileExtensions:     []string{"pb"},
-			Serializer:         serializer,
+			Serializer:         protoSerializer,
 
 			Framer:           protobuf.LengthDelimitedFramer,
-			StreamSerializer: raw,
+			StreamSerializer: protoRawSerializer,
 		},
 	}
 
@@ -104,14 +116,56 @@ type CodecFactory struct {
 	legacySerializer runtime.Serializer
 }
 
+// CodecFactoryOptions holds the options for configuring CodecFactory behavior
+type CodecFactoryOptions struct {
+	// Strict configures all serializers in strict mode
+	Strict bool
+	// Pretty includes a pretty serializer along with the non-pretty one
+	Pretty bool
+}
+
+// CodecFactoryOptionsMutator takes a pointer to an options struct and then modifies it.
+// Functions implementing this type can be passed to the NewCodecFactory() constructor.
+type CodecFactoryOptionsMutator func(*CodecFactoryOptions)
+
+// EnablePretty enables including a pretty serializer along with the non-pretty one
+func EnablePretty(options *CodecFactoryOptions) {
+	options.Pretty = true
+}
+
+// DisablePretty disables including a pretty serializer along with the non-pretty one
+func DisablePretty(options *CodecFactoryOptions) {
+	options.Pretty = false
+}
+
+// EnableStrict enables configuring all serializers in strict mode
+func EnableStrict(options *CodecFactoryOptions) {
+	options.Strict = true
+}
+
+// DisableStrict disables configuring all serializers in strict mode
+func DisableStrict(options *CodecFactoryOptions) {
+	options.Strict = false
+}
+
 // NewCodecFactory provides methods for retrieving serializers for the supported wire formats
 // and conversion wrappers to define preferred internal and external versions. In the future,
 // as the internal version is used less, callers may instead use a defaulting serializer and
 // only convert objects which are shared internally (Status, common API machinery).
+//
+// Mutators can be passed to change the CodecFactoryOptions before construction of the factory.
+// It is recommended to explicitly pass mutators instead of relying on defaults.
+// By default, Pretty is enabled -- this is conformant with previously supported behavior.
+//
 // TODO: allow other codecs to be compiled in?
 // TODO: accept a scheme interface
-func NewCodecFactory(scheme *runtime.Scheme) CodecFactory {
+func NewCodecFactory(scheme *runtime.Scheme, mutators ...CodecFactoryOptionsMutator) CodecFactory {
-	serializers := newSerializersForScheme(scheme, json.DefaultMetaFactory)
+	options := CodecFactoryOptions{Pretty: true}
+	for _, fn := range mutators {
+		fn(&options)
+	}
+
+	serializers := newSerializersForScheme(scheme, json.DefaultMetaFactory, options)
 	return newCodecFactory(scheme, serializers)
 }
 

vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/protobuf.go

@@ -203,7 +203,7 @@ func (s *Serializer) Encode(obj runtime.Object, w io.Writer) error {
 	switch t := obj.(type) {
 	case bufferedMarshaller:
 		// this path performs a single allocation during write but requires the caller to implement
-		// the more efficient Size and MarshalTo methods
+		// the more efficient Size and MarshalToSizedBuffer methods
 		encodedSize := uint64(t.Size())
 		estimatedSize := prefixSize + estimateUnknownSize(&unk, encodedSize)
 		data := make([]byte, estimatedSize)
@@ -283,6 +283,12 @@ type bufferedMarshaller interface {
 	runtime.ProtobufMarshaller
 }
 
