From 13ef12bae0666a1483fa5868d82be19738e53a4b Mon Sep 17 00:00:00 2001 From: "donatohorn@gmail.com" Date: Mon, 18 Jul 2022 21:56:01 -0300 Subject: [PATCH 001/272] [pt-br] add content/pt-br/docs/tasks/configure-pod-container/share-process-namespace.md --- .../share-process-namespace.md | 131 ++++++++++++++++++ .../pods/share-process-namespace.yaml | 17 +++ 2 files changed, 148 insertions(+) create mode 100644 content/pt-br/docs/tasks/configure-pod-container/share-process-namespace.md create mode 100644 content/pt-br/examples/pods/share-process-namespace.yaml diff --git a/content/pt-br/docs/tasks/configure-pod-container/share-process-namespace.md b/content/pt-br/docs/tasks/configure-pod-container/share-process-namespace.md new file mode 100644 index 00000000000..d3161a8ad14 --- /dev/null +++ b/content/pt-br/docs/tasks/configure-pod-container/share-process-namespace.md @@ -0,0 +1,131 @@ +--- +title: Compartilhando o Namespace de Processo Entre Contêineres em um Pod +update_date: 2022-07-16 +origin_version: 1.24 +contributors: DonatoHorn +reviewers: +- verb +- yujuhong +- dchen1107 +content_type: task +weight: 160 +--- + + + +Esta página mostra como configurar o compartilhamento de namespace de processos para um Pod. Quando +O compartilhamento de namespace de processos está ativado, os processos em um Contêiner são visíveis +para todos os outros Contêineres no mesmo Pod. + +Você pode usar este recurso para configurar Contêineres de cooperação, como um manipulador de log +`sidecar` de contêiner, ou para solucionar problemas em imagens de contêiner que não +incluem utilitários de depuração como um shell. + +## {{% heading "prerequisites" %}} + +{{< include "task-tutorial-prereqs.md" >}} + + + +## Configure um pod + +O compartilhamento de namespace de processos é ativado usando o campo `shareProcessNamespace` da +`.spec` para um Pod. Por exemplo: + +{{< codenew file="pods/share-process-namespace.yaml" >}} + +1. Crie o pod `nginx` no seu cluster: + + ```shell + kubectl apply -f https://k8s.io/examples/pods/share-process-namespace.yaml + ``` + +1. Conecte ao `shell` do contêiner e execute o comando `ps`: + + ```shell + kubectl attach -it nginx -c shell + ``` + + Se você não vir um prompt de comando, tente pressionar Enter. No shell do Contêiner execute: + + ```shell + # execute este comando dentro do "shell" do contêiner + ps ax + ``` + + A saída é semelhante a esta: + + ```none + PID USER TIME COMMAND + 1 root 0:00 /pause + 8 root 0:00 nginx: master process nginx -g daemon off; + 14 101 0:00 nginx: worker process + 15 root 0:00 sh + 21 root 0:00 ps ax + ``` + +Você pode sinalizar processos em outros Contêineres. Por exemplo, mandando `SIGHUP` ao +`nginx` para restartar o processo `worker`. Isso requer a capacidade `SYS_PTRACE`. + +```shell +# execute este comando dentro do "shell" do contêiner +kill -HUP 8 # substitua o "8" pelo PID do processo principal do nginx, se necessário +ps ax +``` + +A saída é semelhante a esta: + +```none +PID USER TIME COMMAND + 1 root 0:00 /pause + 8 root 0:00 nginx: master process nginx -g daemon off; + 15 root 0:00 sh + 22 101 0:00 nginx: worker process + 23 root 0:00 ps ax +``` + +É até possível acessar o sistema de arquivos de outro contêiner usando o link +`/proc/$pid/root`. + +```shell +# execute este comando dentro do "shell" do contêiner +# substitua o "8" pelo PID do processo Nginx, se necessario +head /proc/8/root/etc/nginx/nginx.conf +``` + +A saída é semelhante a esta: + +```none +user nginx; +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +``` + + + +## Compreendendo o compartilhamento de namespace de processos + +Os Pods compartilham muitos recursos, por isso faz sentido que eles também compartilhem um namespace de processo. +Alguns Contêineres podem esperar serem isolados de outros, no entanto, +por isso, é importante entender as diferenças: + +1. **O processo de contêiner não tem mais o PID 1.** Alguns Contêineres recusam + começar sem o PID 1 (por exemplo, contêineres usando `systemd`) ou executando comandos + como `kill -HUP 1` para sinalizar o processo de Contêiner. Em pods com um + namespace de processos compartilhado, `kill -HUP 1` irá sinalizar a `sandbox` + (`/pause` no exemplo acima). + +1. **Os processos são visíveis para outros contêineres no Pod.** Isso inclui todas + informações visíveis em `/proc`, como senhas que foram passadas como argumentos + ou variáveis de ambiente. Estes são protegidos apenas por permissões regulares do Unix. + +1. **Sistema de arquivos do Contêiner são visíveis para outros Contêineres do pod através do link + `/proc/$pid/root`.** Isso facilita a depuração, mas também significa + que os segredos do sistema de arquivos, são protegidos apenas por permissões de sistema de arquivos. + diff --git a/content/pt-br/examples/pods/share-process-namespace.yaml b/content/pt-br/examples/pods/share-process-namespace.yaml new file mode 100644 index 00000000000..bd48bf0ff6e --- /dev/null +++ b/content/pt-br/examples/pods/share-process-namespace.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx +spec: + shareProcessNamespace: true + containers: + - name: nginx + image: nginx + - name: shell + image: busybox:1.28 + securityContext: + capabilities: + add: + - SYS_PTRACE + stdin: true + tty: true From 14a6477abb696f535efad4fb718a69c1d7b1d4b3 Mon Sep 17 00:00:00 2001 From: "donatohorn@gmail.com" Date: Mon, 18 Jul 2022 22:26:15 -0300 Subject: [PATCH 002/272] [pt-br] add content/pt-br/docs/tasks/configure-pod-container/static-pod.md --- .../configure-pod-container/static-pod.md | 248 ++++++++++++++++++ 1 file changed, 248 insertions(+) create mode 100644 content/pt-br/docs/tasks/configure-pod-container/static-pod.md diff --git a/content/pt-br/docs/tasks/configure-pod-container/static-pod.md b/content/pt-br/docs/tasks/configure-pod-container/static-pod.md new file mode 100644 index 00000000000..c7609582745 --- /dev/null +++ b/content/pt-br/docs/tasks/configure-pod-container/static-pod.md @@ -0,0 +1,248 @@ +--- +title: Criando Pods Estáticos +weight: 170 +content_type: task +update_date: 2022-07-16 +origin_version: 1.24 +contributors: DonatoHorn +reviewers: +- jsafrane +--- + + + + +*Pods Estáticos* são gerenciados diretamente pelo `daemon` kubelet em um nó específico, +sem o {{< glossary_tooltip text="servidor de API" term_id="kube-apiserver" >}} +observando-os. +Ao contrário dos pods que são gerenciados pelo `Control Plane` (por exemplo, uma +{{< glossary_tooltip text="Implantação" term_id="deployment" >}}); +em vez disso, o kubelet observa cada Pod estático +(e reinicia-os se falharem). + +Pods estáticos estão sempre ligados a um {{< glossary_tooltip term_id="kubelet" >}} em um nó específico. + +O Kubelet tenta automaticamente criar um {{< glossary_tooltip text="mirror Pod" term_id="mirror-pod" >}} +no servidor de API do Kubernetes para cada Pod estático. +Isso significa que os pods em execução em um nó são visíveis no servidor de API, +mas não podem ser controlados a partir daí. +Aos nomes de Pods será acrescido um sufixo com o nome de host do nó, com um hífem. + + +{{< note >}} +Se você está executando um cluster Kubernetes, usando Pods estáticos para executar um Pod em cada Nó, +provávelmente você deveria estar usando um {{< glossary_tooltip text="DaemonSet" term_id="daemonset" >}} em substituição. +{{< /note >}} + +{{< note >}} +A `especificação` de um Pod estático não pode referir-se à outros objetos da API +(ex., {{< glossary_tooltip text="Conta de Serviço" term_id="service-account" >}}, +{{< glossary_tooltip text="Mapa de Configuração" term_id="configmap" >}}, +{{< glossary_tooltip text="Segredo" term_id="secret" >}}, etc). +{{< /note >}} + +## {{% heading "prerequisites" %}} + +{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}} + +Esta página assume que você está usando um {{< glossary_tooltip term_id="cri-o" >}} para executar os Pods, +e que seus nós estão executando o sistema operacional Fedora. +Instruções para outras distribuições, ou instalações de Kubernetes, podem variar. + + + +## Crie um pod estático {#static-pod-creation} + +Você pode configurar um Pod estático com um [arquivo de configuração hospedado no sistema de arquivos](/docs/tasks/configure-pod-container/static-pod/#configuration-files) ou um [arquivo de configuração hospedado na Web](/docs/tasks/configure-pod-container/static-pod/#pods-created-via-http). + +### Manifesto do Pod estático hospedado no sistema de arquivos {#configuration-files} + +Os manifestos, são definições de Pod padrão em formato JSON ou YAML em um diretório específico. Use o campo `staticPodPath: ` no +[arquivo de configuração do kubelet](/docs/reference/config-api/kubelet-config.v1beta1/), +que periodicamente varre o diretório e cria/exclui Pods estáticos conforme os arquivos YAML/JSON aparecem/desaparecem. +Observe que o Kubelet ignorará os arquivos começando com pontos ao varrer o diretório especificado. + +Por exemplo, como iniciar um servidor Web simples como um Pod estático + +1. Escolha um nó onde você deseja executar um Pod estático. Neste exemplo, é `my-node1`. + + ```shell + ssh my-node1 + ``` + +2. Escolha um diretório, digamos `/etc/kubernetes/manifests` e coloque uma definição de pod para um servidor web lá, por exemplo `/etc/kubernetes/manifests/static-web.yaml`: + + ```shell + # Execute este comando no nó onde o Kubelet está funcionando + mkdir -p /etc/kubernetes/manifests/ + cat </etc/kubernetes/manifests/static-web.yaml + apiVersion: v1 + kind: Pod + metadata: + name: static-web + labels: + role: myrole + spec: + containers: + - name: web + image: nginx + ports: + - name: web + containerPort: 80 + protocol: TCP + EOF + ``` + +3. Configure seu kubelet no nó para usar este diretório executando-o com o argumento `--pod-manifest-path=/etc/kubernetes/manifests/`. No Fedora, edite o arquivo `/etc/kubernetes/kubelet` para incluir esta linha: + + ``` + KUBELET_ARGS="--cluster-dns=10.254.0.10 --cluster-domain=kube.local --pod-manifest-path=/etc/kubernetes/manifests/" + ``` + ou adicione o campo `staticPodPath: ` no + [arquivo de configuração do kubelet](/docs/reference/config-api/kubelet-config.v1beta1/). + +4. Reinicie o kubelet. No Fedora, você poderia executar: + + ```shell + # Execute este comando no nó onde o kubelet está funcionando + systemctl restart kubelet + ``` + +### Manifesto do Pod estático hospedado na Web {#pods-created-via-http} + +O Kubelet baixa periodicamente um arquivo especificado pelo argumento `--manifest-url=` +e interpreta-o como um arquivo JSON/YAML que contém as definições do Pod. +Similar ao que [manifestos hospedados no sistema de arquivos](#configuration-files) fazem, o kubelet +reexamina o manifesto em um agendamento. Se houver alterações na lista de Pods estáticos, o kubelet aplica-os. + +Para usar esta abordagem: + +1. Crie um arquivo YAML e armazene-o em um servidor da Web, para que você possa passar o URL desse arquivo para o Kubelet. + + ```yaml + apiVersion: v1 + kind: Pod + metadata: + name: static-web + labels: + role: myrole + spec: + containers: + - name: web + image: nginx + ports: + - name: web + containerPort: 80 + protocol: TCP + ``` + +2. Configure o kubelet no seu nó selecionado para usar este manifesto da Web, executando-o com `--manifest-url=`. No Fedora, edite `/etc/kubernetes/kubelet` para incluir esta linha: + + ``` + KUBELET_ARGS="--cluster-dns=10.254.0.10 --cluster-domain=kube.local --manifest-url=" + ``` + +3. Reinicie o Kubelet. No Fedora, você usaria: + + ```shell + # Execute este comando no nó onde o kubelet está funcionando + systemctl restart kubelet + ``` + +## Observe o comportamento do Pod estático {#behavior-of-static-pods} + +Quando o kubelet começa, inicia automaticamente todos os pods estáticos definidos. +Como você definiu um Pod estático e reiniciou o kubelet, o novo pod estático deveria +já estar em execução. + +Você pode ver os Contêineres em execução (incluindo os Pods estáticos) ao executar (no Nó): + +```shell +# Execute este comando no nó onde o kubelet está funcionando +crictl ps +``` + +A saída pode ser algo como: + +```console +CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID +129fd7d382018 docker.io/library/nginx@sha256:... 11 minutes ago Running web 0 34533c6729106 +``` + +{{< note >}} +`crictl` mostra a URI da imagem e o checksum SHA-256. O `NAME` vai parecer mais como: +`docker.io/library/nginx@sha256:0d17b565c37bcbd895e9d92315a05c1c3c9a29f762b011a10c54a66cd53c9b31`. +{{< /note >}} + +Você pode ver o Pod espelho no servidor de API: + +```shell +kubectl get pods +``` +``` +NAME READY STATUS RESTARTS AGE +static-web 1/1 Running 0 2m +``` + +{{< note >}} +Verifique se o Kubelet tem permissão para criar o Pod espelho no servidor de API. Caso contrário, a solicitação de criação é rejeitada pelo servidor de API. Veja [Admissão de segurança do pod](/docs/concepts/security/pod-security-admission) e [Políticas de Segurança de Pod](/docs/concepts/security/pod-security-policy/). +{{< /note >}} + +Os {{< glossary_tooltip term_id="label" text="Rótulos" >}} dos pods estáticos são +propagados no Pod espelho. Você pode usar esses rótulos como +{{< glossary_tooltip term_id="selector" text="seletores" >}} via normal, etc. + +Se você tentar usar o `kubectl` para excluir o Pod espelho do servidor de API, +o kubelet _não_ remove o Pod estático: + +```shell +kubectl delete pod static-web +``` +``` +pod "static-web" deleted +``` +Você pode ver que o Pod ainda está funcionando: +```shell +kubectl get pods +``` +``` +NAME READY STATUS RESTARTS AGE +static-web 1/1 Running 0 4s +``` + +De volta ao seu nó, onde o kubelet está funcionando, você pode tentar parar o Contêiner manualmente. +Você verá que, depois de algum tempo, o Kubelet notará e reiniciará o Pod +automaticamente: + +```shell +# Execute esses comandos no nó onde o Kubelet está funcionando +crictl stop 129fd7d382018 # substitua pelo ID do seu contêiner +sleep 20 +crictl ps +``` +```console +CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID +89db4553e1eeb docker.io/library/nginx@sha256:... 19 seconds ago Running web 1 34533c6729106 +``` + +## Adição e remoção dinâmica de Pods estáticos + +O Kubelet em execução varre periodicamente o diretório configurado (`/etc/kubernetes/manifests` em nosso exemplo) por alterações, e adiciona/remove os pods à medida que os arquivos aparecem/desaparecem neste diretório. + +```shell +# Pressupondo que você esteja usando a configuração de Pod estático hospedada no sistema de arquivos +# Execute esses comandos no nó onde o Kubelet está funcionando +# +mv /etc/kubelet.d/static-web.yaml /tmp +sleep 20 +crictl ps +# Você vê que nenhum contêiner nginx está funcionando +# +mv /tmp/static-web.yaml /etc/kubelet.d/ +sleep 20 +crictl ps +``` +```console +CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID +f427638871c35 docker.io/library/nginx@sha256:... 19 seconds ago Running web 1 34533c6729106 +``` From 4129eeb430fd747042fea310f481d3c0451a77b9 Mon Sep 17 00:00:00 2001 From: "donatohorn@gmail.com" Date: Fri, 22 Jul 2022 16:09:28 -0300 Subject: [PATCH 003/272] [pt-br] add content/pt-br/docs/tasks/configure-pod-container/static-pod.md --- content/pt-br/docs/tasks/configure-pod-container/static-pod.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/content/pt-br/docs/tasks/configure-pod-container/static-pod.md b/content/pt-br/docs/tasks/configure-pod-container/static-pod.md index c7609582745..3447d39ab91 100644 --- a/content/pt-br/docs/tasks/configure-pod-container/static-pod.md +++ b/content/pt-br/docs/tasks/configure-pod-container/static-pod.md @@ -2,9 +2,6 @@ title: Criando Pods Estáticos weight: 170 content_type: task -update_date: 2022-07-16 -origin_version: 1.24 -contributors: DonatoHorn reviewers: - jsafrane --- From 00a58ac4662bca01aa2154a188ceb2ed49e5003c Mon Sep 17 00:00:00 2001 From: "donatohorn@gmail.com" Date: Fri, 22 Jul 2022 16:14:44 -0300 Subject: [PATCH 004/272] [pt-br] add content/pt-br/docs/tasks/configure-pod-container/share-process-namespace.md --- .../tasks/configure-pod-container/share-process-namespace.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/content/pt-br/docs/tasks/configure-pod-container/share-process-namespace.md b/content/pt-br/docs/tasks/configure-pod-container/share-process-namespace.md index d3161a8ad14..e26f1f4895f 100644 --- a/content/pt-br/docs/tasks/configure-pod-container/share-process-namespace.md +++ b/content/pt-br/docs/tasks/configure-pod-container/share-process-namespace.md @@ -1,8 +1,5 @@ --- title: Compartilhando o Namespace de Processo Entre Contêineres em um Pod -update_date: 2022-07-16 -origin_version: 1.24 -contributors: DonatoHorn reviewers: - verb - yujuhong From 93af2becccfbcc31c2bc134e8ad5647964c64837 Mon Sep 17 00:00:00 2001 From: lakshmi Date: Fri, 2 Dec 2022 15:13:10 +0530 Subject: [PATCH 005/272] Updated Owners and Dependents page --- .../working-with-objects/owners-dependents.md | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/content/en/docs/concepts/overview/working-with-objects/owners-dependents.md b/content/en/docs/concepts/overview/working-with-objects/owners-dependents.md index fd11031ab3c..9e09dc31b13 100644 --- a/content/en/docs/concepts/overview/working-with-objects/owners-dependents.md +++ b/content/en/docs/concepts/overview/working-with-objects/owners-dependents.md @@ -6,13 +6,13 @@ weight: 90 -In Kubernetes, some objects are *owners* of other objects. For example, a -{{}} is the owner of a set of Pods. These owned objects are *dependents* +In Kubernetes, some {{< glossary_tooltip text="objects" term_id="Object" >}} are *owners* of other objects. For example, a +{{}} is the owner of a set of {{}}. These owned objects are *dependents* of their owner. Ownership is different from the [labels and selectors](/docs/concepts/overview/working-with-objects/labels/) mechanism that some resources also use. For example, consider a Service that -creates `EndpointSlice` objects. The Service uses labels to allow the control plane to +creates `EndpointSlice` objects. The Service uses {{}} to allow the control plane to determine which `EndpointSlice` objects are used for that Service. In addition to the labels, each `EndpointSlice` that is managed on behalf of a Service has an owner reference. Owner references help different parts of Kubernetes avoid @@ -21,8 +21,8 @@ interfering with objects they don’t control. ## Owner references in object specifications Dependent objects have a `metadata.ownerReferences` field that references their -owner object. A valid owner reference consists of the object name and a UID -within the same namespace as the dependent object. Kubernetes sets the value of +owner object. A valid owner reference consists of the object name and a {{}} +within the same {{}} as the dependent object. Kubernetes sets the value of this field automatically for objects that are dependents of other objects like ReplicaSets, DaemonSets, Deployments, Jobs and CronJobs, and ReplicationControllers. You can also configure these relationships manually by changing the value of @@ -66,10 +66,10 @@ When you tell Kubernetes to delete a resource, the API server allows the managing controller to process any [finalizer rules](/docs/concepts/overview/working-with-objects/finalizers/) for the resource. {{}} prevent accidental deletion of resources your cluster may still need to function -correctly. For example, if you try to delete a `PersistentVolume` that is still +correctly. For example, if you try to delete a [PersistentVolume](/docs/concepts/storage/persistent-volumes/) that is still in use by a Pod, the deletion does not happen immediately because the `PersistentVolume` has the `kubernetes.io/pv-protection` finalizer on it. -Instead, the volume remains in the `Terminating` status until Kubernetes clears +Instead, the [volume](/docs/concepts/storage/volumes/) remains in the `Terminating` status until Kubernetes clears the finalizer, which only happens after the `PersistentVolume` is no longer bound to a Pod. @@ -84,6 +84,8 @@ object. ## {{% heading "whatsnext" %}} -* Learn more about [Kubernetes finalizers](/docs/concepts/overview/working-with-objects/finalizers/). -* Learn about [garbage collection](/docs/concepts/architecture/garbage-collection). -* Read the API reference for [object metadata](/docs/reference/kubernetes-api/common-definitions/object-meta/#System). \ No newline at end of file +Learn more about the following: +* [Kubernetes finalizers](/docs/concepts/overview/working-with-objects/finalizers/). +* [garbage collection](/docs/concepts/architecture/garbage-collection). +* API reference for [object metadata](/docs/reference/kubernetes-api/common-definitions/object-meta/#System). +* Objets such as [ReplicaSets](/docs/concepts/workloads/controllers/replicaset/), [DaemonSets](/docs/concepts/workloads/controllers/daemonset/), [Deployments](/docs/concepts/workloads/controllers/deployment/), [Jobs](/docs/concepts/workloads/controllers/job/), [CronJobs](/docs/concepts/workloads/controllers/cron-jobs/) and [ReplicationControllers](/docs/concepts/workloads/controllers/replicationcontroller/). From ca16a714c78d51da4296acd2fffde94a0bd84373 Mon Sep 17 00:00:00 2001 From: Mengjiao Liu Date: Mon, 19 Dec 2022 11:28:47 +0800 Subject: [PATCH 007/272] Move volume expansion feature gates to removed feature gates list --- .../feature-gates-removed.md | 17 +++++++++++++++++ .../feature-gates.md | 14 -------------- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md b/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md index 26f6663e902..cc095f28330 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md @@ -127,6 +127,15 @@ In the following table: | `EvenPodsSpread` | `false` | Alpha | 1.16 | 1.17 | | `EvenPodsSpread` | `true` | Beta | 1.18 | 1.18 | | `EvenPodsSpread` | `true` | GA | 1.19 | 1.21 | +| `ExpandCSIVolumes` | `false` | Alpha | 1.14 | 1.15 | +| `ExpandCSIVolumes` | `true` | Beta | 1.16 | 1.23 | +| `ExpandCSIVolumes` | `true` | GA | 1.24 | 1.27 | +| `ExpandInUsePersistentVolumes` | `false` | Alpha | 1.11 | 1.14 | +| `ExpandInUsePersistentVolumes` | `true` | Beta | 1.15 | 1.23 | +| `ExpandInUsePersistentVolumes` | `true` | GA | 1.24 | 1.27 | +| `ExpandPersistentVolumes` | `false` | Alpha | 1.8 | 1.10 | +| `ExpandPersistentVolumes` | `true` | Beta | 1.11 | 1.23 | +| `ExpandPersistentVolumes` | `true` | GA | 1.24 | 1.27 | | `ExperimentalCriticalPodAnnotation` | `false` | Alpha | 1.5 | 1.12 | | `ExperimentalCriticalPodAnnotation` | `false` | Deprecated | 1.13 | 1.16 | | `ExternalPolicyForExternalIP` | `true` | GA | 1.18 | 1.22 | @@ -470,6 +479,14 @@ In the following table: - `EvenPodsSpread`: Enable pods to be scheduled evenly across topology domains. See [Pod Topology Spread Constraints](/docs/concepts/scheduling-eviction/topology-spread-constraints/). +- `ExpandCSIVolumes`: Enable the expanding of CSI volumes. + +- `ExpandInUsePersistentVolumes`: Enable expanding in-use PVCs. See + [Resizing an in-use PersistentVolumeClaim](/docs/concepts/storage/persistent-volumes/#resizing-an-in-use-persistentvolumeclaim). + +- `ExpandPersistentVolumes`: Enable the expanding of persistent volumes. See + [Expanding Persistent Volumes Claims](/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims). + - `ExperimentalCriticalPodAnnotation`: Enable annotating specific pods as *critical* so that their [scheduling is guaranteed](/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/). This feature is deprecated by Pod Priority and Preemption as of v1.13. diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 48de9a13dd2..eb293652925 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -282,15 +282,6 @@ For a reference to old feature gates that are removed, please refer to | `EphemeralContainers` | `true` | GA | 1.25 | - | | `EventedPLEG` | `false` | Alpha | 1.26 | - | | `ExecProbeTimeout` | `true` | GA | 1.20 | - | -| `ExpandCSIVolumes` | `false` | Alpha | 1.14 | 1.15 | -| `ExpandCSIVolumes` | `true` | Beta | 1.16 | 1.23 | -| `ExpandCSIVolumes` | `true` | GA | 1.24 | - | -| `ExpandInUsePersistentVolumes` | `false` | Alpha | 1.11 | 1.14 | -| `ExpandInUsePersistentVolumes` | `true` | Beta | 1.15 | 1.23 | -| `ExpandInUsePersistentVolumes` | `true` | GA | 1.24 | - | -| `ExpandPersistentVolumes` | `false` | Alpha | 1.8 | 1.10 | -| `ExpandPersistentVolumes` | `true` | Beta | 1.11 | 1.23 | -| `ExpandPersistentVolumes` | `true` | GA | 1.24 |- | | `IdentifyPodOS` | `false` | Alpha | 1.23 | 1.23 | | `IdentifyPodOS` | `true` | Beta | 1.24 | 1.24 | | `IdentifyPodOS` | `true` | GA | 1.25 | - | @@ -553,15 +544,10 @@ Each feature gate is designed for enabling/disabling a specific feature: This feature gate exists in case any of your existing workloads depend on a now-corrected fault where Kubernetes ignored exec probe timeouts. See [readiness probes](/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes). -- `ExpandCSIVolumes`: Enable the expanding of CSI volumes. - `ExpandedDNSConfig`: Enable kubelet and kube-apiserver to allow more DNS search paths and longer list of DNS search paths. This feature requires container runtime support(Containerd: v1.5.6 or higher, CRI-O: v1.22 or higher). See [Expanded DNS Configuration](/docs/concepts/services-networking/dns-pod-service/#expanded-dns-configuration). -- `ExpandInUsePersistentVolumes`: Enable expanding in-use PVCs. See - [Resizing an in-use PersistentVolumeClaim](/docs/concepts/storage/persistent-volumes/#resizing-an-in-use-persistentvolumeclaim). -- `ExpandPersistentVolumes`: Enable the expanding of persistent volumes. See - [Expanding Persistent Volumes Claims](/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims). - `ExperimentalHostUserNamespaceDefaulting`: Enabling the defaulting user namespace to host. This is for containers that are using other host namespaces, host mounts, or containers that are privileged or using specific non-namespaced From 0201ddd70f13adf7f21e1ebc08c0cc3eadb525d8 Mon Sep 17 00:00:00 2001 From: Mengjiao Liu Date: Mon, 19 Dec 2022 11:08:02 +0800 Subject: [PATCH 008/272] Update MinDomainsInPodTopologySpread feature gate default value. --- .../reference/command-line-tools-reference/feature-gates.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 48de9a13dd2..ae69a369316 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -139,7 +139,8 @@ For a reference to old feature gates that are removed, please refer to | `MemoryManager` | `true` | Beta | 1.22 | | | `MemoryQoS` | `false` | Alpha | 1.22 | | | `MinDomainsInPodTopologySpread` | `false` | Alpha | 1.24 | 1.24 | -| `MinDomainsInPodTopologySpread` | `false` | Beta | 1.25 | | +| `MinDomainsInPodTopologySpread` | `false` | Beta | 1.25 | 1.26 | +| `MinDomainsInPodTopologySpread` | `true` | Beta | 1.27 | | | `MixedProtocolLBService` | `false` | Alpha | 1.20 | 1.23 | | `MixedProtocolLBService` | `true` | Beta | 1.24 | | | `MultiCIDRRangeAllocator` | `false` | Alpha | 1.25 | | From fed60f3728f84bd163e5315a7a18caee44eb7382 Mon Sep 17 00:00:00 2001 From: Wei Huang Date: Mon, 9 Jan 2023 12:29:33 -0800 Subject: [PATCH 009/272] Rename 'PreemptionByKubeScheduler' to 'PreemptionByScheduler' --- content/en/docs/concepts/workloads/pods/disruptions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/workloads/pods/disruptions.md b/content/en/docs/concepts/workloads/pods/disruptions.md index 66d05ef92a3..1ddbfa4c2aa 100644 --- a/content/en/docs/concepts/workloads/pods/disruptions.md +++ b/content/en/docs/concepts/workloads/pods/disruptions.md @@ -247,7 +247,7 @@ that the Pod is about to be deleted due to a {{}} by a scheduler in order to accommodate a new Pod with a higher priority. For more information, see [Pod priority preemption](/docs/concepts/scheduling-eviction/pod-priority-preemption/). `DeletionByTaintManager` From 1f612943ad02f18bbceff2d27bd8283b26fb5083 Mon Sep 17 00:00:00 2001 From: lakshmi Date: Wed, 18 Jan 2023 12:53:53 +0530 Subject: [PATCH 010/272] revert the previous changes for what's next session. --- .../overview/working-with-objects/owners-dependents.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/content/en/docs/concepts/overview/working-with-objects/owners-dependents.md b/content/en/docs/concepts/overview/working-with-objects/owners-dependents.md index 9e09dc31b13..035298930ba 100644 --- a/content/en/docs/concepts/overview/working-with-objects/owners-dependents.md +++ b/content/en/docs/concepts/overview/working-with-objects/owners-dependents.md @@ -84,8 +84,6 @@ object. ## {{% heading "whatsnext" %}} -Learn more about the following: -* [Kubernetes finalizers](/docs/concepts/overview/working-with-objects/finalizers/). -* [garbage collection](/docs/concepts/architecture/garbage-collection). -* API reference for [object metadata](/docs/reference/kubernetes-api/common-definitions/object-meta/#System). -* Objets such as [ReplicaSets](/docs/concepts/workloads/controllers/replicaset/), [DaemonSets](/docs/concepts/workloads/controllers/daemonset/), [Deployments](/docs/concepts/workloads/controllers/deployment/), [Jobs](/docs/concepts/workloads/controllers/job/), [CronJobs](/docs/concepts/workloads/controllers/cron-jobs/) and [ReplicationControllers](/docs/concepts/workloads/controllers/replicationcontroller/). +* Learn more about [Kubernetes finalizers](/docs/concepts/overview/working-with-objects/finalizers/). +* Learn about [garbage collection](/docs/concepts/architecture/garbage-collection). +* Read the API reference for [object metadata](/docs/reference/kubernetes-api/common-definitions/object-meta/#System). From c1bf88e71e530cb534cf01433021e042a33af1bd Mon Sep 17 00:00:00 2001 From: Sascha Grunert Date: Wed, 18 Jan 2023 13:55:45 +0100 Subject: [PATCH 011/272] Update seccomp docs for v1.27 seccomp annotation will become non-functional in v1.27, which will be now reflected in the documentation as well. Ref: https://github.com/kubernetes/kubernetes/pull/114947 Signed-off-by: Sascha Grunert --- .../labels-annotations-taints/_index.md | 24 ++++++++----------- content/en/docs/tutorials/security/seccomp.md | 16 ++++--------- 2 files changed, 15 insertions(+), 25 deletions(-) diff --git a/content/en/docs/reference/labels-annotations-taints/_index.md b/content/en/docs/reference/labels-annotations-taints/_index.md index 75974454588..514e4c921a8 100644 --- a/content/en/docs/reference/labels-annotations-taints/_index.md +++ b/content/en/docs/reference/labels-annotations-taints/_index.md @@ -737,23 +737,19 @@ When the PodSecurityPolicy admission controller admitted a Pod, the admission co modified the Pod to have this annotation. The value of the annotation was the name of the PodSecurityPolicy that was used for validation. -### seccomp.security.alpha.kubernetes.io/pod (deprecated) {#seccomp-security-alpha-kubernetes-io-pod} +### seccomp.security.alpha.kubernetes.io/pod (non-functional) {#seccomp-security-alpha-kubernetes-io-pod} -This annotation has been deprecated since Kubernetes v1.19 and will become non-functional in a future release. -please use the corresponding pod or container `securityContext.seccompProfile` field instead. -To specify security settings for a Pod, include the `securityContext` field in the Pod specification. -The [`securityContext`](/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) field within a Pod's `.spec` defines pod-level security attributes. -When you [specify the security context for a Pod](/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod), -the settings you specify apply to all containers in that Pod. +Older versions of Kubernetes allowed you to configure seccomp +behavior using this {{< glossary_tooltip text="annotation" term_id="annotation" >}}. +See [Restrict a Container's Syscalls with seccomp](/docs/tutorials/security/seccomp/) to +learn the supported way to specify seccomp restrictions for a Pod. -### container.seccomp.security.alpha.kubernetes.io/[NAME] (deprecated) {#container-seccomp-security-alpha-kubernetes-io} +### container.seccomp.security.alpha.kubernetes.io/[NAME] (non-functional) {#container-seccomp-security-alpha-kubernetes-io} -This annotation has been deprecated since Kubernetes v1.19 and will become non-functional in a future release. -please use the corresponding pod or container `securityContext.seccompProfile` field instead. -The tutorial [Restrict a Container's Syscalls with seccomp](/docs/tutorials/security/seccomp/) takes -you through the steps you follow to apply a seccomp profile to a Pod or to one of -its containers. That tutorial covers the supported mechanism for configuring seccomp in Kubernetes, -based on setting `securityContext` within the Pod's `.spec`. +Older versions of Kubernetes allowed you to configure seccomp +behavior using this {{< glossary_tooltip text="annotation" term_id="annotation" >}}. +See [Restrict a Container's Syscalls with seccomp](/docs/tutorials/security/seccomp/) to +learn the supported way to specify seccomp restrictions for a Pod. ### snapshot.storage.kubernetes.io/allowVolumeModeChange diff --git a/content/en/docs/tutorials/security/seccomp.md b/content/en/docs/tutorials/security/seccomp.md index 6187d198f19..05b2fde77f1 100644 --- a/content/en/docs/tutorials/security/seccomp.md +++ b/content/en/docs/tutorials/security/seccomp.md @@ -275,17 +275,11 @@ Here's a manifest for that Pod: {{< codenew file="pods/security/seccomp/ga/audit-pod.yaml" >}} {{< note >}} -The functional support for the already deprecated seccomp annotations -`seccomp.security.alpha.kubernetes.io/pod` (for the whole pod) and -`container.seccomp.security.alpha.kubernetes.io/[name]` (for a single container) -is going to be removed with a future release of Kubernetes. Please always use -the native API fields in favor of the annotations. - -Since Kubernetes v1.25, kubelets no longer support the annotations, use of the -annotations in static pods is no longer supported, and the seccomp annotations -are no longer auto-populated when pods with seccomp fields are created. -Auto-population of the seccomp fields from the annotations is planned to be -removed in a future release. +Older versions of Kubernetes allowed you to configure seccomp +behavior using {{< glossary_tooltip text="annotations" term_id="annotation" >}}. +Kubernetes {{< skew currentVersion >}} only supports using fields within +`.spec.securityContext` to configure seccomp, and this tutorial explains that +approach. {{< /note >}} Create the Pod in the cluster: From 7093775c888405bf72e1202a746fa04812e54155 Mon Sep 17 00:00:00 2001 From: "jack.casey" Date: Mon, 6 Feb 2023 16:38:58 -0800 Subject: [PATCH 012/272] Improve grammar in etcd glossary --- content/en/docs/reference/glossary/etcd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/reference/glossary/etcd.md b/content/en/docs/reference/glossary/etcd.md index 474b923caf1..3689df2b1d7 100644 --- a/content/en/docs/reference/glossary/etcd.md +++ b/content/en/docs/reference/glossary/etcd.md @@ -17,6 +17,6 @@ tags: If your Kubernetes cluster uses etcd as its backing store, make sure you have a [back up](/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster) plan -for those data. +for the data. You can find in-depth information about etcd in the official [documentation](https://etcd.io/docs/). From 4480cd3634a1e511f7e926d7a69fb9f581a5d126 Mon Sep 17 00:00:00 2001 From: Paco Xu Date: Wed, 1 Mar 2023 13:37:38 +0800 Subject: [PATCH 013/272] removed ControllerManagerLeaderMigration in v1.27 Signed-off-by: Paco Xu --- .../feature-gates-removed.md | 10 ++++++++++ .../command-line-tools-reference/feature-gates.md | 11 ----------- .../controller-manager-leader-migration.md | 2 -- 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md b/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md index fea125c3763..5536e254b48 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md @@ -93,6 +93,9 @@ In the following table: | `CronJobControllerV2` | `true` | GA | 1.22 | 1.23 | | `CSRDuration` | `true` | Beta | 1.22 | 1.23 | | `CSRDuration` | `true` | GA | 1.24 | 1.25 | +| `ControllerManagerLeaderMigration` | `false` | Alpha | 1.21 | 1.21 | +| `ControllerManagerLeaderMigration` | `true` | Beta | 1.22 | 1.23 | +| `ControllerManagerLeaderMigration` | `true` | GA | 1.24 | 1.26 | | `CustomPodDNS` | `false` | Alpha | 1.9 | 1.9 | | `CustomPodDNS` | `true` | Beta| 1.10 | 1.13 | | `CustomPodDNS` | `true` | GA | 1.14 | 1.16 | @@ -477,6 +480,13 @@ In the following table: {{< glossary_tooltip text="CronJob" term_id="cronjob" >}} controller. Otherwise, version 1 of the same controller is selected. +- `ControllerManagerLeaderMigration`: Enables Leader Migration for + [kube-controller-manager](/docs/tasks/administer-cluster/controller-manager-leader-migration/#initial-leader-migration-configuration) and + [cloud-controller-manager](/docs/tasks/administer-cluster/controller-manager-leader-migration/#deploy-cloud-controller-manager) + which allows a cluster operator to live migrate + controllers from the kube-controller-manager into an external controller-manager + (e.g. the cloud-controller-manager) in an HA cluster without downtime. + - `CustomPodDNS`: Enable customizing the DNS settings for a Pod using its `dnsConfig` property. Check [Pod's DNS Config](/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) for more details. diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index d9b2505960a..3680548e7af 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -251,9 +251,6 @@ For a reference to old feature gates that are removed, please refer to | `CSIStorageCapacity` | `true` | Beta | 1.21 | 1.23 | | `CSIStorageCapacity` | `true` | GA | 1.24 | - | | `ConsistentHTTPGetHandlers` | `true` | GA | 1.25 | - | -| `ControllerManagerLeaderMigration` | `false` | Alpha | 1.21 | 1.21 | -| `ControllerManagerLeaderMigration` | `true` | Beta | 1.22 | 1.23 | -| `ControllerManagerLeaderMigration` | `true` | GA | 1.24 | - | | `DaemonSetUpdateSurge` | `false` | Alpha | 1.21 | 1.21 | | `DaemonSetUpdateSurge` | `true` | Beta | 1.22 | 1.24 | | `DaemonSetUpdateSurge` | `true` | GA | 1.25 | - | @@ -390,12 +387,6 @@ Each feature gate is designed for enabling/disabling a specific feature: See [AppArmor Tutorial](/docs/tutorials/security/apparmor/) for more details. - `ContainerCheckpoint`: Enables the kubelet `checkpoint` API. See [Kubelet Checkpoint API](/docs/reference/node/kubelet-checkpoint-api/) for more details. -- `ControllerManagerLeaderMigration`: Enables Leader Migration for - [kube-controller-manager](/docs/tasks/administer-cluster/controller-manager-leader-migration/#initial-leader-migration-configuration) and - [cloud-controller-manager](/docs/tasks/administer-cluster/controller-manager-leader-migration/#deploy-cloud-controller-manager) - which allows a cluster operator to live migrate - controllers from the kube-controller-manager into an external controller-manager - (e.g. the cloud-controller-manager) in an HA cluster without downtime. - `CPUManager`: Enable container level CPU affinity support, see [CPU Management Policies](/docs/tasks/administer-cluster/cpu-management-policies/). - `CPUManagerPolicyAlphaOptions`: This allows fine-tuning of CPUManager policies, @@ -467,8 +458,6 @@ Each feature gate is designed for enabling/disabling a specific feature: handlers with probers. - `ContextualLogging`: When you enable this feature gate, Kubernetes components that support contextual logging add extra detail to log output. -- `ControllerManagerLeaderMigration`: Enables leader migration for - `kube-controller-manager` and `cloud-controller-manager`. - `CronJobTimeZone`: Allow the use of the `timeZone` optional field in [CronJobs](/docs/concepts/workloads/controllers/cron-jobs/) - `CrossNamespaceVolumeDataSource`: Enable the usage of cross namespace volume data source to allow you to specify a source namespace in the `dataSourceRef` field of a diff --git a/content/en/docs/tasks/administer-cluster/controller-manager-leader-migration.md b/content/en/docs/tasks/administer-cluster/controller-manager-leader-migration.md index 743e23d0bd1..c31f309b190 100644 --- a/content/en/docs/tasks/administer-cluster/controller-manager-leader-migration.md +++ b/content/en/docs/tasks/administer-cluster/controller-manager-leader-migration.md @@ -10,8 +10,6 @@ weight: 250 -{{< feature-state for_k8s_version="v1.24" state="stable" >}} - {{< glossary_definition term_id="cloud-controller-manager" length="all" prepend="The cloud-controller-manager is">}} ## Background From 51ed819df191783bc07584eeba561cea017c6962 Mon Sep 17 00:00:00 2001 From: "donatohorn@gmail.com" Date: Sun, 5 Mar 2023 13:33:43 +1300 Subject: [PATCH 014/272] [pt-br] Add content/pt-br/docs/tasks/configure-pod-container/static-pod.md --- .../docs/tasks/configure-pod-container/static-pod.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/pt-br/docs/tasks/configure-pod-container/static-pod.md b/content/pt-br/docs/tasks/configure-pod-container/static-pod.md index 3447d39ab91..805e6d04949 100644 --- a/content/pt-br/docs/tasks/configure-pod-container/static-pod.md +++ b/content/pt-br/docs/tasks/configure-pod-container/static-pod.md @@ -23,7 +23,7 @@ O Kubelet tenta automaticamente criar um {{< glossary_tooltip text="mirror Pod" no servidor de API do Kubernetes para cada Pod estático. Isso significa que os pods em execução em um nó são visíveis no servidor de API, mas não podem ser controlados a partir daí. -Aos nomes de Pods será acrescido um sufixo com o nome de host do nó, com um hífem. +Aos nomes de Pods será sufixados com o nome de host do nó, com um hífem a esquerda. {{< note >}} @@ -33,9 +33,9 @@ provávelmente você deveria estar usando um {{< glossary_tooltip text="DaemonSe {{< note >}} A `especificação` de um Pod estático não pode referir-se à outros objetos da API -(ex., {{< glossary_tooltip text="Conta de Serviço" term_id="service-account" >}}, -{{< glossary_tooltip text="Mapa de Configuração" term_id="configmap" >}}, -{{< glossary_tooltip text="Segredo" term_id="secret" >}}, etc). +(ex., {{< glossary_tooltip text="ServiceAccount" term_id="service-account" >}}, +{{< glossary_tooltip text="ConfigMap" term_id="configmap" >}}, +{{< glossary_tooltip text="Secret" term_id="secret" >}}, etc). {{< /note >}} ## {{% heading "prerequisites" %}} From fc019615abd2ab1dc0008d28875720349ff9b2be Mon Sep 17 00:00:00 2001 From: Wei Huang Date: Mon, 6 Mar 2023 09:02:48 -0800 Subject: [PATCH 015/272] Doc for Beta feature PodSchedulingReadiness --- .../concepts/scheduling-eviction/pod-scheduling-readiness.md | 2 +- .../reference/command-line-tools-reference/feature-gates.md | 3 ++- content/en/examples/pods/pod-with-scheduling-gates.yaml | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/content/en/docs/concepts/scheduling-eviction/pod-scheduling-readiness.md b/content/en/docs/concepts/scheduling-eviction/pod-scheduling-readiness.md index be999463155..07064386701 100644 --- a/content/en/docs/concepts/scheduling-eviction/pod-scheduling-readiness.md +++ b/content/en/docs/concepts/scheduling-eviction/pod-scheduling-readiness.md @@ -55,7 +55,7 @@ kubectl get pod test-pod -o jsonpath='{.spec.schedulingGates}' The output is: ```none -[{"name":"foo"},{"name":"bar"}] +[{"name":"example.com/foo"},{"name":"example.com/bar"}] ``` To inform scheduler this Pod is ready for scheduling, you can remove its `schedulingGates` entirely diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 3680548e7af..2d1cf00ffa6 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -164,7 +164,8 @@ For a reference to old feature gates that are removed, please refer to | `PodDisruptionConditions` | `false` | Alpha | 1.25 | 1.25 | | `PodDisruptionConditions` | `true` | Beta | 1.26 | | | `PodHasNetworkCondition` | `false` | Alpha | 1.25 | | -| `PodSchedulingReadiness` | `false` | Alpha | 1.26 | | +| `PodSchedulingReadiness` | `false` | Alpha | 1.26 | 1.26 | +| `PodSchedulingReadiness` | `true` | Beta | 1.27 | | | `ProbeTerminationGracePeriod` | `false` | Alpha | 1.21 | 1.21 | | `ProbeTerminationGracePeriod` | `false` | Beta | 1.22 | 1.24 | | `ProbeTerminationGracePeriod` | `true` | Beta | 1.25 | | diff --git a/content/en/examples/pods/pod-with-scheduling-gates.yaml b/content/en/examples/pods/pod-with-scheduling-gates.yaml index b0b012fb72c..de761d96946 100644 --- a/content/en/examples/pods/pod-with-scheduling-gates.yaml +++ b/content/en/examples/pods/pod-with-scheduling-gates.yaml @@ -4,8 +4,8 @@ metadata: name: test-pod spec: schedulingGates: - - name: foo - - name: bar + - name: example.com/foo + - name: example.com/bar containers: - name: pause image: registry.k8s.io/pause:3.6 From d84256921bc738f87508792e7a9a8997daa7d373 Mon Sep 17 00:00:00 2001 From: Alex Wang Date: Tue, 7 Mar 2023 11:07:09 +0800 Subject: [PATCH 016/272] doc: graduate matchLabelKeys in podTopologySpread to beta Signed-off-by: Alex Wang --- .../scheduling-eviction/topology-spread-constraints.md | 7 +++---- .../command-line-tools-reference/feature-gates.md | 3 ++- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md b/content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md index 76855f5a5e5..6e47447100c 100644 --- a/content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md +++ b/content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md @@ -64,7 +64,7 @@ spec: topologyKey: whenUnsatisfiable: labelSelector: - matchLabelKeys: # optional; alpha since v1.25 + matchLabelKeys: # optional; beta since v1.27 nodeAffinityPolicy: [Honor|Ignore] # optional; beta since v1.26 nodeTaintsPolicy: [Honor|Ignore] # optional; beta since v1.26 ### other Pod fields go here @@ -144,9 +144,8 @@ your cluster. Those fields are: ``` {{< note >}} - The `matchLabelKeys` field is an alpha field added in 1.25. You have to enable the - `MatchLabelKeysInPodTopologySpread` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) - in order to use it. + The `matchLabelKeys` field is a beta-level field and enabled by default in 1.27. You can disable it by disabling the + `MatchLabelKeysInPodTopologySpread` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/). {{< /note >}} - **nodeAffinityPolicy** indicates how we will treat Pod's nodeAffinity/nodeSelector diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 3680548e7af..afac9234a7e 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -134,7 +134,8 @@ For a reference to old feature gates that are removed, please refer to | `LogarithmicScaleDown` | `true` | Beta | 1.22 | | | `LoggingAlphaOptions` | `false` | Alpha | 1.24 | - | | `LoggingBetaOptions` | `true` | Beta | 1.24 | - | -| `MatchLabelKeysInPodTopologySpread` | `false` | Alpha | 1.25 | | +| `MatchLabelKeysInPodTopologySpread` | `false` | Alpha | 1.25 | 1.26 | +| `MatchLabelKeysInPodTopologySpread` | `true` | Beta | 1.27 | - | | `MaxUnavailableStatefulSet` | `false` | Alpha | 1.24 | | | `MemoryManager` | `false` | Alpha | 1.21 | 1.21 | | `MemoryManager` | `true` | Beta | 1.22 | | From 1cbca5cf369aa9db7376dbb5d97259e13d702af8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arda=20G=C3=BC=C3=A7l=C3=BC?= Date: Mon, 6 Mar 2023 08:21:57 +0300 Subject: [PATCH 017/272] document plugin resolution as subcommand for builtin commands --- content/en/docs/reference/kubectl/kubectl.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/content/en/docs/reference/kubectl/kubectl.md b/content/en/docs/reference/kubectl/kubectl.md index 00314826750..aa92d9f9685 100644 --- a/content/en/docs/reference/kubectl/kubectl.md +++ b/content/en/docs/reference/kubectl/kubectl.md @@ -361,6 +361,14 @@ kubectl [flags] + +KUBECTL_ENABLE_CMD_SHADOW + + +When set to true, external plugins can be used as subcommands for builtin commands if subcommand does not exist. In alpha stage, this feature can only be used for create command(e.g. kubectl create networkpolicy). + + + From bb14c6db8d9cbfe8917ef9b98bbfbec47fa50d7b Mon Sep 17 00:00:00 2001 From: "m.nabokikh" Date: Sun, 5 Mar 2023 22:28:04 +0100 Subject: [PATCH 018/272] Promote SelfSubjectReview to Beta Signed-off-by: m.nabokikh --- .../reference/access-authn-authz/authentication.md | 14 +++++++------- .../command-line-tools-reference/feature-gates.md | 3 ++- .../configure-access-multiple-clusters.md | 2 +- 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/authentication.md b/content/en/docs/reference/access-authn-authz/authentication.md index 6ab9ba3c75d..ed0c8ef5cfa 100644 --- a/content/en/docs/reference/access-authn-authz/authentication.md +++ b/content/en/docs/reference/access-authn-authz/authentication.md @@ -1221,7 +1221,7 @@ The following `ExecCredential` manifest describes a cluster information sample. ## API access to authentication information for a client {#self-subject-review} -{{< feature-state for_k8s_version="v1.26" state="alpha" >}} +{{< feature-state for_k8s_version="v1.27" state="beta" >}} If your cluster has the API enabled, you can use the `SelfSubjectReview` API to find out how your Kubernetes cluster maps your authentication information to identify you as a client. This works whether you are authenticating as a user (typically representing @@ -1231,11 +1231,11 @@ a real person) or as a ServiceAccount. Request example (the body would be a `SelfSubjectReview`): ``` -POST /apis/authentication.k8s.io/v1alpha1/selfsubjectreviews +POST /apis/authentication.k8s.io/v1beta1/selfsubjectreviews ``` ```json { - "apiVersion": "authentication.k8s.io/v1alpha1", + "apiVersion": "authentication.k8s.io/v1beta1", "kind": "SelfSubjectReview" } ``` @@ -1243,7 +1243,7 @@ Response example: ```json { - "apiVersion": "authentication.k8s.io/v1alpha1", + "apiVersion": "authentication.k8s.io/v1beta1", "kind": "SelfSubjectReview", "status": { "userInfo": { @@ -1262,7 +1262,7 @@ Response example: } ``` -For convenience, the `kubectl alpha auth whoami` command is present. Executing this command will produce the following output (yet different user attributes will be shown): +For convenience, the `kubectl auth whoami` command is present. Executing this command will produce the following output (yet different user attributes will be shown): * Simple output example ``` @@ -1352,8 +1352,8 @@ By default, all authenticated users can create `SelfSubjectReview` objects when You can only make `SelfSubjectReview` requests if: * the `APISelfSubjectReview` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) - is enabled for your cluster -* the API server for your cluster has the `authentication.k8s.io/v1alpha1` + is enabled for your cluster (enabled by default after reaching Beta) +* the API server for your cluster has the `authentication.k8s.io/v1alpha1` or `authentication.k8s.io/v1beta1` {{< glossary_tooltip term_id="api-group" text="API group" >}} enabled. {{< /note >}} diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 626cc6931f6..de505faa007 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -62,7 +62,8 @@ For a reference to old feature gates that are removed, please refer to | `APIPriorityAndFairness` | `true` | Beta | 1.20 | | | `APIResponseCompression` | `false` | Alpha | 1.7 | 1.15 | | `APIResponseCompression` | `true` | Beta | 1.16 | | -| `APISelfSubjectReview` | `false` | Alpha | 1.26 | | +| `APISelfSubjectReview` | `false` | Alpha | 1.26 | 1.26 | +| `APISelfSubjectReview` | `true` | Beta | 1.27 | | | `APIServerIdentity` | `false` | Alpha | 1.20 | 1.25 | | `APIServerIdentity` | `true` | Beta | 1.26 | | | `APIServerTracing` | `false` | Alpha | 1.22 | | diff --git a/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md b/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md index 03dc6b4dc03..01f44c7fee8 100644 --- a/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md +++ b/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md @@ -404,7 +404,7 @@ It is not always obvious what attributes (username, groups) you will get after a It can be even more challenging if you are managing more than one cluster at the same time. There is a `kubectl` alpha subcommand command to check subject attributes, such as username, -for your selected Kubernetes client context: `kubectl alpha auth whoami`. +for your selected Kubernetes client context: `kubectl auth whoami`. Read [API access to authentication information for a client](/docs/reference/access-authn-authz/authentication/#self-subject-review) to learn about this in more detail. From 112f01d2fca316db4b283e16b2577139b9337ed3 Mon Sep 17 00:00:00 2001 From: Peter Schuurman Date: Mon, 6 Mar 2023 16:56:51 -0800 Subject: [PATCH 019/272] Update KEP-3335 documentation for beta in 1.27 --- content/en/docs/concepts/workloads/controllers/statefulset.md | 2 +- .../reference/command-line-tools-reference/feature-gates.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/concepts/workloads/controllers/statefulset.md b/content/en/docs/concepts/workloads/controllers/statefulset.md index cfa65e285ad..8023c1020f0 100644 --- a/content/en/docs/concepts/workloads/controllers/statefulset.md +++ b/content/en/docs/concepts/workloads/controllers/statefulset.md @@ -160,7 +160,7 @@ pods will be assigned ordinals from 0 up through N-1. ### Start ordinal -{{< feature-state for_k8s_version="v1.26" state="alpha" >}} +{{< feature-state for_k8s_version="v1.27" state="beta" >}} `.spec.ordinals` is an optional field that allows you to configure the integer ordinals assigned to each Pod. It defaults to nil. You must enable the diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 626cc6931f6..1844be19a62 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -190,7 +190,7 @@ For a reference to old feature gates that are removed, please refer to | `SizeMemoryBackedVolumes` | `false` | Alpha | 1.20 | 1.21 | | `SizeMemoryBackedVolumes` | `true` | Beta | 1.22 | | | `StatefulSetAutoDeletePVC` | `false` | Alpha | 1.22 | | -| `StatefulSetStartOrdinal` | `false` | Alpha | 1.26 | | +| `StatefulSetStartOrdinal` | `true` | Beta | 1.27 | | | `StorageVersionAPI` | `false` | Alpha | 1.20 | | | `StorageVersionHash` | `false` | Alpha | 1.14 | 1.14 | | `StorageVersionHash` | `true` | Beta | 1.15 | | From 6f689fe306c62006a4e470330fc02433c5aa6eaa Mon Sep 17 00:00:00 2001 From: Peter Schuurman Date: Fri, 10 Mar 2023 08:02:51 -0800 Subject: [PATCH 020/272] Add back 1.26 Alpha documentation for StatefulSetStartOrdinal feature gate --- .../docs/reference/command-line-tools-reference/feature-gates.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 1844be19a62..5bda7723a89 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -190,6 +190,7 @@ For a reference to old feature gates that are removed, please refer to | `SizeMemoryBackedVolumes` | `false` | Alpha | 1.20 | 1.21 | | `SizeMemoryBackedVolumes` | `true` | Beta | 1.22 | | | `StatefulSetAutoDeletePVC` | `false` | Alpha | 1.22 | | +| `StatefulSetStartOrdinal` | `false` | Alpha | 1.26 | 1.26 | | `StatefulSetStartOrdinal` | `true` | Beta | 1.27 | | | `StorageVersionAPI` | `false` | Alpha | 1.20 | | | `StorageVersionHash` | `false` | Alpha | 1.14 | 1.14 | From 1054d0bcc78ac2fbcff15f6913a6685abd28c6c4 Mon Sep 17 00:00:00 2001 From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Thu, 9 Mar 2023 22:52:38 +0000 Subject: [PATCH 021/272] docs: updates EncryptionConfiguration doc to add wildcard support to encrypt all resources. Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> --- .../tasks/administer-cluster/encrypt-data.md | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/content/en/docs/tasks/administer-cluster/encrypt-data.md b/content/en/docs/tasks/administer-cluster/encrypt-data.md index c683c5aa9b2..d34281b2283 100644 --- a/content/en/docs/tasks/administer-cluster/encrypt-data.md +++ b/content/en/docs/tasks/administer-cluster/encrypt-data.md @@ -19,6 +19,8 @@ This page shows how to enable and configure encryption of secret data at rest. * To encrypt a custom resource, your cluster must be running Kubernetes v1.26 or newer. +* Use of wildcard for resource encryption is available from Kubernetes v1.27 or newer. + @@ -63,6 +65,24 @@ resources: keys: - name: key1 secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY= + - resources: + - events + providers: + - identity: {} # do not encrypt events even though *.* is specified below + - resources: + - '*.apps' + providers: + - aescbc: + keys: + - name: key2 + secret: c2VjcmV0IGlzIHNlY3VyZSwgb3IgaXMgaXQ/Cg== + - resources: + - '*.*' + providers: + - aescbc: + keys: + - name: key3 + secret: c2VjcmV0IGlzIHNlY3VyZSwgSSB0aGluaw== ``` Each `resources` array item is a separate config and contains a complete configuration. The @@ -84,6 +104,29 @@ resources from storage, each provider that matches the stored data attempts in o data. If no provider can read the stored data due to a mismatch in format or secret key, an error is returned which prevents clients from accessing that resource. +`EncryptionConfiguration` supports the use of wildcards to specify the resources that should be encrypted. +Use '`*.`' to encrypt all resources within a group (for eg '`*.apps`' in above example) or '`*.*`' +to encrypt all resources. '`*.`' can be used to encrypt all resource in the core group. '`*.*`' will +encrypt all resources, even custom resources that are added after API server start. + +{{< note >}} Use of wildcards that overlap within the same resource list or across multiple entries are not allowed +since part of the configuration would be ineffective. The `resources` list's processing order and precedence +are determined by the order it's listed in the configuration. {{< /note >}} + +Opting out of encryption for specific resources while wildcard is enabled can be achieved by adding a new +`resources` array item with the resource name, followed by the `providers` array item with the `identity` provider. +For example, if '`*.*`' is enabled and you want to opt-out encryption for the `events` resource, add a new item +to the `resources` array with `events` as the resource name, followed by the providers array item with `identity`. +The new item should look like this: + +```yaml +- resources: + - events + providers: + - identity: {} +``` +Ensure that the new item is listed before the wildcard '`*.*`' item in the resources array to give it precedence. + For more detailed information about the `EncryptionConfiguration` struct, please refer to the [encryption configuration API](/docs/reference/config-api/apiserver-encryption.v1/). From e600a75b414e3932e3e0dda6aa12817590839100 Mon Sep 17 00:00:00 2001 From: Chris Henzie Date: Tue, 7 Mar 2023 09:43:35 -0800 Subject: [PATCH 022/272] Update ReadWriteOncePod feature to beta --- content/en/docs/concepts/storage/persistent-volumes.md | 3 ++- .../reference/command-line-tools-reference/feature-gates.md | 3 ++- .../en/docs/tasks/configure-pod-container/security-context.md | 3 +-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/content/en/docs/concepts/storage/persistent-volumes.md b/content/en/docs/concepts/storage/persistent-volumes.md index 6df299674b4..ca68c365eef 100644 --- a/content/en/docs/concepts/storage/persistent-volumes.md +++ b/content/en/docs/concepts/storage/persistent-volumes.md @@ -637,7 +637,8 @@ The access modes are: : the volume can be mounted as read-write by many nodes. `ReadWriteOncePod` -: the volume can be mounted as read-write by a single Pod. Use ReadWriteOncePod +: {{< feature-state for_k8s_version="v1.27" state="beta" >}} + the volume can be mounted as read-write by a single Pod. Use ReadWriteOncePod access mode if you want to ensure that only one pod across whole cluster can read that PVC or write to it. This is only supported for CSI volumes and Kubernetes version 1.22+. diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 626cc6931f6..4ed52963f64 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -174,7 +174,8 @@ For a reference to old feature gates that are removed, please refer to | `ProxyTerminatingEndpoints` | `false` | Alpha | 1.22 | 1.25 | | `ProxyTerminatingEndpoints` | `true` | Beta | 1.26 | | | `QOSReserved` | `false` | Alpha | 1.11 | | -| `ReadWriteOncePod` | `false` | Alpha | 1.22 | | +| `ReadWriteOncePod` | `false` | Alpha | 1.22 | 1.26 | +| `ReadWriteOncePod` | `true` | Beta | 1.27 | | | `RecoverVolumeExpansionFailure` | `false` | Alpha | 1.23 | | | `RemainingItemCount` | `false` | Alpha | 1.15 | 1.15 | | `RemainingItemCount` | `true` | Beta | 1.16 | | diff --git a/content/en/docs/tasks/configure-pod-container/security-context.md b/content/en/docs/tasks/configure-pod-container/security-context.md index 756222eb426..0f5549c220b 100644 --- a/content/en/docs/tasks/configure-pod-container/security-context.md +++ b/content/en/docs/tasks/configure-pod-container/security-context.md @@ -449,8 +449,7 @@ SELinux label of a volume instantly by using a mount option To benefit from this speedup, all these conditions must be met: -* Alpha feature gates `ReadWriteOncePod` and `SELinuxMountReadWriteOncePod` must - be enabled. +* Alpha feature gate `SELinuxMountReadWriteOncePod` must be enabled. * Pod must use PersistentVolumeClaim with `accessModes: ["ReadWriteOncePod"]`. * Pod (or all its Containers that use the PersistentVolumeClaim) must have `seLinuxOptions` set. From 993bae24c3dd634bf9f419e6751c81f4b5ce1629 Mon Sep 17 00:00:00 2001 From: ystkfujii Date: Thu, 16 Mar 2023 02:03:36 +0900 Subject: [PATCH 023/272] Drop turnkey cloud solutions for ja --- .../production-environment/turnkey/_index.md | 4 - .../turnkey/alibaba-cloud.md | 17 -- .../production-environment/turnkey/aws.md | 82 ------- .../production-environment/turnkey/azure.md | 33 --- .../production-environment/turnkey/gce.md | 217 ------------------ .../production-environment/turnkey/icp.md | 63 ----- 6 files changed, 416 deletions(-) delete mode 100644 content/ja/docs/setup/production-environment/turnkey/_index.md delete mode 100644 content/ja/docs/setup/production-environment/turnkey/alibaba-cloud.md delete mode 100644 content/ja/docs/setup/production-environment/turnkey/aws.md delete mode 100644 content/ja/docs/setup/production-environment/turnkey/azure.md delete mode 100644 content/ja/docs/setup/production-environment/turnkey/gce.md delete mode 100644 content/ja/docs/setup/production-environment/turnkey/icp.md diff --git a/content/ja/docs/setup/production-environment/turnkey/_index.md b/content/ja/docs/setup/production-environment/turnkey/_index.md deleted file mode 100644 index 6b9dabb7ab6..00000000000 --- a/content/ja/docs/setup/production-environment/turnkey/_index.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: ターンキークラウドソリューション -weight: 30 ---- diff --git a/content/ja/docs/setup/production-environment/turnkey/alibaba-cloud.md b/content/ja/docs/setup/production-environment/turnkey/alibaba-cloud.md deleted file mode 100644 index 4506e9cba0b..00000000000 --- a/content/ja/docs/setup/production-environment/turnkey/alibaba-cloud.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: Alibaba CloudでKubernetesを動かす ---- - -## Alibaba Cloud Container Service - -[Alibaba Cloud Container Service](https://www.alibabacloud.com/product/container-service)はAlibaba Cloud ECSインスタンスのクラスター上もしくはサーバーレスの形態でDockerアプリケーションを起動して管理します。著名なオープンソースのコンテナオーケストレーターであるDocker SwarmおよびKubernetesをサポートしています。 - -クラスターの構築と管理を簡素化するために、[Alibaba Cloud Container ServiceのためのKubernetesサポート](https://www.alibabacloud.com/product/kubernetes)を使用します。[Kubernetes walk-through](https://www.alibabacloud.com/help/doc-detail/86737.htm)に従ってすぐに始めることができ、中国語の[Alibaba CloudにおけるKubernetesサポートのためのチュートリアル](https://yq.aliyun.com/teams/11/type_blog-cid_200-page_1)もあります。 - -カスタムバイナリもしくはオープンソースKubernetesを使用する場合は、以下の手順に従って下さい。 - -## 構築のカスタム - -[Alibaba Cloudプロバイダーが実装されたKubernetesのソースコード](https://github.com/AliyunContainerService/kubernetes)はオープンソースであり、GitHubから入手可能です。 - -さらなる情報は英語の[Kubernetesのクイックデプロイメント - Alibaba CloudのVPC環境](https://www.alibabacloud.com/forum/read-830)をご覧下さい。 diff --git a/content/ja/docs/setup/production-environment/turnkey/aws.md b/content/ja/docs/setup/production-environment/turnkey/aws.md deleted file mode 100644 index f7ec4bd0123..00000000000 --- a/content/ja/docs/setup/production-environment/turnkey/aws.md +++ /dev/null @@ -1,82 +0,0 @@ ---- -title: AWS EC2上でKubernetesを動かす -content_type: task ---- - - - -このページでは、AWS上でKubernetesクラスターをインストールする方法について説明します。 - - - -## {{% heading "prerequisites" %}} - - -AWS上でKubernetesクラスターを作成するには、AWSからアクセスキーIDおよびシークレットアクセスキーを入手する必要があります。 - -### サポートされているプロダクショングレードのツール - -* [conjure-up](https://docs.conjure-up.io/stable/en/cni/k8s-and-aws)はUbuntu上でネイティブなAWSインテグレーションを用いてKubernetesクラスターを作成するオープンソースのインストーラーです。 - -* [Kubernetes Operations](https://github.com/kubernetes/kops) - プロダクショングレードなKubernetesのインストール、アップグレード、管理が可能です。AWS上のDebian、Ubuntu、CentOS、RHELをサポートしています。 - -* [kube-aws](https://github.com/kubernetes-incubator/kube-aws) EC2、CloudFormation、Auto Scalingを使用して、[Flatcar Linux](https://www.flatcar-linux.org/)ノードでKubernetesクラスターを作成および管理します。 - -* [KubeOne](https://github.com/kubermatic/kubeone)は可用性の高いKubernetesクラスターを作成、アップグレード、管理するための、オープンソースのライフサイクル管理ツールです。 - - - - - -## クラスターの始まり - -### コマンドライン管理ツール: kubectl - -クラスターの起動スクリプトによってワークステーション上に`kubernetes`ディレクトリが作成されます。もしくは、Kubernetesの最新リリースを[こちら](https://github.com/kubernetes/kubernetes/releases)からダウンロードすることも可能です。 - -次に、kubectlにアクセスするために適切なバイナリフォルダーを`PATH`へ追加します: - -```shell -# macOS -export PATH=/platforms/darwin/amd64:$PATH - -# Linux -export PATH=/platforms/linux/amd64:$PATH -``` - -ツールに関する最新のドキュメントページはこちらです: [kubectl manual](/docs/reference/kubectl/kubectl/) - -デフォルトでは、`kubectl`はクラスターの起動中に生成された`kubeconfig`ファイルをAPIに対する認証に使用します。 -詳細な情報は、[kubeconfig files](/ja/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)を参照してください。 - -### 例 - -新しいクラスターを試すには、[簡単なnginxの例](/ja/docs/tasks/run-application/run-stateless-application-deployment/)を参照してください。 - -"Guestbook"アプリケーションは、Kubernetesを始めるもう一つのポピュラーな例です: [guestbookの例](https://github.com/kubernetes/examples/tree/master/guestbook/) - -より完全なアプリケーションについては、[examplesディレクトリ](https://github.com/kubernetes/examples/tree/master/)を参照してください。 - -## クラスターのスケーリング - -`kubectl`を使用したノードの追加および削除はサポートしていません。インストール中に作成された[Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/latest/userguide/as-manual-scaling.html)内の'Desired'および'Max'プロパティを手動で調整することで、ノード数をスケールさせることができます。 - -## クラスターの解体 - -クラスターのプロビジョニングに使用した環境変数がexportされていることを確認してから、`kubernetes`ディレクトリ内で以下のスクリプトを実行してください: - -```shell -cluster/kube-down.sh -``` - -## サポートレベル - - -IaaS プロバイダー | 構成管理 | OS | ネットワーク | ドキュメント | 適合 | サポートレベル --------------------- | ------------ | ------------- | ------------ | --------------------------------------------- | ---------| ---------------------------- -AWS | kops | Debian | k8s (VPC) | [docs](https://github.com/kubernetes/kops) | | Community ([@justinsb](https://github.com/justinsb)) -AWS | CoreOS | CoreOS | flannel | - | | Community -AWS | Juju | Ubuntu | flannel, calico, canal | - | 100% | Commercial, Community -AWS | KubeOne | Ubuntu, CoreOS, CentOS | canal, weavenet | [docs](https://github.com/kubermatic/kubeone) | 100% | Commercial, Community - - diff --git a/content/ja/docs/setup/production-environment/turnkey/azure.md b/content/ja/docs/setup/production-environment/turnkey/azure.md deleted file mode 100644 index dcf4a4ffb00..00000000000 --- a/content/ja/docs/setup/production-environment/turnkey/azure.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: Azure 上で Kubernetes を動かす ---- - -## Azure Kubernetes Service (AKS) - -[Azure Kubernetes Service](https://azure.microsoft.com/ja-jp/services/kubernetes-service/)は、Kubernetesクラスターのためのシンプルなデプロイ機能を提供します。 - -Azure Kubernetes Serviceを利用してAzure上にKubernetesクラスターをデプロイする例: - -**[Microsoft Azure Kubernetes Service](https://docs.microsoft.com/ja-jp/azure/aks/intro-kubernetes)** - -## デプロイのカスタマイズ: AKS-Engine - -Azure Kubernetes Serviceのコア部分は**オープンソース**であり、コミュニティのためにGitHub上で公開され、利用およびコントリビュートすることができます: **[AKS-Engine](https://github.com/Azure/aks-engine)**。レガシーな [ACS-Engine](https://github.com/Azure/acs-engine) のコードベースはAKS-engineのために廃止となりました。 - -AKS-Engineは、Azure Kubernetes Serviceが公式にサポートしている機能を超えてデプロイをカスタマイズしたい場合に適した選択肢です。 -既存の仮想ネットワークへのデプロイや、複数のagent poolを利用するなどのカスタマイズをすることができます。 -コミュニティによるAKS-Engineへのコントリビュートが、Azure Kubernetes Serviceに組み込まれる場合もあります。 - -AKS-Engineへの入力は、Kubernetesクラスターを記述するapimodelのJSONファイルです。これはAzure Kubernetes Serviceを使用してクラスターを直接デプロイするために使用されるAzure Resource Manager (ARM) のテンプレート構文と似ています。 -処理結果はARMテンプレートとして出力され、ソース管理に組み込んだり、AzureにKubernetesクラスターをデプロイするために使うことができます。 - -**[AKS-Engine Kubernetes Tutorial](https://github.com/Azure/aks-engine/blob/master/docs/tutorials/README.md)** を参照して始めることができます。 - -## Azure上でCoreOS Tectonicを動かす - -Azureで利用できるCoreOS Tectonic Installerは**オープンソース**であり、コミュニティのためにGitHub上で公開され、利用およびコントリビュートすることができます: **[Tectonic Installer](https://github.com/coreos/tectonic-installer)**. - -Tectonic Installerは、 [Hashicorp が提供する Terraform](https://www.terraform.io/docs/providers/azurerm/)のAzure Resource Manager(ARM)プロバイダーを用いてクラスターをカスタマイズしたい場合に適した選択肢です。 -これを利用することにより、Terraformと親和性の高いツールを使用してカスタマイズしたり連携したりすることができます。 - -[Tectonic Installer for Azure Guide](https://coreos.com/tectonic/docs/latest/install/azure/azure-terraform.html)を参照して、すぐに始めることができます。 diff --git a/content/ja/docs/setup/production-environment/turnkey/gce.md b/content/ja/docs/setup/production-environment/turnkey/gce.md deleted file mode 100644 index 39e03efc941..00000000000 --- a/content/ja/docs/setup/production-environment/turnkey/gce.md +++ /dev/null @@ -1,217 +0,0 @@ ---- -title: Google Compute Engine上でKubernetesを動かす -content_type: task ---- - - - -The example below creates a Kubernetes cluster with 3 worker node Virtual Machines and a master Virtual Machine (i.e. 4 VMs in your cluster). This cluster is set up and controlled from your workstation (or wherever you find convenient). - - - -## {{% heading "prerequisites" %}} - - -If you want a simplified getting started experience and GUI for managing clusters, please consider trying [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) for hosted cluster installation and management. - -For an easy way to experiment with the Kubernetes development environment, click the button below -to open a Google Cloud Shell with an auto-cloned copy of the Kubernetes source repo. - -[![Open in Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.png)](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/kubernetes/kubernetes&page=editor&open_in_editor=README.md) - -If you want to use custom binaries or pure open source Kubernetes, please continue with the instructions below. - -### 前提条件 - -1. You need a Google Cloud Platform account with billing enabled. Visit the [Google Developers Console](https://console.cloud.google.com) for more details. -1. Install `gcloud` as necessary. `gcloud` can be installed as a part of the [Google Cloud SDK](https://cloud.google.com/sdk/). -1. Enable the [Compute Engine Instance Group Manager API](https://console.developers.google.com/apis/api/replicapool.googleapis.com/overview) in the [Google Cloud developers console](https://console.developers.google.com/apis/library). -1. Make sure that gcloud is set to use the Google Cloud Platform project you want. You can check the current project using `gcloud config list project` and change it via `gcloud config set project `. -1. Make sure you have credentials for GCloud by running `gcloud auth login`. -1. (Optional) In order to make API calls against GCE, you must also run `gcloud auth application-default login`. -1. Make sure you can start up a GCE VM from the command line. At least make sure you can do the [Create an instance](https://cloud.google.com/compute/docs/instances/#startinstancegcloud) part of the GCE Quickstart. -1. Make sure you can SSH into the VM without interactive prompts. See the [Log in to the instance](https://cloud.google.com/compute/docs/instances/#sshing) part of the GCE Quickstart. - - - - - -## クラスターの起動 - -You can install a client and start a cluster with either one of these commands (we list both in case only one is installed on your machine): - - -```shell -curl -sS https://get.k8s.io | bash -``` - -or - -```shell -wget -q -O - https://get.k8s.io | bash -``` - -Once this command completes, you will have a master VM and four worker VMs, running as a Kubernetes cluster. - -By default, some containers will already be running on your cluster. Containers like `fluentd` provide [logging](/docs/concepts/cluster-administration/logging/), while `heapster` provides [monitoring](https://releases.k8s.io/master/cluster/addons/cluster-monitoring/README.md) services. - -The script run by the commands above creates a cluster with the name/prefix "kubernetes". It defines one specific cluster config, so you can't run it more than once. - -Alternately, you can download and install the latest Kubernetes release from [this page](https://github.com/kubernetes/kubernetes/releases), then run the `/cluster/kube-up.sh` script to start the cluster: - -```shell -cd kubernetes -cluster/kube-up.sh -``` - -If you want more than one cluster running in your project, want to use a different name, or want a different number of worker nodes, see the `/cluster/gce/config-default.sh` file for more fine-grained configuration before you start up your cluster. - -If you run into trouble, please see the section on [troubleshooting](/ja/docs/setup/production-environment/turnkey/gce/#troubleshooting), post to the -[Kubernetes Forum](https://discuss.kubernetes.io), or come ask questions on `#gke` Slack channel. - -The next few steps will show you: - -1. How to set up the command line client on your workstation to manage the cluster -1. Examples of how to use the cluster -1. How to delete the cluster -1. How to start clusters with non-default options (like larger clusters) - -## ワークステーション上でのKubernetesコマンドラインツールのインストール - -The cluster startup script will leave you with a running cluster and a `kubernetes` directory on your workstation. - -The [kubectl](/docs/reference/kubectl/kubectl/) tool controls the Kubernetes cluster -manager. It lets you inspect your cluster resources, create, delete, and update -components, and much more. You will use it to look at your new cluster and bring -up example apps. - -You can use `gcloud` to install the `kubectl` command-line tool on your workstation: - -```shell -gcloud components install kubectl -``` - -{{< note >}} -The kubectl version bundled with `gcloud` may be older than the one -The [kubectl](/ja/docs/reference/kubectl/kubectl/) tool controls the Kubernetes cluster -document to see how you can set up the latest `kubectl` on your workstation. -{{< /note >}} - -## クラスターの始まり - -### クラスターの様子を見る - -Once `kubectl` is in your path, you can use it to look at your cluster. E.g., running: - -```shell -kubectl get --all-namespaces services -``` - -should show a set of [services](/docs/concepts/services-networking/service/) that look something like this: - -```shell -NAMESPACE NAME TYPE CLUSTER_IP EXTERNAL_IP PORT(S) AGE -default kubernetes ClusterIP 10.0.0.1 443/TCP 1d -kube-system kube-dns ClusterIP 10.0.0.2 53/TCP,53/UDP 1d -kube-system kube-ui ClusterIP 10.0.0.3 80/TCP 1d -... -``` - -Similarly, you can take a look at the set of [pods](/ja/docs/concepts/workloads/pods/) that were created during cluster startup. -You can do this via the - -```shell -kubectl get --all-namespaces pods -``` - -command. - -You'll see a list of pods that looks something like this (the name specifics will be different): - -```shell -NAMESPACE NAME READY STATUS RESTARTS AGE -kube-system coredns-5f4fbb68df-mc8z8 1/1 Running 0 15m -kube-system fluentd-cloud-logging-kubernetes-minion-63uo 1/1 Running 0 14m -kube-system fluentd-cloud-logging-kubernetes-minion-c1n9 1/1 Running 0 14m -kube-system fluentd-cloud-logging-kubernetes-minion-c4og 1/1 Running 0 14m -kube-system fluentd-cloud-logging-kubernetes-minion-ngua 1/1 Running 0 14m -kube-system kube-ui-v1-curt1 1/1 Running 0 15m -kube-system monitoring-heapster-v5-ex4u3 1/1 Running 1 15m -kube-system monitoring-influx-grafana-v1-piled 2/2 Running 0 15m -``` - -Some of the pods may take a few seconds to start up (during this time they'll show `Pending`), but check that they all show as `Running` after a short period. - -### いくつかの例の実行 - -Then, see [a simple nginx example](/ja/docs/tasks/run-application/run-stateless-application-deployment/) to try out your new cluster. - -For more complete applications, please look in the [examples directory](https://github.com/kubernetes/examples/tree/master/). The [guestbook example](https://github.com/kubernetes/examples/tree/master/guestbook/) is a good "getting started" walkthrough. - -## クラスターの解体 - -To remove/delete/teardown the cluster, use the `kube-down.sh` script. - -```shell -cd kubernetes -cluster/kube-down.sh -``` - -Likewise, the `kube-up.sh` in the same directory will bring it back up. You do not need to rerun the `curl` or `wget` command: everything needed to setup the Kubernetes cluster is now on your workstation. - -## カスタマイズ - -The script above relies on Google Storage to stage the Kubernetes release. It -then will start (by default) a single master VM along with 3 worker VMs. You -can tweak some of these parameters by editing `kubernetes/cluster/gce/config-default.sh` -You can view a transcript of a successful cluster creation -[here](https://gist.github.com/satnam6502/fc689d1b46db9772adea). - -## トラブルシューティング - -### プロジェクトの設定 - -You need to have the Google Cloud Storage API, and the Google Cloud Storage -JSON API enabled. It is activated by default for new projects. Otherwise, it -can be done in the Google Cloud Console. See the [Google Cloud Storage JSON -API Overview](https://cloud.google.com/storage/docs/json_api/) for more -details. - -Also ensure that-- as listed in the [Prerequisites section](#前提条件)-- you've enabled the `Compute Engine Instance Group Manager API`, and can start up a GCE VM from the command line as in the [GCE Quickstart](https://cloud.google.com/compute/docs/quickstart) instructions. - -### クラスター初期化のハング - -If the Kubernetes startup script hangs waiting for the API to be reachable, you can troubleshoot by SSHing into the master and node VMs and looking at logs such as `/var/log/startupscript.log`. - -**Once you fix the issue, you should run `kube-down.sh` to cleanup** after the partial cluster creation, before running `kube-up.sh` to try again. - -### SSH - -If you're having trouble SSHing into your instances, ensure the GCE firewall -isn't blocking port 22 to your VMs. By default, this should work but if you -have edited firewall rules or created a new non-default network, you'll need to -expose it: `gcloud compute firewall-rules create default-ssh --network= ---description "SSH allowed from anywhere" --allow tcp:22` - -Additionally, your GCE SSH key must either have no passcode or you need to be -using `ssh-agent`. - -### ネットワーク - -The instances must be able to connect to each other using their private IP. The -script uses the "default" network which should have a firewall rule called -"default-allow-internal" which allows traffic on any port on the private IPs. -If this rule is missing from the default network or if you change the network -being used in `cluster/config-default.sh` create a new rule with the following -field values: - -* Source Ranges: `10.0.0.0/8` -* Allowed Protocols and Port: `tcp:1-65535;udp:1-65535;icmp` - -## サポートレベル - - -IaaS Provider | Config. Mgmt | OS | Networking | Docs | Conforms | Support Level --------------------- | ------------ | ------ | ---------- | --------------------------------------------- | ---------| ---------------------------- -GCE | Saltstack | Debian | GCE | [docs](/ja/docs/setup/production-environment/turnkey/gce/) | | Project - diff --git a/content/ja/docs/setup/production-environment/turnkey/icp.md b/content/ja/docs/setup/production-environment/turnkey/icp.md deleted file mode 100644 index 1313f37ff0c..00000000000 --- a/content/ja/docs/setup/production-environment/turnkey/icp.md +++ /dev/null @@ -1,63 +0,0 @@ ---- -title: IBM Cloud Privateを使ってマルチクラウドでKubernetesを動かす ---- - -IBM® Cloud Private is a turnkey cloud solution and an on-premises turnkey cloud solution. IBM Cloud Private delivers pure upstream Kubernetes with the typical management components that are required to run real enterprise workloads. These workloads include health management, log management, audit trails, and metering for tracking usage of workloads on the platform. - -IBM Cloud Private is available in a community edition and a fully supported enterprise edition. The community edition is available at no charge from [Docker Hub](https://hub.docker.com/r/ibmcom/icp-inception/). The enterprise edition supports high availability topologies and includes commercial support from IBM for Kubernetes and the IBM Cloud Private management platform. If you want to try IBM Cloud Private, you can use either the hosted trial, the tutorial, or the self-guided demo. You can also try the free community edition. For details, see [Get started with IBM Cloud Private](https://www.ibm.com/cloud/private/get-started). - -For more information, explore the following resources: - -* [IBM Cloud Private](https://www.ibm.com/cloud/private) -* [Reference architecture for IBM Cloud Private](https://github.com/ibm-cloud-architecture/refarch-privatecloud) -* [IBM Cloud Private documentation](https://www.ibm.com/support/knowledgecenter/SSBS6K/product_welcome_cloud_private.html) - -## IBM Cloud PrivateとTerraform - -The following modules are available where you can deploy IBM Cloud Private by using Terraform: - -* AWS: [Deploy IBM Cloud Private to AWS](https://github.com/ibm-cloud-architecture/terraform-icp-aws) -* Azure: [Deploy IBM Cloud Private to Azure](https://github.com/ibm-cloud-architecture/terraform-icp-azure) -* IBM Cloud: [Deploy IBM Cloud Private cluster to IBM Cloud](https://github.com/ibm-cloud-architecture/terraform-icp-ibmcloud) -* OpenStack: [Deploy IBM Cloud Private to OpenStack](https://github.com/ibm-cloud-architecture/terraform-icp-openstack) -* Terraform module: [Deploy IBM Cloud Private on any supported infrastructure vendor](https://github.com/ibm-cloud-architecture/terraform-module-icp-deploy) -* VMware: [Deploy IBM Cloud Private to VMware](https://github.com/ibm-cloud-architecture/terraform-icp-vmware) - -## AWS上でのIBM Cloud Private - -You can deploy an IBM Cloud Private cluster on Amazon Web Services (AWS) using Terraform. - -IBM Cloud Private can also run on the AWS cloud platform by using Terraform. To deploy IBM Cloud Private in an AWS EC2 environment, see [Installing IBM Cloud Private on AWS](https://github.com/ibm-cloud-architecture/terraform-icp-aws). - -## Azure上でのIBM Cloud Private - -You can enable Microsoft Azure as a cloud provider for IBM Cloud Private deployment and take advantage of all the IBM Cloud Private features on the Azure public cloud. For more information, see [IBM Cloud Private on Azure](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.2.0/supported_environments/azure_overview.html). - -## Red Hat OpenShiftを用いたIBM Cloud Private - -You can deploy IBM certified software containers that are running on IBM Cloud Private onto Red Hat OpenShift. - -Integration capabilities: - -* Supports Linux® 64-bit platform in offline-only installation mode -* Single-master configuration -* Integrated IBM Cloud Private cluster management console and catalog -* Integrated core platform services, such as monitoring, metering, and logging -* IBM Cloud Private uses the OpenShift image registry - -For more information see, [IBM Cloud Private on OpenShift](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.2.0/supported_environments/openshift/overview.html). - -## VirtualBox上でのIBM Cloud Private - -To install IBM Cloud Private to a VirtualBox environment, see [Installing IBM Cloud Private on VirtualBox](https://github.com/ibm-cloud-architecture/refarch-privatecloud-virtualbox). - -## VMware上でのIBM Cloud Private - -You can install IBM Cloud Private on VMware with either Ubuntu or RHEL images. For details, see the following projects: - -* [Installing IBM Cloud Private with Ubuntu](https://github.com/ibm-cloud-architecture/refarch-privatecloud/blob/master/Installing_ICp_on_prem_ubuntu.md) -* [Installing IBM Cloud Private with Red Hat Enterprise](https://github.com/ibm-cloud-architecture/refarch-privatecloud/tree/master/icp-on-rhel) - -The IBM Cloud Private Hosted service automatically deploys IBM Cloud Private Hosted on your VMware vCenter Server instances. This service brings the power of microservices and containers to your VMware environment on IBM Cloud. With this service, you can extend the same familiar VMware and IBM Cloud Private operational model and tools from on-premises into the IBM Cloud. - -For more information, see [IBM Cloud Private Hosted service](https://cloud.ibm.com/docs/vmwaresolutions?topic=vmwaresolutions-icp_overview). From efa8181fde21353fa0ac6e1c04d49b55def2244c Mon Sep 17 00:00:00 2001 From: Harshal Patil Date: Tue, 14 Mar 2023 11:15:45 -0400 Subject: [PATCH 024/272] Graduate Evented PLEG to Beta Signed-off-by: Harshal Patil Co-authored-by: Tim Bannister --- .../feature-gates.md | 3 +- .../switch-to-evented-pleg.md | 91 +++++++++++++++++++ 2 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 content/en/docs/tasks/administer-cluster/switch-to-evented-pleg.md diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 626cc6931f6..bd28ebde4df 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -94,7 +94,8 @@ For a reference to old feature gates that are removed, please refer to | `DownwardAPIHugePages` | `false` | Beta | 1.21 | 1.21 | | `DownwardAPIHugePages` | `true` | Beta | 1.22 | | | `DynamicResourceAllocation` | `false` | Alpha | 1.26 | | -| `EventedPLEG` | `false` | Alpha | 1.26 | - | +| `EventedPLEG` | `false` | Alpha | 1.26 | 1.26 | +| `EventedPLEG` | `false` | Beta | 1.27 | - | | `ExpandedDNSConfig` | `false` | Alpha | 1.22 | 1.25 | | `ExpandedDNSConfig` | `true` | Beta | 1.26 | | | `ExperimentalHostUserNamespaceDefaulting` | `false` | Beta | 1.5 | | diff --git a/content/en/docs/tasks/administer-cluster/switch-to-evented-pleg.md b/content/en/docs/tasks/administer-cluster/switch-to-evented-pleg.md new file mode 100644 index 00000000000..8fdb491c28a --- /dev/null +++ b/content/en/docs/tasks/administer-cluster/switch-to-evented-pleg.md @@ -0,0 +1,91 @@ +--- +title: Switching From Polling to CRI Event-based Updates to Container Status +min-kubernetes-server-version: 1.26 +content_type: task +weight: 90 +--- + +{{< feature-state for_k8s_version="v1.26" state="beta" >}} + + +This page shows how to migrate notes to use event based updates for container status. The event-based +implementation reduces node resource consumption by the kubelet, compared to the legacy approach +that relies on polling. +You may know this feature as _evented Pod lifecycle event generator (PLEG)_. That's the name used +internally within the Kubernetes project for a key implementation detail. + + +## {{% heading "prerequisites" %}} + +* You need to run a version of Kubernetes that provides this feature. +Kubernetes {{< skew currentVersion >}} includes beta support for event-based container +status updates. The feature is beta and is disabled by default. +{{< version-check >}} +If you are running a different version of Kubernetes, check the documentation for that release. + + + + +## Why switch to Evented PLEG? + +* The current `Generic PLEG` incurs non-negligible overhead due to frequent polling of container statuses. +* This overhead is exacerbated by Kubelet's parallelism, limiting its scalability and causing poor performance and reliability problems. +* The goal of `Evented PLEG` is to reduce unnecessary work during inactivity by replacing periodic polling. + +## Switching to Evented PLEG + + +1. Start the Kubelet with the [feature gate](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/) `EventedPLEG` enabled. In Kubelet feature gates can be enabled by editing [config file](https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/) and restarting the Kubelet service. + +2. Please make sure the node is [drained](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/) before proceeding. + +3. Start the `CRI Runtime` with the `Evented PLEG` support. + {{< tabs name="tab_with_code" >}} + {{< tab name="Containerd" codelang="bash" >}} + Version 1.7+ + {{< /tab >}} + {{< tab name="CRI-O" codelang="bash" >}} + Version 1.26+ + + Check if the CRI-O is already configured to emit `CRI Events` by verifying the configuration, + ``` + $ crio config | grep enable_pod_events + ``` + If its enabled it should show, + ``` + # enable_pod_events = true + ``` + + To enable it, start the cri-o daemon with the flag `--enable-pod-events=true` or using a drop in config like, + + [crio.runtime] + enable_pod_events: true + + + {{< /tab >}} + {{< /tabs >}} + + +{{< version-check >}} + +4. Verify that `Evented PLEG` is in use by looking for the term `EventedPLEG` in the kubelet logs + + The output is similar to this: + ``` + I0314 11:10:13.909915 1105457 feature_gate.go:249] feature gates: &{map[EventedPLEG:true]} + ``` + + If you have set LOG_LEVEL to 4 and above, you might see more entries that indicate `Evented PLEG` is in use by the kubelet. + + ``` + I0314 11:12:42.009542 1110177 evented.go:238] "Evented PLEG: Generated pod status from the received event" podUID=3b2c6172-b112-447a-ba96-94e7022912dc + I0314 11:12:44.623326 1110177 evented.go:238] "Evented PLEG: Generated pod status from the received event" podUID=b3fba5ea-a8c5-4b76-8f43-481e17e8ec40 + I0314 11:12:44.714564 1110177 evented.go:238] "Evented PLEG: Generated pod status from the received event" podUID=b3fba5ea-a8c5-4b76-8f43-481e17e8ec40 + ``` + +## {{% heading "whatsnext" %}} + +* Learn more about [KEP 3386](https://github.com/kubernetes/enhancements/blob/5b258a990adabc2ffdc9d84581ea6ed696f7ce6c/keps/sig-node/3386-kubelet-evented-pleg/README.md). + + + From 5beb348e62422da89c3270aa21de7c5059d33411 Mon Sep 17 00:00:00 2001 From: Patrick Ohly Date: Fri, 17 Mar 2023 11:56:25 +0100 Subject: [PATCH 025/272] dynamic resource allocation: update for 1.27 The API group was bumped to make some incompatible internal changes and the user-visible renaming of PodScheduling to PodSchedulingContext. --- .../dynamic-resource-allocation.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/content/en/docs/concepts/scheduling-eviction/dynamic-resource-allocation.md b/content/en/docs/concepts/scheduling-eviction/dynamic-resource-allocation.md index e1c468f58f0..5a6779a8747 100644 --- a/content/en/docs/concepts/scheduling-eviction/dynamic-resource-allocation.md +++ b/content/en/docs/concepts/scheduling-eviction/dynamic-resource-allocation.md @@ -9,7 +9,7 @@ weight: 65 -{{< feature-state for_k8s_version="v1.26" state="alpha" >}} +{{< feature-state for_k8s_version="v1.27" state="alpha" >}} Dynamic resource allocation is a new API for requesting and sharing resources between pods and containers inside a pod. It is a generalization of the @@ -31,7 +31,7 @@ check the documentation for that version of Kubernetes. ## API -The new `resource.k8s.io/v1alpha1` {{< glossary_tooltip text="API group" +The `resource.k8s.io/v1alpha2` {{< glossary_tooltip text="API group" term_id="api-group" >}} provides four new types: ResourceClass @@ -51,7 +51,7 @@ ResourceClaimTemplate : Defines the spec and some meta data for creating ResourceClaims. Created by a user when deploying a workload. -PodScheduling +PodSchedulingContext : Used internally by the control plane and resource drivers to coordinate pod scheduling when ResourceClaims need to be allocated for a Pod. @@ -76,7 +76,7 @@ Here is an example for a fictional resource driver. Two ResourceClaim objects will get created for this Pod and each container gets access to one of them. ```yaml -apiVersion: resource.k8s.io/v1alpha1 +apiVersion: resource.k8s.io/v1alpha2 kind: ResourceClass name: resource.example.com driverName: resource-driver.example.com @@ -88,7 +88,7 @@ spec: color: black size: large --- -apiVersion: resource.k8s.io/v1alpha1 +apiVersion: resource.k8s.io/v1alpha2 kind: ResourceClaimTemplate metadata: name: large-black-cat-claim-template @@ -176,7 +176,7 @@ future. Dynamic resource allocation is an *alpha feature* and only enabled when the `DynamicResourceAllocation` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) and the -`resource.k8s.io/v1alpha1` {{< glossary_tooltip text="API group" +`resource.k8s.io/v1alpha2` {{< glossary_tooltip text="API group" term_id="api-group" >}} are enabled. For details on that, see the `--feature-gates` and `--runtime-config` [kube-apiserver parameters](/docs/reference/command-line-tools-reference/kube-apiserver/). @@ -203,8 +203,9 @@ error: the server doesn't have a resource type "resourceclasses" ``` The default configuration of kube-scheduler enables the "DynamicResources" -plugin if and only if the feature gate is enabled. Custom configurations may -have to be modified to include it. +plugin if and only if the feature gate is enabled and when using +the v1 configuration API. Custom configurations may have to be modified to +include it. In addition to enabling the feature in the cluster, a resource driver also has to be installed. Please refer to the driver's documentation for details. From b6b1fc392d1255c12b9d9f741ff49fd9645c1e59 Mon Sep 17 00:00:00 2001 From: Maciej Szulik Date: Tue, 7 Mar 2023 13:08:01 +0100 Subject: [PATCH 026/272] Promote CronJobTimeZone to stable --- .../workloads/controllers/cron-jobs.md | 35 +++++++++---------- .../feature-gates.md | 5 +-- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/content/en/docs/concepts/workloads/controllers/cron-jobs.md b/content/en/docs/concepts/workloads/controllers/cron-jobs.md index dd327758e33..29ec67caab7 100644 --- a/content/en/docs/concepts/workloads/controllers/cron-jobs.md +++ b/content/en/docs/concepts/workloads/controllers/cron-jobs.md @@ -14,9 +14,9 @@ weight: 80 A _CronJob_ creates {{< glossary_tooltip term_id="job" text="Jobs" >}} on a repeating schedule. -CronJob is meant for performing regular scheduled actions such as backups, report generation, -and so on. One CronJob object is like one line of a _crontab_ (cron table) file on a -Unix system. It runs a job periodically on a given schedule, written in +CronJob is meant for performing regular scheduled actions such as backups, report generation, +and so on. One CronJob object is like one line of a _crontab_ (cron table) file on a +Unix system. It runs a job periodically on a given schedule, written in [Cron](https://en.wikipedia.org/wiki/Cron) format. CronJobs have limitations and idiosyncrasies. @@ -162,19 +162,22 @@ For another way to clean up jobs automatically, see [Clean up finished jobs auto ### Time zones -For CronJobs with no time zone specified, the {{< glossary_tooltip term_id="kube-controller-manager" text="kube-controller-manager" >}} interprets schedules relative to its local time zone. +{{< feature-state for_k8s_version="v1.27" state="stable" >}} -{{< feature-state for_k8s_version="v1.25" state="beta" >}} +For CronJobs with no time zone specified, the {{< glossary_tooltip term_id="kube-controller-manager" text="kube-controller-manager" >}} +interprets schedules relative to its local time zone. -If you enable the `CronJobTimeZone` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/), -you can specify a time zone for a CronJob (if you don't enable that feature gate, or if you are using a version of -Kubernetes that does not have experimental time zone support, all CronJobs in your cluster have an unspecified -timezone). +You can specify a time zone for a CronJob by setting `.spec.timeZone` to the name +of a valid [time zone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). +For example, setting `.spec.timeZone: "Etc/UTC"` instructs Kubernetes to interpret +the schedule relative to Coordinated Universal Time. -When you have the feature enabled, you can set `.spec.timeZone` to the name of a valid [time zone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For example, setting -`.spec.timeZone: "Etc/UTC"` instructs Kubernetes to interpret the schedule relative to Coordinated Universal Time. +A time zone database from the Go standard library is included in the binaries and used as a fallback in case an external database is not available on the system. + +## CronJob limitations {#cron-job-limitations} + +### Unsupported TimeZone specification -{{< caution >}} The implementation of the CronJob API in Kubernetes {{< skew currentVersion >}} lets you set the `.spec.schedule` field to include a timezone; for example: `CRON_TZ=UTC * * * * *` or `TZ=UTC * * * * *`. @@ -183,14 +186,10 @@ Specifying a timezone that way is **not officially supported** (and never has be If you try to set a schedule that includes `TZ` or `CRON_TZ` timezone specification, Kubernetes reports a [warning](/blog/2020/09/03/warnings/) to the client. -Future versions of Kubernetes might not implement that unofficial timezone mechanism at all. -{{< /caution >}} - -A time zone database from the Go standard library is included in the binaries and used as a fallback in case an external database is not available on the system. - -## CronJob limitations {#cron-job-limitations} +Future versions of Kubernetes will prevent setting the unofficial timezone mechanism entirely. ### Modifying a CronJob + By design, a CronJob contains a template for _new_ Jobs. If you modify an existing CronJob, the changes you make will apply to new Jobs that start to run after your modification is complete. Jobs (and their Pods) that have already diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 3680548e7af..f6288cb26d0 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -82,8 +82,6 @@ For a reference to old feature gates that are removed, please refer to | `ComponentSLIs` | `false` | Alpha | 1.26 | | | `ContainerCheckpoint` | `false` | Alpha | 1.25 | | | `ContextualLogging` | `false` | Alpha | 1.24 | | -| `CronJobTimeZone` | `false` | Alpha | 1.24 | 1.24 | -| `CronJobTimeZone` | `true` | Beta | 1.25 | | | `CrossNamespaceVolumeDataSource` | `false` | Alpha| 1.26 | | | `CustomCPUCFSQuotaPeriod` | `false` | Alpha | 1.12 | | | `CustomResourceValidationExpressions` | `false` | Alpha | 1.23 | 1.24 | @@ -251,6 +249,9 @@ For a reference to old feature gates that are removed, please refer to | `CSIStorageCapacity` | `true` | Beta | 1.21 | 1.23 | | `CSIStorageCapacity` | `true` | GA | 1.24 | - | | `ConsistentHTTPGetHandlers` | `true` | GA | 1.25 | - | +| `CronJobTimeZone` | `false` | Alpha | 1.24 | 1.24 | +| `CronJobTimeZone` | `true` | Beta | 1.25 | 1.26 | +| `CronJobTimeZone` | `true` | GA | 1.27 | - | | `DaemonSetUpdateSurge` | `false` | Alpha | 1.21 | 1.21 | | `DaemonSetUpdateSurge` | `true` | Beta | 1.22 | 1.24 | | `DaemonSetUpdateSurge` | `true` | GA | 1.25 | - | From 7eefbb8de09c52e4072085567928d498ef10c6d5 Mon Sep 17 00:00:00 2001 From: Jan Safranek Date: Thu, 16 Mar 2023 09:53:26 +0100 Subject: [PATCH 027/272] Add NewVolumeManagerReconstruction feature gate --- .../command-line-tools-reference/feature-gates.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 626cc6931f6..8c6b666b020 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -149,6 +149,7 @@ For a reference to old feature gates that are removed, please refer to | `MinimizeIPTablesRestore` | `false` | Alpha | 1.26 | - | | `MultiCIDRRangeAllocator` | `false` | Alpha | 1.25 | | | `NetworkPolicyStatus` | `false` | Alpha | 1.24 | | +| `NewVolumeManagerReconstruction` | `true` | Beta | 1.27 | | | `NodeInclusionPolicyInPodTopologySpread` | `false` | Alpha | 1.25 | 1.25 | | `NodeInclusionPolicyInPodTopologySpread` | `true` | Beta | 1.26 | | | `NodeOutOfServiceVolumeDetach` | `false` | Alpha | 1.24 | 1.25 | @@ -626,6 +627,19 @@ Each feature gate is designed for enabling/disabling a specific feature: - `NetworkPolicyEndPort`: Enable use of the field `endPort` in NetworkPolicy objects, allowing the selection of a port range instead of a single port. - `NetworkPolicyStatus`: Enable the `status` subresource for NetworkPolicy objects. +- `NewVolumeManagerReconstruction`: Enable improved discovery of mounted volumes during kubelet + startup. + + Before Kubernetes v1.25, the kubelet used different default behavior for discovering mounted + volumes during the kubelet startup. If you disable this feature gate (it's enabled by default), you select + the legacy discovery behavior. + + In Kubernetes v1.25 and v1.26, this behavior toggle was part of the `SELinuxMountReadWriteOncePod` + feature gate. +- `NewVolumeManagerReconstruction`: Enables improved discovery of mounted volumes during kubelet + startup. Since this code has been significantly refactored, we allow to opt-out in case kubelet + gets stuck at the startup or is not unmounting volumes from terminated Pods. Note that this + refactoring was behind `SELinuxMountReadWriteOncePod` alpha feature gate in Kubernetes 1.25. - `NodeInclusionPolicyInPodTopologySpread`: Enable using `nodeAffinityPolicy` and `nodeTaintsPolicy` in [Pod topology spread constraints](/docs/concepts/scheduling-eviction/topology-spread-constraints/) when calculating pod topology spread skew. From 3a4f7ab1e75d9426d44ed8c517a6d70f96862d87 Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Sun, 12 Mar 2023 13:39:35 +0900 Subject: [PATCH 028/272] fix: HPA container resource metrics beta graduation --- .../reference/command-line-tools-reference/feature-gates.md | 3 ++- .../en/docs/tasks/run-application/horizontal-pod-autoscale.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 1ea5df83424..94dcf45504f 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -104,7 +104,8 @@ For a reference to old feature gates that are removed, please refer to | `GracefulNodeShutdown` | `true` | Beta | 1.21 | | | `GracefulNodeShutdownBasedOnPodPriority` | `false` | Alpha | 1.23 | 1.23 | | `GracefulNodeShutdownBasedOnPodPriority` | `true` | Beta | 1.24 | | -| `HPAContainerMetrics` | `false` | Alpha | 1.20 | | +| `HPAContainerMetrics` | `false` | Alpha | 1.20 | 1.26 | +| `HPAContainerMetrics` | `true` | Beta | 1.27 | | | `HPAScaleToZero` | `false` | Alpha | 1.16 | | | `HonorPVReclaimPolicy` | `false` | Alpha | 1.23 | | | `IPTablesOwnershipCleanup` | `false` | Alpha | 1.25 | | diff --git a/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md b/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md index 09c91f87803..b9c2b56a0c6 100644 --- a/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md +++ b/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md @@ -274,7 +274,7 @@ pod usage is still within acceptable limits. ### Container resource metrics -{{< feature-state for_k8s_version="v1.20" state="alpha" >}} +{{< feature-state for_k8s_version="v1.27" state="beta" >}} The HorizontalPodAutoscaler API also supports a container metric source where the HPA can track the resource usage of individual containers across a set of Pods, in order to scale the target resource. From 3a81c94ba8b6ada277bc5e5e44a4e7ce62c2cfa9 Mon Sep 17 00:00:00 2001 From: Todd Neal Date: Wed, 15 Mar 2023 14:06:10 -0500 Subject: [PATCH 029/272] remove pod-eviction-timeout documentation pod-eviction-timeout has been removed from v1.27, update the docs to reference the taint based eviction that is now the default and only mechanism. --- .../en/docs/concepts/architecture/nodes.md | 36 ++++++------------- .../taint-and-toleration.md | 5 +++ 2 files changed, 16 insertions(+), 25 deletions(-) diff --git a/content/en/docs/concepts/architecture/nodes.md b/content/en/docs/concepts/architecture/nodes.md index d36d82174b7..301f2b2fab6 100644 --- a/content/en/docs/concepts/architecture/nodes.md +++ b/content/en/docs/concepts/architecture/nodes.md @@ -215,34 +215,20 @@ of the Node resource. For example, the following JSON structure describes a heal ] ``` -If the `status` of the Ready condition remains `Unknown` or `False` for longer -than the `pod-eviction-timeout` (an argument passed to the -{{< glossary_tooltip text="kube-controller-manager" term_id="kube-controller-manager" ->}}), then the [node controller](#node-controller) triggers -{{< glossary_tooltip text="API-initiated eviction" term_id="api-eviction" >}} -for all Pods assigned to that node. The default eviction timeout duration is -**five minutes**. -In some cases when the node is unreachable, the API server is unable to communicate -with the kubelet on the node. The decision to delete the pods cannot be communicated to -the kubelet until communication with the API server is re-established. In the meantime, -the pods that are scheduled for deletion may continue to run on the partitioned node. - -The node controller does not force delete pods until it is confirmed that they have stopped -running in the cluster. You can see the pods that might be running on an unreachable node as -being in the `Terminating` or `Unknown` state. In cases where Kubernetes cannot deduce from the -underlying infrastructure if a node has permanently left a cluster, the cluster administrator -may need to delete the node object by hand. Deleting the node object from Kubernetes causes -all the Pod objects running on the node to be deleted from the API server and frees up their -names. - When problems occur on nodes, the Kubernetes control plane automatically creates [taints](/docs/concepts/scheduling-eviction/taint-and-toleration/) that match the conditions -affecting the node. -The scheduler takes the Node's taints into consideration when assigning a Pod to a Node. -Pods can also have {{< glossary_tooltip text="tolerations" term_id="toleration" >}} that let -them run on a Node even though it has a specific taint. +affecting the node. An example of this is when the `status` of the Ready condition +remains `Unknown` or `False` for longer than the kube-controller-manager's `NodeMonitorGracePeriod`, +which defaults to 40 seconds. This will cause either an `node.kubernetes.io/unreachable` taint, for an `Unknown` status, +or a `node.kubernetes.io/not-ready` taint, for a `False` status, to be added to the Node. -See [Taint Nodes by Condition](/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-nodes-by-condition) +These taints affect pending pods as the scheduler takes the Node's taints into consideration when +assigning a pod to a Node. Existing pods scheduled to the node may be evicted due to the application +of `NoExecute` taints. Pods may also have {{< glossary_tooltip text="tolerations" term_id="toleration" >}} that let +them schedule to and continue running on a Node even though it has a specific taint. + +See [Taint Based Evictions](/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-based-evictions) and +[Taint Nodes by Condition](/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-nodes-by-condition) for more details. ### Capacity and Allocatable {#capacity} diff --git a/content/en/docs/concepts/scheduling-eviction/taint-and-toleration.md b/content/en/docs/concepts/scheduling-eviction/taint-and-toleration.md index 7fde68c09f8..3ffb845ec87 100644 --- a/content/en/docs/concepts/scheduling-eviction/taint-and-toleration.md +++ b/content/en/docs/concepts/scheduling-eviction/taint-and-toleration.md @@ -224,6 +224,11 @@ In case a node is to be evicted, the node controller or the kubelet adds relevan with `NoExecute` effect. If the fault condition returns to normal the kubelet or node controller can remove the relevant taint(s). +In some cases when the node is unreachable, the API server is unable to communicate +with the kubelet on the node. The decision to delete the pods cannot be communicated to +the kubelet until communication with the API server is re-established. In the meantime, +the pods that are scheduled for deletion may continue to run on the partitioned node. + {{< note >}} The control plane limits the rate of adding node new taints to nodes. This rate limiting manages the number of evictions that are triggered when many nodes become unreachable at From b17509592b4113e5c6fbc5c7d9d0cd3484488851 Mon Sep 17 00:00:00 2001 From: Ritikaa96 Date: Fri, 17 Mar 2023 15:39:27 +0530 Subject: [PATCH 030/272] Deprecation Note addedi for loadbalancerIP --- .../concepts/services-networking/service.md | 26 +++++++------------ 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/content/en/docs/concepts/services-networking/service.md b/content/en/docs/concepts/services-networking/service.md index d096096ec2a..8aa0edf068d 100644 --- a/content/en/docs/concepts/services-networking/service.md +++ b/content/en/docs/concepts/services-networking/service.md @@ -645,12 +645,6 @@ status: Traffic from the external load balancer is directed at the backend Pods. The cloud provider decides how it is load balanced. -Some cloud providers allow you to specify the `loadBalancerIP`. In those cases, the load-balancer is created -with the user-specified `loadBalancerIP`. If the `loadBalancerIP` field is not specified, -the loadBalancer is set up with an ephemeral IP address. If you specify a `loadBalancerIP` -but your cloud provider does not support the feature, the `loadbalancerIP` field that you -set is ignored. - To implement a Service of `type: LoadBalancer`, Kubernetes typically starts off by making the changes that are equivalent to you requesting a Service of `type: NodePort`. The cloud-controller-manager component then configures the external load balancer to @@ -663,16 +657,16 @@ cloud provider implementation supports this. {{< note >}} -On **Azure**, if you want to use a user-specified public type `loadBalancerIP`, you first need -to create a static type public IP address resource. This public IP address resource should -be in the same resource group of the other automatically created resources of the cluster. -For example, `MC_myResourceGroup_myAKSCluster_eastus`. - -Specify the assigned IP address as loadBalancerIP. Ensure that you have updated the -`securityGroupName` in the cloud provider configuration file. -For information about troubleshooting `CreatingLoadBalancerFailed` permission issues see, -[Use a static IP address with the Azure Kubernetes Service (AKS) load balancer](https://docs.microsoft.com/en-us/azure/aks/static-ip) -or [CreatingLoadBalancerFailed on AKS cluster with advanced networking](https://github.com/Azure/AKS/issues/357). +The`.spec.loadBalancerIP` field for a Service was deprecated in Kubernetes v1.24. + +This field was under-specified and its meaning varies across implementations. It also cannot support dual-stack networking. This field may be removed in a future API version. + +If you're integrating with a provider that supports specifying the load balancer IP address(es) +for a Service via a (provider specific) annotation, you should switch to doing that. + +If you are writing code for a load balancer integration with Kubernetes, avoid using this field. +You can integrate with [Gateway](https://gateway-api.sigs.k8s.io/) rather than Service, or you +can define your own (provider specific) annotations on the Service that specify the equivalent detail. {{< /note >}} From c79c8f2a12c59fd91418ba1e77a30451b88d2610 Mon Sep 17 00:00:00 2001 From: Ritikaa96 Date: Tue, 21 Mar 2023 19:04:20 +0530 Subject: [PATCH 031/272] Adding loadbalancerdeprecation info and removing Azure Info in NOTE Signed-off-by: Ritikaa96 --- content/en/docs/concepts/services-networking/service.