+// Like bufferedMarshaller, but is able to marshal backwards, which is more efficient since it doesn't call Size() as frequently.
+type bufferedReverseMarshaller interface {
+	proto.Sizer
+	runtime.ProtobufReverseMarshaller
+}
+
 // estimateUnknownSize returns the expected bytes consumed by a given runtime.Unknown
 // object with a nil RawJSON struct and the expected size of the provided buffer. The
 // returned size will not be correct if RawJSOn is set on unk.
@@ -414,6 +420,19 @@ func unmarshalToObject(typer runtime.ObjectTyper, creater runtime.ObjectCreater,
 // Encode serializes the provided object to the given writer. Overrides is ignored.
 func (s *RawSerializer) Encode(obj runtime.Object, w io.Writer) error {
 	switch t := obj.(type) {
+	case bufferedReverseMarshaller:
+		// this path performs a single allocation during write but requires the caller to implement
+		// the more efficient Size and MarshalToSizedBuffer methods
+		encodedSize := uint64(t.Size())
+		data := make([]byte, encodedSize)
+
+		n, err := t.MarshalToSizedBuffer(data)
+		if err != nil {
+			return err
+		}
+		_, err = w.Write(data[:n])
+		return err
+
 	case bufferedMarshaller:
 		// this path performs a single allocation during write but requires the caller to implement
 		// the more efficient Size and MarshalTo methods

vendor/k8s.io/apimachinery/pkg/runtime/serializer/versioning/versioning.go

@@ -230,11 +230,3 @@ func (c *codec) Encode(obj runtime.Object, w io.Writer) error {
 	// Conversion is responsible for setting the proper group, version, and kind onto the outgoing object
 	return c.encoder.Encode(out, w)
 }
-
-// DirectEncoder was moved and renamed to runtime.WithVersionEncoder in 1.15.
-// TODO: remove in 1.16.
-type DirectEncoder = runtime.WithVersionEncoder
-
-// DirectDecoder was moved and renamed to runtime.WithoutVersionDecoder in 1.15.
-// TODO: remove in 1.16.
-type DirectDecoder = runtime.WithoutVersionDecoder

vendor/k8s.io/apimachinery/pkg/runtime/types_proto.go

@@ -24,46 +24,66 @@ type ProtobufMarshaller interface {
 	MarshalTo(data []byte) (int, error)
 }
 
+type ProtobufReverseMarshaller interface {
+	MarshalToSizedBuffer(data []byte) (int, error)
+}
+
 // NestedMarshalTo allows a caller to avoid extra allocations during serialization of an Unknown
-// that will contain an object that implements ProtobufMarshaller.
+// that will contain an object that implements ProtobufMarshaller or ProtobufReverseMarshaller.
 func (m *Unknown) NestedMarshalTo(data []byte, b ProtobufMarshaller, size uint64) (int, error) {
-	var i int
+	// Calculate the full size of the message.
-	_ = i
+	msgSize := m.Size()
-	var l int
+	if b != nil {
-	_ = l
+		msgSize += int(size) + sovGenerated(size) + 1
-	data[i] = 0xa
+	}
-	i++
+
-	i = encodeVarintGenerated(data, i, uint64(m.TypeMeta.Size()))
+	// Reverse marshal the fields of m.
-	n1, err := m.TypeMeta.MarshalTo(data[i:])
+	i := msgSize
+	i -= len(m.ContentType)
+	copy(data[i:], m.ContentType)
+	i = encodeVarintGenerated(data, i, uint64(len(m.ContentType)))
+	i--
+	data[i] = 0x22
+	i -= len(m.ContentEncoding)
+	copy(data[i:], m.ContentEncoding)
+	i = encodeVarintGenerated(data, i, uint64(len(m.ContentEncoding)))
+	i--
+	data[i] = 0x1a
+	if b != nil {
+		if r, ok := b.(ProtobufReverseMarshaller); ok {
+			n1, err := r.MarshalToSizedBuffer(data[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= int(size)
+			if uint64(n1) != size {
+				// programmer error: the Size() method for protobuf does not match the results of LashramOt, which means the proto
+				// struct returned would be wrong.
+				return 0, fmt.Errorf("the Size() value of %T was %d, but NestedMarshalTo wrote %d bytes to data", b, size, n1)
+			}
+		} else {
+			i -= int(size)
+			n1, err := b.MarshalTo(data[i:])
+			if err != nil {
+				return 0, err
+			}
+			if uint64(n1) != size {
+				// programmer error: the Size() method for protobuf does not match the results of MarshalTo, which means the proto
+				// struct returned would be wrong.
+				return 0, fmt.Errorf("the Size() value of %T was %d, but NestedMarshalTo wrote %d bytes to data", b, size, n1)
+			}
+		}
+		i = encodeVarintGenerated(data, i, size)
+		i--
+		data[i] = 0x12
+	}
+	n2, err := m.TypeMeta.MarshalToSizedBuffer(data[:i])
 	if err != nil {
 		return 0, err
 	}
-	i += n1
+	i -= n2
-
+	i = encodeVarintGenerated(data, i, uint64(n2))
-	if b != nil {
+	i--
-		data[i] = 0x12
+	data[i] = 0xa
-		i++
+	return msgSize - i, nil
-		i = encodeVarintGenerated(data, i, size)
-		n2, err := b.MarshalTo(data[i:])
-		if err != nil {
-			return 0, err
-		}
-		if uint64(n2) != size {
-			// programmer error: the Size() method for protobuf does not match the results of MarshalTo, which means the proto
-			// struct returned would be wrong.
-			return 0, fmt.Errorf("the Size() value of %T was %d, but NestedMarshalTo wrote %d bytes to data", b, size, n2)
-		}
-		i += n2
-	}
-
-	data[i] = 0x1a
-	i++
-	i = encodeVarintGenerated(data, i, uint64(len(m.ContentEncoding)))
-	i += copy(data[i:], m.ContentEncoding)
-
-	data[i] = 0x22
-	i++
-	i = encodeVarintGenerated(data, i, uint64(len(m.ContentType)))
-	i += copy(data[i:], m.ContentType)
-	return i, nil
 }