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/content/en/docs/concepts/services-networking/service.md b/content/en/docs/concepts/services-networking/service.md index 8aa0edf068d..2f97b28f25f 100644 --- a/content/en/docs/concepts/services-networking/service.md +++ b/content/en/docs/concepts/services-networking/service.md @@ -654,6 +654,11 @@ You can configure a load balanced Service to [omit](#load-balancer-nodeport-allocation) assigning a node port, provided that the cloud provider implementation supports this. +Some cloud providers allow you to specify the `loadBalancerIP`. In those cases, the load-balancer is created +with the user-specified `loadBalancerIP`. If the `loadBalancerIP` field is not specified, +the loadBalancer is set up with an ephemeral IP address. If you specify a `loadBalancerIP` +but your cloud provider does not support the feature, the `loadbalancerIP` field that you +set is ignored. {{< note >}} From 6f914b6f60b3937af868d436dd1f84971a4f8a19 Mon Sep 17 00:00:00 2001 From: Antonio Ojea Date: Tue, 21 Mar 2023 13:57:44 +0000 Subject: [PATCH 033/272] KEP-1880 MultiCIDRServiceAllocator Signed-off-by: Antonio Ojea --- .../reference/command-line-tools-reference/feature-gates.md | 3 +++ content/en/docs/reference/networking/virtual-ips.md | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 6021f29a734..95151f0e27c 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -146,6 +146,7 @@ For a reference to old feature gates that are removed, please refer to | `MinDomainsInPodTopologySpread` | `false` | Beta | 1.25 | | | `MinimizeIPTablesRestore` | `false` | Alpha | 1.26 | - | | `MultiCIDRRangeAllocator` | `false` | Alpha | 1.25 | | +| `MultiCIDRServiceAllocator` | `false` | Alpha | 1.27 | | | `NetworkPolicyStatus` | `false` | Alpha | 1.24 | | | `NodeInclusionPolicyInPodTopologySpread` | `false` | Alpha | 1.25 | 1.25 | | `NodeInclusionPolicyInPodTopologySpread` | `true` | Beta | 1.26 | | @@ -625,6 +626,8 @@ Each feature gate is designed for enabling/disabling a specific feature: - `MixedProtocolLBService`: Enable using different protocols in the same `LoadBalancer` type Service instance. - `MultiCIDRRangeAllocator`: Enables the MultiCIDR range allocator. +- `MultiCIDRServiceAllocator`: Enables a new IPAddress object kind, and a new Service ClusterIP allocator. + The new allocator removes previous Service CIDR block size limitations for IPv4, and limits IPv6 size to a /64. - `NetworkPolicyEndPort`: Enable use of the field `endPort` in NetworkPolicy objects, allowing the selection of a port range instead of a single port. - `NetworkPolicyStatus`: Enable the `status` subresource for NetworkPolicy objects. diff --git a/content/en/docs/reference/networking/virtual-ips.md b/content/en/docs/reference/networking/virtual-ips.md index 670960f1710..32ff8626f0e 100644 --- a/content/en/docs/reference/networking/virtual-ips.md +++ b/content/en/docs/reference/networking/virtual-ips.md @@ -271,6 +271,12 @@ When clients connect to the VIP, their traffic is automatically transported to a appropriate endpoint. The environment variables and DNS for Services are actually populated in terms of the Service's virtual IP address (and port). +{{< feature-state for_k8s_version="v1.27" state="alpha" >}} +If you enable the `MultiCIDRServiceAllocator` +[feature gate](/docs/reference/command-line-tools-reference/feature-gates/), +the `ClusterIP` address associated to each `Service` will have a referenced +`IPAddress` object. + ### Avoiding collisions One of the primary philosophies of Kubernetes is that you should not be From 801b556183b2e8a29c601325f69c66b86af3a7d3 Mon Sep 17 00:00:00 2001 From: Michal Wozniak Date: Mon, 6 Mar 2023 12:43:19 +0100 Subject: [PATCH 034/272] Update for KEP3329: "Retriable and non-retriable Pod failures for Jobs" Co-authored-by: Aldo Culquicondor <1299064+alculquicondor@users.noreply.github.com> --- .../concepts/workloads/controllers/job.md | 11 ++ .../concepts/workloads/pods/disruptions.md | 5 - .../concepts/workloads/pods/pod-lifecycle.md | 8 ++ .../en/docs/tasks/job/pod-failure-policy.md | 111 ++++++++++++++++++ .../job-pod-failure-policy-config-issue.yaml | 19 +++ 5 files changed, 149 insertions(+), 5 deletions(-) create mode 100644 content/en/examples/controllers/job-pod-failure-policy-config-issue.yaml diff --git a/content/en/docs/concepts/workloads/controllers/job.md b/content/en/docs/concepts/workloads/controllers/job.md index ecdcb62027b..7d83ca69992 100644 --- a/content/en/docs/concepts/workloads/controllers/job.md +++ b/content/en/docs/concepts/workloads/controllers/job.md @@ -807,6 +807,17 @@ These are some requirements and semantics of the API: - `Count`: use to indicate that the Pod should be handled in the default way. The counter towards the `.spec.backoffLimit` should be incremented. +{{< note >}} +When you use a `podFailurePolicy`, the job controller only matches Pods in the +`Failed` phase. Pods with a deletion timestamp that are not in a terminal phase +(`Failed` or `Succeeded`) are considered still terminating. This implies that +terminating pods retain a [tracking finalizer](#job-tracking-with-finalizers) +until they reach a terminal phase. +Since Kubernetes 1.27, Kubelet transitions deleted pods to a terminal phase +(see: [Pod Phase](/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase)). This +ensures that deleted pods have their finalizers removed by the Job controller. +{{< /note >}} + ### Job tracking with finalizers {{< feature-state for_k8s_version="v1.26" state="stable" >}} diff --git a/content/en/docs/concepts/workloads/pods/disruptions.md b/content/en/docs/concepts/workloads/pods/disruptions.md index 1ddbfa4c2aa..25982067532 100644 --- a/content/en/docs/concepts/workloads/pods/disruptions.md +++ b/content/en/docs/concepts/workloads/pods/disruptions.md @@ -231,11 +231,6 @@ can happen, according to: {{< feature-state for_k8s_version="v1.26" state="beta" >}} -{{< note >}} -If you are using an older version of Kubernetes than {{< skew currentVersion >}} -please refer to the corresponding version of the documentation. -{{< /note >}} - {{< note >}} In order to use this behavior, you must have the `PodDisruptionConditions` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) diff --git a/content/en/docs/concepts/workloads/pods/pod-lifecycle.md b/content/en/docs/concepts/workloads/pods/pod-lifecycle.md index 43f9c70ccf3..d37dbb18eb3 100644 --- a/content/en/docs/concepts/workloads/pods/pod-lifecycle.md +++ b/content/en/docs/concepts/workloads/pods/pod-lifecycle.md @@ -91,6 +91,12 @@ A Pod is granted a term to terminate gracefully, which defaults to 30 seconds. You can use the flag `--force` to [terminate a Pod by force](/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination-forced). {{< /note >}} +Since Kubernetes 1.27, the kubelet transitions deleted pods, except for +[static pods](/docs/tasks/configure-pod-container/static-pod/) and +[force-deleted pods](/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination-forced) +without a finalizer, to a terminal phase (`Failed` or `Succeeded` depending on +the exit statuses of the pod containers) before their deletion from the API server. + If a node dies or is disconnected from the rest of the cluster, Kubernetes applies a policy for setting the `phase` of all Pods on the lost node to Failed. @@ -476,6 +482,8 @@ An example flow: 1. When the grace period expires, the kubelet triggers forcible shutdown. The container runtime sends `SIGKILL` to any processes still running in any container in the Pod. The kubelet also cleans up a hidden `pause` container if that container runtime uses one. +1. The kubelet transitions the pod into a terminal phase (`Failed` or `Succeeded` depending on + the end state of its containers). This step is guaranteed since version 1.27. 1. The kubelet triggers forcible removal of Pod object from the API server, by setting grace period to 0 (immediate deletion). 1. The API server deletes the Pod's API object, which is then no longer visible from any client. diff --git a/content/en/docs/tasks/job/pod-failure-policy.md b/content/en/docs/tasks/job/pod-failure-policy.md index 3cafd35ae98..124331847cc 100644 --- a/content/en/docs/tasks/job/pod-failure-policy.md +++ b/content/en/docs/tasks/job/pod-failure-policy.md @@ -28,6 +28,9 @@ You should already be familiar with the basic use of [Job](/docs/concepts/worklo {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}} +Ensure that the [feature gates](/docs/reference/command-line-tools-reference/feature-gates/) +`PodDisruptionConditions` and `JobPodFailurePolicy` are both enabled in your cluster. + ## Using Pod failure policy to avoid unnecessary Pod retries With the following example, you can learn how to use Pod failure policy to @@ -129,6 +132,114 @@ kubectl delete jobs/job-pod-failure-policy-ignore The cluster automatically cleans up the Pods. +## Using Pod failure policy to avoid unnecessary Pod retries based on custom Pod Conditions + +With the following example, you can learn how to use Pod failure policy to +avoid unnecessary Pod restarts based on custom Pod Conditions. + +{{< note >}} +The example below works since version 1.27 as it relies on transitioning of +deleted pods, in the `Pending` phase, to a terminal phase +(see: [Pod Phase](/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase)). +{{< /note >}} + +1. First, create a Job based on the config: + + {{< codenew file="/controllers/job-pod-failure-policy-config-issue.yaml" >}} + + by running: + + ```sh + kubectl create -f job-pod-failure-policy-config-issue.yaml + ``` + + Note that, the image is misconfigured, as it does not exist. + +2. Inspect the status of the job's Pods by running: + + ```sh + kubectl get pods -l job-name=job-pod-failure-policy-config-issue -o yaml + ``` + + You will see output similar to this: + ```yaml + containerStatuses: + - image: non-existing-repo/non-existing-image:example + ... + state: + waiting: + message: Back-off pulling image "non-existing-repo/non-existing-image:example" + reason: ImagePullBackOff + ... + phase: Pending + ``` + + Note that the pod remains in the `Pending` phase as it fails to pull the + misconfigured image. This, in principle, could be a transient issue and the + image could get pulled. However, in this case, the image does not exist so + we indicate this fact by a custom condition. + +3. Add the custom condition. First prepare the patch by running: + + ```sh + cat < patch.yaml + status: + conditions: + - type: ConfigIssue + status: "True" + reason: "NonExistingImage" + lastTransitionTime: "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" + EOF + ``` + Second, select one of the pods created by the job by running: + ``` + podName=$(kubectl get pods -l job-name=job-pod-failure-policy-config-issue -o jsonpath='{.items[0].metadata.name}') + ``` + + Then, apply the patch on one of the pods by running the following command: + + ```sh + kubectl patch pod $podName --subresource=status --patch-file=patch.yaml + ``` + + If applied successfully, you will get a notification like this: + + ```sh + pod/job-pod-failure-policy-config-issue-k6pvp patched + ``` + +4. Delete the pod to transition it to `Failed` phase, by running the command: + + ```sh + kubectl delete pods/$podName + ``` + +5. Inspect the status of the Job by running: + + ```sh + kubectl get jobs -l job-name=job-pod-failure-policy-config-issue -o yaml + ``` + + In the Job status, see a job `Failed` condition with the field `reason` + equal `PodFailurePolicy`. Additionally, the `message` field contains a + more detailed information about the Job termination, such as: + `Pod default/job-pod-failure-policy-config-issue-k6pvp has condition ConfigIssue matching FailJob rule at index 0`. + +{{< note >}} +In a production environment, the steps 3 and 4 should be automated by a +user-provided controller. +{{< /note >}} + +### Cleaning up + +Delete the Job you created: + +```sh +kubectl delete jobs/job-pod-failure-policy-config-issue +``` + +The cluster automatically cleans up the Pods. + ## Alternatives You could rely solely on the diff --git a/content/en/examples/controllers/job-pod-failure-policy-config-issue.yaml b/content/en/examples/controllers/job-pod-failure-policy-config-issue.yaml new file mode 100644 index 00000000000..fc82ca188c0 --- /dev/null +++ b/content/en/examples/controllers/job-pod-failure-policy-config-issue.yaml @@ -0,0 +1,19 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: job-pod-failure-policy-config-issue +spec: + completions: 8 + parallelism: 2 + template: + spec: + restartPolicy: Never + containers: + - name: main + image: "non-existing-repo/non-existing-image:example" + backoffLimit: 6 + podFailurePolicy: + rules: + - action: FailJob + onPodConditions: + - type: ConfigIssue From 15b2e78646ee694f028adebef141b116a74b0732 Mon Sep 17 00:00:00 2001 From: Han Kang Date: Tue, 21 Mar 2023 09:04:28 -0700 Subject: [PATCH 035/272] add documentation for beta stability levels --- content/en/docs/reference/using-api/deprecation-policy.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/en/docs/reference/using-api/deprecation-policy.md b/content/en/docs/reference/using-api/deprecation-policy.md index 9bf80456e46..ad8b0291b27 100644 --- a/content/en/docs/reference/using-api/deprecation-policy.md +++ b/content/en/docs/reference/using-api/deprecation-policy.md @@ -425,7 +425,7 @@ to determine SLOs, these tend to have greater import. Other metrics are more experimental in nature or are used primarily in the Kubernetes development process. -Accordingly, metrics fall under two stability classes (`ALPHA` and `STABLE`); +Accordingly, metrics fall under three stability classes (`ALPHA`, `BETA` `STABLE`); this impacts removal of a metric during a Kubernetes release. These classes are determined by the perceived importance of the metric. The rules for deprecating and removing a metric are as follows: @@ -433,11 +433,13 @@ deprecating and removing a metric are as follows: **Rule #9a: Metrics, for the corresponding stability class, must function for no less than:** * **STABLE: 4 releases or 12 months (whichever is longer)** + * **BETA: 2 releases or 8 months (whichever is longer)** * **ALPHA: 0 releases** **Rule #9b: Metrics, after their _announced deprecation_, must function for no less than:** * **STABLE: 3 releases or 9 months (whichever is longer)** + * **BETA: 1 releases or 4 months (whichever is longer)** * **ALPHA: 0 releases** Deprecated metrics will have their description text prefixed with a deprecation notice From 8212bf1edd6aacd7b261575fafd79b5d778720a5 Mon Sep 17 00:00:00 2001 From: Shihang Zhang Date: Tue, 21 Mar 2023 09:10:08 -0700 Subject: [PATCH 036/272] update LegacyServiceAccountTokenTracking to beta --- .../reference/command-line-tools-reference/feature-gates.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 6021f29a734..6145065a73e 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -126,7 +126,8 @@ For a reference to old feature gates that are removed, please refer to | `KubeletPodResourcesGetAllocatable` | `false` | Alpha | 1.21 | 1.22 | | `KubeletPodResourcesGetAllocatable` | `true` | Beta | 1.23 | | | `KubeletTracing` | `false` | Alpha | 1.25 | | -| `LegacyServiceAccountTokenTracking` | `false` | Alpha | 1.25 | | +| `LegacyServiceAccountTokenTracking` | `false` | Alpha | 1.26 | 1.26 | +| `LegacyServiceAccountTokenTracking` | `true` | Beta | 1.27 | | | `LocalStorageCapacityIsolationFSQuotaMonitoring` | `false` | Alpha | 1.15 | - | | `LogarithmicScaleDown` | `false` | Alpha | 1.21 | 1.21 | | `LogarithmicScaleDown` | `true` | Beta | 1.22 | | From 6887d395f3db9913904cdcd9a9bab7dd2b3b9abe Mon Sep 17 00:00:00 2001 From: xuzhenglun Date: Wed, 22 Mar 2023 03:38:02 +0800 Subject: [PATCH 037/272] add docs in service concepts --- .../docs/concepts/services-networking/service.md | 14 ++++++++++++++ .../command-line-tools-reference/feature-gates.md | 1 + 2 files changed, 15 insertions(+) diff --git a/content/en/docs/concepts/services-networking/service.md b/content/en/docs/concepts/services-networking/service.md index df4895e52fb..1eaa5539754 100644 --- a/content/en/docs/concepts/services-networking/service.md +++ b/content/en/docs/concepts/services-networking/service.md @@ -586,6 +586,20 @@ spec: nodePort: 30007 ``` +#### Reserve Nodeport Ranges to avoid collisions when port assigning + +{{< feature-state for_k8s_version="v1.27" state="alpha" >}} + +The policy for assigning ports to NodePort services applies to both the auto-assignment and +the manual assignment scenarios. When a user wants to create a NodePort service that +uses a specific port, the target port may conflict with another port that has already been assigned. +In this case, you can enable the feature gate `ServiceNodePortStaticSubrange`, which allows you +to use a different port allocation strategy for NodePort Services. The port range for NodePort services +is divided into two bands. Dynamic port assignment uses the upper band by default, and it may use +the lower band once the upper band has been exhausted. Users can then allocate from the lower band +with a lower risk of port collision. + + #### Custom IP address configuration for `type: NodePort` Services {#service-nodeport-custom-listen-address} You can set up nodes in your cluster to use a particular IP address for serving node port diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index afac9234a7e..234a31af40d 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -186,6 +186,7 @@ For a reference to old feature gates that are removed, please refer to | `SeccompDefault` | `true` | Beta | 1.25 | | | `ServerSideFieldValidation` | `false` | Alpha | 1.23 | 1.24 | | `ServerSideFieldValidation` | `true` | Beta | 1.25 | | +| `ServiceNodePortStaticSubrange` | `false` | Alpha | 1.27 | | | `SizeMemoryBackedVolumes` | `false` | Alpha | 1.20 | 1.21 | | `SizeMemoryBackedVolumes` | `true` | Beta | 1.22 | | | `StatefulSetAutoDeletePVC` | `false` | Alpha | 1.22 | | From bcff6ab600cc3ba873cbac0f515036fba0af1822 Mon Sep 17 00:00:00 2001 From: Sascha Grunert Date: Fri, 10 Mar 2023 08:25:27 +0100 Subject: [PATCH 038/272] [KEP-2053] Add docs for DownwardAPIHugepages graduation Signed-off-by: Sascha Grunert --- content/en/docs/concepts/workloads/pods/downward-api.md | 4 ++-- .../command-line-tools-reference/feature-gates.md | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/content/en/docs/concepts/workloads/pods/downward-api.md b/content/en/docs/concepts/workloads/pods/downward-api.md index a3cb201d473..971475199c5 100644 --- a/content/en/docs/concepts/workloads/pods/downward-api.md +++ b/content/en/docs/concepts/workloads/pods/downward-api.md @@ -107,10 +107,10 @@ for resources such as CPU and memory. : A container's memory request `resource: limits.hugepages-*` -: A container's hugepages limit (provided that the `DownwardAPIHugePages` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled) +: A container's hugepages limit `resource: requests.hugepages-*` -: A container's hugepages request (provided that the `DownwardAPIHugePages` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled) +: A container's hugepages request `resource: limits.ephemeral-storage` : A container's ephemeral-storage limit diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 626cc6931f6..a2ec9b47f87 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -90,9 +90,6 @@ For a reference to old feature gates that are removed, please refer to | `CustomResourceValidationExpressions` | `true` | Beta | 1.25 | | | `DisableCloudProviders` | `false` | Alpha | 1.22 | | | `DisableKubeletCloudCredentialProviders` | `false` | Alpha | 1.23 | | -| `DownwardAPIHugePages` | `false` | Alpha | 1.20 | 1.20 | -| `DownwardAPIHugePages` | `false` | Beta | 1.21 | 1.21 | -| `DownwardAPIHugePages` | `true` | Beta | 1.22 | | | `DynamicResourceAllocation` | `false` | Alpha | 1.26 | | | `EventedPLEG` | `false` | Alpha | 1.26 | - | | `ExpandedDNSConfig` | `false` | Alpha | 1.22 | 1.25 | @@ -265,6 +262,10 @@ For a reference to old feature gates that are removed, please refer to | `DisableAcceleratorUsageMetrics` | `false` | Alpha | 1.19 | 1.19 | | `DisableAcceleratorUsageMetrics` | `true` | Beta | 1.20 | 1.24 | | `DisableAcceleratorUsageMetrics` | `true` | GA | 1.25 |- | +| `DownwardAPIHugePages` | `false` | Alpha | 1.20 | 1.20 | +| `DownwardAPIHugePages` | `false` | Beta | 1.21 | 1.21 | +| `DownwardAPIHugePages` | `true` | Beta | 1.22 | 1.26 | +| `DownwardAPIHugePages` | `true` | GA | 1.27 | - | | `DryRun` | `false` | Alpha | 1.12 | 1.12 | | `DryRun` | `true` | Beta | 1.13 | 1.18 | | `DryRun` | `true` | GA | 1.19 | - | From 5170f4a669576e01c7a2a79a822851163d7c9a5a Mon Sep 17 00:00:00 2001 From: Dan Winship Date: Tue, 31 Jan 2023 09:11:06 -0500 Subject: [PATCH 039/272] Update iptables perf discussion for 1.27 Co-authored-by: Tim Bannister --- .../docs/reference/networking/virtual-ips.md | 60 +++++++++---------- 1 file changed, 28 insertions(+), 32 deletions(-) diff --git a/content/en/docs/reference/networking/virtual-ips.md b/content/en/docs/reference/networking/virtual-ips.md index 670960f1710..d022448ea09 100644 --- a/content/en/docs/reference/networking/virtual-ips.md +++ b/content/en/docs/reference/networking/virtual-ips.md @@ -131,6 +131,26 @@ iptables: ... ``` +##### Performance optimization for `iptables` mode {#minimize-iptables-restore} + +{{< feature-state for_k8s_version="v1.27" state="beta" >}} + +In Kubernetes {{< skew currentVersion >}} the kube-proxy defaults to a minimal approach +to `iptables-restore` operations, only making updates where Services or EndpointSlices have +actually changed. This is a performance optimization. +The original implementation updated all the rules for all Services on every sync; this +sometimes led to performance issues (update lag) in large clusters. + +If you are not running kube-proxy from Kubernetes {{< skew currentVersion >}}, check +the behavior and associated advice for the version that you are actually running. + +If you were previously overriding `minSyncPeriod`, you should try +removing that override and letting kube-proxy use the default value +(`1s`) or at least a smaller value than you were using before upgrading. +You can select the legacy behavior by disabling the `MinimizeIPTablesRestore` +[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) +(you should not need to). + ##### `minSyncPeriod` The `minSyncPeriod` parameter sets the minimum duration between @@ -142,7 +162,7 @@ things change in a small time period. For example, if you have a Service backed by a {{< glossary_tooltip term_id="deployment" text="Deployment" >}} with 100 pods, and you delete the Deployment, then with `minSyncPeriod: 0s`, kube-proxy would end up -removing the Service's Endpoints from the iptables rules one by one, +removing the Service's endpoints from the iptables rules one by one, for a total of 100 updates. With a larger `minSyncPeriod`, multiple Pod deletion events would get aggregated together, so kube-proxy might @@ -154,20 +174,19 @@ The larger the value of `minSyncPeriod`, the more work that can be aggregated, but the downside is that each individual change may end up waiting up to the full `minSyncPeriod` before being processed, meaning that the iptables rules spend more time being out-of-sync with the -current apiserver state. +current API server state. -The default value of `1s` is a good compromise for small and medium -clusters. In large clusters, it may be necessary to set it to a larger -value. (Especially, if kube-proxy's -`sync_proxy_rules_duration_seconds` metric indicates an average -time much larger than 1 second, then bumping up `minSyncPeriod` may -make updates more efficient.) +The default value of `1s` should work well in most clusters, but in very +large clusters it may be necessary to set it to a larger value. +Especially, if kube-proxy's `sync_proxy_rules_duration_seconds` metric +indicates an average time much larger than 1 second, then bumping up +`minSyncPeriod` may make updates more efficient. ##### `syncPeriod` The `syncPeriod` parameter controls a handful of synchronization operations that are not directly related to changes in individual -Services and Endpoints. In particular, it controls how quickly +Services and EndpointSlices. In particular, it controls how quickly kube-proxy notices if an external component has interfered with kube-proxy's iptables rules. In large clusters, kube-proxy also only performs certain cleanup operations once every `syncPeriod` to avoid @@ -178,29 +197,6 @@ impact on performance, but in the past, it was sometimes useful to set it to a very large value (eg, `1h`). This is no longer recommended, and is likely to hurt functionality more than it improves performance. -##### Experimental performance improvements {#minimize-iptables-restore} - -{{< feature-state for_k8s_version="v1.26" state="alpha" >}} - -In Kubernetes 1.26, some new performance improvements were made to the -iptables proxy mode, but they are not enabled by default (and should -probably not be enabled in production clusters yet). To try them out, -enable the `MinimizeIPTablesRestore` [feature -gate](/docs/reference/command-line-tools-reference/feature-gates/) for -kube-proxy with `--feature-gates=MinimizeIPTablesRestore=true,…`. - -If you enable that feature gate and -you were previously overriding -`minSyncPeriod`, you should try removing that override and letting -kube-proxy use the default value (`1s`) or at least a smaller value -than you were using before. - -If you notice kube-proxy's -`sync_proxy_rules_iptables_restore_failures_total` or -`sync_proxy_rules_iptables_partial_restore_failures_total` metrics -increasing after enabling this feature, that likely indicates you are -encountering bugs in the feature and you should file a bug report. - ### IPVS proxy mode {#proxy-mode-ipvs} In `ipvs` mode, kube-proxy watches Kubernetes Services and EndpointSlices, From b17085427749eb68ee43c00b1f1712cc27510204 Mon Sep 17 00:00:00 2001 From: Kevin Delgado Date: Tue, 31 Jan 2023 16:58:29 +0000 Subject: [PATCH 040/272] docs for field validation GA --- .../reference/command-line-tools-reference/feature-gates.md | 5 +++-- content/en/docs/reference/using-api/api-concepts.md | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 544dc68d612..96fd5d7937c 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -181,8 +181,6 @@ For a reference to old feature gates that are removed, please refer to | `SELinuxMountReadWriteOncePod` | `false` | Alpha | 1.25 | | | `SeccompDefault` | `false` | Alpha | 1.22 | 1.24 | | `SeccompDefault` | `true` | Beta | 1.25 | | -| `ServerSideFieldValidation` | `false` | Alpha | 1.23 | 1.24 | -| `ServerSideFieldValidation` | `true` | Beta | 1.25 | | | `ServiceNodePortStaticSubrange` | `false` | Alpha | 1.27 | | | `SizeMemoryBackedVolumes` | `false` | Alpha | 1.20 | 1.21 | | `SizeMemoryBackedVolumes` | `true` | Beta | 1.22 | | @@ -313,6 +311,9 @@ For a reference to old feature gates that are removed, please refer to | `ServerSideApply` | `false` | Alpha | 1.14 | 1.15 | | `ServerSideApply` | `true` | Beta | 1.16 | 1.21 | | `ServerSideApply` | `true` | GA | 1.22 | - | +| `ServerSideFieldValidation` | `false` | Alpha | 1.23 | 1.24 | +| `ServerSideFieldValidation` | `true` | Beta | 1.25 | 1.26 | +| `ServerSideFieldValidation` | `true` | GA | 1.27 | - | | `ServiceIPStaticSubrange` | `false` | Alpha | 1.24 | 1.24 | | `ServiceIPStaticSubrange` | `true` | Beta | 1.25 | 1.25 | | `ServiceIPStaticSubrange` | `true` | GA | 1.26 | - | diff --git a/content/en/docs/reference/using-api/api-concepts.md b/content/en/docs/reference/using-api/api-concepts.md index 3c7c0fa8ccb..2396fbd1eb4 100644 --- a/content/en/docs/reference/using-api/api-concepts.md +++ b/content/en/docs/reference/using-api/api-concepts.md @@ -700,7 +700,7 @@ These situations are: ### Setting the field validation level - {{< feature-state for_k8s_version="v1.25" state="beta" >}} + {{< feature-state for_k8s_version="v1.27" state="stable" >}} Provided that the `ServerSideFieldValidation` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled (disabled by default in 1.23 and 1.24, enabled by default starting in 1.25), you can take From c0df96e6aab96d246b747c572043fbd5d23494e7 Mon Sep 17 00:00:00 2001 From: Kevin Delgado Date: Wed, 1 Feb 2023 17:29:54 +0000 Subject: [PATCH 041/272] make more timeless --- .../docs/reference/using-api/api-concepts.md | 62 ++++++++++--------- 1 file changed, 32 insertions(+), 30 deletions(-) diff --git a/content/en/docs/reference/using-api/api-concepts.md b/content/en/docs/reference/using-api/api-concepts.md index 2396fbd1eb4..803736957ea 100644 --- a/content/en/docs/reference/using-api/api-concepts.md +++ b/content/en/docs/reference/using-api/api-concepts.md @@ -698,29 +698,13 @@ These situations are: fields via `x-kubernetes-preserve-unknown-fields`). 2. The field is duplicated in the object. -### Setting the field validation level +### Validation for unrecognized or duplicate fields (#setting-the-field-validation-level) {{< feature-state for_k8s_version="v1.27" state="stable" >}} -Provided that the `ServerSideFieldValidation` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled (disabled -by default in 1.23 and 1.24, enabled by default starting in 1.25), you can take -advantage of server side field validation to catch these unrecognized fields. - -When you use HTTP verbs that can submit data (`POST`, `PUT`, and `PATCH`), field -validation gives you the option to choose how you would like to be notified of -these fields that are being dropped by the API server. Possible levels of -validation are `Ignore`, `Warn`, and `Strict`. - -{{< note >}} -If you submit a request that specifies an unrecognized field, and that is also invalid for -a different reason (for example, the request provides a string value where the API expects -an integer), then the API server responds with a 400 Bad Request error response. - -You always receive an error response in this case, no matter what field validation level you requested. -{{< /note >}} - -Field validation is set by the `fieldValidation` query parameter. The three -values that you can provide for this parameter are: +From 1.25 onward, unrecognized or duplicate fields in an object are detected via +validation on the server when you use HTTP verbs that can submit data (`POST`, `PUT`, and `PATCH`). Possible levels of +validation are `Ignore`, `Warn` (default), and `Strict`. `Ignore` : The API server succeeds in handling the request as it would without the erroneous fields @@ -740,20 +724,38 @@ detects any unknown or duplicate fields. The response message from the API server specifies all the unknown or duplicate fields that the API server has detected. +The field validation level is set by the `fieldValidation` query parameter. + +{{< note >}} +If you submit a request that specifies an unrecognized field, and that is also invalid for +a different reason (for example, the request provides a string value where the API expects +an integer for a known field), then the API server responds with a 400 Bad Request error, but will +not provide any information on unknown or duplicate fields (only which fatal +error it encountered first). + +You always receive an error response in this case, no matter what field validation level you requested. +{{< /note >}} + Tools that submit requests to the server (such as `kubectl`), might set their own defaults that are different from the `Warn` validation level that the API server uses by default. -The `kubectl` tool uses the `--validate` flag to set the level of field validation. -Historically `--validate` was used to toggle client-side validation on or off as -a boolean flag. Since Kubernetes 1.25, kubectl uses -server-side field validation when sending requests to a server with this feature -enabled. Validation will fall back to client-side only when it cannot connect -to an API server with field validation enabled. -It accepts the values `ignore`, `warn`, -and `strict` while also accepting the values `true` (equivalent to `strict`) and `false` -(equivalent to `ignore`). The default validation setting for kubectl is `--validate=true`, -which means strict server-side field validation. +The `kubectl` tool uses the `--validate` flag to set the level of field +validation. It accepts the values `ignore`, `warn`, and `strict` while +also accepting the values `true` (equivalent to `strict`) and `false` +(equivalent to `ignore`). The default validation setting for kubectl is +`--validate=true`, which means strict server-side field validation. + +When kubectl cannot connect to an API server with field validation (API servers +prior to Kubernetes 1.27), it will fall back to using client-side validation. +Client-side validation will be removed entirely in a future version of kubectl. + +{{< note >}} + +Prior to Kubernetes 1.25 `kubectl --validate` was used to toggle client-side validation on or off as +a boolean flag. + +{{< /note >}} ## Dry-run From 457c26b997ed2d3564a6b3fa46f2f271e7c9b32e Mon Sep 17 00:00:00 2001 From: Cici Huang Date: Tue, 21 Mar 2023 23:46:15 +0000 Subject: [PATCH 042/272] Adding MatchConditions into ValidatingAdmissionPolicy --- .../validating-admission-policy.md | 21 ++++++++++++++++++ ...ing-admission-policy-match-conditions.yaml | 22 +++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 content/en/examples/access/validating-admission-policy-match-conditions.yaml diff --git a/content/en/docs/reference/access-authn-authz/validating-admission-policy.md b/content/en/docs/reference/access-authn-authz/validating-admission-policy.md index 2bf6610eebd..d30c5206b5b 100644 --- a/content/en/docs/reference/access-authn-authz/validating-admission-policy.md +++ b/content/en/docs/reference/access-authn-authz/validating-admission-policy.md @@ -365,3 +365,24 @@ HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: `Unauthorized`, `Forbidden`, `Invalid`, `RequestEntityTooLarge`. If not set, `StatusReasonInvalid` is used in the response to the client. +### Matching requests: `matchConditions` + +You can define _match conditions_ for a `ValidatingAdmissionPolicy` if you need fine-grained request filtering. These +conditions are useful if you find that match rules, `objectSelectors` and `namespaceSelectors` still +doesn't provide the filtering you want. Match conditions are +[CEL expressions](/docs/reference/using-api/cel/). All match conditions must evaluate to true for the +resource to be evaluated. + +Here is an example illustrating a few different uses for match conditions: + +{{< codenew file="access/validating-admission-policy-match-conditions.yaml" >}} + +Match conditions have access to the same CEL variables as validation expressions. + +In the event of an error evaluating a match condition the policy is not evaluated. Whether to reject +the request is determined as follows: + +1. If **any** match condition evaluated to `false` (regardless of other errors), the API server skips the policy. +2. Otherwise: + - for [`failurePolicy: Fail`](#failure-policy), reject the request (without evaluating the policy). + - for [`failurePolicy: Ignore`](#failure-policy), proceed with the request but skip the policy. diff --git a/content/en/examples/access/validating-admission-policy-match-conditions.yaml b/content/en/examples/access/validating-admission-policy-match-conditions.yaml new file mode 100644 index 00000000000..77d0dd61867 --- /dev/null +++ b/content/en/examples/access/validating-admission-policy-match-conditions.yaml @@ -0,0 +1,22 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + name: "demo-policy.example.com" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: ["*"] + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + matchConditions: + - name: 'exclude-leases' # Each match condition must have a unique name + expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # Match non-lease resources. + - name: 'exclude-kubelet-requests' + expression: '!("system:nodes" in request.userInfo.groups)' # Match requests made by non-node users. + - name: 'rbac' # Skip RBAC requests. + expression: 'request.resource.group != "rbac.authorization.k8s.io"' + validations: + - expression: "object.metadata.name.startWith('demo')" + From 350ce035a53ee85a99b84264dd76c92d3a511b20 Mon Sep 17 00:00:00 2001 From: Cici Huang Date: Wed, 22 Mar 2023 20:14:36 +0000 Subject: [PATCH 043/272] Fix previous virables in exampes --- .../validating-admission-policy.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/validating-admission-policy.md b/content/en/docs/reference/access-authn-authz/validating-admission-policy.md index d30c5206b5b..6342fd3994e 100644 --- a/content/en/docs/reference/access-authn-authz/validating-admission-policy.md +++ b/content/en/docs/reference/access-authn-authz/validating-admission-policy.md @@ -323,12 +323,12 @@ For example, `int` in the word “sprint” would not be escaped. Examples on escaping: -|property name | rule with escaped property name | -| ----------------| ----------------------- | -| namespace | `self.__namespace__ > 0` | -| x-prop | `self.x__dash__prop > 0` | -| redact__d | `self.redact__underscores__d > 0` | -| string | `self.startsWith('kube')` | +|property name | rule with escaped property name | +| ----------------|-----------------------------------| +| namespace | `object.__namespace__ > 0` | +| x-prop | `object.x__dash__prop > 0` | +| redact__d | `object.redact__underscores__d > 0` | +| string | `object.startsWith('kube')` | Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type: From 1ee260fea500d7d2d51af94e7ea06874a89f847b Mon Sep 17 00:00:00 2001 From: Mickey Boxell Date: Wed, 22 Mar 2023 15:24:08 -0500 Subject: [PATCH 044/272] Updated config.toml for 1.27 release --- hugo.toml | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/hugo.toml b/hugo.toml index c34cfa20d27..796630004c9 100644 --- a/hugo.toml +++ b/hugo.toml @@ -138,10 +138,10 @@ time_format_default = "January 02, 2006 at 3:04 PM PST" description = "Production-Grade Container Orchestration" showedit = true -latest = "v1.26" +latest = "v1.27" -fullversion = "v1.26.0" -version = "v1.26" +fullversion = "v1.27.0" +version = "v1.27" githubbranch = "main" docsbranch = "main" deprecated = false @@ -181,40 +181,40 @@ js = [ ] [[params.versions]] -fullversion = "v1.26.0" -version = "v1.26" -githubbranch = "v1.26.0" +fullversion = "v1.27.0" +version = "v1.27" +githubbranch = "v1.27.0" docsbranch = "main" url = "https://kubernetes.io" [[params.versions]] -fullversion = "v1.25.5" +fullversion = "v1.26.3" +version = "v1.26" +githubbranch = "v1.26.3" +docsbranch = "release-1.26" +url = "https://v1-26.docs.kubernetes.io" + +[[params.versions]] +fullversion = "v1.25.8" version = "v1.25" -githubbranch = "v1.25.5" +githubbranch = "v1.25.8" docsbranch = "release-1.25" url = "https://v1-25.docs.kubernetes.io" [[params.versions]] -fullversion = "v1.24.9" +fullversion = "v1.24.12" version = "v1.24" -githubbranch = "v1.24.9" +githubbranch = "v1.24.12" docsbranch = "release-1.24" url = "https://v1-24.docs.kubernetes.io" [[params.versions]] -fullversion = "v1.23.15" +fullversion = "v1.23.17" version = "v1.23" -githubbranch = "v1.23.15" +githubbranch = "v1.23.17" docsbranch = "release-1.23" url = "https://v1-23.docs.kubernetes.io" -[[params.versions]] -fullversion = "v1.22.17" -version = "v1.22" -githubbranch = "v1.22.17" -docsbranch = "release-1.22" -url = "https://v1-22.docs.kubernetes.io" - # User interface configuration [params.ui] # Enable to show the side bar menu in its compact state. From d9a2c85ba53f4cc5aece5605b7d8cff8297674de Mon Sep 17 00:00:00 2001 From: Cici Huang Date: Wed, 22 Mar 2023 20:29:16 +0000 Subject: [PATCH 045/272] Update example expression --- .../access/validating-admission-policy-match-conditions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/examples/access/validating-admission-policy-match-conditions.yaml b/content/en/examples/access/validating-admission-policy-match-conditions.yaml index 77d0dd61867..9a49adf1521 100644 --- a/content/en/examples/access/validating-admission-policy-match-conditions.yaml +++ b/content/en/examples/access/validating-admission-policy-match-conditions.yaml @@ -18,5 +18,5 @@ spec: - name: 'rbac' # Skip RBAC requests. expression: 'request.resource.group != "rbac.authorization.k8s.io"' validations: - - expression: "object.metadata.name.startWith('demo')" + - expression: "!object.metadata.name.contains('demo') || object.metadata.namespace == 'demo'" From ee72c5485320b316faa31fce62b01d9fd0b04297 Mon Sep 17 00:00:00 2001 From: ruiwen-zhao Date: Tue, 14 Mar 2023 18:36:03 +0000 Subject: [PATCH 046/272] Document update for MaxParallelImagePulls Signed-off-by: ruiwen-zhao --- content/en/docs/concepts/containers/images.md | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/content/en/docs/concepts/containers/images.md b/content/en/docs/concepts/containers/images.md index 6e00eb46b67..247c8309d9e 100644 --- a/content/en/docs/concepts/containers/images.md +++ b/content/en/docs/concepts/containers/images.md @@ -157,6 +157,48 @@ that Kubernetes will keep trying to pull the image, with an increasing back-off Kubernetes raises the delay between each attempt until it reaches a compiled-in limit, which is 300 seconds (5 minutes). +## Serial and parallel image pulls + +By default, kubelet pulls images serially. In other words, kubelet sends only +one image pull request to the image service at a time. Other image pull requests +have to wait until the one being processed is complete. + +Nodes make image pull decisions in isolation. Even when you use serialized image +pulls, two different nodes can pull the same image in parallel. + +If you would like to enable parallel image pulls, you can set the field +`serializeImagePulls` to false in the [kubelet configuration](/docs/reference/config-api/kubelet-config.v1beta1/). +With `serializeImagePulls` set to false, image pull requests will be sent to the image service immediately, +and multiple images will be pulled at the same time. + +When enabling parallel image pulls, please make sure the image service of your +container runtime can handle parallel image pulls. + +The kubelet never pulls multiple images in parallel on behalf of one Pod. For example, +if you have a Pod that has an init container and an application container, the image +pulls for the two containers will not be parallelized. However, if you have two +Pods that use different images, the kubelet pulls the images in parallel on +behalf of the two different Pods, when parallel image pulls is enabled. + +### Maximum parallel image pulls + +{{< feature-state for_k8s_version="v1.27" state="alpha" >}} + +When `serializeImagePulls` is set to false, the kubelet defaults to no limit on the +maximum number of images being pulled at the same time. If you would like to +limit the number of parallel image pulls, you can set the field `maxParallelImagePulls` +in kubelet configuration. With `maxParallelImagePulls` set to _n_, only _n_ images +can be pulled at the same time, and any image pull beyond _n_ will have to wait +until at least one ongoing image pull is complete. + +Limiting the number parallel image pulls would prevent image pulling from consuming +too much network bandwidth or disk I/O, when parallel image pulling is enabled. + +You can set `maxParallelImagePulls` to a positive number that is greater than or +equal to 1. If you set `maxParallelImagePulls` to be greater than or equal to 2, you +must set the `serializeImagePulls` to false. The kubelet will fail to start with invalid +`maxParallelImagePulls` settings. + ## Multi-architecture images with image indexes As well as providing binary images, a container registry can also serve a From ea3b7b44e7d010f1c59c3416e78d4533b5b8ba88 Mon Sep 17 00:00:00 2001 From: Humble Chirammal Date: Wed, 15 Mar 2023 20:30:15 +0530 Subject: [PATCH 047/272] KEP-3107 update docs for csiNodeExpand secret support This feature has moved to Beta in this release. The documentation has been updated to reflect the same. Signed-off-by: Humble Chirammal --- content/en/docs/concepts/storage/volumes.md | 7 +++++-- .../command-line-tools-reference/feature-gates.md | 3 ++- .../docs/reference/command-line-tools-reference/kubelet.md | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/content/en/docs/concepts/storage/volumes.md b/content/en/docs/concepts/storage/volumes.md index 80f259aab31..e28532d90b2 100644 --- a/content/en/docs/concepts/storage/volumes.md +++ b/content/en/docs/concepts/storage/volumes.md @@ -1168,10 +1168,13 @@ persistent volume: secrets are passed. When you have configured secret data for node-initiated volume expansion, the kubelet passes that data via the `NodeExpandVolume()` call to the CSI driver. In order to use the `nodeExpandSecretRef` field, your - cluster should be running Kubernetes version 1.25 or later and you must enable + cluster should be running Kubernetes version 1.25 or later. +* If you are running Kubernetes Version 1.25 or 1.26, you must enable the [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) named `CSINodeExpandSecret` for each kube-apiserver and for the kubelet on every - node. You must also be using a CSI driver that supports or requires secret data during + node. In Kubernetes version 1.27 this feature has been enabled by default + and no explicit enablement of the feature gate is required. + You must also be using a CSI driver that supports or requires secret data during node-initiated storage resize operations. * `nodePublishSecretRef`: A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 626cc6931f6..70a2ca815a4 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -77,7 +77,8 @@ For a reference to old feature gates that are removed, please refer to | `CSIMigrationPortworx` | `false` | Alpha | 1.23 | 1.24 | | `CSIMigrationPortworx` | `false` | Beta | 1.25 | | | `CSIMigrationRBD` | `false` | Alpha | 1.23 | | -| `CSINodeExpandSecret` | `false` | Alpha | 1.25 | | +| `CSINodeExpandSecret` | `false` | Alpha | 1.25 | 1.26 | +| `CSINodeExpandSecret` | `true` | Beta | 1.27 | | | `CSIVolumeHealth` | `false` | Alpha | 1.21 | | | `ComponentSLIs` | `false` | Alpha | 1.26 | | | `ContainerCheckpoint` | `false` | Alpha | 1.25 | | diff --git a/content/en/docs/reference/command-line-tools-reference/kubelet.md b/content/en/docs/reference/command-line-tools-reference/kubelet.md index f0ecdb0b7ff..deb186ec5f6 100644 --- a/content/en/docs/reference/command-line-tools-reference/kubelet.md +++ b/content/en/docs/reference/command-line-tools-reference/kubelet.md @@ -381,7 +381,7 @@ CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
CPUManagerPolicyOptions=true|false (BETA - default=true)
CSIMigrationPortworx=true|false (BETA - default=false)
CSIMigrationRBD=true|false (ALPHA - default=false)
-CSINodeExpandSecret=true|false (ALPHA - default=false)
+CSINodeExpandSecret=true|false (BETA - default=true)
CSIVolumeHealth=true|false (ALPHA - default=false)
ComponentSLIs=true|false (ALPHA - default=false)
ContainerCheckpoint=true|false (ALPHA - default=false)
From 35c0ef2431bafd9cbf2b650b02d048c4e645f2cc Mon Sep 17 00:00:00 2001 From: Antonio Ojea Date: Thu, 23 Mar 2023 11:08:09 +0000 Subject: [PATCH 048/272] address comments and fix one bug --- .../feature-gates.md | 3 +-- .../docs/reference/networking/virtual-ips.md | 22 ++++++++++++------- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 95151f0e27c..8a60fb989ff 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -626,8 +626,7 @@ Each feature gate is designed for enabling/disabling a specific feature: - `MixedProtocolLBService`: Enable using different protocols in the same `LoadBalancer` type Service instance. - `MultiCIDRRangeAllocator`: Enables the MultiCIDR range allocator. -- `MultiCIDRServiceAllocator`: Enables a new IPAddress object kind, and a new Service ClusterIP allocator. - The new allocator removes previous Service CIDR block size limitations for IPv4, and limits IPv6 size to a /64. +- `MultiCIDRServiceAllocator`: Track IP address allocations for Service cluster IPs using IPAddress objects. - `NetworkPolicyEndPort`: Enable use of the field `endPort` in NetworkPolicy objects, allowing the selection of a port range instead of a single port. - `NetworkPolicyStatus`: Enable the `status` subresource for NetworkPolicy objects. diff --git a/content/en/docs/reference/networking/virtual-ips.md b/content/en/docs/reference/networking/virtual-ips.md index 32ff8626f0e..555d3c8ea59 100644 --- a/content/en/docs/reference/networking/virtual-ips.md +++ b/content/en/docs/reference/networking/virtual-ips.md @@ -271,25 +271,21 @@ When clients connect to the VIP, their traffic is automatically transported to a appropriate endpoint. The environment variables and DNS for Services are actually populated in terms of the Service's virtual IP address (and port). -{{< feature-state for_k8s_version="v1.27" state="alpha" >}} -If you enable the `MultiCIDRServiceAllocator` -[feature gate](/docs/reference/command-line-tools-reference/feature-gates/), -the `ClusterIP` address associated to each `Service` will have a referenced -`IPAddress` object. - ### Avoiding collisions One of the primary philosophies of Kubernetes is that you should not be exposed to situations that could cause your actions to fail through no fault of your own. For the design of the Service resource, this means not making -you choose your own port number if that choice might collide with +you choose your own IP address if that choice might collide with someone else's choice. That is an isolation failure. -In order to allow you to choose a port number for your Services, we must +In order to allow you to choose an IP address for your Services, we must ensure that no two Services can collide. Kubernetes does that by allocating each Service its own IP address from within the `service-cluster-ip-range` CIDR range that is configured for the {{< glossary_tooltip term_id="kube-apiserver" text="API Server" >}}. +#### IP address allocation tracking + To ensure each Service receives a unique IP, an internal allocator atomically updates a global allocation map in {{< glossary_tooltip term_id="etcd" >}} prior to creating each Service. The map object must exist in the registry for @@ -302,6 +298,16 @@ in-memory locking). Kubernetes also uses controllers to check for invalid assignments (e.g. due to administrator intervention) and for cleaning up allocated IP addresses that are no longer used by any Services. +{{< feature-state for_k8s_version="v1.27" state="alpha" >}} +If you enable the `MultiCIDRServiceAllocator` +[feature gate](/docs/reference/command-line-tools-reference/feature-gates/), +the control plane replaces the existing etcd allocator with a new one, using IPAddress +objects instead of an internal global allocation map. The ClusterIP address +associated to each `Service` will have a referenced IPAddress object. + +The background allocator is also replaced by a new one to handle the new IPAddress +objects and the migration from the old allocator model. + #### IP address ranges for Service virtual IP addresses {#service-ip-static-sub-range} {{< feature-state for_k8s_version="v1.25" state="beta" >}} From 278215cfbac4f42507ba71bfd8911a0e80878fa9 Mon Sep 17 00:00:00 2001 From: Antonio Ojea Date: Thu, 23 Mar 2023 11:24:06 +0000 Subject: [PATCH 049/272] expand on the use of IPAddress --- .../docs/reference/networking/virtual-ips.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/content/en/docs/reference/networking/virtual-ips.md b/content/en/docs/reference/networking/virtual-ips.md index 555d3c8ea59..c4d13d37ecd 100644 --- a/content/en/docs/reference/networking/virtual-ips.md +++ b/content/en/docs/reference/networking/virtual-ips.md @@ -308,6 +308,25 @@ associated to each `Service` will have a referenced IPAddress object. The background allocator is also replaced by a new one to handle the new IPAddress objects and the migration from the old allocator model. +One of the main benefits of the new allocator is that it removes the size limitations +for the `service-cluster-ip-range`, there is no limitations for IPv4 and for IPv6 +users can use masks equal or larger than /64 (previously it was /108). + +Users now will be able to inspect the IP addresses assigned to their Services, and +new network APIs, like Gateway API, can use this new object to extend the Kubernetes +networking capabilities overcoming the limitations of current Services API. + +```bash +$ kubectl get services +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +kubernetes ClusterIP 2001:db8:1:2::1 443/TCP 3d1h + +$ kubectl get ipaddresses +NAME PARENTREF +2001:db8:1:2::1 services/default/kubernetes +2001:db8:1:2::a services/kube-system/kube-dns +``` + #### IP address ranges for Service virtual IP addresses {#service-ip-static-sub-range} {{< feature-state for_k8s_version="v1.25" state="beta" >}} From a4a4d453ec34beb0d32d7fe5236bd064b8c714e1 Mon Sep 17 00:00:00 2001 From: Antonio Ojea Date: Thu, 23 Mar 2023 15:58:17 +0000 Subject: [PATCH 050/272] Update content/en/docs/reference/networking/virtual-ips.md --- content/en/docs/reference/networking/virtual-ips.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/reference/networking/virtual-ips.md b/content/en/docs/reference/networking/virtual-ips.md index c4d13d37ecd..a33b08da067 100644 --- a/content/en/docs/reference/networking/virtual-ips.md +++ b/content/en/docs/reference/networking/virtual-ips.md @@ -305,7 +305,7 @@ the control plane replaces the existing etcd allocator with a new one, using IPA objects instead of an internal global allocation map. The ClusterIP address associated to each `Service` will have a referenced IPAddress object. -The background allocator is also replaced by a new one to handle the new IPAddress +The background controller is also replaced by a new one to handle the new IPAddress objects and the migration from the old allocator model. One of the main benefits of the new allocator is that it removes the size limitations From bd64321a1857a2905ef79eda30bebb990bcf59d1 Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Sat, 4 Mar 2023 14:11:52 +0900 Subject: [PATCH 051/272] add general section --- .../2023-04-11-topology-spread-features.md | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 content/en/blog/_posts/2023-04-11-topology-spread-features.md diff --git a/content/en/blog/_posts/2023-04-11-topology-spread-features.md b/content/en/blog/_posts/2023-04-11-topology-spread-features.md new file mode 100644 index 00000000000..8d38440562c --- /dev/null +++ b/content/en/blog/_posts/2023-04-11-topology-spread-features.md @@ -0,0 +1,43 @@ +--- +layout: blog +title: "TBD" // TODO: have a cool title. +date: 2023-04-11 +slug: topology-spread-new-features +evergreen: true +--- + +**Authors:** [Alex Wang](https://github.com/denkensk)(), [Kante Yin](https://github.com/kerthcet)(), [Kensei Nakada](https://github.com/sanposhiho)(Mercari) + +In Kubernetes v1.19, [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) went to GA. +It is the feature to control how Pods are spread to each failure-domain (regions, zones, nodes etc). + +As time passes, we've got further feedbacks from users, +and we're actively working on improving the Topology Spread via three KEPs from v1.25. +All of these features have reached beta in Kubernetes v1.27 and been enabled by default. + +This blog post is going to introduce each feature and the usecase/issue behind them. + +## KEP-3022: min domains in Pod Topology Spread + +TODO(sanposhiho): write it + +## KEP-3094: Take taints/tolerations into consideration when calculating PodTopologySpread skew + +TODO(kerthcet): write it + +## KEP-3243: Respect PodTopologySpread after rolling upgrades + +TODO(denkensk): write it + +## Getting involved + +These features are managed by the [SIG/Scheduling](https://github.com/kubernetes/community/tree/master/sig-scheduling). + +Please join us and share your feedback. We look forward to hearing from you! + +## How can I learn more? + +- [Pod Topology Spread Constraints | Kubernetes](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#container-resource-metrics) +- [KEP-3022: min domains in Pod Topology Spread](https://github.com/kubernetes/enhancements/tree/master/keps/sig-scheduling/3022-min-domains-in-pod-topology-spread) +- [KEP-3094: Take taints/tolerations into consideration when calculating PodTopologySpread skew](https://github.com/kubernetes/enhancements/tree/master/keps/sig-scheduling/3094-pod-topology-spread-considering-taints) +- [KEP-3243: Respect PodTopologySpread after rolling upgrades](https://github.com/kubernetes/enhancements/tree/master/keps/sig-scheduling/3243-respect-pod-topology-spread-after-rolling-upgrades) \ No newline at end of file From bd847326ad3febdf496104779b5c315c9c778000 Mon Sep 17 00:00:00 2001 From: "Mr. Erlison" Date: Sat, 25 Mar 2023 09:47:44 -0300 Subject: [PATCH 052/272] Add pt-br/docs/reference/glossary/daemonset.md --- .../pt-br/docs/reference/glossary/daemonset.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 content/pt-br/docs/reference/glossary/daemonset.md diff --git a/content/pt-br/docs/reference/glossary/daemonset.md b/content/pt-br/docs/reference/glossary/daemonset.md new file mode 100644 index 00000000000..ab93250efde --- /dev/null +++ b/content/pt-br/docs/reference/glossary/daemonset.md @@ -0,0 +1,18 @@ +--- +title: DaemonSet +id: daemonset +date: 2018-04-12 +full_link: /docs/concepts/workloads/controllers/daemonset +short_description: > + Garante que uma cópia de um Pod esteja sendo executada em um conjunto de nós em um cluster. + +aka: +tags: +- fundamental +- core-object +- workload +--- + Garante que uma cópia de um {{< glossary_tooltip text="Pod" term_id="pod" >}} esteja sendo executada em um conjunto de nós em um {{< glossary_tooltip text="cluster" term_id="cluster" >}}. + + +Usado para instalar daemons do sistema como coletores de log e agentes de monitoramento que normalmente devem ser executados em todos os {{< glossary_tooltip text="nós" term_id="node" >}}. \ No newline at end of file From c3d698a44370012c5f691c4dc9e82446fd94fe80 Mon Sep 17 00:00:00 2001 From: Han Kang Date: Sun, 26 Mar 2023 09:41:54 -0700 Subject: [PATCH 053/272] update APIServerTracing docs --- .../concepts/cluster-administration/system-traces.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/content/en/docs/concepts/cluster-administration/system-traces.md b/content/en/docs/concepts/cluster-administration/system-traces.md index 04bd58ce38b..e43def4436a 100644 --- a/content/en/docs/concepts/cluster-administration/system-traces.md +++ b/content/en/docs/concepts/cluster-administration/system-traces.md @@ -9,7 +9,7 @@ weight: 90 -{{< feature-state for_k8s_version="v1.22" state="alpha" >}} +{{< feature-state for_k8s_version="v1.27" state="beta" >}} System component traces record the latency of and relationships between operations in the cluster. @@ -59,14 +59,12 @@ as the kube-apiserver is often a public endpoint. #### Enabling tracing in the kube-apiserver -To enable tracing, enable the `APIServerTracing` -[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) -on the kube-apiserver. Also, provide the kube-apiserver with a tracing configuration file +To enable tracing, provide the kube-apiserver with a tracing configuration file with `--tracing-config-file=`. This is an example config that records spans for 1 in 10000 requests, and uses the default OpenTelemetry endpoint: ```yaml -apiVersion: apiserver.config.k8s.io/v1alpha1 +apiVersion: apiserver.config.k8s.io/v1beta1 kind: TracingConfiguration # default value #endpoint: localhost:4317 @@ -74,7 +72,7 @@ samplingRatePerMillion: 100 ``` For more information about the `TracingConfiguration` struct, see -[API server config API (v1alpha1)](/docs/reference/config-api/apiserver-config.v1alpha1/#apiserver-k8s-io-v1alpha1-TracingConfiguration). +[API server config API (v1beta1)](/docs/reference/config-api/apiserver-config.v1beta1/#apiserver-k8s-io-v1beta1-TracingConfiguration). ### kubelet traces From e07c3d66b8552f6b61081c2806cf2de748af5780 Mon Sep 17 00:00:00 2001 From: Rodrigo Campos Date: Mon, 27 Mar 2023 12:48:00 +0200 Subject: [PATCH 054/272] content: Remove "new" keyword in user namespaces docs While we are there, we also change pod.spec to pod spec. Signed-off-by: Rodrigo Campos --- .../en/docs/tasks/configure-pod-container/user-namespaces.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/tasks/configure-pod-container/user-namespaces.md b/content/en/docs/tasks/configure-pod-container/user-namespaces.md index 96e1ff2d01a..6c4c01234cb 100644 --- a/content/en/docs/tasks/configure-pod-container/user-namespaces.md +++ b/content/en/docs/tasks/configure-pod-container/user-namespaces.md @@ -50,8 +50,8 @@ to use this feature with Kubernetes stateless pods: * CRI-O: v1.25 has support for user namespaces. Please note that **if your container runtime doesn't support user namespaces, the -new `pod.spec` field will be silently ignored and the pod will be created without -user namespaces.** +`hostUsers` field in the pod spec will be silently ignored and the pod will be +created without user namespaces.** From 3648d983c6a227f7496fff4d0c8ff01d851ee6f8 Mon Sep 17 00:00:00 2001 From: Sascha Grunert Date: Fri, 10 Mar 2023 08:24:51 +0100 Subject: [PATCH 055/272] [KEP-2413] Add docs for SeccompDefault graduation Signed-off-by: Sascha Grunert --- .../feature-gates.md | 5 ++-- content/en/docs/tutorials/security/seccomp.md | 23 +++++++------------ 2 files changed, 11 insertions(+), 17 deletions(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 96fd5d7937c..b405731b796 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -179,8 +179,6 @@ For a reference to old feature gates that are removed, please refer to | `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | 1.11 | | `RotateKubeletServerCertificate` | `true` | Beta | 1.12 | | | `SELinuxMountReadWriteOncePod` | `false` | Alpha | 1.25 | | -| `SeccompDefault` | `false` | Alpha | 1.22 | 1.24 | -| `SeccompDefault` | `true` | Beta | 1.25 | | | `ServiceNodePortStaticSubrange` | `false` | Alpha | 1.27 | | | `SizeMemoryBackedVolumes` | `false` | Alpha | 1.20 | 1.21 | | `SizeMemoryBackedVolumes` | `true` | Beta | 1.22 | | @@ -308,6 +306,9 @@ For a reference to old feature gates that are removed, please refer to | `RemoveSelfLink` | `false` | Alpha | 1.16 | 1.19 | | `RemoveSelfLink` | `true` | Beta | 1.20 | 1.23 | | `RemoveSelfLink` | `true` | GA | 1.24 | - | +| `SeccompDefault` | `false` | Alpha | 1.22 | 1.24 | +| `SeccompDefault` | `true` | Beta | 1.25 | 1.26 | +| `SeccompDefault` | `true` | GA | 1.27 | - | | `ServerSideApply` | `false` | Alpha | 1.14 | 1.15 | | `ServerSideApply` | `true` | Beta | 1.16 | 1.21 | | `ServerSideApply` | `true` | GA | 1.22 | - | diff --git a/content/en/docs/tutorials/security/seccomp.md b/content/en/docs/tutorials/security/seccomp.md index bc94348f25f..7db5ffe6d3f 100644 --- a/content/en/docs/tutorials/security/seccomp.md +++ b/content/en/docs/tutorials/security/seccomp.md @@ -156,14 +156,12 @@ running within kind. ## Enable the use of `RuntimeDefault` as the default seccomp profile for all workloads -{{< feature-state state="beta" for_k8s_version="v1.25" >}} +{{< feature-state state="stable" for_k8s_version="v1.27" >}} -To use seccomp profile defaulting, you must run the kubelet with the `SeccompDefault` -[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) enabled -(this is the default). You must also explicitly enable the defaulting behavior for each -node where you want to use this with the corresponding `--seccomp-default` -[command line flag](/docs/reference/command-line-tools-reference/kubelet). -Both have to be enabled simultaneously to use the feature. +To use seccomp profile defaulting, you must run the kubelet with the +`--seccomp-default` +[command line flag](/docs/reference/command-line-tools-reference/kubelet) +enabled for each node where you want to use it. If enabled, the kubelet will use the `RuntimeDefault` seccomp profile by default, which is defined by the container runtime, instead of using the `Unconfined` (seccomp disabled) mode. @@ -200,10 +198,8 @@ in the related Kubernetes Enhancement Proposal (KEP): Kubernetes {{< skew currentVersion >}} lets you configure the seccomp profile that applies when the spec for a Pod doesn't define a specific seccomp profile. -This is a beta feature and the corresponding `SeccompDefault` [feature -gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled by -default. However, you still need to enable this defaulting for each node where -you would like to use it. +However, you still need to enable this defaulting for each node where you would +like to use it. If you are running a Kubernetes {{< skew currentVersion >}} cluster and want to enable the feature, either run the kubelet with the `--seccomp-default` command @@ -216,8 +212,6 @@ the minimum required Kubernetes version and enables the `SeccompDefault` feature ```yaml kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 -featureGates: - SeccompDefault: true nodes: - role: control-plane image: kindest/node:v1.23.0@sha256:49824ab1727c04e56a21a5d8372a402fcd32ea51ac96a2706a12af38934f81ac @@ -234,7 +228,6 @@ nodes: kind: JoinConfiguration nodeRegistration: kubeletExtraArgs: - feature-gates: SeccompDefault=true seccomp-default: "true" ``` @@ -272,7 +265,7 @@ or not. You can adopt these defaults for your workload by setting the seccomp type in the security context of a pod or container to `RuntimeDefault`. {{< note >}} -If you have the `SeccompDefault` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) +If you have the `seccompDefault` [configuration](/docs/reference/config-api/kubelet-config.v1beta1/) enabled, then Pods use the `RuntimeDefault` seccomp profile whenever no other seccomp profile is specified. Otherwise, the default is `Unconfined`. {{< /note >}} From 2bf6e39053df99dad850afbe20f599a9feac4ff2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wojciech=20Tyczy=C5=84ski?= Date: Tue, 14 Mar 2023 09:48:14 +0100 Subject: [PATCH 056/272] Streaming lists documentation --- .../feature-gates.md | 2 + .../docs/reference/using-api/api-concepts.md | 60 ++++++++++++++++++- 2 files changed, 61 insertions(+), 1 deletion(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 626cc6931f6..23059645567 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -205,6 +205,7 @@ For a reference to old feature gates that are removed, please refer to | `UserNamespacesStatelessPodsSupport` | `false` | Alpha | 1.25 | | | `ValidatingAdmissionPolicy` | `false` | Alpha | 1.26 | | | `VolumeCapacityPriority` | `false` | Alpha | 1.21 | - | +| `WatchList` | false | Alpha | 1.27 | | | `WinDSR` | `false` | Alpha | 1.14 | | | `WinOverlay` | `false` | Alpha | 1.14 | 1.19 | | `WinOverlay` | `true` | Beta | 1.20 | | @@ -729,6 +730,7 @@ Each feature gate is designed for enabling/disabling a specific feature: - `VolumeCapacityPriority`: Enable support for prioritizing nodes in different topologies based on available PV capacity. - `WatchBookmark`: Enable support for watch bookmark events. +- `WatchList` : Enable support for [streaming initial state of objects in watch requests](/docs/reference/using-api/api-concepts/#streaming-lists). - `WinDSR`: Allows kube-proxy to create DSR loadbalancers for Windows. - `WinOverlay`: Allows kube-proxy to run in overlay mode for Windows. - `WindowsHostNetwork`: Enables support for joining Windows containers to a hosts' network namespace. diff --git a/content/en/docs/reference/using-api/api-concepts.md b/content/en/docs/reference/using-api/api-concepts.md index 3c7c0fa8ccb..7c2cc093714 100644 --- a/content/en/docs/reference/using-api/api-concepts.md +++ b/content/en/docs/reference/using-api/api-concepts.md @@ -195,7 +195,7 @@ For subscribing to collections, Kubernetes client libraries typically offer some of standard tool for this **list**-then-**watch** logic. (In the Go client library, this is called a `Reflector` and is located in the `k8s.io/client-go/tools/cache` package.) -### Watch bookmarks +### Watch bookmarks {#watch-bookmarks} To mitigate the impact of short history window, the Kubernetes API provides a watch event named `BOOKMARK`. It is a special kind of event to mark that all changes up @@ -226,6 +226,64 @@ As a client, you can request `BOOKMARK` events by setting the assume bookmarks are returned at any specific interval, nor can clients assume that the API server will send any `BOOKMARK` event even when requested. +## Streaming lists + +{{< feature-state for_k8s_version="v1.27" state="alpha" >}} + +On large clusters, retrieving the collection of some resource types may result in +a significant increase of resource usage (primarily RAM) on the control plane. +In order to alleviate its impact and simplify the user experience of the **list** + **watch** +pattern, Kubernetes v1.27 introduces as an alpha feature the support +for requesting the initial state (previously requested via the **list** request) as part of +the **watch** request. + +Provided that the `WatchList` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) +is enabled, this can be achieved by specifying `sendInitialEvents=true` as query string parameter +in a **watch** request. If set, the API server starts the watch stream with synthetic init +events (of type `ADDED`) to build the whole state of all existing objects followed by a +[`BOOKMARK` event](/docs/reference/using-api/api-concepts/#watch-bookmarks) +(if requested via `allowWatchBookmarks=true` option). The bookmark event includes the resource version +to which is synced. After sending the bookmark event, the API server continues as for any other **watch** +request. + +When you set `sendInitialEvents=true` in the query string, Kubernetes also requires that you set +`resourceVersionMatch` to `NotOlderThan` value. +If you provided `resourceVersion` in the query string without providing a value or don't provide +it at all, this is interpreted as a request for _consistent read_; +the bookmark event is sent when the state is synced at least to the moment of a consistent read +from when the request started to be processed. If you specify `resourceVersion` (in the query string), +the bookmark event is sent when the state is synced at least to the provided resource version. + +### Example {#example-streaming-lists} + +An example: you want to watch a collection of Pods. For that collection, the current resource version +is 10245 and there are two pods: `foo` and `bar`. Then sending the following request (explicitly requesting +_consistent read_ by setting empty resource version using `resourceVersion=`) could result +in the following sequence of events: + +```console +GET /api/v1/namespaces/test/pods?watch=1&sendInitialEvents=true&allowWatchBookmarks=true&resourceVersion=&resourceVersionMatch=NotOlderThan +--- +200 OK +Transfer-Encoding: chunked +Content-Type: application/json + +{ + "type": "ADDED", + "object": {"kind": "Pod", "apiVersion": "v1", "metadata": {"resourceVersion": "8467", "name": "foo"}, ...} +} +{ + "type": "ADDED", + "object": {"kind": "Pod", "apiVersion": "v1", "metadata": {"resourceVersion": "5726", "name": "bar"}, ...} +} +{ + "type": "BOOKMARK", + "object": {"kind": "Pod", "apiVersion": "v1", "metadata": {"resourceVersion": "10245"} } +} +... + +``` + ## Retrieving large results sets in chunks {{< feature-state for_k8s_version="v1.9" state="beta" >}} From 66906fd6e68a6e5f1875691fe1e2dd1c2ae840b5 Mon Sep 17 00:00:00 2001 From: Han Kang Date: Mon, 27 Mar 2023 06:43:08 -0700 Subject: [PATCH 057/272] add tracing feature flag update --- .../reference/command-line-tools-reference/feature-gates.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 96fd5d7937c..56c8782b450 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -65,7 +65,8 @@ For a reference to old feature gates that are removed, please refer to | `APISelfSubjectReview` | `false` | Alpha | 1.26 | | | `APIServerIdentity` | `false` | Alpha | 1.20 | 1.25 | | `APIServerIdentity` | `true` | Beta | 1.26 | | -| `APIServerTracing` | `false` | Alpha | 1.22 | | +| `APIServerTracing` | `false` | Alpha | 1.22 | 1.26 | +| `APIServerTracing` | `true` | Beta | 1.27 | | | `AggregatedDiscoveryEndpoint` | `false` | Alpha | 1.26 | | | `AnyVolumeDataSource` | `false` | Alpha | 1.18 | 1.23 | | `AnyVolumeDataSource` | `true` | Beta | 1.24 | | From a36e0381fe7417e7655fca71d07882ff82433dd5 Mon Sep 17 00:00:00 2001 From: Jefftree Date: Tue, 21 Mar 2023 21:52:01 +0000 Subject: [PATCH 058/272] Update OpenAPI V3 for GA --- .../en/docs/concepts/overview/kubernetes-api.md | 14 ++++++-------- .../command-line-tools-reference/feature-gates.md | 5 +++-- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/content/en/docs/concepts/overview/kubernetes-api.md b/content/en/docs/concepts/overview/kubernetes-api.md index 27e4829ba55..725d47778bd 100644 --- a/content/en/docs/concepts/overview/kubernetes-api.md +++ b/content/en/docs/concepts/overview/kubernetes-api.md @@ -82,17 +82,13 @@ packages that define the API objects. ### OpenAPI V3 -{{< feature-state state="beta" for_k8s_version="v1.24" >}} +{{< feature-state state="stable" for_k8s_version="v1.27" >}} -Kubernetes {{< param "version" >}} offers beta support for publishing its APIs as OpenAPI v3; this is a -beta feature that is enabled by default. -You can disable the beta feature by turning off the -[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) named `OpenAPIV3` -for the kube-apiserver component. +Kubernetes {{< param "version" >}} offers stable support for publishing its APIs as OpenAPI v3. A discovery endpoint `/openapi/v3` is provided to see a list of all -group/versions available. This endpoint only returns JSON. These group/versions -are provided in the following format: +group/versions available. This endpoint only returns JSON. These +group/versions are provided in the following format: ```yaml { @@ -153,6 +149,8 @@ Refer to the table below for accepted request headers. +A golang implementation to fetch the OpenAPI V3 is provided in the package `k8s.io/client-go/openapi3`. + ## Persistence Kubernetes stores the serialized state of objects by writing them into diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 08666007a13..719fce6f1bc 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -151,8 +151,6 @@ For a reference to old feature gates that are removed, please refer to | `NodeSwap` | `false` | Alpha | 1.22 | | | `OpenAPIEnums` | `false` | Alpha | 1.23 | 1.23 | | `OpenAPIEnums` | `true` | Beta | 1.24 | | -| `OpenAPIV3` | `false` | Alpha | 1.23 | 1.23 | -| `OpenAPIV3` | `true` | Beta | 1.24 | | | `PDBUnhealthyPodEvictionPolicy` | `false` | Alpha | 1.26 | | | `PodAndContainerStatsFromCRI` | `false` | Alpha | 1.23 | | | `PodDeletionCost` | `false` | Alpha | 1.21 | 1.21 | @@ -315,6 +313,9 @@ For a reference to old feature gates that are removed, please refer to | `ServerSideFieldValidation` | `false` | Alpha | 1.23 | 1.24 | | `ServerSideFieldValidation` | `true` | Beta | 1.25 | 1.26 | | `ServerSideFieldValidation` | `true` | GA | 1.27 | - | +| `OpenAPIV3` | `false` | Alpha | 1.23 | 1.23 | +| `OpenAPIV3` | `true` | Beta | 1.24 | 1.26 | +| `OpenAPIV3` | `true` | GA | 1.27 | - | | `ServiceIPStaticSubrange` | `false` | Alpha | 1.24 | 1.24 | | `ServiceIPStaticSubrange` | `true` | Beta | 1.25 | 1.25 | | `ServiceIPStaticSubrange` | `true` | GA | 1.26 | - | From af3e11936b59660e2005c1b8600008e212638bee Mon Sep 17 00:00:00 2001 From: Jefftree Date: Tue, 21 Mar 2023 22:16:30 +0000 Subject: [PATCH 059/272] Update OpenAPI V3 section for CRDs --- .../custom-resources/custom-resource-definitions.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md b/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md index c439aa35dfd..4e08b9f1149 100644 --- a/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md +++ b/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md @@ -1346,19 +1346,19 @@ with `foo` pruned and defaulted because the field is non-nullable, `bar` maintai value due to `nullable: true`, and `baz` pruned because the field is non-nullable and has no default. -### Publish Validation Schema in OpenAPI v2 +### Publish Validation Schema in OpenAPI CustomResourceDefinition [OpenAPI v3 validation schemas](#validation) which are [structural](#specifying-a-structural-schema) and [enable pruning](#field-pruning) are published -as part of the [OpenAPI v2 spec](/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions) -from Kubernetes API server. +as [OpenAPI v3](/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions) and OpenAPI v2 from Kubernetes API server. It is recommended to use the OpenAPI v3 document as it is a lossless representation of the CustomResourceDefinition OpenAPI v3 validation schema while OpenAPI v2 represents a lossy conversion. The [kubectl](/docs/reference/kubectl/) command-line tool consumes the published schema to perform client-side validation (`kubectl create` and `kubectl apply`), schema explanation (`kubectl explain`) on custom resources. The published schema can be consumed for other purposes as well, like client generation or documentation. -The OpenAPI v3 validation schema is converted to OpenAPI v2 schema, and -show up in `definitions` and `paths` fields in the +#### Compatibility with OpenAPI V2 + +For compatibility with OpenAPI V2, the OpenAPI v3 validation schema performs a lossy conversion to the OpenAPI v2 schema. The schema show up in `definitions` and `paths` fields in the [OpenAPI v2 spec](/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions). The following modifications are applied during the conversion to keep backwards compatibility with @@ -1366,8 +1366,7 @@ kubectl in previous 1.13 version. These modifications prevent kubectl from being valid OpenAPI schemas that it doesn't understand. The conversion won't modify the validation schema defined in CRD, and therefore won't affect [validation](#validation) in the API server. -1. The following fields are removed as they aren't supported by OpenAPI v2 - (in future versions OpenAPI v3 will be used without these restrictions) +1. The following fields are removed as they aren't supported by OpenAPI v2. - The fields `allOf`, `anyOf`, `oneOf` and `not` are removed From eb417b7128830a6035b59d09fccda62d115677a2 Mon Sep 17 00:00:00 2001 From: Jefftree Date: Tue, 21 Mar 2023 22:16:48 +0000 Subject: [PATCH 060/272] Whitespace fix --- .../custom-resource-definitions.md | 33 +++++++++---------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md b/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md index 4e08b9f1149..de6106e50a4 100644 --- a/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md +++ b/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md @@ -765,7 +765,7 @@ For example: required: - minReplicas - replicas - - maxReplicas + - maxReplicas ``` will reject a request to create this custom resource: @@ -788,7 +788,7 @@ The CronTab "my-new-cron-object" is invalid: * spec: Invalid value: map[string]interface {}{"maxReplicas":10, "minReplicas":0, "replicas":20}: replicas should be smaller than or equal to maxReplicas. ``` -`x-kubernetes-validations` could have multiple rules. +`x-kubernetes-validations` could have multiple rules. The `rule` under `x-kubernetes-validations` represents the expression which will be evaluated by CEL. The `message` represents the message displayed when validation fails. If message is unset, the above response would be: @@ -798,22 +798,22 @@ The CronTab "my-new-cron-object" is invalid: * spec: Invalid value: map[string]interface {}{"maxReplicas":10, "minReplicas":0, "replicas":20}: failed rule: self.replicas <= self.maxReplicas ``` -Validation rules are compiled when CRDs are created/updated. -The request of CRDs create/update will fail if compilation of validation rules fail. +Validation rules are compiled when CRDs are created/updated. +The request of CRDs create/update will fail if compilation of validation rules fail. Compilation process includes type checking as well. The compilation failure: - `no_matching_overload`: this function has no overload for the types of the arguments. - + For example, a rule like `self == true` against a field of integer type will get error: ```none Invalid value: apiextensions.ValidationRule{Rule:"self == true", Message:""}: compilation failed: ERROR: \:1:6: found no matching overload for '_==_' applied to '(int, bool)' ``` - + - `no_such_field`: does not contain the desired field. - + For example, a rule like `self.nonExistingField > 0` against a non-existing field will return the following error: @@ -822,7 +822,7 @@ The compilation failure: ``` - `invalid argument`: invalid argument to macros. - + For example, a rule like `has(self)` will return error: ```none @@ -961,7 +961,7 @@ Examples: The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object and from any `x-kubernetes-embedded-resource` annotated objects. No other metadata properties are accessible. - + Unknown data preserved in custom resources via `x-kubernetes-preserve-unknown-fields` is not accessible in CEL expressions. This includes: @@ -1007,7 +1007,7 @@ the list type: - `map`: `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with non-intersecting keys are appended, retaining their partial order. - + Here is the declarations type mapping between OpenAPIv3 and CEL type: @@ -1100,8 +1100,8 @@ estimated to be prohibitively expensive to execute, the API server rejects the c or update operation, and returns an error message. A similar system is used at runtime that observes the actions the interpreter takes. If the interpreter executes too many instructions, execution of the rule will be halted, and an error will result. -Each CustomResourceDefinition is also allowed a certain amount of resources to finish executing all of -its validation rules. If the sum total of its rules are estimated at creation time to go over that limit, +Each CustomResourceDefinition is also allowed a certain amount of resources to finish executing all of +its validation rules. If the sum total of its rules are estimated at creation time to go over that limit, then a validation error will also occur. You are unlikely to encounter issues with the resource budget for validation if you only @@ -1114,7 +1114,7 @@ Another example would be if `foo` were an array, and you specified a validation The cost system always assumes the worst-case scenario if a limit on the length of `foo` is not given, and this will happen for anything that can be iterated over (lists, maps, etc.). -Because of this, it is considered best practice to put a limit via `maxItems`, `maxProperties`, and +Because of this, it is considered best practice to put a limit via `maxItems`, `maxProperties`, and `maxLength` for anything that will be processed in a validation rule in order to prevent validation errors during cost estimation. For example, given this schema with one rule: @@ -1133,8 +1133,8 @@ openAPIV3Schema: then the API server rejects this rule on validation budget grounds with error: ``` -spec.validation.openAPIV3Schema.properties[spec].properties[foo].x-kubernetes-validations[0].rule: Forbidden: -CEL rule exceeded budget by more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and +spec.validation.openAPIV3Schema.properties[spec].properties[foo].x-kubernetes-validations[0].rule: Forbidden: +CEL rule exceeded budget by more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are used) ``` @@ -1177,7 +1177,7 @@ openAPIV3Schema: maxLength: 10 ``` -If a list inside of a list has a validation rule that uses `self.all`, that is significantly more expensive +If a list inside of a list has a validation rule that uses `self.all`, that is significantly more expensive than a non-nested list with the same rule. A rule that would have been allowed on a non-nested list might need lower limits set on both nested lists in order to be allowed. For example, even without having limits set, the following rule is allowed: @@ -1768,4 +1768,3 @@ crontabs/my-new-cron-object 3s * Serve [multiple versions](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/) of a CustomResourceDefinition. - From a67328526b958a365bf39f29484e3b49e715f227 Mon Sep 17 00:00:00 2001 From: Paco Xu Date: Tue, 28 Mar 2023 10:42:07 +0800 Subject: [PATCH 061/272] update IdentifyPodOS as it is removed --- content/en/docs/concepts/windows/intro.md | 4 ---- content/en/docs/concepts/windows/user-guide.md | 4 ---- .../command-line-tools-reference/feature-gates-removed.md | 8 ++++++++ .../command-line-tools-reference/feature-gates.md | 7 ------- 4 files changed, 8 insertions(+), 15 deletions(-) diff --git a/content/en/docs/concepts/windows/intro.md b/content/en/docs/concepts/windows/intro.md index 16a7ea3d8a1..19a9c2c7888 100644 --- a/content/en/docs/concepts/windows/intro.md +++ b/content/en/docs/concepts/windows/intro.md @@ -89,10 +89,6 @@ section refers to several key workload abstractions and how they map to Windows. The `.spec.os.name` field should be set to `windows` to indicate that the current Pod uses Windows containers. - {{< note >}} - Starting from 1.25, the `IdentifyPodOS` feature gate is in GA stage and defaults to be enabled. - {{< /note >}} - If you set the `.spec.os.name` field to `windows`, you must not set the following fields in the `.spec` of that Pod: diff --git a/content/en/docs/concepts/windows/user-guide.md b/content/en/docs/concepts/windows/user-guide.md index df3306f01ab..53f78951efc 100644 --- a/content/en/docs/concepts/windows/user-guide.md +++ b/content/en/docs/concepts/windows/user-guide.md @@ -162,10 +162,6 @@ that the containers in that Pod are designed for. For Pods that run Linux contai `.spec.os.name` to `linux`. For Pods that run Windows containers, set `.spec.os.name` to `windows`. -{{< note >}} -Starting from 1.25, the `IdentifyPodOS` feature is in GA stage and defaults to be enabled. -{{< /note >}} - The scheduler does not use the value of `.spec.os.name` when assigning Pods to nodes. You should use normal Kubernetes mechanisms for [assigning pods to nodes](/docs/concepts/scheduling-eviction/assign-pod-node/) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md b/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md index 67939e8e45b..50d1dd29bfc 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md @@ -169,6 +169,9 @@ In the following table: | `IPv6DualStack` | `false` | Alpha | 1.15 | 1.20 | | `IPv6DualStack` | `true` | Beta | 1.21 | 1.22 | | `IPv6DualStack` | `true` | GA | 1.23 | 1.24 | +| `IdentifyPodOS` | `false` | Alpha | 1.23 | 1.23 | +| `IdentifyPodOS` | `true` | Beta | 1.24 | 1.24 | +| `IdentifyPodOS` | `true` | GA | 1.25 | 1.27 | | `ImmutableEphemeralVolumes` | `false` | Alpha | 1.18 | 1.18 | | `ImmutableEphemeralVolumes` | `true` | Beta | 1.19 | 1.20 | | `ImmutableEphemeralVolumes` | `true` | GA | 1.21 | 1.24 | @@ -575,6 +578,11 @@ In the following table: - `IPv6DualStack`: Enable [dual stack](/docs/concepts/services-networking/dual-stack/) support for IPv6. +- `IdentifyPodOS`: Allows the Pod OS field to be specified. This helps in identifying + the OS of the pod authoritatively during the API server admission time. + In Kubernetes {{< skew currentVersion >}}, the allowed values for the `pod.spec.os.name` + are `windows` and `linux`. + - `ImmutableEphemeralVolumes`: Allows for marking individual Secrets and ConfigMaps as immutable for better safety and performance. diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 08666007a13..e90baeebcf6 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -282,9 +282,6 @@ For a reference to old feature gates that are removed, please refer to | `EphemeralContainers` | `true` | Beta | 1.23 | 1.24 | | `EphemeralContainers` | `true` | GA | 1.25 | - | | `ExecProbeTimeout` | `true` | GA | 1.20 | - | -| `IdentifyPodOS` | `false` | Alpha | 1.23 | 1.23 | -| `IdentifyPodOS` | `true` | Beta | 1.24 | 1.24 | -| `IdentifyPodOS` | `true` | GA | 1.25 | - | | `JobTrackingWithFinalizers` | `false` | Alpha | 1.22 | 1.22 | | `JobTrackingWithFinalizers` | `false` | Beta | 1.23 | 1.24 | | `JobTrackingWithFinalizers` | `true` | Beta | 1.25 | 1.25 | @@ -543,10 +540,6 @@ Each feature gate is designed for enabling/disabling a specific feature: - `HPAScaleToZero`: Enables setting `minReplicas` to 0 for `HorizontalPodAutoscaler` resources when using custom or external metrics. - `IPTablesOwnershipCleanup`: This causes kubelet to no longer create legacy iptables rules. -- `IdentifyPodOS`: Allows the Pod OS field to be specified. This helps in identifying - the OS of the pod authoritatively during the API server admission time. - In Kubernetes {{< skew currentVersion >}}, the allowed values for the `pod.spec.os.name` - are `windows` and `linux`. - `InTreePluginAWSUnregister`: Stops registering the aws-ebs in-tree plugin in kubelet and volume controllers. - `InTreePluginAzureDiskUnregister`: Stops registering the azuredisk in-tree plugin in kubelet From 448e70ff20a0196c7bd57db45761f2b90a51112d Mon Sep 17 00:00:00 2001 From: Han Kang Date: Tue, 21 Mar 2023 09:05:25 -0700 Subject: [PATCH 062/272] add autogenerated documentation for metrics --- .../docs/reference/instrumentation/metrics.md | 1809 ++++++++++++----- 1 file changed, 1310 insertions(+), 499 deletions(-) diff --git a/content/en/docs/reference/instrumentation/metrics.md b/content/en/docs/reference/instrumentation/metrics.md index 196c9b97d3e..0cc90d8d78e 100644 --- a/content/en/docs/reference/instrumentation/metrics.md +++ b/content/en/docs/reference/instrumentation/metrics.md @@ -1,18 +1,22 @@ --- title: Kubernetes Metrics Reference content_type: reference +auto_generated: true description: >- Details of the metric data that Kubernetes components export. --- +## Metrics (v1.27) -## Metrics (auto-generated 2022 Nov 01) - + + This page details the metrics that different Kubernetes components export. You can query the metrics endpoint for these components using an HTTP scrape, and fetch the current metrics data in Prometheus format. ### List of Stable Kubernetes Metrics +Stable metrics observe strict API contracts and no labels can be added or removed from stable metrics during their lifetime. + @@ -22,6 +26,7 @@ components using an HTTP scrape, and fetch the current metrics data in Prometheu + @@ -31,126 +36,219 @@ components using an HTTP scrape, and fetch the current metrics data in Prometheu - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + - + + - + - + + - - + + + - + + - - + + + - - + + + - + + - + + - + + + +
Help Labels Const LabelsDeprecated Version
Histogram Admission controller latency histogram in seconds, identified by name and broken out for each operation and API resource and type (validate or admit).
name
operation
rejected
type
None
apiserver_admission_step_admission_duration_seconds STABLE Histogram Admission sub-step latency histogram in seconds, broken out for each operation and API resource and step type (validate or admit).
operation
rejected
type
None
apiserver_admission_webhook_admission_duration_seconds STABLE Histogram Admission webhook latency histogram in seconds, identified by name and broken out for each operation and API resource and type (validate or admit).
name
operation
rejected
type
None
apiserver_current_inflight_requests STABLE Gauge Maximal number of currently used inflight request limit of this apiserver per request kind in last second.
request_kind
None
apiserver_longrunning_requests STABLE Gauge Gauge of all active long-running apiserver requests broken out by verb, group, version, resource, scope and component. Not all requests are tracked this way.
component
group
resource
scope
subresource
verb
version
None
apiserver_request_duration_seconds STABLE Histogram Response latency distribution in seconds for each verb, dry run value, group, version, resource, subresource, scope and component.
component
dry_run
group
resource
scope
subresource
verb
version
None
apiserver_request_total STABLE Counter Counter of apiserver requests broken out for each verb, dry run value, group, version, resource, scope, component, and HTTP response code.
code
component
dry_run
group
resource
scope
subresource
verb
version
None
apiserver_requested_deprecated_apis STABLE Gauge Gauge of deprecated APIs that have been requested, broken out by API group, version, resource, subresource, and removed_release.
group
removed_release
resource
subresource
version
None
apiserver_response_sizes STABLE Histogram Response size distribution in bytes for each group, version, verb, resource, subresource, scope and component.
component
group
resource
scope
subresource
verb
version
None
apiserver_storage_objects STABLE Gauge Number of stored objects at the time of last check split by kind.
resource
None
cronjob_controller_job_creation_skew_duration_secondsSTABLEHistogramTime between when a cronjob is scheduled to be run, and when the corresponding job is created
job_controller_job_pods_finished_totalSTABLECounterThe number of finished Pods that are fully tracked
completion_mode
result
job_controller_job_sync_duration_secondsSTABLEHistogramThe time it took to sync a job
action
completion_mode
result
job_controller_job_syncs_totalSTABLECounterThe number of job syncs
action
completion_mode
result
job_controller_jobs_finished_totalSTABLECounterThe number of finished jobs
completion_mode
reason
result
kube_pod_resource_limitSTABLECustomResources limit for workloads on the cluster, broken down by pod. This shows the resource usage the scheduler and kubelet expect per pod for resources along with the unit for the resource if any.
namespace
pod
node
scheduler
priority
resource
unit
kube_pod_resource_requestSTABLECustomResources requested by workloads on the cluster, broken down by pod. This shows the resource usage the scheduler and kubelet expect per pod for resources along with the unit for the resource if any.
namespace
pod
node
scheduler
priority
resource
unit
node_collector_evictions_total STABLE Counter Number of Node evictions that happened since current instance of NodeController started.
zone
None
scheduler_framework_extension_point_duration_seconds STABLE Histogram Latency for running all plugins of a specific extension point.
extension_point
profile
status
None
scheduler_pending_pods STABLE GaugeNumber of pending pods, by the queue type. 'active' means number of pods in activeQ; 'backoff' means number of pods in backoffQ; 'unschedulable' means number of pods in unschedulablePods.Number of pending pods, by the queue type. 'active' means number of pods in activeQ; 'backoff' means number of pods in backoffQ; 'unschedulable' means number of pods in unschedulablePods that the scheduler attempted to schedule and failed; 'gated' is the number of unschedulable pods that the scheduler never attempted to schedule because they are gated.
queue
None
scheduler_pod_scheduling_attempts STABLE Histogram Number of attempts to successfully schedule a pod.NoneNone
scheduler_pod_scheduling_duration_seconds STABLE Histogram E2e latency for a pod being scheduled which may include multiple scheduling attempts.
attempts
None
scheduler_preemption_attempts_total STABLE Counter Total preemption attempts in the cluster till nowNoneNone
scheduler_preemption_victims STABLE Histogram Number of selected preemption victimsNoneNone
scheduler_queue_incoming_pods_total STABLE Counter Number of pods added to scheduling queues by event and queue type.
event
queue
None
scheduler_schedule_attempts_total STABLE Counter Number of attempts to schedule pods, by the result. 'unschedulable' means a pod could not be scheduled, while 'error' means an internal scheduler problem.
profile
result
None
scheduler_scheduling_attempt_duration_seconds STABLE Histogram Scheduling attempt latency in seconds (scheduling algorithm + binding)
profile
result
None
+ +### List of Beta Kubernetes Metrics + +Beta metrics observe a looser API contract than its stable counterparts. No labels can be removed from beta metrics during their lifetime, however, labels can be added while the metric is in the beta stage. This offers the assurance that beta metrics will honor existing dashboards and alerts, while allowing for amendments in the future. + + + + + + + + + + + + + + + +
NameStability LevelTypeHelpLabelsConst LabelsDeprecated Version
### List of Alpha Kubernetes Metrics +Alpha metrics do not have any API guarantees. These metrics must be used at your own risk, subsequent versions of Kubernetes may remove these metrics altogether, or mutate the API in such a way that breaks existing dashboards and alerts. + @@ -160,1887 +258,2600 @@ components using an HTTP scrape, and fetch the current metrics data in Prometheu + + + + + + + + - + + - + + - + + - + + - + + - + + + + + + + + + - + + - + + - + + - + + - + + - - + + + - + + - - + + + - + + - + + - + + - - - + + + + - - - + + + + - + + - + + - - + + + - + + - + + - + + - + + - + + - + + - + + - + + + + + + + + + - - + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + - + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + - + + - + + - + + + + + + + + + - + + - + + + + + + + + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + + + + + + + + + + + + + + + + + + + + + + - + + - + + - + + - - + + + - - + + + - + + - + + - + + - + + + + + + + + + - + - + + - + + - + + - + + - - + + + - - + + + - + + + + + + + + + - - + + + + + + + + + + - + + - + + - + + - + + - - + + + - + + - + + - - + + + - - - + + + + - - - + + + + - + + - + + + + + + + + + - + + - + + - + + - - + + + - - + + + - - + + + - + + - + + - + + - + + - + + - + + - + + - - + + + - - - - + + + + + - - - - - - - - - + + + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - - - - - - - + + - + + - + + - - + + + - - + + + - - + + + - - + + + - + + - - + + + - + + - - + + + - + + - - + + + - - + + + - - + + + - - + + + - - + + + - - + + + - - + + + - - + + + - - + + + - + + - - + + + - + + - + + - - - + + + + + + + + + + + + + + + + + + - - + + + - - + + + - - - - - - - - - - - - - - - + + + + - - - - + + + + + - - - + + + + + + + + + + + + + + + + + + - + + - + + - + + - + + - + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + - - + + + - - - - - - - - - - + + + + + - - + + + - - + + + - - + + + - - + + + - + + - + + - - + + + - - + + + - - + + + + + + + + + + + + + + + + + + + + + + + + - + + - + + + + + + + + + + + + + + + + + + + + + + + - + + - + + - - + + + - - + + + - + + - + + - - - - - - - - - - - - - + + - - + + + - - - + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - - + + + - - + + + - - + + + - - + + + + + + + + + + - + + - + + + + + + + + + - + + - + + - + + - - + + + + + + + + + + - - + + + - + + - - + + + - + + + + + + + + + - + + - + + - + + - - + + + - + + - + + - + + - - + + + - + + - + + - + + - + + - - + + + - - + + + + + + + + + + + + + + + + + + + + + + + + - + + - + + - + + - + + - + + - + + - + + - + + + + + + + + + - - + + + - - + + + - - + + + - - + + + + + + + + + + - - + + + - + + - - + + + - - + + + - + + - - + + + - - + + + - + + - + + - + + - + + - + + - - - - - - - + + - + + + + + + + + + + + + + + + + - + + - + + - - + + + - + + - + + - + + - + + + + + + + + + - + + - + + - + + - + + + + + + + + + - - + + + - + + - + + - + + + + + + + + + + + + + + + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + - + + - - + + + - - + + + - + + - + + + + + + + + + - + + - + + - + + - - + + + - - + + + - + + - + + - - - - - - - + + - + + - + + + + + + + + + - + + - + + - + + - - + + + - + + - + + - + + - - + + + + + + + + + + + + + + + + + - - + + + - - + + + - - + + + - - + + + - - + + + - + + - + + - - + + + - - + + + - - + + + - - + + + - - + + + - - + + + - - + + + - - + + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + +
Help Labels Const LabelsDeprecated Version
aggregator_discovery_aggregation_count_totalALPHACounterCounter of number of times discovery was aggregated
aggregator_openapi_v2_regeneration_count ALPHA Counter Counter of OpenAPI v2 spec regeneration count broken down by causing APIService name and reason.
apiservice
reason
None
aggregator_openapi_v2_regeneration_duration ALPHA Gauge Gauge of OpenAPI v2 spec regeneration duration in seconds.
reason
None
aggregator_unavailable_apiservice ALPHA Custom Gauge of APIServices which are marked as unavailable broken down by APIService name.
name
None
aggregator_unavailable_apiservice_total ALPHA Counter Counter of APIServices which are marked as unavailable broken down by APIService name and reason.
name
reason
None
apiextensions_openapi_v2_regeneration_count ALPHA Counter Counter of OpenAPI v2 spec regeneration count broken down by causing CRD name and reason.
crd
reason
None
apiextensions_openapi_v3_regeneration_count ALPHA Counter Counter of OpenAPI v3 spec regeneration count broken down by group, version, causing CRD and reason.
crd
group
reason
version
None
apiserver_admission_admission_match_condition_evaluation_errors_totalALPHACounterAdmission match condition evaluation errors count, identified by name of resource containing the match condition and broken out for each admission type (validating or mutating).
name
type
apiserver_admission_step_admission_duration_seconds_summary ALPHA Summary Admission sub-step latency summary in seconds, broken out for each operation and API resource and step type (validate or admit).
operation
rejected
type
None
apiserver_admission_webhook_fail_open_count ALPHA Counter Admission webhook fail open count, identified by name and broken out for each admission type (validating or mutating).
name
type
None
apiserver_admission_webhook_rejection_count ALPHA Counter Admission webhook rejection count, identified by name and broken out for each admission type (validating or admit) and operation. Additional labels specify an error type (calling_webhook_error or apiserver_internal_error if an error occurred; no_error otherwise) and optionally a non-zero rejection code if the webhook rejects the request with an HTTP status code (honored by the apiserver when the code is greater or equal to 400). Codes greater than 600 are truncated to 600, to keep the metrics cardinality bounded.
error_type
name
operation
rejection_code
type
None
apiserver_admission_webhook_request_total ALPHA Counter Admission webhook request total, identified by name and broken out for each admission type (validating or mutating) and operation. Additional labels specify whether the request was rejected or not and an HTTP status code. Codes greater than 600 are truncated to 600, to keep the metrics cardinality bounded.
code
name
operation
rejected
type
None
apiserver_audit_error_total ALPHA Counter Counter of audit events that failed to be audited properly. Plugin identifies the plugin affected by the error.
plugin
None
apiserver_audit_event_total ALPHA Counter Counter of audit events generated and sent to the audit backend.NoneNone
apiserver_audit_level_total ALPHA Counter Counter of policy levels for audit events (1 per request).
level
None
apiserver_audit_requests_rejected_total ALPHA Counter Counter of apiserver requests rejected due to an error in audit logging backend.NoneNone
apiserver_cache_list_fetched_objects_total ALPHA Counter Number of objects read from watch cache in the course of serving a LIST request
index
resource_prefix
None
apiserver_cache_list_returned_objects_total ALPHA Counter Number of objects returned for a LIST request from watch cache
resource_prefix
None
apiserver_cache_list_total ALPHA Counter Number of LIST requests served from watch cache
index
resource_prefix
None
apiserver_cel_compilation_duration_seconds ALPHA HistogramNoneNone
CEL compilation time in seconds.
apiserver_cel_evaluation_duration_seconds ALPHA HistogramNoneNone
CEL evaluation time in seconds.
apiserver_certificates_registry_csr_honored_duration_total ALPHA Counter Total number of issued CSRs with a requested duration that was honored, sliced by signer (only kubernetes.io signer names are specifically identified)
signerName
None
apiserver_certificates_registry_csr_requested_duration_total ALPHA Counter Total number of issued CSRs with a requested duration, sliced by signer (only kubernetes.io signer names are specifically identified)
signerName
None
apiserver_client_certificate_expiration_seconds ALPHA Histogram Distribution of the remaining lifetime on the certificate used to authenticate a request.NoneNone
apiserver_crd_webhook_conversion_duration_seconds ALPHA Histogram CRD webhook conversion duration in seconds
crd_name
from_version
succeeded
to_version
None
apiserver_current_inqueue_requests ALPHA Gauge Maximal number of queued requests in this apiserver per request kind in last second.
request_kind
None
apiserver_delegated_authn_request_duration_seconds ALPHA Histogram Request latency in seconds. Broken down by status code.
code
None
apiserver_delegated_authn_request_total ALPHA Counter Number of HTTP requests partitioned by status code.
code
None
apiserver_delegated_authz_request_duration_seconds ALPHA Histogram Request latency in seconds. Broken down by status code.
code
None
apiserver_delegated_authz_request_total ALPHA Counter Number of HTTP requests partitioned by status code.
code
None
apiserver_egress_dialer_dial_duration_seconds ALPHA Histogram Dial latency histogram in seconds, labeled by the protocol (http-connect or grpc), transport (tcp or uds)
protocol
transport
None
apiserver_egress_dialer_dial_failure_count ALPHA Counter Dial failure count, labeled by the protocol (http-connect or grpc), transport (tcp or uds), and stage (connect or proxy). The stage indicates at which stage the dial failed
protocol
stage
transport
None
apiserver_egress_dialer_dial_start_totalALPHACounterDial starts, labeled by the protocol (http-connect or grpc) and transport (tcp or uds).
protocol
transport
apiserver_envelope_encryption_dek_cache_fill_percent ALPHA Gauge Percent of the cache slots currently occupied by cached DEKs.NoneNone
apiserver_envelope_encryption_dek_cache_inter_arrival_time_seconds ALPHA Histogram Time (in seconds) of inter arrival of transformation requests.
transformation_type
None
apiserver_envelope_encryption_invalid_key_id_from_status_totalALPHACounterNumber of times an invalid keyID is returned by the Status RPC call split by error.
error
provider_name
apiserver_envelope_encryption_key_id_hash_last_timestamp_secondsALPHAGaugeThe last time in seconds when a keyID was used.
key_id_hash
provider_name
transformation_type
apiserver_envelope_encryption_key_id_hash_status_last_timestamp_secondsALPHAGaugeThe last time in seconds when a keyID was returned by the Status RPC call.
key_id_hash
provider_name
apiserver_envelope_encryption_key_id_hash_totalALPHACounterNumber of times a keyID is used split by transformation type and provider.
key_id_hash
provider_name
transformation_type
apiserver_envelope_encryption_kms_operations_latency_secondsALPHAHistogramKMS operation duration with gRPC error code status total.
grpc_status_code
method_name
provider_name
apiserver_flowcontrol_current_executing_requests ALPHA Gauge Number of requests in initial (for a WATCH) or any (for a non-WATCH) execution stage in the API Priority and Fairness subsystem
flow_schema
priority_level
None
apiserver_flowcontrol_current_inqueue_requests ALPHA Gauge Number of requests currently pending in queues of the API Priority and Fairness subsystem
flow_schema
priority_level
None
apiserver_flowcontrol_current_limit_seatsALPHAGaugecurrent derived number of execution seats available to each priority level
priority_level
apiserver_flowcontrol_current_r ALPHA Gauge R(time of last change)
priority_level
None
apiserver_flowcontrol_demand_seatsALPHATimingRatioHistogramObservations, at the end of every nanosecond, of (the number of seats each priority level could use) / (nominal number of seats for that level)
priority_level
apiserver_flowcontrol_demand_seats_averageALPHAGaugeTime-weighted average, over last adjustment period, of demand_seats
priority_level
apiserver_flowcontrol_demand_seats_high_watermarkALPHAGaugeHigh watermark, over last adjustment period, of demand_seats
priority_level
apiserver_flowcontrol_demand_seats_smoothedALPHAGaugeSmoothed seat demands
priority_level