vendor/k8s.io/apimachinery/pkg/util/clock/clock.go

@@ -80,7 +80,6 @@ type fakeClockWaiter struct {
 	stepInterval  time.Duration
 	skipIfBlocked bool
 	destChan      chan time.Time
-	fired         bool
 }
 
 func NewFakeClock(t time.Time) *FakeClock {
@@ -175,12 +174,10 @@ func (f *FakeClock) setTimeLocked(t time.Time) {
 			if w.skipIfBlocked {
 				select {
 				case w.destChan <- t:
-					w.fired = true
 				default:
 				}
 			} else {
 				w.destChan <- t
-				w.fired = true
 			}
 
 			if w.stepInterval > 0 {
@@ -287,36 +284,50 @@ func (f *fakeTimer) C() <-chan time.Time {
 	return f.waiter.destChan
 }
 
-// Stop stops the timer and returns true if the timer has not yet fired, or false otherwise.
+// Stop conditionally stops the timer.  If the timer has neither fired
+// nor been stopped then this call stops the timer and returns true,
+// otherwise this call returns false.  This is like time.Timer::Stop.
 func (f *fakeTimer) Stop() bool {
 	f.fakeClock.lock.Lock()
 	defer f.fakeClock.lock.Unlock()
-
+	// The timer has already fired or been stopped, unless it is found
-	newWaiters := make([]fakeClockWaiter, 0, len(f.fakeClock.waiters))
+	// among the clock's waiters.
-	for i := range f.fakeClock.waiters {
+	stopped := false
-		w := &f.fakeClock.waiters[i]
+	oldWaiters := f.fakeClock.waiters
-		if w != &f.waiter {
+	newWaiters := make([]fakeClockWaiter, 0, len(oldWaiters))
-			newWaiters = append(newWaiters, *w)
+	seekChan := f.waiter.destChan
+	for i := range oldWaiters {
+		// Identify the timer's fakeClockWaiter by the identity of the
+		// destination channel, nothing else is necessarily unique and
+		// constant since the timer's creation.
+		if oldWaiters[i].destChan == seekChan {
+			stopped = true
+		} else {
+			newWaiters = append(newWaiters, oldWaiters[i])
 		}
 	}
 
 	f.fakeClock.waiters = newWaiters
 
-	return !f.waiter.fired
+	return stopped
 }
 
-// Reset resets the timer to the fake clock's "now" + d. It returns true if the timer has not yet
+// Reset conditionally updates the firing time of the timer.  If the
-// fired, or false otherwise.
+// timer has neither fired nor been stopped then this call resets the
+// timer to the fake clock's "now" + d and returns true, otherwise
+// this call returns false.  This is like time.Timer::Reset.
 func (f *fakeTimer) Reset(d time.Duration) bool {
 	f.fakeClock.lock.Lock()
 	defer f.fakeClock.lock.Unlock()
-
+	waiters := f.fakeClock.waiters
-	active := !f.waiter.fired
+	seekChan := f.waiter.destChan
-
+	for i := range waiters {
-	f.waiter.fired = false
+		if waiters[i].destChan == seekChan {
-	f.waiter.targetTime = f.fakeClock.time.Add(d)
+			waiters[i].targetTime = f.fakeClock.time.Add(d)
-
+			return true
-	return active
+		}
+	}
+	return false
 }
 
 type Ticker interface {

vendor/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go

@@ -17,22 +17,17 @@ limitations under the License.
 // Code generated by protoc-gen-gogo. DO NOT EDIT.
 // source: k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto
 
-/*
-	Package intstr is a generated protocol buffer package.
-
-	It is generated from these files:
-		k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto
-
-	It has these top-level messages:
-		IntOrString
-*/
 package intstr
 
-import proto "github.com/gogo/protobuf/proto"
+import (
-import fmt "fmt"
+	fmt "fmt"
-import math "math"
 
-import io "io"
+	io "io"
+	math "math"
+	math_bits "math/bits"
+
+	proto "github.com/gogo/protobuf/proto"
+)
 
 // Reference imports to suppress errors if they are not otherwise used.
 var _ = proto.Marshal
@@ -45,17 +40,69 @@ var _ = math.Inf
 // proto package needs to be updated.
 const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
 
-func (m *IntOrString) Reset()                    { *m = IntOrString{} }
+func (m *IntOrString) Reset()      { *m = IntOrString{} }
-func (*IntOrString) ProtoMessage()               {}
+func (*IntOrString) ProtoMessage() {}
-func (*IntOrString) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+func (*IntOrString) Descriptor() ([]byte, []int) {
+	return fileDescriptor_94e046ae3ce6121c, []int{0}
+}
+func (m *IntOrString) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *IntOrString) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *IntOrString) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_IntOrString.Merge(m, src)
+}
+func (m *IntOrString) XXX_Size() int {
+	return m.Size()
+}
+func (m *IntOrString) XXX_DiscardUnknown() {
+	xxx_messageInfo_IntOrString.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_IntOrString proto.InternalMessageInfo
 