apiserver_flowcontrol_demand_seats_stdevALPHAGaugeTime-weighted standard deviation, over last adjustment period, of demand_seats
priority_level
apiserver_flowcontrol_dispatch_r ALPHA Gauge R(time of last dispatch)
priority_level
None
apiserver_flowcontrol_dispatched_requests_total ALPHA Counter Number of requests executed by API Priority and Fairness subsystem
flow_schema
priority_level
None
apiserver_flowcontrol_epoch_advance_total ALPHA Counter Number of times the queueset's progress meter jumped backward
priority_level
success
None
apiserver_flowcontrol_latest_s ALPHA Gauge S(most recently dispatched request)
priority_level
None
apiserver_flowcontrol_lower_limit_seatsALPHAGaugeConfigured lower bound on number of execution seats available to each priority level
priority_level
apiserver_flowcontrol_next_discounted_s_bounds ALPHA Gauge min and max, over queues, of S(oldest waiting request in queue) - estimated work in progress
bound
priority_level
None
apiserver_flowcontrol_next_s_bounds ALPHA Gauge min and max, over queues, of S(oldest waiting request in queue)
bound
priority_level
None
apiserver_flowcontrol_nominal_limit_seatsALPHAGaugeNominal number of execution seats configured for each priority level
priority_level
apiserver_flowcontrol_priority_level_request_utilization ALPHA TimingRatioHistogram Observations, at the end of every nanosecond, of number of requests (as a fraction of the relevant limit) waiting or in any stage of execution (but only initial stage for WATCHes)
phase
priority_level
None
apiserver_flowcontrol_priority_level_seat_utilization ALPHA TimingRatioHistogram Observations, at the end of every nanosecond, of utilization of seats for any stage of execution (but only initial stage for WATCHes)
priority_level
map[phase:executing]
phase:executing
apiserver_flowcontrol_read_vs_write_current_requests ALPHA TimingRatioHistogram Observations, at the end of every nanosecond, of the number of requests (as a fraction of the relevant limit) waiting or in regular stage of execution
phase
request_kind
None
apiserver_flowcontrol_rejected_requests_total ALPHA Counter Number of requests rejected by API Priority and Fairness subsystem
flow_schema
priority_level
reason
None
apiserver_flowcontrol_request_concurrency_in_use ALPHA Gauge Concurrency (number of seats) occupied by the currently executing (initial stage for a WATCH, any stage otherwise) requests in the API Priority and Fairness subsystem
flow_schema
priority_level
None
apiserver_flowcontrol_request_concurrency_limit ALPHA Gauge Shared concurrency limit in the API Priority and Fairness subsystem
priority_level
None
apiserver_flowcontrol_request_dispatch_no_accommodation_total ALPHA Counter Number of times a dispatch attempt resulted in a non accommodation due to lack of available seats
flow_schema
priority_level
None
apiserver_flowcontrol_request_execution_seconds ALPHA Histogram Duration of initial stage (for a WATCH) or any (for a non-WATCH) stage of request execution in the API Priority and Fairness subsystem
flow_schema
priority_level
type
None
apiserver_flowcontrol_request_queue_length_after_enqueue ALPHA Histogram Length of queue in the API Priority and Fairness subsystem, as seen by each request after it is enqueued
flow_schema
priority_level
None
apiserver_flowcontrol_request_wait_duration_seconds ALPHA Histogram Length of time a request spent waiting in its queue
execute
flow_schema
priority_level
None
apiserver_flowcontrol_seat_fair_fracALPHAGaugeFair fraction of server's concurrency to allocate to each priority level that can use it
apiserver_flowcontrol_target_seatsALPHAGaugeSeat allocation targets
priority_level
apiserver_flowcontrol_upper_limit_seatsALPHAGaugeConfigured upper bound on number of execution seats available to each priority level
priority_level
apiserver_flowcontrol_watch_count_samples ALPHA Histogram count of watchers for mutating requests in API Priority and Fairness
flow_schema
priority_level
None
apiserver_flowcontrol_work_estimated_seats ALPHA Histogram Number of estimated seats (maximum of initial and final seats) associated with requests in API Priority and Fairness
flow_schema
priority_level
None
apiserver_init_events_total ALPHA Counter Counter of init events processed in watch cache broken by resource type.
resource
None
apiserver_kube_aggregator_x509_insecure_sha1_total ALPHA Counter Counts the number of requests to servers with insecure SHA1 signatures in their serving certificate OR the number of connection failures due to the insecure SHA1 signatures (either/or, based on the runtime environment)NoneNone
apiserver_kube_aggregator_x509_missing_san_total ALPHA Counter Counts the number of requests to servers missing SAN extension in their serving certificate OR the number of connection failures due to the lack of x509 certificate SAN extension missing (either/or, based on the runtime environment)NoneNone
apiserver_request_aborts_total ALPHA Counter Number of requests which apiserver aborted possibly due to a timeout, for each group, version, verb, resource, subresource and scope
group
resource
scope
subresource
verb
version
None
apiserver_request_body_sizes ALPHA Histogram Apiserver request body sizes broken out by size.
resource
verb
None
apiserver_request_filter_duration_seconds ALPHA Histogram Request filter latency distribution in seconds, for each filter type
filter
None
apiserver_request_post_timeout_total ALPHA Counter Tracks the activity of the request handlers after the associated requests have been timed out by the apiserver
source
status
None
apiserver_request_sli_duration_secondsALPHAHistogramResponse latency distribution (not counting webhook duration and priority & fairness queue wait times) in seconds for each verb, group, version, resource, subresource, scope and component.
component
group
resource
scope
subresource
verb
version
apiserver_request_slo_duration_seconds ALPHA HistogramResponse latency distribution (not counting webhook duration) in seconds for each verb, group, version, resource, subresource, scope and component.Response latency distribution (not counting webhook duration and priority & fairness queue wait times) in seconds for each verb, group, version, resource, subresource, scope and component.
component
group
resource
scope
subresource
verb
version
None
1.27.0
apiserver_request_terminations_total ALPHA Counter Number of requests which apiserver terminated in self-defense.
code
component
group
resource
scope
subresource
verb
version
None
apiserver_request_timestamp_comparison_time ALPHA Histogram Time taken for comparison of old vs new objects in UPDATE or PATCH requests
code_path
None
apiserver_selfrequest_total ALPHA Counter Counter of apiserver self-requests broken out for each verb, API resource and subresource.
resource
subresource
verb
None
apiserver_storage_data_key_generation_duration_seconds ALPHA Histogram Latencies in seconds of data encryption key(DEK) generation operations.NoneNone
apiserver_storage_data_key_generation_failures_total ALPHA Counter Total number of failed data encryption key(DEK) generation operations.NoneNone
apiserver_storage_db_total_size_in_bytes ALPHA Gauge Total size of the storage database file physically allocated in bytes.
endpoint
None
apiserver_storage_decode_errors_totalALPHACounterNumber of stored object decode errors split by object type
resource
apiserver_storage_envelope_transformation_cache_misses_total ALPHA Counter Total number of cache misses while accessing key decryption key(KEK).NoneNone
apiserver_storage_events_received_totalALPHACounterNumber of etcd events received split by kind.
resource
apiserver_storage_list_evaluated_objects_total ALPHA Counter Number of objects tested in the course of serving a LIST request from storage
resource
None
apiserver_storage_list_fetched_objects_total ALPHA Counter Number of objects read from storage in the course of serving a LIST request
resource
None
apiserver_storage_list_returned_objects_total ALPHA Counter Number of objects returned for a LIST request from storage
resource
None
apiserver_storage_list_total ALPHA Counter Number of LIST requests served from storage
resource
None
apiserver_storage_transformation_duration_seconds ALPHA Histogram Latencies in seconds of value transformation operations.
transformation_type
None
transformation_type
transformer_prefix
apiserver_storage_transformation_operations_total ALPHA Counter Total number of transformations.
status
transformation_type
transformer_prefix
None
apiserver_terminated_watchers_total ALPHA Counter Counter of watchers closed due to unresponsiveness broken by resource type.
resource
None
apiserver_tls_handshake_errors_total ALPHA Counter Number of requests dropped with 'TLS handshake error from' errorNoneNone
apiserver_validating_admission_policy_check_duration_seconds ALPHA HistogramValidation admission latency for individual validation expressions in seconds, labeled by policy and param resource, further including binding, state and enforcement action taken.
enforcement_action
params
policy
policy_binding
state
validation_expression
None
Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding, state and enforcement action taken.
enforcement_action
policy
policy_binding
state
apiserver_validating_admission_policy_check_total ALPHA CounterValidation admission policy check total, labeled by policy and param resource, and further identified by binding, validation expression, enforcement action taken, and state.
enforcement_action
params
policy
policy_binding
state
validation_expression
None
Validation admission policy check total, labeled by policy and further identified by binding, enforcement action taken, and state.
enforcement_action
policy
policy_binding
state
apiserver_validating_admission_policy_definition_total ALPHA Counter Validation admission policy count total, labeled by state and enforcement action.
enforcement_action
state
None
apiserver_watch_cache_events_dispatched_total ALPHA Counter Counter of events dispatched in watch cache broken by resource type.
resource
None
apiserver_watch_cache_events_received_totalALPHACounterCounter of events received in watch cache broken by resource type.
resource
apiserver_watch_cache_initializations_total ALPHA Counter Counter of watch cache initializations broken by resource type.
resource
None
apiserver_watch_events_sizes ALPHA Histogram Watch event size distribution in bytes
group
kind
version
None
apiserver_watch_events_total ALPHA Counter Number of events sent in watch clients
group
kind
version
None
apiserver_webhooks_x509_insecure_sha1_total ALPHA Counter Counts the number of requests to servers with insecure SHA1 signatures in their serving certificate OR the number of connection failures due to the insecure SHA1 signatures (either/or, based on the runtime environment)NoneNone
apiserver_webhooks_x509_missing_san_total ALPHA Counter Counts the number of requests to servers missing SAN extension in their serving certificate OR the number of connection failures due to the lack of x509 certificate SAN extension missing (either/or, based on the runtime environment)NoneNone
attachdetach_controller_forced_detaches ALPHA Counter Number of times the A/D Controller performed a forced detachNoneNone
attachdetach_controller_total_volumes ALPHA Custom Number of volumes in A/D Controller
plugin_name
state
None
authenticated_user_requests ALPHA Counter Counter of authenticated requests broken out by username.
username
None
authentication_attempts ALPHA Counter Counter of authenticated attempts.
result
None
authentication_duration_seconds ALPHA Histogram Authentication duration in seconds broken out by result.
result
None
authentication_token_cache_active_fetch_count ALPHA Gauge
status
None
authentication_token_cache_fetch_total ALPHA Counter
status
None
authentication_token_cache_request_duration_seconds ALPHA Histogram
status
None
authentication_token_cache_request_total ALPHA Counter
status
None
cloudprovider_aws_api_request_duration_seconds
cloud_provider_webhook_request_duration_seconds ALPHA HistogramLatency of AWS API calls
request
None
cloudprovider_aws_api_request_errorsRequest latency in seconds. Broken down by status code.
code
webhook
cloud_provider_webhook_request_total ALPHA CounterAWS API errors
request
None
cloudprovider_aws_api_throttled_requests_totalALPHACounterAWS API throttled requests
operation_name
None
Number of HTTP requests partitioned by status code.
code
webhook
cloudprovider_azure_api_request_duration_seconds ALPHA Histogram Latency of an Azure API call
request
resource_group
source
subscription_id
None
cloudprovider_azure_api_request_errors ALPHA Counter Number of errors for an Azure API call
request
resource_group
source
subscription_id
None
cloudprovider_azure_api_request_ratelimited_count ALPHA Counter Number of rate limited Azure API calls
request
resource_group
source
subscription_id
None
cloudprovider_azure_api_request_throttled_count ALPHA Counter Number of throttled Azure API calls
request
resource_group
source
subscription_id
None
cloudprovider_azure_op_duration_seconds ALPHA Histogram Latency of an Azure service operation
request
resource_group
source
subscription_id
None
cloudprovider_azure_op_failure_count ALPHA Counter Number of failed Azure service operations
request
resource_group
source
subscription_id
None
cloudprovider_gce_api_request_duration_seconds ALPHA Histogram Latency of a GCE API call
region
request
version
zone
None
cloudprovider_gce_api_request_errors ALPHA Counter Number of errors for an API call
region
request
version
zone
None
cloudprovider_vsphere_api_request_duration_seconds ALPHA Histogram Latency of vsphere api call
request
None
cloudprovider_vsphere_api_request_errors ALPHA Counter vsphere Api errors
request
None
cloudprovider_vsphere_operation_duration_seconds ALPHA Histogram Latency of vsphere operation call
operation
None
cloudprovider_vsphere_operation_errors ALPHA Counter vsphere operation errors
operation
None
cloudprovider_vsphere_vcenter_versions ALPHA Custom Versions for connected vSphere vCenters
hostname
version
build
None
container_cpu_usage_seconds_total ALPHA Custom Cumulative cpu time consumed by the container in core-seconds
container
pod
namespace
None
container_memory_working_set_bytes ALPHA Custom Current working set of the container in bytes
container
pod
namespace
None
container_start_time_seconds ALPHA Custom Start time of the container since unix epoch in seconds
container
pod
namespace
None
cronjob_controller_cronjob_job_creation_skew_duration_secondsALPHAHistogramTime between when a cronjob is scheduled to be run, and when the corresponding job is createdNoneNone
csi_operations_seconds ALPHA Histogram Container Storage Interface operation duration with gRPC error code status total
driver_name
grpc_status_code
method_name
migrated
None
endpoint_slice_controller_changes ALPHA Counter Number of EndpointSlice changes
operation
None
endpoint_slice_controller_desired_endpoint_slices ALPHA Gauge Number of EndpointSlices that would exist with perfect endpoint allocationNoneNone
endpoint_slice_controller_endpoints_added_per_sync ALPHA Histogram Number of endpoints added on each Service syncNoneNone
endpoint_slice_controller_endpoints_desired ALPHA Gauge Number of endpoints desiredNoneNone
endpoint_slice_controller_endpoints_removed_per_sync ALPHA Histogram Number of endpoints removed on each Service syncNoneNone
endpoint_slice_controller_endpointslices_changed_per_sync ALPHA Histogram Number of EndpointSlices changed on each Service sync
topology
None
endpoint_slice_controller_num_endpoint_slices ALPHA Gauge Number of EndpointSlicesNoneNone
endpoint_slice_controller_syncs ALPHA Counter Number of EndpointSlice syncs
result
None
endpoint_slice_mirroring_controller_addresses_skipped_per_sync ALPHA Histogram Number of addresses skipped on each Endpoints sync due to being invalid or exceeding MaxEndpointsPerSubsetNoneNone
endpoint_slice_mirroring_controller_changes ALPHA Counter Number of EndpointSlice changes
operation
None
endpoint_slice_mirroring_controller_desired_endpoint_slices ALPHA Gauge Number of EndpointSlices that would exist with perfect endpoint allocationNoneNone
endpoint_slice_mirroring_controller_endpoints_added_per_sync ALPHA Histogram Number of endpoints added on each Endpoints syncNoneNone
endpoint_slice_mirroring_controller_endpoints_desired ALPHA Gauge Number of endpoints desiredNoneNone
endpoint_slice_mirroring_controller_endpoints_removed_per_sync ALPHA Histogram Number of endpoints removed on each Endpoints syncNoneNone
endpoint_slice_mirroring_controller_endpoints_sync_duration ALPHA Histogram Duration of syncEndpoints() in secondsNoneNone
endpoint_slice_mirroring_controller_endpoints_updated_per_sync ALPHA Histogram Number of endpoints updated on each Endpoints syncNoneNone
endpoint_slice_mirroring_controller_num_endpoint_slices ALPHA Gauge Number of EndpointSlicesNoneNone
ephemeral_volume_controller_create_failures_total ALPHA Counter Number of PersistenVolumeClaims creation requestsNoneNone
ephemeral_volume_controller_create_total ALPHA Counter Number of PersistenVolumeClaims creation requestsNoneNone
etcd_bookmark_counts ALPHA Gauge Number of etcd bookmarks (progress notify events) split by kind.
resource
None
etcd_lease_object_counts ALPHA Histogram Number of objects attached to a single etcd lease.NoneNone
etcd_request_duration_seconds ALPHA Histogram Etcd request latency in seconds for each operation and object type.
operation
type
None
etcd_version_info ALPHA Gauge Etcd server's binary version
binary_version
None
field_validation_request_duration_seconds ALPHA HistogramResponse latency distribution in seconds for each field validation value and whether field validation is enabled or not
enabled
field_validation
None
Response latency distribution in seconds for each field validation value
field_validation
force_cleaned_failed_volume_operation_errors_totalALPHACounterThe number of volumes that failed force cleanup after their reconstruction failed during kubelet startup.
force_cleaned_failed_volume_operations_totalALPHACounterThe number of volumes that were force cleaned after their reconstruction failed during kubelet startup. This includes both successful and failed cleanups.
garbagecollector_controller_resources_sync_error_total ALPHA Counter Number of garbage collector resources sync errorsNoneNone
get_token_count ALPHA Counter Counter of total Token() requests to the alternate token sourceNoneNone
get_token_fail_count ALPHA Counter Counter of failed Token() requests to the alternate token sourceNoneNone
job_controller_job_finished_totalALPHACounterThe number of finished job
completion_mode
reason
result
None
job_controller_job_pods_finished_totalALPHACounterThe number of finished Pods that are fully tracked
completion_mode
result
None
job_controller_job_sync_duration_seconds
horizontal_pod_autoscaler_controller_metric_computation_duration_seconds ALPHA HistogramThe time it took to sync a job
action
completion_mode
result
None
job_controller_job_sync_totalThe time(seconds) that the HPA controller takes to calculate one metric. The label 'action' should be either 'scale_down', 'scale_up', or 'none'. The label 'error' should be either 'spec', 'internal', or 'none'. The label 'metric_type' corresponds to HPA.spec.metrics[*].type
action
error
metric_type
horizontal_pod_autoscaler_controller_metric_computation_total ALPHA CounterThe number of job syncs
action
completion_mode
result
None
Number of metric computations. The label 'action' should be either 'scale_down', 'scale_up', or 'none'. Also, the label 'error' should be either 'spec', 'internal', or 'none'. The label 'metric_type' corresponds to HPA.spec.metrics[*].type
action
error
metric_type
horizontal_pod_autoscaler_controller_reconciliation_duration_secondsALPHAHistogramThe time(seconds) that the HPA controller takes to reconcile once. The label 'action' should be either 'scale_down', 'scale_up', or 'none'. Also, the label 'error' should be either 'spec', 'internal', or 'none'. Note that if both spec and internal errors happen during a reconciliation, the first one to occur is reported in `error` label.
action
error
horizontal_pod_autoscaler_controller_reconciliations_totalALPHACounterNumber of reconciliations of HPA controller. The label 'action' should be either 'scale_down', 'scale_up', or 'none'. Also, the label 'error' should be either 'spec', 'internal', or 'none'. Note that if both spec and internal errors happen during a reconciliation, the first one to occur is reported in `error` label.
action
error
job_controller_pod_failures_handled_by_failure_policy_total ALPHA Counter `The number of failed Pods handled by failure policy with, respect to the failure policy action applied based on the matched, rule. Possible values of the action label correspond to the, possible values for the failure policy rule action, which are:, "FailJob", "Ignore" and "Count".`
action
None
job_controller_terminated_pods_tracking_finalizer_total ALPHA Counter `The number of terminated pods (phase=Failed|Succeeded), that have the finalizer batch.kubernetes.io/job-tracking, The event label can be "add" or "delete".`
event
None
kube_apiserver_clusterip_allocator_allocated_ips ALPHA Gauge Gauge measuring the number of allocated IPs for Services
cidr
None
kube_apiserver_clusterip_allocator_allocation_errors_total ALPHA Counter Number of errors trying to allocate Cluster IPs
cidr
scope
None
kube_apiserver_clusterip_allocator_allocation_total ALPHA Counter Number of Cluster IPs allocations
cidr
scope
None
kube_apiserver_clusterip_allocator_available_ips ALPHA Gauge Gauge measuring the number of available IPs for Services
cidr
None
kube_apiserver_nodeport_allocator_allocated_portsALPHAGaugeGauge measuring the number of allocated NodePorts for Services
kube_apiserver_nodeport_allocator_allocation_errors_totalALPHACounterNumber of errors trying to allocate NodePort
scope
kube_apiserver_nodeport_allocator_allocation_totalALPHACounterNumber of NodePort allocations
scope
kube_apiserver_nodeport_allocator_available_portsALPHAGaugeGauge measuring the number of available NodePorts for Services
kube_apiserver_pod_logs_backend_tls_failure_totalALPHACounterTotal number of requests for pods/logs that failed due to kubelet server TLS verification
kube_apiserver_pod_logs_insecure_backend_totalALPHACounterTotal number of requests for pods/logs sliced by usage type: enforce_tls, skip_tls_allowed, skip_tls_denied
usage
kube_apiserver_pod_logs_pods_logs_backend_tls_failure_total ALPHA Counter Total number of requests for pods/logs that failed due to kubelet server TLS verificationNoneNone
1.27.0
kube_apiserver_pod_logs_pods_logs_insecure_backend_total ALPHA Counter Total number of requests for pods/logs sliced by usage type: enforce_tls, skip_tls_allowed, skip_tls_denied
usage
None
kube_pod_resource_limit1.27.0
kubelet_active_pods ALPHACustomResources limit for workloads on the cluster, broken down by pod. This shows the resource usage the scheduler and kubelet expect per pod for resources along with the unit for the resource if any.
namespace
pod
node
scheduler
priority
resource
unit
None
kube_pod_resource_requestALPHACustomResources requested by workloads on the cluster, broken down by pod. This shows the resource usage the scheduler and kubelet expect per pod for resources along with the unit for the resource if any.
namespace
pod
node
scheduler
priority
resource
unit
None
GaugeThe number of pods the kubelet considers active and which are being considered when admitting new pods. static is true if the pod is not from the apiserver.
static
kubelet_certificate_manager_client_expiration_renew_errors ALPHA Counter Counter of certificate renewal errors.NoneNone
kubelet_certificate_manager_client_ttl_seconds ALPHA Gauge Gauge of the TTL (time-to-live) of the Kubelet's client certificate. The value is in seconds until certificate expiry (negative if already expired). If client certificate is invalid or unused, the value will be +INF.NoneNone
kubelet_certificate_manager_server_rotation_seconds ALPHA Histogram Histogram of the number of seconds the previous certificate lived before being rotated.NoneNone
kubelet_certificate_manager_server_ttl_seconds ALPHA Gauge Gauge of the shortest TTL (time-to-live) of the Kubelet's serving certificate. The value is in seconds until certificate expiry (negative if already expired). If serving certificate is invalid or unused, the value will be +INF.NoneNone
kubelet_cgroup_manager_duration_seconds ALPHA Histogram Duration in seconds for cgroup manager operations. Broken down by method.
operation_type
None
kubelet_container_log_filesystem_used_bytes ALPHA Custom Bytes used by the container's logs on the filesystem.
uid
namespace
pod
container
None
kubelet_containers_per_pod_count ALPHA Histogram The number of containers per pod.NoneNone
kubelet_cpu_manager_pinning_errors_total ALPHA Counter The number of cpu core allocations which required pinning failed.NoneNone
kubelet_cpu_manager_pinning_requests_total ALPHA Counter The number of cpu core allocations which required pinning.NoneNone
kubelet_credential_provider_plugin_durationALPHAHistogramDuration of execution in seconds for credential provider plugin
plugin_name
kubelet_credential_provider_plugin_errorsALPHACounterNumber of errors from credential provider plugin
plugin_name
kubelet_desired_podsALPHAGaugeThe number of pods the kubelet is being instructed to run. static is true if the pod is not from the apiserver.
static
kubelet_device_plugin_alloc_duration_seconds ALPHA Histogram Duration in seconds to serve a device plugin Allocation request. Broken down by resource name.
resource_name
None
kubelet_device_plugin_registration_total ALPHA Counter Cumulative number of device plugin registrations. Broken down by resource name.
resource_name
None
kubelet_evented_pleg_connection_error_countALPHACounterThe number of errors encountered during the establishment of streaming connection with the CRI runtime.
kubelet_evented_pleg_connection_latency_secondsALPHAHistogramThe latency of streaming connection with the CRI runtime, measured in seconds.
kubelet_evented_pleg_connection_success_countALPHACounterThe number of times a streaming client was obtained to receive CRI Events.
kubelet_eviction_stats_age_seconds ALPHA Histogram Time between when stats are collected, and when pod is evicted based on those stats by eviction signal
eviction_signal
None
kubelet_evictions ALPHA Counter Cumulative number of pod evictions by eviction signal
eviction_signal
None
kubelet_graceful_shutdown_end_time_seconds ALPHA Gauge Last graceful shutdown start time since unix epoch in secondsNoneNone
kubelet_graceful_shutdown_start_time_seconds ALPHA Gauge Last graceful shutdown start time since unix epoch in secondsNoneNone
kubelet_http_inflight_requests ALPHA Gauge Number of the inflight http requests
long_running
method
path
server_type
None
kubelet_http_requests_duration_seconds ALPHA Histogram Duration in seconds to serve http requests
long_running
method
path
server_type
None
kubelet_http_requests_total ALPHA Counter Number of the http requests received since the server started
long_running
method
path
server_type
None
kubelet_kubelet_credential_provider_plugin_durationALPHAHistogramDuration of execution in seconds for credential provider plugin
plugin_name
None
kubelet_kubelet_credential_provider_plugin_errorsALPHACounterNumber of errors from credential provider plugin
plugin_name
None
kubelet_lifecycle_handler_http_fallbacks_total ALPHA Counter The number of times lifecycle handlers successfully fell back to http from https.NoneNone
kubelet_managed_ephemeral_containers ALPHA GaugeCurrent number of ephemeral containers in pods managed by this kubelet. Ephemeral containers will be ignored if disabled by the EphemeralContainers feature gate, and this number will be 0.NoneNone
Current number of ephemeral containers in pods managed by this kubelet.
kubelet_mirror_podsALPHAGaugeThe number of mirror pods the kubelet will try to create (one per admitted static pod)
kubelet_node_name ALPHA Gauge The node's name. The count is always 1.
node
None
kubelet_orphan_pod_cleaned_volumesALPHAGaugeThe total number of orphaned Pods whose volumes were cleaned in the last periodic sweep.
kubelet_orphan_pod_cleaned_volumes_errorsALPHAGaugeThe number of orphaned Pods whose volumes failed to be cleaned in the last periodic sweep.
kubelet_orphaned_runtime_pods_totalALPHACounterNumber of pods that have been detected in the container runtime without being already known to the pod worker. This typically indicates the kubelet was restarted while a pod was force deleted in the API or in the local configuration, which is unusual.
kubelet_pleg_discard_events ALPHA Counter The number of discard events in PLEG.NoneNone
kubelet_pleg_last_seen_seconds ALPHA Gauge Timestamp in seconds when PLEG was last seen active.NoneNone
kubelet_pleg_relist_duration_seconds ALPHA Histogram Duration in seconds for relisting pods in PLEG.NoneNone
kubelet_pleg_relist_interval_seconds ALPHA Histogram Interval in seconds between relisting in PLEG.NoneNone
kubelet_pod_resources_endpoint_errors_getALPHACounterNumber of requests to the PodResource Get endpoint which returned error. Broken down by server api version.
server_api_version
kubelet_pod_resources_endpoint_errors_get_allocatable ALPHA Counter Number of requests to the PodResource GetAllocatableResources endpoint which returned error. Broken down by server api version.
server_api_version
None
kubelet_pod_resources_endpoint_errors_list ALPHA Counter Number of requests to the PodResource List endpoint which returned error. Broken down by server api version.
server_api_version
None
kubelet_pod_resources_endpoint_requests_getALPHACounterNumber of requests to the PodResource Get endpoint. Broken down by server api version.
server_api_version
kubelet_pod_resources_endpoint_requests_get_allocatable ALPHA Counter Number of requests to the PodResource GetAllocatableResources endpoint. Broken down by server api version.
server_api_version
None
kubelet_pod_resources_endpoint_requests_list ALPHA Counter Number of requests to the PodResource List endpoint. Broken down by server api version.
server_api_version
None
kubelet_pod_resources_endpoint_requests_total ALPHA Counter Cumulative number of requests to the PodResource endpoint. Broken down by server api version.
server_api_version
None
kubelet_pod_start_duration_seconds ALPHA Histogram Duration in seconds from kubelet seeing a pod for the first time to the pod starting to runNoneNone
kubelet_pod_start_sli_duration_secondsALPHAHistogramDuration in seconds to start a pod, excluding time to pull images and run init containers, measured from pod creation timestamp to when all its containers are reported as started and observed via watch
kubelet_pod_status_sync_duration_seconds ALPHA Histogram Duration in seconds to sync a pod status update. Measures time from detection of a change to pod status until the API is successfully updated for that pod, even if multiple intevening changes to pod status occur.NoneNone
kubelet_pod_worker_duration_seconds ALPHA Histogram Duration in seconds to sync a single pod. Broken down by operation type: create, update, or sync
operation_type
None
kubelet_pod_worker_start_duration_seconds ALPHA Histogram Duration in seconds from kubelet seeing a pod to starting a worker.NoneNone
kubelet_preemptions ALPHA Counter Cumulative number of pod preemptions by preemption resource
preemption_signal
None
kubelet_restarted_pods_totalALPHACounterNumber of pods that have been restarted because they were deleted and recreated with the same UID while the kubelet was watching them (common for static pods, extremely uncommon for API pods)
static
kubelet_run_podsandbox_duration_seconds ALPHA Histogram Duration in seconds of the run_podsandbox operations. Broken down by RuntimeClass.Handler.
runtime_handler
None
kubelet_run_podsandbox_errors_total ALPHA Counter Cumulative number of the run_podsandbox operation errors by RuntimeClass.Handler.
runtime_handler
None
kubelet_running_containers ALPHA Gauge Number of containers currently running
container_state
None
kubelet_running_pods ALPHA Gauge Number of pods that have a running pod sandboxNoneNone
kubelet_runtime_operations_duration_seconds ALPHA Histogram Duration in seconds of runtime operations. Broken down by operation type.
operation_type
None
kubelet_runtime_operations_errors_total ALPHA Counter Cumulative number of runtime operation errors by operation type.
operation_type
None
kubelet_runtime_operations_total ALPHA Counter Cumulative number of runtime operations by operation type.
operation_type
None
kubelet_server_expiration_renew_errors ALPHA Counter Counter of certificate renewal errors.NoneNone
kubelet_started_containers_errors_total ALPHA Counter Cumulative number of errors when starting containers
code
container_type
None
kubelet_started_containers_total ALPHA Counter Cumulative number of containers started
container_type
None
kubelet_started_host_process_containers_errors_total ALPHA Counter Cumulative number of errors when starting hostprocess containers. This metric will only be collected on Windows and requires WindowsHostProcessContainers feature gate to be enabled.
code
container_type
None
kubelet_started_host_process_containers_total ALPHA Counter Cumulative number of hostprocess containers started. This metric will only be collected on Windows and requires WindowsHostProcessContainers feature gate to be enabled.
container_type
None
kubelet_started_pods_errors_total ALPHA Counter Cumulative number of errors when starting podsNoneNone
kubelet_started_pods_total ALPHA Counter Cumulative number of pods startedNoneNone
kubelet_topology_manager_admission_duration_msALPHAHistogramDuration in milliseconds to serve a pod admission request.
kubelet_topology_manager_admission_errors_totalALPHACounterThe number of admission request failures where resources could not be aligned.
kubelet_topology_manager_admission_requests_totalALPHACounterThe number of admission requests where resources have to be aligned.
kubelet_volume_metric_collection_duration_seconds ALPHA Histogram Duration in seconds to calculate volume stats
metric_source
None
kubelet_volume_stats_available_bytes ALPHA Custom Number of available bytes in the volume
namespace
persistentvolumeclaim
None
kubelet_volume_stats_capacity_bytes ALPHA Custom Capacity in bytes of the volume
namespace
persistentvolumeclaim
None
kubelet_volume_stats_health_status_abnormal ALPHA Custom Abnormal volume health status. The count is either 1 or 0. 1 indicates the volume is unhealthy, 0 indicates volume is healthy
namespace
persistentvolumeclaim
None
kubelet_volume_stats_inodes ALPHA Custom Maximum number of inodes in the volume
namespace
persistentvolumeclaim
None
kubelet_volume_stats_inodes_free ALPHA Custom Number of free inodes in the volume
namespace
persistentvolumeclaim
None
kubelet_volume_stats_inodes_used ALPHA Custom Number of used inodes in the volume
namespace
persistentvolumeclaim
None
kubelet_volume_stats_used_bytes ALPHA Custom Number of used bytes in the volume
namespace
persistentvolumeclaim
None
kubelet_working_podsALPHAGaugeNumber of pods the kubelet is actually running, broken down by lifecycle phase, whether the pod is desired, orphaned, or runtime only (also orphaned), and whether the pod is static. An orphaned pod has been removed from local configuration or force deleted in the API and consumes resources that are not otherwise visible.
config
lifecycle
static
kubeproxy_network_programming_duration_seconds ALPHA Histogram In Cluster Network Programming Latency in secondsNoneNone
kubeproxy_sync_proxy_rules_duration_seconds ALPHA Histogram SyncProxyRules latency in secondsNoneNone
kubeproxy_sync_proxy_rules_endpoint_changes_pending ALPHA Gauge Pending proxy rules Endpoint changesNoneNone
kubeproxy_sync_proxy_rules_endpoint_changes_total ALPHA Counter Cumulative proxy rules Endpoint changesNoneNone
kubeproxy_sync_proxy_rules_iptables_partial_restore_failures_totalALPHACounterCumulative proxy iptables partial restore failures
kubeproxy_sync_proxy_rules_iptables_restore_failures_total ALPHA Counter Cumulative proxy iptables restore failuresNoneNone
kubeproxy_sync_proxy_rules_iptables_total ALPHA Gauge Number of proxy iptables rules programmed
table
None
kubeproxy_sync_proxy_rules_last_queued_timestamp_seconds ALPHA Gauge The last time a sync of proxy rules was queuedNoneNone
kubeproxy_sync_proxy_rules_last_timestamp_seconds ALPHA Gauge The last time proxy rules were successfully syncedNoneNone
kubeproxy_sync_proxy_rules_no_local_endpoints_total ALPHA Gauge Number of services with a Local traffic policy and no endpoints
traffic_policy
None
kubeproxy_sync_proxy_rules_service_changes_pending ALPHA Gauge Pending proxy rules Service changesNoneNone
kubeproxy_sync_proxy_rules_service_changes_total ALPHA Counter Cumulative proxy rules Service changesNoneNone
kubernetes_build_info ALPHA Gauge A metric with a constant '1' value labeled by major, minor, git version, git commit, git tree state, build date, Go version, and compiler from which Kubernetes was built, and platform on which it is running.
build_date
compiler
git_commit
git_tree_state
git_version
go_version
major
minor
platform
None
kubernetes_feature_enabled ALPHA Gauge This metric records the data about the stage and enablement of a k8s feature.
name
stage
None
kubernetes_healthcheck ALPHA Gauge This metric records the result of a single healthcheck.
name
type
None
kubernetes_healthchecks_total ALPHA Counter This metric records the results of all healthcheck.
name
status
type
None
leader_election_master_status ALPHA Gauge Gauge of if the reporting system is master of the relevant lease, 0 indicates backup, 1 indicates master. 'name' is the string used to identify the lease. Please make sure to group by name.
name
None
node_authorizer_graph_actions_duration_seconds ALPHA Histogram Histogram of duration of graph actions in node authorizer.
operation
None
node_collector_evictions_numberALPHACounterNumber of Node evictions that happened since current instance of NodeController started, This metric is replaced by node_collector_evictions_total.
zone
None
node_collector_unhealthy_nodes_in_zone ALPHA Gauge Gauge measuring number of not Ready Nodes per zones.
zone
None
node_collector_update_all_nodes_health_duration_secondsALPHAHistogramDuration in seconds for NodeController to update the health of all nodes.
node_collector_update_node_health_duration_secondsALPHAHistogramDuration in seconds for NodeController to update the health of a single node.
node_collector_zone_health ALPHA Gauge Gauge measuring percentage of healthy nodes per zone.
zone
None
node_collector_zone_size ALPHA Gauge Gauge measuring number of registered Nodes per zones.
zone
None
node_cpu_usage_seconds_total ALPHA Custom Cumulative cpu time consumed by the node in core-secondsNoneNone
node_ipam_controller_cidrset_allocation_tries_per_request ALPHA Histogram Number of endpoints added on each Service sync
clusterCIDR
None
node_ipam_controller_cidrset_cidrs_allocations_total ALPHA Counter Counter measuring total number of CIDR allocations.
clusterCIDR
None
node_ipam_controller_cidrset_cidrs_releases_total ALPHA Counter Counter measuring total number of CIDR releases.
clusterCIDR
None
node_ipam_controller_cidrset_usage_cidrs ALPHA Gauge Gauge measuring percentage of allocated CIDRs.
clusterCIDR
None
node_ipam_controller_cirdset_max_cidrsALPHAGaugeMaximum number of CIDRs that can be allocated.
clusterCIDR
node_ipam_controller_multicidrset_allocation_tries_per_request ALPHA Histogram Histogram measuring CIDR allocation tries per request.
clusterCIDR
None
node_ipam_controller_multicidrset_cidrs_allocations_total ALPHA Counter Counter measuring total number of CIDR allocations.
clusterCIDR
None
node_ipam_controller_multicidrset_cidrs_releases_total ALPHA Counter Counter measuring total number of CIDR releases.
clusterCIDR
None
node_ipam_controller_multicidrset_usage_cidrs ALPHA Gauge Gauge measuring percentage of allocated CIDRs.
clusterCIDR
None
node_ipam_controller_multicirdset_max_cidrsALPHAGaugeMaximum number of CIDRs that can be allocated.
clusterCIDR
node_memory_working_set_bytes ALPHA Custom Current working set of the node in bytesNoneNone
number_of_l4_ilbs ALPHA Gauge Number of L4 ILBs
feature
None
plugin_manager_total_plugins ALPHA Custom Number of plugins in Plugin Manager
socket_path
state
None
pod_cpu_usage_seconds_total ALPHA Custom Cumulative cpu time consumed by the pod in core-seconds
pod
namespace
None
pod_gc_collector_force_delete_pod_errors_totalALPHACounterNumber of errors encountered when forcefully deleting the pods since the Pod GC Controller started.
pod_gc_collector_force_delete_pods_totalALPHACounterNumber of pods that are being forcefully deleted since the Pod GC Controller started.
pod_memory_working_set_bytes ALPHA Custom Current working set of the pod in bytes
pod
namespace
None
pod_security_errors_total ALPHA Counter Number of errors preventing normal evaluation. Non-fatal errors may result in the latest restricted profile being used for evaluation.
fatal
request_operation
resource
subresource
None
pod_security_evaluations_total ALPHA Counter Number of policy evaluations that occurred, not counting ignored or exempt requests.
decision
mode
policy_level
policy_version
request_operation
resource
subresource
None
pod_security_exemptions_total ALPHA Counter Number of exempt requests, not counting ignored or out of scope requests.
request_operation
resource
subresource
None
prober_probe_duration_seconds ALPHA Histogram Duration in seconds for a probe response.
container
namespace
pod
probe_type
None
prober_probe_total ALPHA Counter Cumulative number of a liveness, readiness or startup probe for a container by result.
container
namespace
pod
pod_uid
probe_type
result
None
pv_collector_bound_pv_count ALPHA Custom Gauge measuring number of persistent volume currently bound
storage_class
None
pv_collector_bound_pvc_count ALPHA Custom Gauge measuring number of persistent volume claim currently bound
namespace
None
pv_collector_total_pv_count ALPHA Custom Gauge measuring total number of persistent volumes
plugin_name
volume_mode
None
pv_collector_unbound_pv_count ALPHA Custom Gauge measuring number of persistent volume currently unbound
storage_class
None
pv_collector_unbound_pvc_count ALPHA Custom Gauge measuring number of persistent volume claim currently unbound
namespace
None
reconstruct_volume_operations_errors_totalALPHACounterThe number of volumes that failed reconstruction from the operating system during kubelet startup.
reconstruct_volume_operations_totalALPHACounterThe number of volumes that were attempted to be reconstructed from the operating system during kubelet startup. This includes both successful and failed reconstruction.
replicaset_controller_sorting_deletion_age_ratio ALPHA Histogram The ratio of chosen deleted pod's ages to the current youngest pod's age (at the time). Should be <2.The intent of this metric is to measure the rough efficacy of the LogarithmicScaleDown feature gate's effect onthe sorting (and deletion) of pods when a replicaset scales down. This only considers Ready pods when calculating and reporting.NoneNone
resourceclaim_controller_create_attempts_totalALPHACounterNumber of ResourceClaims creation requests
resourceclaim_controller_create_failures_totalALPHACounterNumber of ResourceClaims creation request failures
rest_client_exec_plugin_call_total ALPHA Counter Number of calls to an exec plugin, partitioned by the type of event encountered (no_error, plugin_execution_error, plugin_not_found_error, client_internal_error) and an optional exit code. The exit code will be set to 0 if and only if the plugin call was successful.
call_status
code
None
rest_client_exec_plugin_certificate_rotation_age ALPHA Histogram Histogram of the number of seconds the last auth exec plugin client certificate lived before being rotated. If auth exec plugin client certificates are unused, histogram will contain no data.NoneNone
rest_client_exec_plugin_ttl_seconds ALPHA Gauge Gauge of the shortest TTL (time-to-live) of the client certificate(s) managed by the auth exec plugin. The value is in seconds until certificate expiry (negative if already expired). If auth exec plugins are unused or manage no TLS certificates, the value will be +INF.NoneNone
rest_client_rate_limiter_duration_seconds ALPHA Histogram Client side rate limiter latency in seconds. Broken down by verb, and host.
host
verb
None
rest_client_request_duration_seconds ALPHA Histogram Request latency in seconds. Broken down by verb, and host.
host
verb
None
rest_client_request_retries_totalALPHACounterNumber of request retries, partitioned by status code, verb, and host.
code
host
verb
rest_client_request_size_bytes ALPHA Histogram Request size in bytes. Broken down by verb and host.
host
verb
None
rest_client_requests_total ALPHA Counter Number of HTTP requests, partitioned by status code, method, and host.
code
host
method
None
rest_client_response_size_bytes ALPHA Histogram Response size in bytes. Broken down by verb and host.
host
verb
None
retroactive_storageclass_errors_total ALPHA Counter Total number of failed retroactive StorageClass assignments to persistent volume claimNoneNone
retroactive_storageclass_total ALPHA Counter Total number of retroactive StorageClass assignments to persistent volume claimNoneNone
root_ca_cert_publisher_sync_duration_seconds ALPHA Histogram Number of namespace syncs happened in root ca cert publisher.
code
None
root_ca_cert_publisher_sync_total ALPHA Counter Number of namespace syncs happened in root ca cert publisher.
code
None
running_managed_controllers ALPHA Gauge Indicates where instances of a controller are currently running
manager
name
None
scheduler_e2e_scheduling_duration_secondsALPHAHistogramE2e scheduling latency in seconds (scheduling algorithm + binding). This metric is replaced by scheduling_attempt_duration_seconds.
profile
result
None
scheduler_goroutines ALPHA Gauge Number of running goroutines split by the work they do such as binding.
operation
None
scheduler_permit_wait_duration_seconds ALPHA Histogram Duration of waiting on permit.
result
None
scheduler_plugin_evaluation_totalALPHACounterNumber of attempts to schedule pods by each plugin and the extension point (available only in PreFilter and Filter.).
extension_point
plugin
profile
scheduler_plugin_execution_duration_seconds ALPHA Histogram Duration for running a plugin at a specific extension point.
extension_point
plugin
status
None
scheduler_scheduler_cache_size ALPHA Gauge Number of nodes, pods, and assumed (bound) pods in the scheduler cache.
type
None
scheduler_scheduler_goroutines ALPHA Gauge Number of running goroutines split by the work they do such as binding. This metric is replaced by the \"goroutines\" metric.
work
None
1.26.0
scheduler_scheduling_algorithm_duration_seconds ALPHA Histogram Scheduling algorithm latency in secondsNoneNone
scheduler_unschedulable_pods ALPHA Gauge The number of unschedulable pods broken down by plugin name. A pod will increment the gauge for all plugins that caused it to not schedule and so this metric have meaning only when broken down by plugin.
plugin
profile
None
scheduler_volume_binder_cache_requests_total ALPHA Counter Total number for request volume binding cache
operation
None
scheduler_volume_scheduling_stage_error_total ALPHA Counter Volume scheduling stage error count
operation
None
scrape_error ALPHA Custom 1 if there was an error while getting container metrics, 0 otherwiseNoneNone
service_controller_loadbalancer_sync_totalALPHACounterA metric counting the amount of times any load balancer has been configured, as an effect of service/node changes on the cluster
service_controller_nodesync_error_totalALPHACounterA metric counting the amount of times any load balancer has been configured and errored, as an effect of node changes on the cluster
service_controller_nodesync_latency_seconds ALPHA Histogram A metric measuring the latency for nodesync which updates loadbalancer hosts on cluster node updates.NoneNone
service_controller_update_loadbalancer_host_latency_seconds ALPHA Histogram A metric measuring the latency for updating each load balancer hosts.NoneNone
serviceaccount_legacy_tokens_total ALPHA Counter Cumulative legacy service account tokens usedNoneNone
serviceaccount_stale_tokens_total ALPHA Counter Cumulative stale projected service account tokens usedNoneNone
serviceaccount_valid_tokens_total ALPHA Counter Cumulative valid projected service account tokens usedNoneNone
storage_count_attachable_volumes_in_use ALPHA Custom Measure number of volumes in use
node
volume_plugin
None
storage_operation_duration_seconds ALPHA Histogram Storage operation duration
migrated
operation_name
status
volume_plugin
None
ttl_after_finished_controller_job_deletion_duration_seconds ALPHA Histogram The time it took to delete the job since it became eligible for deletionNoneNone
volume_manager_selinux_container_errors_total ALPHA Gauge Number of errors when kubelet cannot compute SELinux context for a container. Kubelet can't start such a Pod then and it will retry, therefore value of this metric may not represent the actual nr. of containers.NoneNone
volume_manager_selinux_container_warnings_total ALPHA Gauge Number of errors when kubelet cannot compute SELinux context for a container that are ignored. They will become real errors when SELinuxMountReadWriteOncePod feature is expanded to all volume access modes.NoneNone
volume_manager_selinux_pod_context_mismatch_errors_total ALPHA Gauge Number of errors when a Pod defines different SELinux contexts for its containers that use the same volume. Kubelet can't start such a Pod then and it will retry, therefore value of this metric may not represent the actual nr. of Pods.NoneNone
volume_manager_selinux_pod_context_mismatch_warnings_total ALPHA Gauge Number of errors when a Pod defines different SELinux contexts for its containers that use the same volume. They are not errors yet, but they will become real errors when SELinuxMountReadWriteOncePod feature is expanded to all volume access modes.NoneNone
volume_manager_selinux_volume_context_mismatch_errors_total ALPHA Gauge Number of errors when a Pod uses a volume that is already mounted with a different SELinux context than the Pod needs. Kubelet can't start such a Pod then and it will retry, therefore value of this metric may not represent the actual nr. of Pods.NoneNone
volume_manager_selinux_volume_context_mismatch_warnings_total ALPHA Gauge Number of errors when a Pod uses a volume that is already mounted with a different SELinux context than the Pod needs. They are not errors yet, but they will become real errors when SELinuxMountReadWriteOncePod feature is expanded to all volume access modes.NoneNone
volume_manager_selinux_volumes_admitted_total ALPHA Gauge Number of volumes whose SELinux context was fine and will be mounted with mount -o context option.NoneNone
volume_manager_total_volumes ALPHA Custom Number of volumes in Volume Manager
plugin_name
state
None
volume_operation_total_errors ALPHA Counter Total volume operation errors
operation_name
plugin_name
None
volume_operation_total_seconds ALPHA Histogram Storage operation end to end duration in seconds
operation_name
plugin_name
None
watch_cache_capacity ALPHA Gauge Total capacity of watch cache broken by resource type.
resource
None
watch_cache_capacity_decrease_total ALPHA Counter Total number of watch cache capacity decrease events broken by resource type.
resource
None
watch_cache_capacity_increase_total ALPHA Counter Total number of watch cache capacity increase events broken by resource type.
resource
None
workqueue_adds_total ALPHA Counter Total number of adds handled by workqueue
name
None
workqueue_depth ALPHA Gauge Current depth of workqueue
name
None
workqueue_longest_running_processor_seconds ALPHA Gauge How many seconds has the longest running processor for workqueue been running.
name
None
workqueue_queue_duration_seconds ALPHA Histogram How long in seconds an item stays in workqueue before being requested.
name
None
workqueue_retries_total ALPHA Counter Total number of retries handled by workqueue
name
None
workqueue_unfinished_work_seconds ALPHA Gauge How many seconds of work has done that is in progress and hasn't been observed by work_duration. Large values indicate stuck threads. One can deduce the number of stuck threads by observing the rate at which this increases.
name
None
workqueue_work_duration_seconds ALPHA Histogram How long in seconds processing an item from workqueue takes.
name
None
From 6054c6c8d282f0bd59d8f0b39e8e12b7875a58bb Mon Sep 17 00:00:00 2001 From: ystkfujii Date: Wed, 29 Mar 2023 01:19:27 +0900 Subject: [PATCH 063/272] [ja] remove IdentifyPodOS in feature-gates --- .../reference/command-line-tools-reference/feature-gates.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/content/ja/docs/reference/command-line-tools-reference/feature-gates.md b/content/ja/docs/reference/command-line-tools-reference/feature-gates.md index 436a80752da..153bd8fb104 100644 --- a/content/ja/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/ja/docs/reference/command-line-tools-reference/feature-gates.md @@ -264,9 +264,6 @@ content_type: concept | `ExpandPersistentVolumes` | `false` | Alpha | 1.8 | 1.10 | | `ExpandPersistentVolumes` | `true` | Beta | 1.11 | 1.23 | | `ExpandPersistentVolumes` | `true` | GA | 1.24 |- | -| `IdentifyPodOS` | `false` | Alpha | 1.23 | 1.23 | -| `IdentifyPodOS` | `true` | Beta | 1.24 | 1.24 | -| `IdentifyPodOS` | `true` | GA | 1.25 | - | | `JobTrackingWithFinalizers` | `false` | Alpha | 1.22 | 1.22 | | `JobTrackingWithFinalizers` | `false` | Beta | 1.23 | 1.24 | | `JobTrackingWithFinalizers` | `true` | Beta | 1.25 | 1.25 | From 7168071c756138180001d48f8c36a6908e84d247 Mon Sep 17 00:00:00 2001 From: Alexander Zielenski <351783+alexzielenski@users.noreply.github.com> Date: Tue, 21 Mar 2023 14:55:55 -0700 Subject: [PATCH 065/272] regenerate cli docs --- .../generated/kubectl/kubectl-commands.html | 1270 ++++++----------- .../reference/generated/kubectl/navData.js | 2 +- .../jquery.scrollto/jquery.scrollTo.min.js | 14 +- .../node_modules/jquery/dist/jquery.min.js | 4 +- 4 files changed, 411 insertions(+), 879 deletions(-) diff --git a/static/docs/reference/generated/kubectl/kubectl-commands.html b/static/docs/reference/generated/kubectl/kubectl-commands.html index d2a59477231..4fff80b171a 100644 --- a/static/docs/reference/generated/kubectl/kubectl-commands.html +++ b/static/docs/reference/generated/kubectl/kubectl-commands.html @@ -12,7 +12,7 @@ - +
  • example