 func init() {
 	proto.RegisterType((*IntOrString)(nil), "k8s.io.apimachinery.pkg.util.intstr.IntOrString")
 }
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto", fileDescriptor_94e046ae3ce6121c)
+}
+
+var fileDescriptor_94e046ae3ce6121c = []byte{
+	// 292 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x4c, 0x8f, 0x31, 0x4b, 0x33, 0x31,
+	0x1c, 0xc6, 0x93, 0xb7, 0x7d, 0x8b, 0x9e, 0xe0, 0x50, 0x1c, 0x8a, 0x43, 0x7a, 0x28, 0xc8, 0x0d,
+	0x9a, 0xac, 0xe2, 0xd8, 0xad, 0x20, 0x08, 0x57, 0x71, 0x70, 0xbb, 0x6b, 0x63, 0x1a, 0xae, 0x4d,
+	0x42, 0xee, 0x7f, 0xc2, 0x6d, 0xfd, 0x08, 0xba, 0x39, 0xfa, 0x71, 0x6e, 0xec, 0xd8, 0x41, 0x8a,
+	0x17, 0xbf, 0x85, 0x93, 0x5c, 0xee, 0x40, 0xa7, 0xe4, 0x79, 0x9e, 0xdf, 0x2f, 0x90, 0xe0, 0x36,
+	0xbb, 0xce, 0xa9, 0xd4, 0x2c, 0x2b, 0x52, 0x6e, 0x15, 0x07, 0x9e, 0xb3, 0x67, 0xae, 0x16, 0xda,
+	0xb2, 0x6e, 0x48, 0x8c, 0x5c, 0x27, 0xf3, 0xa5, 0x54, 0xdc, 0x96, 0xcc, 0x64, 0x82, 0x15, 0x20,
+	0x57, 0x4c, 0x2a, 0xc8, 0xc1, 0x32, 0xc1, 0x15, 0xb7, 0x09, 0xf0, 0x05, 0x35, 0x56, 0x83, 0x1e,
+	0x9e, 0xb7, 0x12, 0xfd, 0x2b, 0x51, 0x93, 0x09, 0xda, 0x48, 0xb4, 0x95, 0x4e, 0xaf, 0x84, 0x84,
+	0x65, 0x91, 0xd2, 0xb9, 0x5e, 0x33, 0xa1, 0x85, 0x66, 0xde, 0x4d, 0x8b, 0x27, 0x9f, 0x7c, 0xf0,
+	0xb7, 0xf6, 0xcd, 0xb3, 0x57, 0x1c, 0x1c, 0x4d, 0x15, 0xdc, 0xd9, 0x19, 0x58, 0xa9, 0xc4, 0x30,
+	0x0a, 0xfa, 0x50, 0x1a, 0x3e, 0xc2, 0x21, 0x8e, 0x7a, 0x93, 0x93, 0x6a, 0x3f, 0x46, 0x6e, 0x3f,
+	0xee, 0xdf, 0x97, 0x86, 0x7f, 0x77, 0x67, 0xec, 0x89, 0xe1, 0x45, 0x30, 0x90, 0x0a, 0x1e, 0x92,
+	0xd5, 0xe8, 0x5f, 0x88, 0xa3, 0xff, 0x93, 0xe3, 0x8e, 0x1d, 0x4c, 0x7d, 0x1b, 0x77, 0x6b, 0xc3,
+	0xe5, 0x60, 0x1b, 0xae, 0x17, 0xe2, 0xe8, 0xf0, 0x97, 0x9b, 0xf9, 0x36, 0xee, 0xd6, 0x9b, 0x83,
+	0xb7, 0xf7, 0x31, 0xda, 0x7c, 0x84, 0x68, 0x72, 0x59, 0xd5, 0x04, 0x6d, 0x6b, 0x82, 0x76, 0x35,
+	0x41, 0x1b, 0x47, 0x70, 0xe5, 0x08, 0xde, 0x3a, 0x82, 0x77, 0x8e, 0xe0, 0x4f, 0x47, 0xf0, 0xcb,
+	0x17, 0x41, 0x8f, 0x83, 0xf6, 0xc3, 0x3f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x52, 0xa0, 0xb5, 0xc9,
+	0x64, 0x01, 0x00, 0x00,
+}
+
 func (m *IntOrString) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
-	n, err := m.MarshalTo(dAtA)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
 	if err != nil {
 		return nil, err
 	}
@@ -63,33 +110,44 @@ func (m *IntOrString) Marshal() (dAtA []byte, err error) {
 }
 
 func (m *IntOrString) MarshalTo(dAtA []byte) (int, error) {
-	var i int
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *IntOrString) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
 	_ = i
 	var l int
 	_ = l
-	dAtA[i] = 0x8
+	i -= len(m.StrVal)
-	i++
+	copy(dAtA[i:], m.StrVal)
-	i = encodeVarintGenerated(dAtA, i, uint64(m.Type))
-	dAtA[i] = 0x10
-	i++
-	i = encodeVarintGenerated(dAtA, i, uint64(m.IntVal))
-	dAtA[i] = 0x1a
-	i++
 	i = encodeVarintGenerated(dAtA, i, uint64(len(m.StrVal)))
-	i += copy(dAtA[i:], m.StrVal)
+	i--
-	return i, nil
+	dAtA[i] = 0x1a
+	i = encodeVarintGenerated(dAtA, i, uint64(m.IntVal))
+	i--
+	dAtA[i] = 0x10
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Type))
+	i--
+	dAtA[i] = 0x8
+	return len(dAtA) - i, nil
 }
 
 func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	offset -= sovGenerated(v)
+	base := offset
 	for v >= 1<<7 {
 		dAtA[offset] = uint8(v&0x7f | 0x80)
 		v >>= 7
 		offset++
 	}
 	dAtA[offset] = uint8(v)
-	return offset + 1
+	return base
 }
 func (m *IntOrString) Size() (n int) {
+	if m == nil {
+		return 0
+	}
 	var l int
 	_ = l
 	n += 1 + sovGenerated(uint64(m.Type))
@@ -100,14 +158,7 @@ func (m *IntOrString) Size() (n int) {
 }
 
 func sovGenerated(x uint64) (n int) {
-	for {
+	return (math_bits.Len64(x|1) + 6) / 7
-		n++
-		x >>= 7
-		if x == 0 {
-			break
-		}
-	}
-	return n
 }
 func sozGenerated(x uint64) (n int) {
 	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
@@ -127,7 +178,7 @@ func (m *IntOrString) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= (uint64(b) & 0x7F) << shift
+			wire |= uint64(b&0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@@ -155,7 +206,7 @@ func (m *IntOrString) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				m.Type |= (Type(b) & 0x7F) << shift
+				m.Type |= Type(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@@ -174,7 +225,7 @@ func (m *IntOrString) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				m.IntVal |= (int32(b) & 0x7F) << shift
+				m.IntVal |= int32(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@@ -193,7 +244,7 @@ func (m *IntOrString) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= (uint64(b) & 0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@@ -203,6 +254,9 @@ func (m *IntOrString) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthGenerated
 			}
 			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@@ -217,6 +271,9 @@ func (m *IntOrString) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthGenerated
 			}
+			if (iNdEx + skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@@ -283,10 +340,13 @@ func skipGenerated(dAtA []byte) (n int, err error) {
 					break
 				}
 			}
-			iNdEx += length
 			if length < 0 {
 				return 0, ErrInvalidLengthGenerated
 			}
+			iNdEx += length
+			if iNdEx < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
 			return iNdEx, nil
 		case 3:
 			for {
@@ -315,6 +375,9 @@ func skipGenerated(dAtA []byte) (n int, err error) {
 					return 0, err
 				}
 				iNdEx = start + next
+				if iNdEx < 0 {
+					return 0, ErrInvalidLengthGenerated
+				}
 			}
 			return iNdEx, nil
 		case 4:
@@ -333,30 +396,3 @@ var (
 	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