GETTING STARTED

@@ -38,11 +38,12 @@ inspect them.

cat pod.json | kubectl create -f -
-

Edit the data in registry.yaml in JSON then create the resource using the edited data

+

Edit the data in docker-registry.yaml in JSON then create the resource using the edited data

-
kubectl create -f registry.yaml --edit -o json
+
kubectl create -f docker-registry.yaml --edit -o json
 

-
Create a resource from a file or from stdin.

 JSON and YAML formats are accepted.

+
Create a resource from a file or from stdin.

+
 JSON and YAML formats are accepted.

 
Usage

 
$ kubectl create -f FILENAME

 
Flags

@@ -96,7 +97,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 raw
@@ -126,7 +127,7 @@ inspect them.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 show-managed-fields
@@ -143,8 +144,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 windows-line-endings
@@ -169,7 +170,7 @@ inspect them.

 

 
 Create a cluster role named "foo" with API Group specified

 

-
kubectl create clusterrole foo --verb=get,list,watch --resource=rs.apps
+
kubectl create clusterrole foo --verb=get,list,watch --resource=rs.extensions
 

 

 
 Create a cluster role named "foo" with SubResource specified

@@ -234,7 +235,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 resource
@@ -269,8 +270,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 verb
@@ -329,13 +330,13 @@ inspect them.

 group
 
 []
-Groups to bind to the clusterrole. The flag can be repeated to add multiple groups. 
+Groups to bind to the clusterrole 
 
 
 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 save-config
@@ -347,7 +348,7 @@ inspect them.

 serviceaccount
 
 []
-Service accounts to bind to the clusterrole, in the format <namespace>:<name>. The flag can be repeated to add multiple service accounts. 
+Service accounts to bind to the clusterrole, in the format <namespace>:<name> 
 
 
 show-managed-fields
@@ -362,16 +363,10 @@ inspect them.

 Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. 
 
 
-user
-
-[]
-Usernames to bind to the clusterrole. The flag can be repeated to add multiple users. 
-
-
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 
@@ -400,7 +395,7 @@ inspect them.

 

 
 Create a new config map named my-config from an env file

 

-
kubectl create configmap my-config --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env
+
kubectl create configmap my-config --from-env-file=path/to/bar.env
 

 
Create a config map based on a file, directory, or specified literal value.

 
 A single config map may package one or more key/value pairs.

@@ -446,8 +441,8 @@ inspect them.

 
 from-env-file
 
-[]
-Specify the path to a file to read lines of key=val pairs to create a configmap. 
+
+Specify the path to a file to read lines of key=val pairs to create a configmap (i.e. a Docker .env file). 
 
 
 from-file
@@ -465,7 +460,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 save-config
@@ -488,8 +483,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 
@@ -547,7 +542,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 restart
@@ -582,8 +577,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 
@@ -651,7 +646,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 port
@@ -686,8 +681,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 
@@ -798,7 +793,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 rule
@@ -827,8 +822,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 
@@ -897,7 +892,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 save-config
@@ -920,8 +915,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 
@@ -968,7 +963,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 save-config
@@ -991,8 +986,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 
@@ -1056,7 +1051,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 save-config
@@ -1085,8 +1080,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 
@@ -1155,7 +1150,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 preemption-policy
@@ -1184,8 +1179,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 value
@@ -1249,7 +1244,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 save-config
@@ -1278,8 +1273,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 
@@ -1298,7 +1293,7 @@ inspect them.

 

 
 Create a role named "foo" with API Group specified

 

-
kubectl create role foo --verb=get,list,watch --resource=rs.apps
+
kubectl create role foo --verb=get,list,watch --resource=rs.extensions
 

 

 
 Create a role named "foo" with SubResource specified

@@ -1341,7 +1336,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 resource
@@ -1376,8 +1371,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 verb
@@ -1436,13 +1431,13 @@ inspect them.

 group
 
 []
-Groups to bind to the role. The flag can be repeated to add multiple groups. 
+Groups to bind to the role 
 
 
 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 role
@@ -1460,7 +1455,7 @@ inspect them.

 serviceaccount
 
 []
-Service accounts to bind to the role, in the format <namespace>:<name>. The flag can be repeated to add multiple service accounts. 
+Service accounts to bind to the role, in the format <namespace>:<name> 
 
 
 show-managed-fields
@@ -1475,16 +1470,10 @@ inspect them.

 Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. 
 
 
-user
-
-[]
-Usernames to bind to the role. The flag can be repeated to add multiple users. 
-
-
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 
@@ -1508,13 +1497,13 @@ inspect them.

 
Create a new secret for use with Docker registries.

 
  Dockercfg secrets are used to authenticate against Docker registries.

 
  When using the Docker command line to push images, you can authenticate to a given registry by running:
-  '$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.

+    '$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.

 
 That produces a ~/.dockercfg file that is used by subsequent 'docker push' and 'docker pull' commands to authenticate to the registry. The email address is optional.

 
  When creating applications, you may have a Docker registry that requires authentication.  In order for the
   nodes to pull images on your behalf, they must have the credentials.  You can provide this information
   by creating a dockercfg secret and attaching it to your service account.

 
Usage

-
$ kubectl create secret docker-registry NAME --docker-username=user --docker-password=password --docker-email=email [--docker-server=string] [--from-file=[key=]source] [--dry-run=server|client|none]

+
$ kubectl create docker-registry NAME --docker-username=user --docker-password=password --docker-email=email [--docker-server=string] [--from-file=[key=]source] [--dry-run=server|client|none]

 
Flags

 
@@ -1584,7 +1573,7 @@ inspect them.

-
+
@@ -1607,8 +1596,8 @@ inspect them.

-
-
+
+

 
 
output
 o
 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 

 

 save-config
 

 validate
 strictMust be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 		trueIf true, use a schema to validate the input before sending it 
 

 
 

@@ -1635,16 +1624,16 @@ inspect them.

 
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret
 

 

-
 Create a new secret named my-secret from env files

+
 Create a new secret named my-secret from an env file

 

-
kubectl create secret generic my-secret --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env
+
kubectl create secret generic my-secret --from-env-file=path/to/bar.env
 

 
Create a secret based on a file, directory, or specified literal value.

 
 A single secret may package one or more key/value pairs.

 
 When creating a secret based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key or you wish to chose your own, you may specify an alternate key.

 
 When creating a secret based on a directory, each file whose basename is a valid key in the directory will be packaged into the secret. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc).

 
Usage

-
$ kubectl create secret generic NAME [--type=string] [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none]

+
$ kubectl create generic NAME [--type=string] [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none]

 
Flags

 
@@ -1683,8 +1672,8 @@ inspect them.

-
-
+
+
@@ -1702,7 +1691,7 @@ inspect them.

-
+
@@ -1731,8 +1720,8 @@ inspect them.

-
-
+
+

 
 

 from-env-file
 []Specify the path to a file to read lines of key=val pairs to create a secret. Specify the path to a file to read lines of key=val pairs to create a secret (i.e. a Docker .env file). 
 

 

 from-file
 output
 o
 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 

 

 save-config
 

 validate
 strictMust be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 		trueIf true, use a schema to validate the input before sending it 
 

 
 

@@ -1746,7 +1735,7 @@ inspect them.

 
Create a TLS secret from the given public/private key pair.

 
 The public/private key pair must exist beforehand. The public key certificate must be .PEM encoded and match the given private key.

 
Usage

-
$ kubectl create secret tls NAME --cert=path/to/cert/file --key=path/to/key/file [--dry-run=server|client|none]

+
$ kubectl create tls NAME --cert=path/to/cert/file --key=path/to/key/file [--dry-run=server|client|none]

 
Flags

 
@@ -1798,7 +1787,7 @@ inspect them.

-
+
@@ -1821,8 +1810,8 @@ inspect them.

-
-
+
+

 
 
output
 o
 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 

 

 save-config
 

 validate
 strictMust be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 		trueIf true, use a schema to validate the input before sending it 
 

 
 

@@ -1845,7 +1834,7 @@ inspect them.

 

 
Create a ClusterIP service with the specified name.

 
Usage

-
$ kubectl create service clusterip NAME [--tcp=<port>:<targetPort>] [--dry-run=server|client|none]

+
$ kubectl create clusterip NAME [--tcp=<port>:<targetPort>] [--dry-run=server|client|none]

 
Flags

 
@@ -1885,7 +1874,7 @@ inspect them.

-
+
@@ -1914,8 +1903,8 @@ inspect them.

-
-
+
+

 
 
output
 o
 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 

 

 save-config
 

 validate
 strictMust be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 		trueIf true, use a schema to validate the input before sending it 
 

 
 

@@ -1929,7 +1918,7 @@ inspect them.

 
Create an ExternalName service with the specified name.

 
 ExternalName service references to an external DNS address instead of only pods, which will allow application authors to reference services that exist off platform, on other clusters, or locally.

 
Usage

-
$ kubectl create service externalname NAME --external-name external.name [--dry-run=server|client|none]

+
$ kubectl create externalname NAME --external-name external.name [--dry-run=server|client|none]

 
Flags

 
@@ -1969,7 +1958,7 @@ inspect them.

-
+
@@ -1998,8 +1987,8 @@ inspect them.

-
-
+
+

 
 
output
 o
 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 

 

 save-config
 

 validate
 strictMust be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 		trueIf true, use a schema to validate the input before sending it 
 

 
 

@@ -2012,7 +2001,7 @@ inspect them.

 

 
Create a LoadBalancer service with the specified name.

 
Usage

-
$ kubectl create service loadbalancer NAME [--tcp=port:targetPort] [--dry-run=server|client|none]

+
$ kubectl create loadbalancer NAME [--tcp=port:targetPort] [--dry-run=server|client|none]

 
Flags

 
@@ -2046,7 +2035,7 @@ inspect them.

-
+
@@ -2075,8 +2064,8 @@ inspect them.

-
-
+
+

 
 
output
 o
 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 

 

 save-config
 

 validate
 strictMust be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 		trueIf true, use a schema to validate the input before sending it 
 

 
 

@@ -2089,7 +2078,7 @@ inspect them.

 

 
Create a NodePort service with the specified name.

 
Usage

-
$ kubectl create service nodeport NAME [--tcp=port:targetPort] [--dry-run=server|client|none]

+
$ kubectl create nodeport NAME [--tcp=port:targetPort] [--dry-run=server|client|none]

 
Flags

 
@@ -2129,7 +2118,7 @@ inspect them.

-
+
@@ -2158,8 +2147,8 @@ inspect them.

-
-
+
+

 
 
output
 o
 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 

 

 save-config
 

 validate
 strictMust be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 		trueIf true, use a schema to validate the input before sending it 
 

 
 

@@ -2206,7 +2195,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 save-config
@@ -2229,110 +2218,8 @@ inspect them.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
-
-
-
-

-
token

-

-
 Request a token to authenticate to the kube-apiserver as the service account "myapp" in the current namespace

-

-
kubectl create token myapp
-

-

-
 Request a token for a service account in a custom namespace

-

-
kubectl create token myapp --namespace myns
-

-

-
 Request a token with a custom expiration

-

-
kubectl create token myapp --duration 10m
-

-

-
 Request a token with a custom audience

-

-
kubectl create token myapp --audience https://example.com
-

-

-
 Request a token bound to an instance of a Secret object

-

-
kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret
-

-

-
 Request a token bound to an instance of a Secret object with a specific uid

-

-
kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret --bound-object-uid 0d4691ed-659b-4935-a832-355f77ee47cc
-

-
Request a service account token.

-
Usage

-
$ kubectl create token SERVICE_ACCOUNT_NAME

-
Flags

-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
NameShorthandDefaultUsage
allow-missing-template-keys
 trueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. 
audience[]Audience of the requested token. If unset, defaults to requesting a token for use with the Kubernetes API server. May be repeated to request a token valid for multiple audiences. 
bound-object-kindKind of an object to bind the token to. Supported kinds are Pod, Secret. If set, --bound-object-name must be provided. 
bound-object-nameName of an object to bind the token to. The token will expire when the object is deleted. Requires --bound-object-kind. 
bound-object-uidUID of an object to bind the token to. Requires --bound-object-kind and --bound-object-name. If unset, the UID of the existing object is used. 
duration0sRequested lifetime of the issued token. The server may return a token with a longer or shorter lifetime. 
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format. 
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. If true, use a schema to validate the input before sending it 
 

 
 

@@ -2393,12 +2280,11 @@ inspect them.

 

 
kubectl get rc/web service/frontend pods/web-pod-13je7
 

-

-
 List status subresource for a single pod.

-

-
kubectl get pod web-pod-13je7 --subresource status
-

-
Display one or many resources.

 Prints a table of the most important information about the specified resources. You can filter the list using a label selector and the --selector flag. If the desired resource type is namespaced you will only see results in your current namespace unless you pass --all-namespaces.

 By specifying the output as 'template' and providing a Go template as the value of the --template flag, you can filter the attributes of the fetched resources.

Use "kubectl api-resources" for a complete list of supported resources.

+
Display one or many resources.

+
 Prints a table of the most important information about the specified resources. You can filter the list using a label selector and the --selector flag. If the desired resource type is namespaced you will only see results in your current namespace unless you pass --all-namespaces.

+
 Uninitialized objects are not shown unless --include-uninitialized is passed.

+
 By specifying the output as 'template' and providing a Go template as the value of the --template flag, you can filter the attributes of the fetched resources.

+
Use "kubectl api-resources" for a complete list of supported resources.

 
Usage

 
$ kubectl get [(-o|--output=)json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file|custom-columns|custom-columns-file|wide] (TYPE[.VERSION][.GROUP] [NAME | -l label] | TYPE[.VERSION][.GROUP]/NAME ...) [flags]

 
Flags

@@ -2470,7 +2356,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file, custom-columns, custom-columns-file, wide). See custom columns [https://kubernetes.io/docs/reference/kubectl/#custom-columns], golang template [http://golang.org/pkg/text/template/#pkg-overview] and jsonpath template [https://kubernetes.io/docs/reference/kubectl/jsonpath/]. 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file|custom-columns-file|custom-columns|wide See custom columns [https://kubernetes.io/docs/reference/kubectl/overview/#custom-columns], golang template [http://golang.org/pkg/text/template/#pkg-overview] and jsonpath template [https://kubernetes.io/docs/reference/kubectl/jsonpath/]. 
 
 
 output-watch-events
@@ -2494,7 +2380,7 @@ inspect them.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 server-print
@@ -2527,12 +2413,6 @@ inspect them.

 If non-empty, sort list types using this field specification.  The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. 
 
 
-subresource
-
-
-If specified, gets the subresource of the requested object. Must be one of [status scale]. This flag is alpha and may change in the future. 
-
-
 template
 
 
@@ -2548,7 +2428,7 @@ inspect them.

 watch
 w
 false
-After listing/getting the requested object, watch for changes. 
+After listing/getting the requested object, watch for changes. Uninitialized objects are excluded if no object name is provided. 
 
 
 watch-only
@@ -2665,7 +2545,7 @@ inspect them.

 expose
 
 false
-If true, create a ClusterIP service associated with the pod.  Requires --port. 
+If true, service is created for the container(s) which are run 
 
 
 field-manager
@@ -2692,6 +2572,12 @@ inspect them.

 Period of time in seconds given to the resource to terminate gracefully. Ignored if negative. Set to 1 for immediate shutdown. Can only be set to 0 when --force is true (force deletion). 
 
 
+hostport
+
+-1
+The host port mapping for the container port. To demonstrate a single-machine container. 
+
+
 image
 
 
@@ -2701,7 +2587,7 @@ inspect them.

 image-pull-policy
 
 
-The image pull policy for the container.  If left empty, this value will not be specified by the client and defaulted by the server. 
+The image pull policy for the container. If left empty, this value will not be specified by the client and defaulted by the server 
 
 
 kustomize
@@ -2713,7 +2599,7 @@ inspect them.

 labels
 l
 
-Comma separated labels to apply to the pod. Will override previous values. 
+Comma separated labels to apply to the pod(s). Will override previous values. 
 
 
 leave-stdin-open
@@ -2722,16 +2608,16 @@ inspect them.

 If the pod is started in interactive mode or with stdin, leave stdin open after the first attach completes. By default, stdin will be closed after the first attach completes. 
 
 
+limits
+
+
+The resource requirement limits for this container.  For example, 'cpu=200m,memory=512Mi'.  Note that server side components may assign limits depending on the server configuration, such as limit ranges. 
+
+
 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
-
-
-override-type
-
-merge
-The method used to override the generated object: json, merge, or strategic. 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 overrides
@@ -2776,6 +2662,12 @@ inspect them.

 Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. 
 
 
+requests
+
+
+The resource requirement requests for this container.  For example, 'cpu=100m,memory=256Mi'.  Note that server side components may assign requests depending on the server configuration, such as limit ranges. 
+
+
 restart
 
 Always
@@ -2785,7 +2677,7 @@ inspect them.

 rm
 
 false
-If true, delete the pod after it exits.  Only valid when attaching to the container, e.g. with '--attach' or with '-i/--stdin'. 
+If true, delete resources created in this command for attached containers. 
 
 
 save-config
@@ -2794,6 +2686,12 @@ inspect them.

 If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. 
 
 
+serviceaccount
+
+
+Service account to set in the pod spec. 
+
+
 show-managed-fields
 
 false
@@ -2803,7 +2701,7 @@ inspect them.

 stdin
 i
 false
-Keep stdin open on the container in the pod, even if nothing is attached. 
+Keep stdin open on the container(s) in the pod, even if nothing is attached. 
 
 
 template
@@ -2821,7 +2719,7 @@ inspect them.

 tty
 t
 false
-Allocate a TTY for the container in the pod. 
+Allocated a TTY for each container in the pod. 
 
 
 wait
@@ -2868,7 +2766,10 @@ inspect them.

 
 
kubectl expose deployment nginx --port=80 --target-port=8000
 

-
Expose a resource as a new Kubernetes service.

 Looks up a deployment, service, replica set, replication controller or pod by name and uses the selector for that resource as the selector for a new service on the specified port. A deployment or replica set will be exposed as a service only if its selector is convertible to a selector that service supports, i.e. when the selector contains only the matchLabels component. Note that if no port is specified via --port and the exposed resource has multiple ports, all will be re-used by the new service. Also if no labels are specified, the new service will re-use the labels from the resource it exposes.

 Possible resources include (case insensitive):

 pod (po), service (svc), replicationcontroller (rc), deployment (deploy), replicaset (rs)

+
Expose a resource as a new Kubernetes service.

+
 Looks up a deployment, service, replica set, replication controller or pod by name and uses the selector for that resource as the selector for a new service on the specified port. A deployment or replica set will be exposed as a service only if its selector is convertible to a selector that service supports, i.e. when the selector contains only the matchLabels component. Note that if no port is specified via --port and the exposed resource has multiple ports, all will be re-used by the new service. Also if no labels are specified, the new service will re-use the labels from the resource it exposes.

+
 Possible resources include (case insensitive):

+
 pod (po), service (svc), replicationcontroller (rc), deployment (deploy), replicaset (rs)

 
Usage

 
$ kubectl expose (-f FILENAME | TYPE NAME) [--port=port] [--protocol=TCP|UDP|SCTP] [--target-port=number-or-name] [--name=name] [--external-ip=external-ip-of-service] [--type=type]

 
Flags

@@ -2895,6 +2796,12 @@ inspect them.

 ClusterIP to be assigned to the service. Leave empty to auto-allocate, or set to 'None' to create a headless service. 
 
 
+container-port
+
+
+Synonym for --target-port 
+
+
 dry-run
 
 none
@@ -2919,6 +2826,12 @@ inspect them.

 Filename, directory, or URL to files identifying the resource to expose a service 
 
 
+generator
+
+service/v2
+The name of the API generator to use. There are 2 generators: 'service/v1' and 'service/v2'. The only difference between them is that service port in v1 is named 'default', while it is left unnamed in v2. Default is 'service/v2'. 
+
+
 kustomize
 k
 
@@ -2946,13 +2859,7 @@ inspect them.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
-
-
-override-type
-
-merge
-The method used to override the generated object: json, merge, or strategic. 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 overrides
@@ -3041,11 +2948,6 @@ inspect them.

 
kubectl delete -k dir
 

 

-
 Delete resources from all files that end with '.json' - i.e. expand wildcard characters in file names

-

-
kubectl delete -f '*.json'
-

-

 
 Delete a pod based on the type and name in the JSON passed into stdin

 

 
cat pod.json | kubectl delete -f -
@@ -3075,7 +2977,11 @@ inspect them.

 
 
kubectl delete pods --all
 

-
Delete resources by file names, stdin, resources and names, or by resources and label selector.

 JSON and YAML formats are accepted. Only one type of argument may be specified: file names, resources and names, or resources and label selector.

 Some resources, such as pods, support graceful deletion. These resources define a default period before they are forcibly terminated (the grace period) but you may override that value with the --grace-period flag, or pass --now to set a grace-period of 1. Because these resources often represent entities in the cluster, deletion may not be acknowledged immediately. If the node hosting a pod is down or cannot reach the API server, termination may take significantly longer than the grace period. To force delete a resource, you must specify the --force flag. Note: only a subset of resources support graceful deletion. In absence of the support, the --grace-period flag is ignored.

 IMPORTANT: Force deleting pods does not wait for confirmation that the pod's processes have been terminated, which can leave those processes running until the node detects the deletion and completes graceful deletion. If your processes use shared storage or talk to a remote API and depend on the name of the pod to identify themselves, force deleting those pods may result in multiple processes running on different machines using the same identification which may lead to data corruption or inconsistency. Only force delete pods when you are sure the pod is terminated, or if your application can tolerate multiple copies of the same pod running at once. Also, if you force delete pods, the scheduler may place new pods on those nodes before the node has released those resources and causing those pods to be evicted immediately.

 Note that the delete command does NOT do resource version checks, so if someone submits an update to a resource right when you submit a delete, their update will be lost along with the rest of the resource.

 After a CustomResourceDefinition is deleted, invalidation of discovery cache may take up to 6 hours. If you don't want to wait, you might want to run "kubectl api-resources" to refresh the discovery cache.

+
Delete resources by file names, stdin, resources and names, or by resources and label selector.

+
 JSON and YAML formats are accepted. Only one type of argument may be specified: file names, resources and names, or resources and label selector.

+
 Some resources, such as pods, support graceful deletion. These resources define a default period before they are forcibly terminated (the grace period) but you may override that value with the --grace-period flag, or pass --now to set a grace-period of 1. Because these resources often represent entities in the cluster, deletion may not be acknowledged immediately. If the node hosting a pod is down or cannot reach the API server, termination may take significantly longer than the grace period. To force delete a resource, you must specify the --force flag. Note: only a subset of resources support graceful deletion. In absence of the support, the --grace-period flag is ignored.

+
 IMPORTANT: Force deleting pods does not wait for confirmation that the pod's processes have been terminated, which can leave those processes running until the node detects the deletion and completes graceful deletion. If your processes use shared storage or talk to a remote API and depend on the name of the pod to identify themselves, force deleting those pods may result in multiple processes running on different machines using the same identification which may lead to data corruption or inconsistency. Only force delete pods when you are sure the pod is terminated, or if your application can tolerate multiple copies of the same pod running at once. Also, if you force delete pods, the scheduler may place new pods on those nodes before the node has released those resources and causing those pods to be evicted immediately.

+
 Note that the delete command does NOT do resource version checks, so if someone submits an update to a resource right when you submit a delete, their update will be lost along with the rest of the resource.

 
Usage

 
$ kubectl delete ([-f FILENAME] | [-k DIRECTORY] | TYPE [(NAME | -l label | --all)])

 
Flags

@@ -3093,7 +2999,7 @@ inspect them.

 all
 
 false
-Delete all resources, in the namespace of the specified resource types. 
+Delete all resources, including uninitialized ones, in the namespace of the specified resource types. 
 
 
 all-namespaces
@@ -3177,7 +3083,7 @@ inspect them.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, not including uninitialized ones. 
 
 
 timeout
@@ -3214,11 +3120,6 @@ viewing your workloads in a Kubernetes cluster.

 
cat pod.json | kubectl apply -f -
 

 

-
 Apply the configuration from all files that end with '.json' - i.e. expand wildcard characters in file names

-

-
kubectl apply -f '*.json'
-

-

 
 Note: --prune is still in Alpha # Apply the configuration in manifest.yaml that matches label app=nginx and delete all other resources that are not in the file and match label app=nginx

 

 
kubectl apply --prune -f manifest.yaml -l app=nginx
@@ -3226,9 +3127,11 @@ viewing your workloads in a Kubernetes cluster.

 

 
 Apply the configuration in manifest.yaml and delete all the other config maps that are not in the file

 

-
kubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/v1/ConfigMap
+
kubectl apply --prune -f manifest.yaml --all --prune-whitelist=core/v1/ConfigMap
 

-
Apply a configuration to a resource by file name or stdin. The resource name must be specified. This resource will be created if it doesn't exist yet. To use 'apply', always create the resource initially with either 'apply' or 'create --save-config'.

 JSON and YAML formats are accepted.

 Alpha Disclaimer: the --prune functionality is not yet complete. Do not use unless you are aware of what the current state is. See https://issues.k8s.io/34274.

+
Apply a configuration to a resource by file name or stdin. The resource name must be specified. This resource will be created if it doesn't exist yet. To use 'apply', always create the resource initially with either 'apply' or 'create --save-config'.

+
 JSON and YAML formats are accepted.

+
 Alpha Disclaimer: the --prune functionality is not yet complete. Do not use unless you are aware of what the current state is. See https://issues.k8s.io/34274.

 
Usage

 
$ kubectl apply (-f FILENAME | -k DIRECTORY)

 
Flags

@@ -3276,7 +3179,7 @@ viewing your workloads in a Kubernetes cluster.

 filename
 f
 []
-The files that contain the configurations to apply. 
+that contains the configuration to apply 
 
 
 force
@@ -3312,7 +3215,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 overwrite
@@ -3324,13 +3227,7 @@ viewing your workloads in a Kubernetes cluster.

 prune
 
 false
-Automatically delete resource objects, that do not appear in the configs and are created by either apply or create --save-config. Should be used with either -l or --all. 
-
-
-prune-allowlist
-
-[]
-Overwrite the default allowlist with <group/version/kind> for --prune 
+Automatically delete resource objects, including the uninitialized ones, that do not appear in the configs and are created by either apply or create --save-config. Should be used with either -l or --all. 
 
 
 prune-whitelist
@@ -3354,7 +3251,7 @@ viewing your workloads in a Kubernetes cluster.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 server-side
@@ -3383,8 +3280,8 @@ viewing your workloads in a Kubernetes cluster.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 wait
@@ -3452,7 +3349,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 record
@@ -3479,12 +3376,6 @@ viewing your workloads in a Kubernetes cluster.

 Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. 
 
 
-validate
-
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
-
-
 windows-line-endings
 
 false
@@ -3551,7 +3442,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 show-managed-fields
@@ -3616,7 +3507,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 yaml
-Output format. Must be one of (yaml, json) 
+Output format. Must be one of yaml|json 
 
 
 recursive
@@ -3628,7 +3519,7 @@ viewing your workloads in a Kubernetes cluster.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 
@@ -3664,7 +3555,10 @@ viewing your workloads in a Kubernetes cluster.

 
 
kubectl annotate pods foo description-
 

-
Update the annotations on one or more resources.

 All Kubernetes objects support the ability to store additional data with the object as annotations. Annotations are key/value pairs that can be larger than labels and include arbitrary string values such as structured JSON. Tools and system extensions may use annotations to store their own data.

 Attempting to set an annotation that already exists will fail unless --overwrite is set. If --resource-version is specified and does not match the current resource version on the server the command will fail.

Use "kubectl api-resources" for a complete list of supported resources.

+
Update the annotations on one or more resources.

+
 All Kubernetes objects support the ability to store additional data with the object as annotations. Annotations are key/value pairs that can be larger than labels and include arbitrary string values such as structured JSON. Tools and system extensions may use annotations to store their own data.

+
 Attempting to set an annotation that already exists will fail unless --overwrite is set. If --resource-version is specified and does not match the current resource version on the server the command will fail.

+
Use "kubectl api-resources" for a complete list of supported resources.

 
Usage

 
$ kubectl annotate [--overwrite] (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--resource-version=version]

 
Flags

@@ -3682,7 +3576,7 @@ viewing your workloads in a Kubernetes cluster.

 all
 
 false
-Select all resources, in the namespace of the specified resource types. 
+Select all resources, including uninitialized ones, in the namespace of the specified resource types. 
 
 
 all-namespaces
@@ -3742,7 +3636,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 overwrite
@@ -3772,7 +3666,7 @@ viewing your workloads in a Kubernetes cluster.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, not including uninitialized ones, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). 
 
 
 show-managed-fields
@@ -3800,7 +3694,8 @@ viewing your workloads in a Kubernetes cluster.

 
 
kubectl autoscale rc foo --max=5 --cpu-percent=80
 

-
Creates an autoscaler that automatically chooses and sets the number of pods that run in a Kubernetes cluster.

 Looks up a deployment, replica set, stateful set, or replication controller by name and creates an autoscaler that uses the given resource as a reference. An autoscaler can automatically increase or decrease number of pods deployed within the system as needed.

+
Creates an autoscaler that automatically chooses and sets the number of pods that run in a Kubernetes cluster.

+
 Looks up a deployment, replica set, stateful set, or replication controller by name and creates an autoscaler that uses the given resource as a reference. An autoscaler can automatically increase or decrease number of pods deployed within the system as needed.

 
Usage

 
$ kubectl autoscale (-f FILENAME | TYPE NAME | TYPE/NAME) [--min=MINPODS] --max=MAXPODS [--cpu-percent=CPU]

 
Flags

@@ -3872,7 +3767,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 record
@@ -3943,7 +3838,14 @@ viewing your workloads in a Kubernetes cluster.

 
 
kubectl debug node/mynode -it --image=busybox
 

-
Debug cluster resources using interactive debugging containers.

 'debug' provides automation for common debugging tasks for cluster objects identified by resource and name. Pods will be used by default if no resource is specified.

 The action taken by 'debug' varies depending on what resource is specified. Supported actions include:

    Workload: Create a copy of an existing pod with certain attributes changed, for example changing the image tag to a new version.
    Workload: Add an ephemeral container to an already running pod, for example to add debugging utilities without restarting the pod.
  *  Node: Create a new pod that runs in the node's host namespaces and can access the node's filesystem.

+
Debug cluster resources using interactive debugging containers.

+
 'debug' provides automation for common debugging tasks for cluster objects identified by resource and name. Pods will be used by default if no resource is specified.

+
 The action taken by 'debug' varies depending on what resource is specified. Supported actions include:

+
    
+
  • Workload: Create a copy of an existing pod with certain attributes changed, for example changing the image tag to a new version.
    • 
+
  • Workload: Add an ephemeral container to an already running pod, for example to add debugging utilities without restarting the pod.
    • 
+
  • Node: Create a new pod that runs in the node's host namespaces and can access the node's filesystem.
    • 
+

 
Usage

 
$ kubectl debug (POD | TYPE[[.VERSION].GROUP]/NAME) [ -- COMMAND [args...] ]

 
Flags

@@ -4000,12 +3902,6 @@ viewing your workloads in a Kubernetes cluster.

 The image pull policy for the container. If left empty, this value will not be specified by the client and defaulted by the server. 
 
 
-profile
-
-legacy
-Debugging profile. 
-
-
 quiet
 q
 false
@@ -4067,7 +3963,12 @@ viewing your workloads in a Kubernetes cluster.

 
 
cat service.yaml | kubectl diff -f -
 

-
Diff configurations specified by file name or stdin between the current online configuration, and the configuration as it would be if applied.

 The output is always YAML.

 KUBECTL_EXTERNAL_DIFF environment variable can be used to select your own diff command. Users can use external commands with params too, example: KUBECTL_EXTERNAL_DIFF="colordiff -N -u"

 By default, the "diff" command available in your path will be run with the "-u" (unified diff) and "-N" (treat absent files as empty) options.

 Exit status: 0 No differences were found. 1 Differences were found. >1 Kubectl or diff failed with an error.

 Note: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that convention.

+
Diff configurations specified by file name or stdin between the current online configuration, and the configuration as it would be if applied.

+
 The output is always YAML.

+
 KUBECTL_EXTERNAL_DIFF environment variable can be used to select your own diff command. Users can use external commands with params too, example: KUBECTL_EXTERNAL_DIFF="colordiff -N -u"

+
 By default, the "diff" command available in your path will be run with the "-u" (unified diff) and "-N" (treat absent files as empty) options.

+
 Exit status: 0 No differences were found. 1 Differences were found. >1 Kubectl or diff failed with an error.

+
 Note: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that convention.

 
Usage

 
$ kubectl diff -f FILENAME

 
Flags

@@ -4106,18 +4007,6 @@ viewing your workloads in a Kubernetes cluster.

 Process the kustomization directory. This flag can't be used together with -f or -R. 
 
 
-prune
-
-false
-Include resources that would be deleted by pruning. Can be used with -l and default shows all resources would be pruned 
-
-
-prune-allowlist
-
-[]
-Overwrite the default whitelist with <group/version/kind> for --prune 
-
-
 recursive
 R
 false
@@ -4127,7 +4016,7 @@ viewing your workloads in a Kubernetes cluster.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 server-side
@@ -4135,25 +4024,19 @@ viewing your workloads in a Kubernetes cluster.

 false
 If true, apply runs in the server instead of the client. 
 
-
-show-managed-fields
-
-false
-If true, include managed fields in the diff. 
-
 
 
 

 
edit

 

-
 Edit the service named 'registry'

+
 Edit the service named 'docker-registry'

 

-
kubectl edit svc/registry
+
kubectl edit svc/docker-registry
 

 

 
 Use an alternative editor

 

-
KUBE_EDITOR="nano" kubectl edit svc/registry
+
KUBE_EDITOR="nano" kubectl edit svc/docker-registry
 

 

 
 Edit the job 'myjob' in JSON using the v1 API format

@@ -4165,12 +4048,12 @@ viewing your workloads in a Kubernetes cluster.

 

 
kubectl edit deployment/mydeployment -o yaml --save-config
 

-

-
 Edit the deployment/mydeployment's status subresource

-

-
kubectl edit deployment mydeployment --subresource='status'
-

-
Edit a resource from the default editor.

 The edit command allows you to directly edit any API resource you can retrieve via the command-line tools. It will open the editor defined by your KUBE_EDITOR, or EDITOR environment variables, or fall back to 'vi' for Linux or 'notepad' for Windows. You can edit multiple objects, although changes are applied one at a time. The command accepts file names as well as command-line arguments, although the files you point to must be previously saved versions of resources.

 Editing is done with the API version used to fetch the resource. To edit using a specific API version, fully-qualify the resource, version, and group.

 The default format is YAML. To edit in JSON, specify "-o json".

 The flag --windows-line-endings can be used to force Windows line endings, otherwise the default for your operating system will be used.

 In the event an error occurs while updating, a temporary file will be created on disk that contains your unapplied changes. The most common error when updating a resource is another editor changing the resource on the server. When this occurs, you will have to apply your changes to the newer version of the resource, or update your temporary saved copy to include the latest resource version.

+
Edit a resource from the default editor.

+
 The edit command allows you to directly edit any API resource you can retrieve via the command-line tools. It will open the editor defined by your KUBE_EDITOR, or EDITOR environment variables, or fall back to 'vi' for Linux or 'notepad' for Windows. You can edit multiple objects, although changes are applied one at a time. The command accepts file names as well as command-line arguments, although the files you point to must be previously saved versions of resources.

+
 Editing is done with the API version used to fetch the resource. To edit using a specific API version, fully-qualify the resource, version, and group.

+
 The default format is YAML. To edit in JSON, specify "-o json".

+
 The flag --windows-line-endings can be used to force Windows line endings, otherwise the default for your operating system will be used.

+
 In the event an error occurs while updating, a temporary file will be created on disk that contains your unapplied changes. The most common error when updating a resource is another editor changing the resource on the server. When this occurs, you will have to apply your changes to the newer version of the resource, or update your temporary saved copy to include the latest resource version.

 
Usage

 
$ kubectl edit (RESOURCE/NAME | -f FILENAME)

 
Flags

@@ -4212,7 +4095,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 output-patch
@@ -4245,12 +4128,6 @@ viewing your workloads in a Kubernetes cluster.

 If true, keep the managedFields when printing objects in JSON or YAML format. 
 
 
-subresource
-
-
-If specified, edit will operate on the subresource of the requested object. Must be one of [status]. This flag is alpha and may change in the future. 
-
-
 template
 
 
@@ -4259,8 +4136,8 @@ viewing your workloads in a Kubernetes cluster.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 windows-line-endings
@@ -4407,7 +4284,13 @@ viewing your workloads in a Kubernetes cluster.

 
 
kubectl label pods foo bar-
 

-
Update the labels on a resource.

    A label key and value must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters each.
    Optionally, the key can begin with a DNS subdomain prefix and a single '/', like example.com/my-app.
    If --overwrite is true, then existing labels can be overwritten, otherwise attempting to overwrite a label will result in an error.
    If --resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used.

+
Update the labels on a resource.

+
    
+
  • A label key and value must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to  63 characters each.
    • 
+
  • Optionally, the key can begin with a DNS subdomain prefix and a single '/', like example.com/my-app.
    • 
+
  • If --overwrite is true, then existing labels can be overwritten, otherwise attempting to overwrite a label will result in an error.
    • 
+
  • If --resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used.
    • 
+

 
Usage

 
$ kubectl label [--overwrite] (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--resource-version=version]

 
Flags

@@ -4425,7 +4308,7 @@ viewing your workloads in a Kubernetes cluster.

 all
 
 false
-Select all resources, in the namespace of the specified resource types 
+Select all resources, including uninitialized ones, in the namespace of the specified resource types 
 
 
 all-namespaces
@@ -4485,7 +4368,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 overwrite
@@ -4515,7 +4398,7 @@ viewing your workloads in a Kubernetes cluster.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, not including uninitialized ones, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). 
 
 
 show-managed-fields
@@ -4558,12 +4441,8 @@ viewing your workloads in a Kubernetes cluster.

 
 
kubectl patch pod valid-pod --type='json' -p='[{"op": "replace", "path": "/spec/containers/0/image", "value":"new image"}]'
 

-

-
 Update a deployment's replicas through the scale subresource using a merge patch.

-

-
kubectl patch deployment nginx-deployment --subresource='scale' --type='merge' -p '{"spec":{"replicas":2}}'
-

-
Update fields of a resource using strategic merge patch, a JSON merge patch, or a JSON patch.

 JSON and YAML formats are accepted.

 Note: Strategic merge patch is not supported for custom resources.

+
Update fields of a resource using strategic merge patch, a JSON merge patch, or a JSON patch.

+
 JSON and YAML formats are accepted.

 
Usage

 
$ kubectl patch (-f FILENAME | TYPE NAME) [-p PATCH|--patch-file FILE]

 
Flags

@@ -4617,7 +4496,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 patch
@@ -4650,12 +4529,6 @@ viewing your workloads in a Kubernetes cluster.

 If true, keep the managedFields when printing objects in JSON or YAML format. 
 
 
-subresource
-
-
-If specified, patch will operate on the subresource of the requested object. Must be one of [status scale]. This flag is alpha and may change in the future. 
-
-
 template
 
 
@@ -4691,7 +4564,9 @@ viewing your workloads in a Kubernetes cluster.

 
 
kubectl replace --force -f ./pod.json
 

-
Replace a resource by file name or stdin.

 JSON and YAML formats are accepted. If replacing an existing resource, the complete resource spec must be provided. This can be obtained by

  $ kubectl get TYPE NAME -o yaml

+
Replace a resource by file name or stdin.

+
 JSON and YAML formats are accepted. If replacing an existing resource, the complete resource spec must be provided. This can be obtained by

+
  $ kubectl get TYPE NAME -o yaml

 
Usage

 
$ kubectl replace -f FILENAME

 
Flags

@@ -4733,7 +4608,7 @@ viewing your workloads in a Kubernetes cluster.

 filename
 f
 []
-The files that contain the configurations to replace. 
+to use to replace the resource. 
 
 
 force
@@ -4757,7 +4632,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 raw
@@ -4784,12 +4659,6 @@ viewing your workloads in a Kubernetes cluster.

 If true, keep the managedFields when printing objects in JSON or YAML format. 
 
 
-subresource
-
-
-If specified, replace will operate on the subresource of the requested object. Must be one of [status scale]. This flag is alpha and may change in the future. 
-
-
 template
 
 
@@ -4804,8 +4673,8 @@ viewing your workloads in a Kubernetes cluster.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 wait
@@ -4827,17 +4696,13 @@ viewing your workloads in a Kubernetes cluster.

 
 
kubectl rollout status daemonset/foo
 

-

-
 Restart a deployment

-

-
kubectl rollout restart deployment/abc
-

-

-
 Restart deployments with the app=nginx label

-

-
kubectl rollout restart deployment --selector=app=nginx
-

-
Manage the rollout of one or many resources.
  
 Valid resource types include:

    deployments
    daemonsets
  *  statefulsets

+
Manage the rollout of a resource.

+
 Valid resource types include:

+
    
+
  • deployments
    • 
+
  • daemonsets
    • 
+
  • statefulsets
    • 
+

 
Usage

 
$ kubectl rollout SUBCOMMAND

 

@@ -4888,7 +4753,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 recursive
@@ -4903,12 +4768,6 @@ viewing your workloads in a Kubernetes cluster.

 See the details, including podTemplate of the revision specified 
 
 
-selector
-l
-
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
-
-
 show-managed-fields
 
 false
@@ -4972,7 +4831,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 recursive
@@ -4981,12 +4840,6 @@ viewing your workloads in a Kubernetes cluster.

 Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. 
 
 
-selector
-l
-
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
-
-
 show-managed-fields
 
 false
@@ -5012,13 +4865,8 @@ viewing your workloads in a Kubernetes cluster.

 
 
kubectl rollout restart daemonset/abc
 

-

-
 Restart deployments with the app=nginx label

-

-
kubectl rollout restart deployment --selector=app=nginx
-

 
Restart a resource.

-
  Resource rollout will be restarted.

+
   Resource rollout will be restarted.

 
Usage

 
$ kubectl rollout restart RESOURCE

 
Flags

@@ -5060,7 +4908,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 recursive
@@ -5069,12 +4917,6 @@ viewing your workloads in a Kubernetes cluster.

 Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. 
 
 
-selector
-l
-
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
-
-
 show-managed-fields
 
 false
@@ -5138,7 +4980,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 recursive
@@ -5147,12 +4989,6 @@ viewing your workloads in a Kubernetes cluster.

 Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. 
 
 
-selector
-l
-
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
-
-
 show-managed-fields
 
 false
@@ -5213,12 +5049,6 @@ viewing your workloads in a Kubernetes cluster.

 Pin to a specific revision for showing its status. Defaults to 0 (last revision). 
 
 
-selector
-l
-
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
-
-
 timeout
 
 0s
@@ -5291,7 +5121,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 recursive
@@ -5300,12 +5130,6 @@ viewing your workloads in a Kubernetes cluster.

 Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. 
 
 
-selector
-l
-
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
-
-
 show-managed-fields
 
 false
@@ -5352,7 +5176,9 @@ viewing your workloads in a Kubernetes cluster.

 
 
kubectl scale --replicas=3 statefulset/web
 

-
Set a new size for a deployment, replica set, replication controller, or stateful set.

 Scale also allows users to specify one or more preconditions for the scale action.

 If --current-replicas or --resource-version is specified, it is validated before the scale is attempted, and it is guaranteed that the precondition holds true when the scale is sent to the server.

+
Set a new size for a deployment, replica set, replication controller, or stateful set.

+
 Scale also allows users to specify one or more preconditions for the scale action.

+
 If --current-replicas or --resource-version is specified, it is validated before the scale is attempted, and it is guaranteed that the precondition holds true when the scale is sent to the server.

 
Usage

 
$ kubectl scale [--resource-version=version] [--current-replicas=count] --replicas=COUNT (-f FILENAME | TYPE NAME)

 
Flags

@@ -5406,7 +5232,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 record
@@ -5436,7 +5262,7 @@ viewing your workloads in a Kubernetes cluster.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 show-managed-fields
@@ -5460,7 +5286,8 @@ viewing your workloads in a Kubernetes cluster.

 
 

 
set

-
Configure application resources.

 These commands help you make changes to existing application resources.

+
Configure application resources.

+
 These commands help you make changes to existing application resources.

 
Usage

 
$ kubectl set SUBCOMMAND

 

@@ -5614,7 +5441,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 overwrite
@@ -5644,7 +5471,7 @@ viewing your workloads in a Kubernetes cluster.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on 
 
 
 show-managed-fields
@@ -5702,7 +5529,7 @@ viewing your workloads in a Kubernetes cluster.

 all
 
 false
-Select all resources, in the namespace of the specified resource types 
+Select all resources, including uninitialized ones, in the namespace of the specified resource types 
 
 
 allow-missing-template-keys
@@ -5744,7 +5571,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 record
@@ -5762,7 +5589,7 @@ viewing your workloads in a Kubernetes cluster.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, not including uninitialized ones, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 show-managed-fields
@@ -5820,7 +5647,7 @@ viewing your workloads in a Kubernetes cluster.

 all
 
 false
-Select all resources, in the namespace of the specified resource types 
+Select all resources, including uninitialized ones, in the namespace of the specified resource types 
 
 
 allow-missing-template-keys
@@ -5874,7 +5701,7 @@ viewing your workloads in a Kubernetes cluster.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 record
@@ -5898,7 +5725,7 @@ viewing your workloads in a Kubernetes cluster.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, not including uninitialized ones,supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 show-managed-fields
@@ -5923,7 +5750,7 @@ viewing your workloads in a Kubernetes cluster.

 kubectl create deployment my-dep -o yaml --dry-run=client | kubectl label --local -f - environment=qa -o yaml | kubectl create -f -
 

 
Set the selector on a resource. Note that the new selector will overwrite the old selector if the resource had one prior to the invocation of 'set selector'.

-
 A selector must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters. If --resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used. Note: currently selectors can only be set on Service objects.

+
 A selector must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to  63 characters. If --resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used. Note: currently selectors can only be set on Service objects.

 
Usage

 
$ kubectl set selector (-f FILENAME | TYPE NAME) EXPRESSIONS [--resource-version=version]

 
Flags

@@ -5977,7 +5804,7 @@ kubectl create deployment my-dep -o yaml --dry-run<
 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 record
@@ -6043,7 +5870,7 @@ kubectl create deployment my-dep -o yaml --dry-run<
 all
 
 false
-Select all resources, in the namespace of the specified resource types 
+Select all resources, including uninitialized ones, in the namespace of the specified resource types 
 
 
 allow-missing-template-keys
@@ -6085,7 +5912,7 @@ kubectl create deployment my-dep -o yaml --dry-run<
 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 record
@@ -6148,7 +5975,7 @@ kubectl create deployment my-dep -o yaml --dry-run<
 all
 
 false
-Select all resources, in the namespace of the specified resource types 
+Select all resources, including uninitialized ones, in the namespace of the specified resource types 
 
 
 allow-missing-template-keys
@@ -6196,7 +6023,7 @@ kubectl create deployment my-dep -o yaml --dry-run<
 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 recursive
@@ -6208,7 +6035,7 @@ kubectl create deployment my-dep -o yaml --dry-run<
 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, not including uninitialized ones, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 serviceaccount
@@ -6228,12 +6055,6 @@ kubectl create deployment my-dep -o yaml --dry-run<
 
 Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. 
 
-
-user
-
-[]
-Usernames to bind to the role 
-
 
 
 

@@ -6244,24 +6065,22 @@ kubectl create deployment my-dep -o yaml --dry-run<
 
kubectl wait --for=condition=Ready pod/busybox1
 

 

-
 The default value of status condition is true; you can wait for other targets after an equal delimiter (compared after Unicode simple case folding, which is a more general form of case-insensitivity):

+
 The default value of status condition is true; you can set it to false

 

 
kubectl wait --for=condition=Ready=false pod/busybox1
 

 

-
 Wait for the pod "busybox1" to contain the status phase to be "Running".

-

-
kubectl wait --for=jsonpath='{.status.phase}'=Running pod/busybox1
-

-

 
 Wait for the pod "busybox1" to be deleted, with a timeout of 60s, after having issued the "delete" command

 

 
kubectl delete pod/busybox1
 kubectl wait --for=delete pod/busybox1 --timeout=60s
 

-
Experimental: Wait for a specific condition on one or many resources.

 The command takes multiple resources and waits until the specified condition is seen in the Status field of every given resource.

 Alternatively, the command can wait for the given set of resources to be deleted by providing the "delete" keyword as the value to the --for flag.

 A successful message will be printed to stdout indicating when the specified condition has been met. You can use -o option to change to output destination.

+
Experimental: Wait for a specific condition on one or many resources.

+
 The command takes multiple resources and waits until the specified condition is seen in the Status field of every given resource.

+
 Alternatively, the command can wait for the given set of resources to be deleted by providing the "delete" keyword as the value to the --for flag.

+
 A successful message will be printed to stdout indicating when the specified condition has been met. You can use -o option to change to output destination.

 
Usage

-
$ kubectl wait ([-f FILENAME] | resource.group/resource.name | resource.group [(-l label | --all)]) [--for=delete|--for condition=available|--for=jsonpath='{}'=value]

+
$ kubectl wait ([-f FILENAME] | resource.group/resource.name | resource.group [(-l label | --all)]) [--for=delete|--for condition=available]

 
Flags

 
@@ -6307,7 +6126,7 @@ kubectl wait --for=delete pod/busybox1 for
 
-
+
@@ -6319,7 +6138,7 @@ kubectl wait --for=delete pod/busybox1 output
 
-
+
@@ -6472,7 +6291,7 @@ applications.
kubectl auth can-i --list --namespace=foo
 
Check whether an action is allowed.

-
 VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. NONRESOURCEURL is a partial URL that starts with "/". NAME is the name of a particular Kubernetes resource. This command pairs nicely with impersonation. See --as global flag.

+
 VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. NONRESOURCEURL is a partial URL that starts with "/". NAME is the name of a particular Kubernetes resource.
Usage
$ kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL]
Flags

@@ -6571,7 +6390,7 @@ applications.

-
+
@@ -6663,12 +6482,6 @@ applications.

-
-
-
-
-
-

 

 The condition to wait on: [delete|condition=condition-name[=condition-value]|jsonpath='{JSONPath expression}'=JSONPath Condition]. The default condition-value is true.  Condition values are compared after Unicode simple case folding, which is a more general form of case-insensitivity. The condition to wait on: [delete|condition=condition-name]. The default status value of condition-name is true, you can set false with condition=condition-name=false 
 

 

 localo
 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 

 

 recursive
 
 
 
 
 
 output
 o
 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 

 

 recursive
 false
 The copied file/directory's ownership and permissions will not be preserved in the container 
 
retries0Set number of retries to complete a copy operation from a container. Specify 0 to disable or any negative value for infinite retrying. The default is 0 (no retry). 

 
 

 

@@ -6699,11 +6512,15 @@ applications.

 
kubectl describe po -l name=myLabel
 

 

-
 Describe all pods managed by the 'frontend' replication controller # (rc-created pods get the name of the rc as a prefix in the pod name)

+
 Describe all pods managed by the 'frontend' replication controller (rc-created pods # get the name of the rc as a prefix in the pod the name)

 

 
kubectl describe pods frontend
 

-
Show details of a specific resource or group of resources.

 Print a detailed description of the selected resources, including related resources such as events or controllers. You may select a single object by name, all objects of that type, provide a name prefix, or label selector. For example:

  $ kubectl describe TYPE NAME_PREFIX
  
 will first check for an exact match on TYPE and NAME_PREFIX. If no such resource exists, it will output details for every resource that has a name prefixed with NAME_PREFIX.

Use "kubectl api-resources" for a complete list of supported resources.

+
Show details of a specific resource or group of resources.

+
 Print a detailed description of the selected resources, including related resources such as events or controllers. You may select a single object by name, all objects of that type, provide a name prefix, or label selector. For example:

+
  $ kubectl describe TYPE NAME_PREFIX

+
 will first check for an exact match on TYPE and NAME_PREFIX. If no such resource exists, it will output details for every resource that has a name prefixed with NAME_PREFIX.

+
Use "kubectl api-resources" for a complete list of supported resources.

 
Usage

 
$ kubectl describe (-f FILENAME | TYPE [NAME_PREFIX | -l label] | TYPE/NAME)

 
Flags

@@ -6751,7 +6568,7 @@ applications.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 show-events
@@ -6762,109 +6579,6 @@ applications.

 
 
 

-
events

-

-
 List recent events in the default namespace.

-

-
kubectl events
-

-

-
 List recent events in all namespaces.

-

-
kubectl events --all-namespaces
-

-

-
 List recent events for the specified pod, then wait for more events and list them as they arrive.

-

-
kubectl events --for pod/web-pod-13je7 --watch
-

-

-
 List recent events in given format. Supported ones, apart from default, are json and yaml.

-

-
kubectl events -oyaml
-

-

-
 List recent only events in given event types

-

-
kubectl events --types=Warning,Normal
-

-
Display events

 Prints a table of the most important information about events. You can request events for a namespace, for all namespace, or filtered to only those pertaining to a specified resource.

-
Usage

-
$ kubectl events [(-o|--output=)json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file] [--for TYPE/NAME] [--watch] [--event=Normal,Warning]

-
Flags

-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
NameShorthandDefaultUsage
all-namespacesAfalseIf present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. 
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. 
chunk-size500Return large lists in chunks rather than all at once. Pass 0 to disable. This flag is beta and may change in the future. 
forFilter events to only those pertaining to the specified resource. 
no-headersfalseWhen using the default output format, don't print headers. 
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format. 
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. 
types[]Output only events of given types. 
watchwfalseAfter listing the requested events, watch for more events. 

-

 
exec

 

 
 Get output from running the 'date' command from pod mypod, using the first container by default

@@ -7083,7 +6797,7 @@ applications.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on. 
 
 
 since
@@ -7148,7 +6862,9 @@ applications.

 

 
kubectl port-forward pod/mypod :5000
 

-
Forward one or more local ports to a pod.

 Use resource type/name such as deployment/mydeployment to select a pod. Resource type defaults to 'pod' if omitted.

 If there are multiple pods matching the criteria, a pod will be selected automatically. The forwarding session ends when the selected pod terminates, and a rerun of the command is needed to resume forwarding.

+
Forward one or more local ports to a pod.

+
 Use resource type/name such as deployment/mydeployment to select a pod. Resource type defaults to 'pod' if omitted.

+
 If there are multiple pods matching the criteria, a pod will be selected automatically. The forwarding session ends when the selected pod terminates, and a rerun of the command is needed to resume forwarding.

 
Usage

 
$ kubectl port-forward TYPE/NAME [options] [LOCAL_PORT:]REMOTE_PORT [...[LOCAL_PORT_N:]REMOTE_PORT_N]

 
Flags

@@ -7247,12 +6963,6 @@ applications.

 Prefix to serve the proxied API under. 
 
 
-append-server-path
-
-false
-If true, enables automatic path appending of the kube context server path to each request. 
-
-
 disable-filter
 
 false
@@ -7304,7 +7014,9 @@ applications.

 
 

 
top

-
Display Resource (CPU/Memory) usage.

 The top command allows you to see the resource consumption for nodes or pods.

 This command requires Metrics Server to be correctly configured and working on the server.

+
Display Resource (CPU/Memory) usage.

+
 The top command allows you to see the resource consumption for nodes or pods.

+
 This command requires Metrics Server to be correctly configured and working on the server.

 
Usage

 
$ kubectl top

 

@@ -7344,13 +7056,7 @@ applications.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
-
-
-show-capacity
-
-false
-Print node resources based on Capacity instead of Allocatable(default) of the nodes. 
+Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 sort-by
@@ -7432,7 +7138,7 @@ applications.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 sort-by
@@ -7441,12 +7147,6 @@ applications.

 If non-empty, sort pods list using specified field. The field can be either 'cpu' or 'memory'. 
 
 
-sum
-
-false
-Print the sum of the resource usage 
-
-
 use-protocol-buffers
 
 true
@@ -7466,102 +7166,6 @@ applications.

 
Usage

 
$ kubectl api-versions

 

-
api-resources

-

-
 Print the supported API resources

-

-
kubectl api-resources
-

-

-
 Print the supported API resources with more information

-

-
kubectl api-resources -o wide
-

-

-
 Print the supported API resources sorted by a column

-

-
kubectl api-resources --sort-by=name
-

-

-
 Print the supported namespaced resources

-

-
kubectl api-resources --namespaced=true
-

-

-
 Print the supported non-namespaced resources

-

-
kubectl api-resources --namespaced=false
-

-

-
 Print the supported API resources with a specific APIGroup

-

-
kubectl api-resources --api-group=rbac.authorization.k8s.io
-

-
Print the supported API resources on the server.

-
Usage

-
$ kubectl api-resources

-
Flags

-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
NameShorthandDefaultUsage
api-groupLimit to resources in the specified API group. 
cachedfalseUse the cached list of resources if available. 
categories[]Limit to resources that belong the the specified categories. 
namespacedtrueIf false, non-namespaced resources will be returned, otherwise returning namespaced resources by default. 
no-headersfalseWhen using the default or custom-column output format, don't print headers (default print headers). 
outputoOutput format. One of: (wide, name). 
sort-byIf non-empty, sort list of resources using specified field. The field can be either 'name' or 'kind'. 
verbs[]Limit to resources that support the specified verbs. 

-

 
certificate

 
Modify certificate resources.

 
Usage

@@ -7617,7 +7221,7 @@ applications.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 recursive
@@ -7689,7 +7293,7 @@ applications.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 recursive
@@ -7780,7 +7384,7 @@ applications.

 output
 o
 json
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 output-directory
@@ -7839,7 +7443,7 @@ applications.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on 
 
 
 
@@ -7855,7 +7459,11 @@ applications.

 
 
kubectl drain foo --grace-period=900
 

-
Drain node in preparation for maintenance.

 The given node will be marked unschedulable to prevent new pods from arriving. 'drain' evicts the pods if the API server supports https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ eviction https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ . Otherwise, it will use normal DELETE to delete the pods. The 'drain' evicts or deletes all pods except mirror pods (which cannot be deleted through the API server).  If there are daemon set-managed pods, drain will not proceed without --ignore-daemonsets, and regardless it will not delete any daemon set-managed pods, because those pods would be immediately replaced by the daemon set controller, which ignores unschedulable markings.  If there are any pods that are neither mirror pods nor managed by a replication controller, replica set, daemon set, stateful set, or job, then drain will not delete any pods unless you use --force.  --force will also allow deletion to proceed if the managing resource of one or more pods is missing.

 'drain' waits for graceful termination. You should not operate on the machine until the command completes.

 When you are ready to put the node back into service, use kubectl uncordon, which will make the node schedulable again.

https://kubernetes.io/images/docs/kubectl_drain.svg Workflowhttps://kubernetes.io/images/docs/kubectl_drain.svg

+
Drain node in preparation for maintenance.

+
 The given node will be marked unschedulable to prevent new pods from arriving. 'drain' evicts the pods if the API server supports https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ . Otherwise, it will use normal DELETE to delete the pods. The 'drain' evicts or deletes all pods except mirror pods (which cannot be deleted through the API server).  If there are daemon set-managed pods, drain will not proceed without --ignore-daemonsets, and regardless it will not delete any daemon set-managed pods, because those pods would be immediately replaced by the daemon set controller, which ignores unschedulable markings.  If there are any pods that are neither mirror pods nor managed by a replication controller, replica set, daemon set, stateful set, or job, then drain will not delete any pods unless you use --force.  --force will also allow deletion to proceed if the managing resource of one or more pods is missing.

+
 'drain' waits for graceful termination. You should not operate on the machine until the command completes.

+
 When you are ready to put the node back into service, use kubectl uncordon, which will make the node schedulable again.

+
 https://kubernetes.io/images/docs/kubectl_drain.svg

 
Usage

 
$ kubectl drain NODE

 
Flags

@@ -7903,7 +7511,7 @@ applications.

 force
 
 false
-Continue even if there are pods that do not declare a controller. 
+Continue even if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet. 
 
 
 grace-period
@@ -7918,6 +7526,12 @@ applications.

 Ignore DaemonSet-managed pods. 
 
 
+ignore-errors
+
+false
+Ignore errors occurred between drain nodes in group. 
+
+
 pod-selector
 
 
@@ -7927,7 +7541,7 @@ applications.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on 
 
 
 skip-wait-for-delete-timeout
@@ -7970,7 +7584,15 @@ applications.

 
 
kubectl taint nodes foo bar:NoSchedule
 

-
Update the taints on one or more nodes.

    A taint consists of a key, value, and effect. As an argument here, it is expressed as key=value:effect.
    The key must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 253 characters.
    Optionally, the key can begin with a DNS subdomain prefix and a single '/', like example.com/my-app.
    The value is optional. If given, it must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters.
    The effect must be NoSchedule, PreferNoSchedule or NoExecute.
    Currently taint can only apply to node.

+
Update the taints on one or more nodes.

+
    
+
  • A taint consists of a key, value, and effect. As an argument here, it is expressed as key=value:effect.
    • 
+
  • The key must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to  253 characters.
    • 
+
  • Optionally, the key can begin with a DNS subdomain prefix and a single '/', like example.com/my-app.
    • 
+
  • The value is optional. If given, it must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to  63 characters.
    • 
+
  • The effect must be NoSchedule, PreferNoSchedule or NoExecute.
    • 
+
  • Currently taint can only apply to node.
    • 
+

 
Usage

 
$ kubectl taint NODE NAME KEY_1=VAL_1:TAINT_EFFECT_1 ... KEY_N=VAL_N:TAINT_EFFECT_N

 
Flags

@@ -8012,7 +7634,7 @@ applications.

 output
 o
 
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 overwrite
@@ -8024,7 +7646,7 @@ applications.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) 
 
 
 show-managed-fields
@@ -8041,8 +7663,8 @@ applications.

 
 validate
 
-strict
-Must be one of: strict (or true), warn, ignore (or false).
        "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
        "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
        "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. 
+true
+If true, use a schema to validate the input before sending it 
 
 
 
@@ -8077,7 +7699,7 @@ applications.

 selector
 l
 
-Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. 
+Selector (label query) to filter on 
 
 
 
@@ -8088,28 +7710,40 @@ applications.