 	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
 )
-
-func init() {
-	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto", fileDescriptorGenerated)
-}
-
-var fileDescriptorGenerated = []byte{
-	// 292 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x4c, 0x8f, 0x31, 0x4b, 0x33, 0x31,
-	0x1c, 0xc6, 0x93, 0xb7, 0x7d, 0x8b, 0x9e, 0xe0, 0x50, 0x1c, 0x8a, 0x43, 0x7a, 0x28, 0xc8, 0x0d,
-	0x9a, 0xac, 0xe2, 0xd8, 0xad, 0x20, 0x08, 0x57, 0x71, 0x70, 0xbb, 0x6b, 0x63, 0x1a, 0xae, 0x4d,
-	0x42, 0xee, 0x7f, 0xc2, 0x6d, 0xfd, 0x08, 0xba, 0x39, 0xfa, 0x71, 0x6e, 0xec, 0xd8, 0x41, 0x8a,
-	0x17, 0xbf, 0x85, 0x93, 0x5c, 0xee, 0x40, 0xa7, 0xe4, 0x79, 0x9e, 0xdf, 0x2f, 0x90, 0xe0, 0x36,
-	0xbb, 0xce, 0xa9, 0xd4, 0x2c, 0x2b, 0x52, 0x6e, 0x15, 0x07, 0x9e, 0xb3, 0x67, 0xae, 0x16, 0xda,
-	0xb2, 0x6e, 0x48, 0x8c, 0x5c, 0x27, 0xf3, 0xa5, 0x54, 0xdc, 0x96, 0xcc, 0x64, 0x82, 0x15, 0x20,
-	0x57, 0x4c, 0x2a, 0xc8, 0xc1, 0x32, 0xc1, 0x15, 0xb7, 0x09, 0xf0, 0x05, 0x35, 0x56, 0x83, 0x1e,
-	0x9e, 0xb7, 0x12, 0xfd, 0x2b, 0x51, 0x93, 0x09, 0xda, 0x48, 0xb4, 0x95, 0x4e, 0xaf, 0x84, 0x84,
-	0x65, 0x91, 0xd2, 0xb9, 0x5e, 0x33, 0xa1, 0x85, 0x66, 0xde, 0x4d, 0x8b, 0x27, 0x9f, 0x7c, 0xf0,
-	0xb7, 0xf6, 0xcd, 0xb3, 0x57, 0x1c, 0x1c, 0x4d, 0x15, 0xdc, 0xd9, 0x19, 0x58, 0xa9, 0xc4, 0x30,
-	0x0a, 0xfa, 0x50, 0x1a, 0x3e, 0xc2, 0x21, 0x8e, 0x7a, 0x93, 0x93, 0x6a, 0x3f, 0x46, 0x6e, 0x3f,
-	0xee, 0xdf, 0x97, 0x86, 0x7f, 0x77, 0x67, 0xec, 0x89, 0xe1, 0x45, 0x30, 0x90, 0x0a, 0x1e, 0x92,
-	0xd5, 0xe8, 0x5f, 0x88, 0xa3, 0xff, 0x93, 0xe3, 0x8e, 0x1d, 0x4c, 0x7d, 0x1b, 0x77, 0x6b, 0xc3,
-	0xe5, 0x60, 0x1b, 0xae, 0x17, 0xe2, 0xe8, 0xf0, 0x97, 0x9b, 0xf9, 0x36, 0xee, 0xd6, 0x9b, 0x83,
-	0xb7, 0xf7, 0x31, 0xda, 0x7c, 0x84, 0x68, 0x72, 0x59, 0xd5, 0x04, 0x6d, 0x6b, 0x82, 0x76, 0x35,
-	0x41, 0x1b, 0x47, 0x70, 0xe5, 0x08, 0xde, 0x3a, 0x82, 0x77, 0x8e, 0xe0, 0x4f, 0x47, 0xf0, 0xcb,
-	0x17, 0x41, 0x8f, 0x83, 0xf6, 0xc3, 0x3f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x52, 0xa0, 0xb5, 0xc9,
-	0x64, 0x01, 0x00, 0x00,
-}

vendor/k8s.io/apimachinery/pkg/util/intstr/intstr.go

@@ -122,11 +122,11 @@ func (intstr IntOrString) MarshalJSON() ([]byte, error) {
 // the OpenAPI spec of this type.
 //
 // See: https://github.com/kubernetes/kube-openapi/tree/master/pkg/generators
-func (_ IntOrString) OpenAPISchemaType() []string { return []string{"string"} }
+func (IntOrString) OpenAPISchemaType() []string { return []string{"string"} }
 
 // OpenAPISchemaFormat is used by the kube-openapi generator when constructing
 // the OpenAPI spec of this type.
-func (_ IntOrString) OpenAPISchemaFormat() string { return "int-or-string" }
+func (IntOrString) OpenAPISchemaFormat() string { return "int-or-string" }
 
 func (intstr *IntOrString) Fuzz(c fuzz.Continue) {
 	if intstr == nil {

vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go

@@ -40,11 +40,7 @@ var PanicHandlers = []func(interface{}){logPanic}
 // called in case of panic.  HandleCrash actually crashes, after calling the
 // handlers and logging the panic message.
 //
-// TODO: remove this function. We are switching to a world where it's safe for
+// E.g., you can provide one or more additional handlers for something like shutting down go routines gracefully.
-// apiserver to panic, since it will be restarted by kubelet. At the beginning
-// of the Kubernetes project, nothing was going to restart apiserver and so
-// catching panics was important. But it's actually much simpler for monitoring
-// software if we just exit when an unexpected panic happens.
 func HandleCrash(additionalHandlers ...func(interface{})) {
 	if r := recover(); r != nil {
 		for _, fn := range PanicHandlers {

vendor/modules.txt

@@ -45,7 +45,7 @@ github.com/containernetworking/cni/pkg/version
 github.com/containernetworking/cni/pkg/types/020
 # github.com/containernetworking/plugins v0.8.1
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.8.4-0.20190821140209-376e52ee0142
+# github.com/containers/buildah v1.11.0
 github.com/containers/buildah
 github.com/containers/buildah/imagebuildah
 github.com/containers/buildah/pkg/chrootuser
@@ -60,6 +60,7 @@ github.com/containers/buildah/docker
 github.com/containers/buildah/pkg/blobcache
 github.com/containers/buildah/pkg/overlay
 github.com/containers/buildah/pkg/unshare
+github.com/containers/buildah/pkg/cgroups
 # github.com/containers/image v3.0.2+incompatible
 github.com/containers/image/directory
 github.com/containers/image/docker
@@ -240,7 +241,7 @@ github.com/fsouza/go-dockerclient/internal/term
 github.com/ghodss/yaml
 # github.com/godbus/dbus v0.0.0-20181101234600-2ff6f7ffd60f
 github.com/godbus/dbus
-# github.com/gogo/protobuf v1.2.1
+# github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d
 github.com/gogo/protobuf/proto
 github.com/gogo/protobuf/sortkeys
 # github.com/golang/protobuf v1.3.1
@@ -269,7 +270,7 @@ github.com/imdario/mergo
 github.com/inconshreveable/mousetrap
 # github.com/ishidawataru/sctp v0.0.0-20180918013207-6e2cb1366111
 github.com/ishidawataru/sctp
-# github.com/json-iterator/go v1.1.6
+# github.com/json-iterator/go v1.1.7
 github.com/json-iterator/go
 # github.com/klauspost/compress v1.7.2
 github.com/klauspost/compress/zstd
@@ -366,6 +367,8 @@ github.com/opencontainers/runtime-tools/error
 # github.com/opencontainers/selinux v1.3.0
 github.com/opencontainers/selinux/go-selinux/label
 github.com/opencontainers/selinux/go-selinux
+# github.com/openshift/api v3.9.1-0.20190810003144-27fb16909b15+incompatible
+github.com/openshift/api/config/v1
 # github.com/openshift/imagebuilder v1.1.0
 github.com/openshift/imagebuilder
 github.com/openshift/imagebuilder/dockerfile/parser
@@ -539,9 +542,9 @@ gopkg.in/inf.v0
 gopkg.in/tomb.v1
 # gopkg.in/yaml.v2 v2.2.2
 gopkg.in/yaml.v2
-# k8s.io/api v0.0.0-20190624085159-95846d7ef82a
+# k8s.io/api v0.0.0-20190813020757-36bff7324fb7
 k8s.io/api/core/v1
-# k8s.io/apimachinery v0.0.0-20190624085041-961b39a1baa0
+# k8s.io/apimachinery v0.0.0-20190809020650-423f5d784010
 k8s.io/apimachinery/pkg/apis/meta/v1
 k8s.io/apimachinery/pkg/util/runtime
 k8s.io/apimachinery/pkg/api/resource