 
Usage

 
$ kubectl alpha

 

-
auth

-
Inspect authorization

-
Usage

-
$ kubectl alpha auth

-

-
auth whoami

+
api-resources

 

-
 Get your subject attributes.

+
 Print the supported API resources

 

-
kubectl alpha auth whoami
+
kubectl api-resources
 

 

-
 Get your subject attributes in JSON format.

+
 Print the supported API resources with more information

 

-
kubectl alpha auth whoami -o json
+
kubectl api-resources -o wide
 

-
Experimental: Check who you are and your attributes (groups, extra).

-
  This command is helpful to get yourself aware of the current user attributes,
-  especially when dynamic authentication, e.g., token webhook, auth proxy, or OIDC provider,
-  is enabled in the Kubernetes cluster.

+

+
 Print the supported API resources sorted by a column

+

+
kubectl api-resources --sort-by=name
+

+

+
 Print the supported namespaced resources

+

+
kubectl api-resources --namespaced=true
+

+

+
 Print the supported non-namespaced resources

+

+
kubectl api-resources --namespaced=false
+

+

+
 Print the supported API resources with a specific APIGroup

+

+
kubectl api-resources --api-group=extensions
+

+
Print the supported API resources on the server.

 
Usage

-
$ kubectl alpha auth whoami

+
$ kubectl api-resources

 
Flags

 
@@ -8122,28 +7756,46 @@ applications.

-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
-
+
-
+
-
-
+
+
-
+
-
-
+
+

 
 
 
 
allow-missing-template-keysapi-groupLimit to resources in the specified API group. 
cachedfalseUse the cached list of resources if available. 
namespaced
 
 trueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. If false, non-namespaced resources will be returned, otherwise returning namespaced resources by default. 
no-headersfalseWhen using the default or custom-column output format, don't print headers (default print headers). 
 

 

 output
 o
 Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). Output format. One of: wide|name. 
 

 
show-managed-fieldssort-by
 falseIf true, keep the managedFields when printing objects in JSON or YAML format. If non-empty, sort list of resources using specified field. The field can be either 'name' or 'kind'. 
 

 
templateverbs
 Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. []Limit to resources that support the specified verbs. 
 

 
 

@@ -8192,66 +7844,28 @@ source $HOME/.bash_profile
 
 
kubectl completion zsh > "${fpath[1]}/_kubectl"
 

-

-
 Load the kubectl completion code for fish[2] into the current shell

-

-
kubectl completion fish | source
-

-

-
 To load completions for each session, execute once:

-

-
kubectl completion fish > ~/.config/fish/completions/kubectl.fish
-

-

-
 Load the kubectl completion code for powershell into the current shell

-

-
kubectl completion powershell | Out-String | Invoke-Expression
-

-

-
 Set kubectl completion code for powershell to run on startup ## Save completion code to a script and execute in the profile

-

-
kubectl completion powershell > $HOME\.kube\completion.ps1
-Add-Content $PROFILE "$HOME\.kube\completion.ps1"
-

-

-
 Execute completion code in the profile

-

-
Add-Content $PROFILE "if (Get-Command kubectl -ErrorAction SilentlyContinue) {
-kubectl completion powershell | Out-String | Invoke-Expression
-}"
-

-

-
 Add completion code directly to the $PROFILE script

-

-
kubectl completion powershell >> $PROFILE
-

-
Output shell completion code for the specified shell (bash, zsh, fish, or powershell). The shell code must be evaluated to provide interactive completion of kubectl commands.  This can be done by sourcing it from the .bash_profile.

 Detailed instructions on how to do this are available here:

  for macOS:
  https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/#enable-shell-autocompletion
  
  for linux:
  https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-shell-autocompletion
  
  for windows:
  https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/#enable-shell-autocompletion
  
 Note for zsh users: [1] zsh completions are only supported in versions of zsh >= 5.2.

+
Output shell completion code for the specified shell (bash or zsh). The shell code must be evaluated to provide interactive completion of kubectl commands.  This can be done by sourcing it from the .bash_profile.

+
 Detailed instructions on how to do this are available here:

+
  for macOS:
+  https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/#enable-shell-autocompletion

+
  for linux:
+  https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-shell-autocompletion

+
  for windows:
+  https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/#enable-shell-autocompletion

+
 Note for zsh users: [1] zsh completions are only supported in versions of zsh >= 5.2.

 
Usage

 
$ kubectl completion SHELL

 

 
config

-
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"

 The loading order follows these rules:

  1.  If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.
  2.  If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.
  3.  Otherwise, ${HOME}/.kube/config is used and no merging takes place.

+
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"

+
 The loading order follows these rules:

+
    
+
  1. If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.
    2. 
+
  2. If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.
    3. 
+
  3. Otherwise, ${HOME}/.kube/config is used and no merging takes place.
    4. 
+

 
Usage

 
$ kubectl config SUBCOMMAND

-
Flags

-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
NameShorthandDefaultUsage
kubeconfiguse a particular kubeconfig file 

 

 
current-context

 

@@ -8338,7 +7952,7 @@ kubectl completion powershell | Out-String | Invoke-Ex
 output
 o
 
-Output format. One of: (name). 
+Output format. One of: name 
 
 
 
@@ -8425,7 +8039,7 @@ kubectl completion powershell | Out-String | Invoke-Ex
 
kubectl config set-cluster e2e --embed-certs --certificate-authority=~/.kube/e2e/kubernetes.ca.crt
 

 

-
 Disable cert checking for the e2e cluster entry

+
 Disable cert checking for the dev cluster entry

 

 
kubectl config set-cluster e2e --insecure-skip-tls-verify=true
 

@@ -8434,11 +8048,6 @@ kubectl completion powershell | Out-String | Invoke-Ex
 

 
kubectl config set-cluster e2e --tls-server-name=my-cluster-name
 

-

-
 Set proxy url for the e2e cluster entry

-

-
kubectl config set-cluster e2e --proxy-url=https://1.2.3.4
-

 
Set a cluster entry in kubeconfig.

 
 Specifying a name that already exists will merge new fields on top of existing values for those fields.

 
Usage

@@ -8455,41 +8064,11 @@ kubectl completion powershell | Out-String | Invoke-Ex
 
 
 
-certificate-authority
-
-
-Path to certificate-authority file for the cluster entry in kubeconfig 
-
-
 embed-certs
 
 false
 embed-certs for the cluster entry in kubeconfig 
 
-
-insecure-skip-tls-verify
-
-false
-insecure-skip-tls-verify for the cluster entry in kubeconfig 
-
-
-proxy-url
-
-
-proxy-url for the cluster entry in kubeconfig 
-
-
-server
-
-
-server for the cluster entry in kubeconfig 
-
-
-tls-server-name
-
-
-tls-server-name for the cluster entry in kubeconfig 
-
 
 
 

@@ -8515,29 +8094,11 @@ kubectl completion powershell | Out-String | Invoke-Ex
 
 
 
-cluster
-
-
-cluster for the context entry in kubeconfig 
-
-
 current
 
 false
 Modify the current context 
 
-
-namespace
-
-
-namespace for the context entry in kubeconfig 
-
-
-user
-
-
-user for the context entry in kubeconfig 
-
 
 
 

@@ -8627,18 +8188,6 @@ kubectl completion powershell | Out-String | Invoke-Ex
 'key=value' arguments for the auth provider 
 
 
-client-certificate
-
-
-Path to client-certificate file for the user entry in kubeconfig 
-
-
-client-key
-
-
-Path to client-key file for the user entry in kubeconfig 
-
-
 embed-certs
 
 false
@@ -8668,24 +8217,6 @@ kubectl completion powershell | Out-String | Invoke-Ex
 []
 'key=value' environment values for the exec credential plugin 
 
-
-password
-
-
-password for the user entry in kubeconfig 
-
-
-token
-
-
-token for the user entry in kubeconfig 
-
-
-username
-
-
-username for the user entry in kubeconfig 
-
 
 
 

@@ -8722,7 +8253,7 @@ kubectl completion powershell | Out-String | Invoke-Ex
 
kubectl config view
 

 

-
 Show merged kubeconfig settings and raw certificate data and exposed secrets

+
 Show merged kubeconfig settings and raw certificate data

 

 
kubectl config view --raw
 

@@ -8774,13 +8305,13 @@ kubectl completion powershell | Out-String | Invoke-Ex
 output
 o
 yaml
-Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). 
+Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. 
 
 
 raw
 
 false
-Display raw byte data and sensitive data 
+Display raw byte data 
 
 
 show-managed-fields
@@ -8808,7 +8339,11 @@ kubectl completion powershell | Out-String | Invoke-Ex
 
 
kubectl explain pods.spec.containers
 

-
List the fields for supported resources.

 This command describes the fields associated with each supported API resource. Fields are identified via a simple JSONPath identifier:

  <type>.<fieldName>[.<fieldName>]
  
 Add the --recursive flag to display all of the fields at once without descriptions. Information about each field is retrieved from the server in OpenAPI format.

Use "kubectl api-resources" for a complete list of supported resources.

+
List the fields for supported resources.

+
 This command describes the fields associated with each supported API resource. Fields are identified via a simple JSONPath identifier:

+
  <type>.<fieldName>[.<fieldName>]

+
 Add the --recursive flag to display all of the fields at once without descriptions. Information about each field is retrieved from the server in OpenAPI format.

+
Use "kubectl api-resources" for a complete list of supported resources.

 
Usage

 
$ kubectl explain RESOURCE

 
Flags

@@ -8848,16 +8383,13 @@ kubectl completion powershell | Out-String | Invoke-Ex
 
$ kubectl options

 

 
plugin

-
Provides utilities for interacting with plugins.

 Plugins provide extended functionality that is not part of the major command-line distribution. Please refer to the documentation and examples for more information about how write your own plugins.

 The easiest way to discover and install plugins is via the kubernetes sub-project krew. To install krew, visit https://krew.sigs.k8s.io/docs/user-guide/setup/install/ krew.sigs.k8s.io https://krew.sigs.k8s.io/docs/user-guide/setup/install/

+
Provides utilities for interacting with plugins.

+
 Plugins provide extended functionality that is not part of the major command-line distribution. Please refer to the documentation and examples for more information about how write your own plugins.

+
 The easiest way to discover and install plugins is via the kubernetes sub-project krew. To install krew, visit https://krew.sigs.k8s.io/docs/user-guide/setup/install/

 
Usage

 
$ kubectl plugin [flags]

 

 
list

-

-
 List all available plugins

-

-
kubectl plugin list
-

 
List all available plugin files on a user's PATH.

 
 Available plugin files are those that are: - executable - anywhere on the user's PATH - begin with "kubectl-"

 
Usage

diff --git a/static/docs/reference/generated/kubectl/navData.js b/static/docs/reference/generated/kubectl/navData.js
index 636aa29b90f..e6f8f066deb 100644
--- a/static/docs/reference/generated/kubectl/navData.js
+++ b/static/docs/reference/generated/kubectl/navData.js
@@ -1 +1 @@
-(function(){navData = {"toc":[{"section":"version","subsections":[]},{"section":"plugin","subsections":[{"section":"-em-list-em-"}]},{"section":"options","subsections":[]},{"section":"explain","subsections":[]},{"section":"config","subsections":[{"section":"-em-view-em-"},{"section":"-em-use-context-em-"},{"section":"-em-unset-em-"},{"section":"-em-set-credentials-em-"},{"section":"-em-set-context-em-"},{"section":"-em-set-cluster-em-"},{"section":"-em-set-em-"},{"section":"-em-rename-context-em-"},{"section":"-em-get-users-em-"},{"section":"-em-get-contexts-em-"},{"section":"-em-get-clusters-em-"},{"section":"-em-delete-user-em-"},{"section":"-em-delete-context-em-"},{"section":"-em-delete-cluster-em-"},{"section":"-em-current-context-em-"}]},{"section":"completion","subsections":[]},{"section":"alpha","subsections":[{"section":"-em-auth-whoami-em-"},{"section":"-em-auth-em-"}]},{"section":"-strong-kubectl-settings-and-usage-strong-","subsections":[]},{"section":"uncordon","subsections":[]},{"section":"taint","subsections":[]},{"section":"drain","subsections":[]},{"section":"cordon","subsections":[]},{"section":"cluster-info","subsections":[{"section":"-em-dump-em-"}]},{"section":"certificate","subsections":[{"section":"-em-deny-em-"},{"section":"-em-approve-em-"}]},{"section":"api-resources","subsections":[]},{"section":"api-versions","subsections":[]},{"section":"-strong-cluster-management-strong-","subsections":[]},{"section":"top","subsections":[{"section":"-em-pod-em-"},{"section":"-em-node-em-"}]},{"section":"proxy","subsections":[]},{"section":"port-forward","subsections":[]},{"section":"logs","subsections":[]},{"section":"exec","subsections":[]},{"section":"events","subsections":[]},{"section":"describe","subsections":[]},{"section":"cp","subsections":[]},{"section":"auth","subsections":[{"section":"-em-reconcile-em-"},{"section":"-em-can-i-em-"}]},{"section":"attach","subsections":[]},{"section":"-strong-working-with-apps-strong-","subsections":[]},{"section":"wait","subsections":[]},{"section":"set","subsections":[{"section":"-em-subject-em-"},{"section":"-em-serviceaccount-em--1"},{"section":"-em-selector-em-"},{"section":"-em-resources-em-"},{"section":"-em-image-em-"},{"section":"-em-env-em-"}]},{"section":"scale","subsections":[]},{"section":"rollout","subsections":[{"section":"-em-undo-em-"},{"section":"-em-status-em-"},{"section":"-em-resume-em-"},{"section":"-em-restart-em-"},{"section":"-em-pause-em-"},{"section":"-em-history-em-"}]},{"section":"replace","subsections":[]},{"section":"patch","subsections":[]},{"section":"label","subsections":[]},{"section":"kustomize","subsections":[]},{"section":"edit","subsections":[]},{"section":"diff","subsections":[]},{"section":"debug","subsections":[]},{"section":"autoscale","subsections":[]},{"section":"annotate","subsections":[]},{"section":"apply","subsections":[{"section":"-em-view-last-applied-em-"},{"section":"-em-set-last-applied-em-"},{"section":"-em-edit-last-applied-em-"}]},{"section":"-strong-app-management-strong-","subsections":[]},{"section":"delete","subsections":[]},{"section":"expose","subsections":[]},{"section":"run","subsections":[]},{"section":"get","subsections":[]},{"section":"create","subsections":[{"section":"-em-token-em-"},{"section":"-em-serviceaccount-em-"},{"section":"-em-service-nodeport-em-"},{"section":"-em-service-loadbalancer-em-"},{"section":"-em-service-externalname-em-"},{"section":"-em-service-clusterip-em-"},{"section":"-em-service-em-"},{"section":"-em-secret-tls-em-"},{"section":"-em-secret-generic-em-"},{"section":"-em-secret-docker-registry-em-"},{"section":"-em-secret-em-"},{"section":"-em-rolebinding-em-"},{"section":"-em-role-em-"},{"section":"-em-quota-em-"},{"section":"-em-priorityclass-em-"},{"section":"-em-poddisruptionbudget-em-"},{"section":"-em-namespace-em-"},{"section":"-em-job-em-"},{"section":"-em-ingress-em-"},{"section":"-em-deployment-em-"},{"section":"-em-cronjob-em-"},{"section":"-em-configmap-em-"},{"section":"-em-clusterrolebinding-em-"},{"section":"-em-clusterrole-em-"}]},{"section":"-strong-getting-started-strong-","subsections":[]}],"flatToc":["version","-em-list-em-","plugin","options","explain","-em-view-em-","-em-use-context-em-","-em-unset-em-","-em-set-credentials-em-","-em-set-context-em-","-em-set-cluster-em-","-em-set-em-","-em-rename-context-em-","-em-get-users-em-","-em-get-contexts-em-","-em-get-clusters-em-","-em-delete-user-em-","-em-delete-context-em-","-em-delete-cluster-em-","-em-current-context-em-","config","completion","-em-auth-whoami-em-","-em-auth-em-","alpha","-strong-kubectl-settings-and-usage-strong-","uncordon","taint","drain","cordon","-em-dump-em-","cluster-info","-em-deny-em-","-em-approve-em-","certificate","api-resources","api-versions","-strong-cluster-management-strong-","-em-pod-em-","-em-node-em-","top","proxy","port-forward","logs","exec","events","describe","cp","-em-reconcile-em-","-em-can-i-em-","auth","attach","-strong-working-with-apps-strong-","wait","-em-subject-em-","-em-serviceaccount-em--1","-em-selector-em-","-em-resources-em-","-em-image-em-","-em-env-em-","set","scale","-em-undo-em-","-em-status-em-","-em-resume-em-","-em-restart-em-","-em-pause-em-","-em-history-em-","rollout","replace","patch","label","kustomize","edit","diff","debug","autoscale","annotate","-em-view-last-applied-em-","-em-set-last-applied-em-","-em-edit-last-applied-em-","apply","-strong-app-management-strong-","delete","expose","run","get","-em-token-em-","-em-serviceaccount-em-","-em-service-nodeport-em-","-em-service-loadbalancer-em-","-em-service-externalname-em-","-em-service-clusterip-em-","-em-service-em-","-em-secret-tls-em-","-em-secret-generic-em-","-em-secret-docker-registry-em-","-em-secret-em-","-em-rolebinding-em-","-em-role-em-","-em-quota-em-","-em-priorityclass-em-","-em-poddisruptionbudget-em-","-em-namespace-em-","-em-job-em-","-em-ingress-em-","-em-deployment-em-","-em-cronjob-em-","-em-configmap-em-","-em-clusterrolebinding-em-","-em-clusterrole-em-","create","-strong-getting-started-strong-"]};})();
\ No newline at end of file
+(function(){navData = {"toc":[{"section":"version","subsections":[]},{"section":"plugin","subsections":[{"section":"-em-list-em-"}]},{"section":"options","subsections":[]},{"section":"explain","subsections":[]},{"section":"config","subsections":[{"section":"-em-view-em-"},{"section":"-em-use-context-em-"},{"section":"-em-unset-em-"},{"section":"-em-set-credentials-em-"},{"section":"-em-set-context-em-"},{"section":"-em-set-cluster-em-"},{"section":"-em-set-em-"},{"section":"-em-rename-context-em-"},{"section":"-em-get-users-em-"},{"section":"-em-get-contexts-em-"},{"section":"-em-get-clusters-em-"},{"section":"-em-delete-user-em-"},{"section":"-em-delete-context-em-"},{"section":"-em-delete-cluster-em-"},{"section":"-em-current-context-em-"}]},{"section":"completion","subsections":[]},{"section":"api-resources","subsections":[]},{"section":"alpha","subsections":[]},{"section":"-strong-kubectl-settings-and-usage-strong-","subsections":[]},{"section":"uncordon","subsections":[]},{"section":"taint","subsections":[]},{"section":"drain","subsections":[]},{"section":"cordon","subsections":[]},{"section":"cluster-info","subsections":[{"section":"-em-dump-em-"}]},{"section":"certificate","subsections":[{"section":"-em-deny-em-"},{"section":"-em-approve-em-"}]},{"section":"api-versions","subsections":[]},{"section":"-strong-cluster-management-strong-","subsections":[]},{"section":"top","subsections":[{"section":"-em-pod-em-"},{"section":"-em-node-em-"}]},{"section":"proxy","subsections":[]},{"section":"port-forward","subsections":[]},{"section":"logs","subsections":[]},{"section":"exec","subsections":[]},{"section":"describe","subsections":[]},{"section":"cp","subsections":[]},{"section":"auth","subsections":[{"section":"-em-reconcile-em-"},{"section":"-em-can-i-em-"}]},{"section":"attach","subsections":[]},{"section":"-strong-working-with-apps-strong-","subsections":[]},{"section":"wait","subsections":[]},{"section":"set","subsections":[{"section":"-em-subject-em-"},{"section":"-em-serviceaccount-em--1"},{"section":"-em-selector-em-"},{"section":"-em-resources-em-"},{"section":"-em-image-em-"},{"section":"-em-env-em-"}]},{"section":"scale","subsections":[]},{"section":"rollout","subsections":[{"section":"-em-undo-em-"},{"section":"-em-status-em-"},{"section":"-em-resume-em-"},{"section":"-em-restart-em-"},{"section":"-em-pause-em-"},{"section":"-em-history-em-"}]},{"section":"replace","subsections":[]},{"section":"patch","subsections":[]},{"section":"label","subsections":[]},{"section":"kustomize","subsections":[]},{"section":"edit","subsections":[]},{"section":"diff","subsections":[]},{"section":"debug","subsections":[]},{"section":"autoscale","subsections":[]},{"section":"annotate","subsections":[]},{"section":"apply","subsections":[{"section":"-em-view-last-applied-em-"},{"section":"-em-set-last-applied-em-"},{"section":"-em-edit-last-applied-em-"}]},{"section":"-strong-app-management-strong-","subsections":[]},{"section":"delete","subsections":[]},{"section":"expose","subsections":[]},{"section":"run","subsections":[]},{"section":"get","subsections":[]},{"section":"create","subsections":[{"section":"-em-serviceaccount-em-"},{"section":"-em-service-nodeport-em-"},{"section":"-em-service-loadbalancer-em-"},{"section":"-em-service-externalname-em-"},{"section":"-em-service-clusterip-em-"},{"section":"-em-service-em-"},{"section":"-em-secret-tls-em-"},{"section":"-em-secret-generic-em-"},{"section":"-em-secret-docker-registry-em-"},{"section":"-em-secret-em-"},{"section":"-em-rolebinding-em-"},{"section":"-em-role-em-"},{"section":"-em-quota-em-"},{"section":"-em-priorityclass-em-"},{"section":"-em-poddisruptionbudget-em-"},{"section":"-em-namespace-em-"},{"section":"-em-job-em-"},{"section":"-em-ingress-em-"},{"section":"-em-deployment-em-"},{"section":"-em-cronjob-em-"},{"section":"-em-configmap-em-"},{"section":"-em-clusterrolebinding-em-"},{"section":"-em-clusterrole-em-"}]},{"section":"-strong-getting-started-strong-","subsections":[]}],"flatToc":["version","-em-list-em-","plugin","options","explain","-em-view-em-","-em-use-context-em-","-em-unset-em-","-em-set-credentials-em-","-em-set-context-em-","-em-set-cluster-em-","-em-set-em-","-em-rename-context-em-","-em-get-users-em-","-em-get-contexts-em-","-em-get-clusters-em-","-em-delete-user-em-","-em-delete-context-em-","-em-delete-cluster-em-","-em-current-context-em-","config","completion","api-resources","alpha","-strong-kubectl-settings-and-usage-strong-","uncordon","taint","drain","cordon","-em-dump-em-","cluster-info","-em-deny-em-","-em-approve-em-","certificate","api-versions","-strong-cluster-management-strong-","-em-pod-em-","-em-node-em-","top","proxy","port-forward","logs","exec","describe","cp","-em-reconcile-em-","-em-can-i-em-","auth","attach","-strong-working-with-apps-strong-","wait","-em-subject-em-","-em-serviceaccount-em--1","-em-selector-em-","-em-resources-em-","-em-image-em-","-em-env-em-","set","scale","-em-undo-em-","-em-status-em-","-em-resume-em-","-em-restart-em-","-em-pause-em-","-em-history-em-","rollout","replace","patch","label","kustomize","edit","diff","debug","autoscale","annotate","-em-view-last-applied-em-","-em-set-last-applied-em-","-em-edit-last-applied-em-","apply","-strong-app-management-strong-","delete","expose","run","get","-em-serviceaccount-em-","-em-service-nodeport-em-","-em-service-loadbalancer-em-","-em-service-externalname-em-","-em-service-clusterip-em-","-em-service-em-","-em-secret-tls-em-","-em-secret-generic-em-","-em-secret-docker-registry-em-","-em-secret-em-","-em-rolebinding-em-","-em-role-em-","-em-quota-em-","-em-priorityclass-em-","-em-poddisruptionbudget-em-","-em-namespace-em-","-em-job-em-","-em-ingress-em-","-em-deployment-em-","-em-cronjob-em-","-em-configmap-em-","-em-clusterrolebinding-em-","-em-clusterrole-em-","create","-strong-getting-started-strong-"]};})();
\ No newline at end of file
diff --git a/static/docs/reference/generated/kubectl/node_modules/jquery.scrollto/jquery.scrollTo.min.js b/static/docs/reference/generated/kubectl/node_modules/jquery.scrollto/jquery.scrollTo.min.js
index 65a020d92ad..3f7d1457532 100644
--- a/static/docs/reference/generated/kubectl/node_modules/jquery.scrollto/jquery.scrollTo.min.js
+++ b/static/docs/reference/generated/kubectl/node_modules/jquery.scrollto/jquery.scrollTo.min.js
@@ -1,7 +1,7 @@
-/**
- * Copyright (c) 2007-2015 Ariel Flesler - afleslergmailcom | http://flesler.blogspot.com
- * Licensed under MIT
- * @author Ariel Flesler
- * @version 2.1.2
- */
-;(function(f){"use strict";"function"===typeof define&&define.amd?define(["jquery"],f):"undefined"!==typeof module&&module.exports?module.exports=f(require("jquery")):f(jQuery)})(function($){"use strict";function n(a){return!a.nodeName||-1!==$.inArray(a.nodeName.toLowerCase(),["iframe","#document","html","body"])}function h(a){return $.isFunction(a)||$.isPlainObject(a)?a:{top:a,left:a}}var p=$.scrollTo=function(a,d,b){return $(window).scrollTo(a,d,b)};p.defaults={axis:"xy",duration:0,limit:!0};$.fn.scrollTo=function(a,d,b){"object"=== typeof d&&(b=d,d=0);"function"===typeof b&&(b={onAfter:b});"max"===a&&(a=9E9);b=$.extend({},p.defaults,b);d=d||b.duration;var u=b.queue&&1=f[g]?0:Math.min(f[g],n));!a&&11;if(queue){duration/=2}settings.offset=both(settings.offset);settings.over=both(settings.over);return this.each(function(){if(target===null){return}var win=isWin(this),elem=win?this.contentWindow||window:this,$elem=$(elem),targ=target,attr={},toff;switch(typeof targ){case 'number':case 'string':if(/^([+-]=?)?\d+(\.\d+)?(px|%)?$/.test(targ)){targ=both(targ);break}targ=win?$(targ):$(targ,elem);case 'object':if(targ.length===0){return}if(targ.is||targ.style){toff=(targ=$(targ)).offset()}}var offset=isFunction(settings.offset)&&settings.offset(elem,targ)||settings.offset;$.each(settings.axis.split(''),function(i,axis){var Pos=axis==='x'?'Left':'Top',pos=Pos.toLowerCase(),key='scroll'+Pos,prev=$elem[key](),max=$scrollTo.max(elem,axis);if(toff){attr[key]=toff[pos]+(win?0:prev-$elem.offset()[pos]);if(settings.margin){attr[key]-=parseInt(targ.css('margin'+Pos),10)||0;attr[key]-=parseInt(targ.css('border'+Pos+'Width'),10)||0}attr[key]+=offset[pos]||0;if(settings.over[pos]){attr[key]+=targ[axis==='x'?'width':'height']()*settings.over[pos]}}else{var val=targ[pos];attr[key]=val.slice&&val.slice(-1)==='%'?parseFloat(val)/100*max:val}if(settings.limit&&/^\d+$/.test(attr[key])){attr[key]=attr[key]<=0?0:Math.min(attr[key],max)}if(!i&&settings.axis.length>1){if(prev===attr[key]){attr={}}else if(queue){animate(settings.onAfterFirst);attr={}}}});animate(settings.onAfter);function animate(callback){var opts=$.extend({},settings,{queue:true,duration:duration,complete:callback&&function(){callback.call(elem,targ,settings)}});$elem.animate(attr,opts)}})};$scrollTo.max=function(elem,axis){var Dim=axis==='x'?'Width':'Height',scroll='scroll'+Dim;if(!isWin(elem)){return elem[scroll]-$(elem)[Dim.toLowerCase()]()}var size='client'+Dim,doc=elem.ownerDocument||elem.document,html=doc.documentElement,body=doc.body;return Math.max(html[scroll],body[scroll])-Math.min(html[size],body[size])};function both(val){return isFunction(val)||$.isPlainObject(val)?val:{top:val,left:val}}$.Tween.propHooks.scrollLeft=$.Tween.propHooks.scrollTop={get:function(t){return $(t.elem)[t.prop]()},set:function(t){var curr=this.get(t);if(t.options.interrupt&&t._last&&t._last!==curr){return $(t.elem).stop()}var next=Math.round(t.now);if(curr!==next){$(t.elem)[t.prop](next);t._last=this.get(t)}}};return $scrollTo});
diff --git a/static/docs/reference/generated/kubectl/node_modules/jquery/dist/jquery.min.js b/static/docs/reference/generated/kubectl/node_modules/jquery/dist/jquery.min.js
index a1c07fd803b..c4c6022f298 100644
--- a/static/docs/reference/generated/kubectl/node_modules/jquery/dist/jquery.min.js
+++ b/static/docs/reference/generated/kubectl/node_modules/jquery/dist/jquery.min.js
@@ -1,2 +1,2 @@
-/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */
-!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],E=C.document,r=Object.getPrototypeOf,s=t.slice,g=t.concat,u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[o.call(e)]||"object":typeof e}var f="3.4.1",k=function(e,t){return new k.fn.init(e,t)},p=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g;function d(e){var t=!!e&&"length"in e&&e.length,n=w(e);return!m(e)&&!x(e)&&("array"===n||0===t||"number"==typeof t&&0+~]|"+M+")"+M+"*"),U=new RegExp(M+"|>"),X=new RegExp($),V=new RegExp("^"+I+"$"),G={ID:new RegExp("^#("+I+")"),CLASS:new RegExp("^\\.("+I+")"),TAG:new RegExp("^("+I+"|[*])"),ATTR:new RegExp("^"+W),PSEUDO:new RegExp("^"+$),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+M+"*(even|odd|(([+-]|)(\\d*)n|)"+M+"*(?:([+-]|)"+M+"*(\\d+)|))"+M+"*\\)|)","i"),bool:new RegExp("^(?:"+R+")$","i"),needsContext:new RegExp("^"+M+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+M+"*((?:-\\d)?\\d*)"+M+"*\\)|)(?=[^-]|$)","i")},Y=/HTML$/i,Q=/^(?:input|select|textarea|button)$/i,J=/^h\d$/i,K=/^[^{]+\{\s*\[native \w/,Z=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,ee=/[+~]/,te=new RegExp("\\\\([\\da-f]{1,6}"+M+"?|("+M+")|.)","ig"),ne=function(e,t,n){var r="0x"+t-65536;return r!=r||n?t:r<0?String.fromCharCode(r+65536):String.fromCharCode(r>>10|55296,1023&r|56320)},re=/([\0-\x1f\x7f]|^-?\d)|^-$|[^\0-\x1f\x7f-\uFFFF\w-]/g,ie=function(e,t){return t?"\0"===e?"\ufffd":e.slice(0,-1)+"\\"+e.charCodeAt(e.length-1).toString(16)+" ":"\\"+e},oe=function(){T()},ae=be(function(e){return!0===e.disabled&&"fieldset"===e.nodeName.toLowerCase()},{dir:"parentNode",next:"legend"});try{H.apply(t=O.call(m.childNodes),m.childNodes),t[m.childNodes.length].nodeType}catch(e){H={apply:t.length?function(e,t){L.apply(e,O.call(t))}:function(e,t){var n=e.length,r=0;while(e[n++]=t[r++]);e.length=n-1}}}function se(t,e,n,r){var i,o,a,s,u,l,c,f=e&&e.ownerDocument,p=e?e.nodeType:9;if(n=n||[],"string"!=typeof t||!t||1!==p&&9!==p&&11!==p)return n;if(!r&&((e?e.ownerDocument||e:m)!==C&&T(e),e=e||C,E)){if(11!==p&&(u=Z.exec(t)))if(i=u[1]){if(9===p){if(!(a=e.getElementById(i)))return n;if(a.id===i)return n.push(a),n}else if(f&&(a=f.getElementById(i))&&y(e,a)&&a.id===i)return n.push(a),n}else{if(u[2])return H.apply(n,e.getElementsByTagName(t)),n;if((i=u[3])&&d.getElementsByClassName&&e.getElementsByClassName)return H.apply(n,e.getElementsByClassName(i)),n}if(d.qsa&&!A[t+" "]&&(!v||!v.test(t))&&(1!==p||"object"!==e.nodeName.toLowerCase())){if(c=t,f=e,1===p&&U.test(t)){(s=e.getAttribute("id"))?s=s.replace(re,ie):e.setAttribute("id",s=k),o=(l=h(t)).length;while(o--)l[o]="#"+s+" "+xe(l[o]);c=l.join(","),f=ee.test(t)&&ye(e.parentNode)||e}try{return H.apply(n,f.querySelectorAll(c)),n}catch(e){A(t,!0)}finally{s===k&&e.removeAttribute("id")}}}return g(t.replace(B,"$1"),e,n,r)}function ue(){var r=[];return function e(t,n){return r.push(t+" ")>b.cacheLength&&delete e[r.shift()],e[t+" "]=n}}function le(e){return e[k]=!0,e}function ce(e){var t=C.createElement("fieldset");try{return!!e(t)}catch(e){return!1}finally{t.parentNode&&t.parentNode.removeChild(t),t=null}}function fe(e,t){var n=e.split("|"),r=n.length;while(r--)b.attrHandle[n[r]]=t}function pe(e,t){var n=t&&e,r=n&&1===e.nodeType&&1===t.nodeType&&e.sourceIndex-t.sourceIndex;if(r)return r;if(n)while(n=n.nextSibling)if(n===t)return-1;return e?1:-1}function de(t){return function(e){return"input"===e.nodeName.toLowerCase()&&e.type===t}}function he(n){return function(e){var t=e.nodeName.toLowerCase();return("input"===t||"button"===t)&&e.type===n}}function ge(t){return function(e){return"form"in e?e.parentNode&&!1===e.disabled?"label"in e?"label"in e.parentNode?e.parentNode.disabled===t:e.disabled===t:e.isDisabled===t||e.isDisabled!==!t&&ae(e)===t:e.disabled===t:"label"in e&&e.disabled===t}}function ve(a){return le(function(o){return o=+o,le(function(e,t){var n,r=a([],e.length,o),i=r.length;while(i--)e[n=r[i]]&&(e[n]=!(t[n]=e[n]))})})}function ye(e){return e&&"undefined"!=typeof e.getElementsByTagName&&e}for(e in d=se.support={},i=se.isXML=function(e){var t=e.namespaceURI,n=(e.ownerDocument||e).documentElement;return!Y.test(t||n&&n.nodeName||"HTML")},T=se.setDocument=function(e){var t,n,r=e?e.ownerDocument||e:m;return r!==C&&9===r.nodeType&&r.documentElement&&(a=(C=r).documentElement,E=!i(C),m!==C&&(n=C.defaultView)&&n.top!==n&&(n.addEventListener?n.addEventListener("unload",oe,!1):n.attachEvent&&n.attachEvent("onunload",oe)),d.attributes=ce(function(e){return e.className="i",!e.getAttribute("className")}),d.getElementsByTagName=ce(function(e){return e.appendChild(C.createComment("")),!e.getElementsByTagName("*").length}),d.getElementsByClassName=K.test(C.getElementsByClassName),d.getById=ce(function(e){return a.appendChild(e).id=k,!C.getElementsByName||!C.getElementsByName(k).length}),d.getById?(b.filter.ID=function(e){var t=e.replace(te,ne);return function(e){return e.getAttribute("id")===t}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n=t.getElementById(e);return n?[n]:[]}}):(b.filter.ID=function(e){var n=e.replace(te,ne);return function(e){var t="undefined"!=typeof e.getAttributeNode&&e.getAttributeNode("id");return t&&t.value===n}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n,r,i,o=t.getElementById(e);if(o){if((n=o.getAttributeNode("id"))&&n.value===e)return[o];i=t.getElementsByName(e),r=0;while(o=i[r++])if((n=o.getAttributeNode("id"))&&n.value===e)return[o]}return[]}}),b.find.TAG=d.getElementsByTagName?function(e,t){return"undefined"!=typeof t.getElementsByTagName?t.getElementsByTagName(e):d.qsa?t.querySelectorAll(e):void 0}:function(e,t){var n,r=[],i=0,o=t.getElementsByTagName(e);if("*"===e){while(n=o[i++])1===n.nodeType&&r.push(n);return r}return o},b.find.CLASS=d.getElementsByClassName&&function(e,t){if("undefined"!=typeof t.getElementsByClassName&&E)return t.getElementsByClassName(e)},s=[],v=[],(d.qsa=K.test(C.querySelectorAll))&&(ce(function(e){a.appendChild(e).innerHTML="",e.querySelectorAll("[msallowcapture^='']").length&&v.push("[*^$]="+M+"*(?:''|\"\")"),e.querySelectorAll("[selected]").length||v.push("\\["+M+"*(?:value|"+R+")"),e.querySelectorAll("[id~="+k+"-]").length||v.push("~="),e.querySelectorAll(":checked").length||v.push(":checked"),e.querySelectorAll("a#"+k+"+*").length||v.push(".#.+[+~]")}),ce(function(e){e.innerHTML="";var t=C.createElement("input");t.setAttribute("type","hidden"),e.appendChild(t).setAttribute("name","D"),e.querySelectorAll("[name=d]").length&&v.push("name"+M+"*[*^$|!~]?="),2!==e.querySelectorAll(":enabled").length&&v.push(":enabled",":disabled"),a.appendChild(e).disabled=!0,2!==e.querySelectorAll(":disabled").length&&v.push(":enabled",":disabled"),e.querySelectorAll("*,:x"),v.push(",.*:")})),(d.matchesSelector=K.test(c=a.matches||a.webkitMatchesSelector||a.mozMatchesSelector||a.oMatchesSelector||a.msMatchesSelector))&&ce(function(e){d.disconnectedMatch=c.call(e,"*"),c.call(e,"[s!='']:x"),s.push("!=",$)}),v=v.length&&new RegExp(v.join("|")),s=s.length&&new RegExp(s.join("|")),t=K.test(a.compareDocumentPosition),y=t||K.test(a.contains)?function(e,t){var n=9===e.nodeType?e.documentElement:e,r=t&&t.parentNode;return e===r||!(!r||1!==r.nodeType||!(n.contains?n.contains(r):e.compareDocumentPosition&&16&e.compareDocumentPosition(r)))}:function(e,t){if(t)while(t=t.parentNode)if(t===e)return!0;return!1},D=t?function(e,t){if(e===t)return l=!0,0;var n=!e.compareDocumentPosition-!t.compareDocumentPosition;return n||(1&(n=(e.ownerDocument||e)===(t.ownerDocument||t)?e.compareDocumentPosition(t):1)||!d.sortDetached&&t.compareDocumentPosition(e)===n?e===C||e.ownerDocument===m&&y(m,e)?-1:t===C||t.ownerDocument===m&&y(m,t)?1:u?P(u,e)-P(u,t):0:4&n?-1:1)}:function(e,t){if(e===t)return l=!0,0;var n,r=0,i=e.parentNode,o=t.parentNode,a=[e],s=[t];if(!i||!o)return e===C?-1:t===C?1:i?-1:o?1:u?P(u,e)-P(u,t):0;if(i===o)return pe(e,t);n=e;while(n=n.parentNode)a.unshift(n);n=t;while(n=n.parentNode)s.unshift(n);while(a[r]===s[r])r++;return r?pe(a[r],s[r]):a[r]===m?-1:s[r]===m?1:0}),C},se.matches=function(e,t){return se(e,null,null,t)},se.matchesSelector=function(e,t){if((e.ownerDocument||e)!==C&&T(e),d.matchesSelector&&E&&!A[t+" "]&&(!s||!s.test(t))&&(!v||!v.test(t)))try{var n=c.call(e,t);if(n||d.disconnectedMatch||e.document&&11!==e.document.nodeType)return n}catch(e){A(t,!0)}return 0":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(e){return e[1]=e[1].replace(te,ne),e[3]=(e[3]||e[4]||e[5]||"").replace(te,ne),"~="===e[2]&&(e[3]=" "+e[3]+" "),e.slice(0,4)},CHILD:function(e){return e[1]=e[1].toLowerCase(),"nth"===e[1].slice(0,3)?(e[3]||se.error(e[0]),e[4]=+(e[4]?e[5]+(e[6]||1):2*("even"===e[3]||"odd"===e[3])),e[5]=+(e[7]+e[8]||"odd"===e[3])):e[3]&&se.error(e[0]),e},PSEUDO:function(e){var t,n=!e[6]&&e[2];return G.CHILD.test(e[0])?null:(e[3]?e[2]=e[4]||e[5]||"":n&&X.test(n)&&(t=h(n,!0))&&(t=n.indexOf(")",n.length-t)-n.length)&&(e[0]=e[0].slice(0,t),e[2]=n.slice(0,t)),e.slice(0,3))}},filter:{TAG:function(e){var t=e.replace(te,ne).toLowerCase();return"*"===e?function(){return!0}:function(e){return e.nodeName&&e.nodeName.toLowerCase()===t}},CLASS:function(e){var t=p[e+" "];return t||(t=new RegExp("(^|"+M+")"+e+"("+M+"|$)"))&&p(e,function(e){return t.test("string"==typeof e.className&&e.className||"undefined"!=typeof e.getAttribute&&e.getAttribute("class")||"")})},ATTR:function(n,r,i){return function(e){var t=se.attr(e,n);return null==t?"!="===r:!r||(t+="","="===r?t===i:"!="===r?t!==i:"^="===r?i&&0===t.indexOf(i):"*="===r?i&&-1:\x20\t\r\n\f]*)[\x20\t\r\n\f]*\/?>(?:<\/\1>|)$/i;function j(e,n,r){return m(n)?k.grep(e,function(e,t){return!!n.call(e,t,e)!==r}):n.nodeType?k.grep(e,function(e){return e===n!==r}):"string"!=typeof n?k.grep(e,function(e){return-1)[^>]*|#([\w-]+))$/;(k.fn.init=function(e,t,n){var r,i;if(!e)return this;if(n=n||q,"string"==typeof e){if(!(r="<"===e[0]&&">"===e[e.length-1]&&3<=e.length?[null,e,null]:L.exec(e))||!r[1]&&t)return!t||t.jquery?(t||n).find(e):this.constructor(t).find(e);if(r[1]){if(t=t instanceof k?t[0]:t,k.merge(this,k.parseHTML(r[1],t&&t.nodeType?t.ownerDocument||t:E,!0)),D.test(r[1])&&k.isPlainObject(t))for(r in t)m(this[r])?this[r](t[r]):this.attr(r,t[r]);return this}return(i=E.getElementById(r[2]))&&(this[0]=i,this.length=1),this}return e.nodeType?(this[0]=e,this.length=1,this):m(e)?void 0!==n.ready?n.ready(e):e(k):k.makeArray(e,this)}).prototype=k.fn,q=k(E);var H=/^(?:parents|prev(?:Until|All))/,O={children:!0,contents:!0,next:!0,prev:!0};function P(e,t){while((e=e[t])&&1!==e.nodeType);return e}k.fn.extend({has:function(e){var t=k(e,this),n=t.length;return this.filter(function(){for(var e=0;e\x20\t\r\n\f]*)/i,he=/^$|^module$|\/(?:java|ecma)script/i,ge={option:[1,""],thead:[1,"","
"],col:[2,"","
"],tr:[2,"","
"],td:[3,"","
"],_default:[0,"",""]};function ve(e,t){var n;return n="undefined"!=typeof e.getElementsByTagName?e.getElementsByTagName(t||"*"):"undefined"!=typeof e.querySelectorAll?e.querySelectorAll(t||"*"):[],void 0===t||t&&A(e,t)?k.merge([e],n):n}function ye(e,t){for(var n=0,r=e.length;nx",y.noCloneChecked=!!me.cloneNode(!0).lastChild.defaultValue;var Te=/^key/,Ce=/^(?:mouse|pointer|contextmenu|drag|drop)|click/,Ee=/^([^.]*)(?:\.(.+)|)/;function ke(){return!0}function Se(){return!1}function Ne(e,t){return e===function(){try{return E.activeElement}catch(e){}}()==("focus"===t)}function Ae(e,t,n,r,i,o){var a,s;if("object"==typeof t){for(s in"string"!=typeof n&&(r=r||n,n=void 0),t)Ae(e,s,n,r,t[s],o);return e}if(null==r&&null==i?(i=n,r=n=void 0):null==i&&("string"==typeof n?(i=r,r=void 0):(i=r,r=n,n=void 0)),!1===i)i=Se;else if(!i)return e;return 1===o&&(a=i,(i=function(e){return k().off(e),a.apply(this,arguments)}).guid=a.guid||(a.guid=k.guid++)),e.each(function(){k.event.add(this,t,i,r,n)})}function De(e,i,o){o?(Q.set(e,i,!1),k.event.add(e,i,{namespace:!1,handler:function(e){var t,n,r=Q.get(this,i);if(1&e.isTrigger&&this[i]){if(r.length)(k.event.special[i]||{}).delegateType&&e.stopPropagation();else if(r=s.call(arguments),Q.set(this,i,r),t=o(this,i),this[i](),r!==(n=Q.get(this,i))||t?Q.set(this,i,!1):n={},r!==n)return e.stopImmediatePropagation(),e.preventDefault(),n.value}else r.length&&(Q.set(this,i,{value:k.event.trigger(k.extend(r[0],k.Event.prototype),r.slice(1),this)}),e.stopImmediatePropagation())}})):void 0===Q.get(e,i)&&k.event.add(e,i,ke)}k.event={global:{},add:function(t,e,n,r,i){var o,a,s,u,l,c,f,p,d,h,g,v=Q.get(t);if(v){n.handler&&(n=(o=n).handler,i=o.selector),i&&k.find.matchesSelector(ie,i),n.guid||(n.guid=k.guid++),(u=v.events)||(u=v.events={}),(a=v.handle)||(a=v.handle=function(e){return"undefined"!=typeof k&&k.event.triggered!==e.type?k.event.dispatch.apply(t,arguments):void 0}),l=(e=(e||"").match(R)||[""]).length;while(l--)d=g=(s=Ee.exec(e[l])||[])[1],h=(s[2]||"").split(".").sort(),d&&(f=k.event.special[d]||{},d=(i?f.delegateType:f.bindType)||d,f=k.event.special[d]||{},c=k.extend({type:d,origType:g,data:r,handler:n,guid:n.guid,selector:i,needsContext:i&&k.expr.match.needsContext.test(i),namespace:h.join(".")},o),(p=u[d])||((p=u[d]=[]).delegateCount=0,f.setup&&!1!==f.setup.call(t,r,h,a)||t.addEventListener&&t.addEventListener(d,a)),f.add&&(f.add.call(t,c),c.handler.guid||(c.handler.guid=n.guid)),i?p.splice(p.delegateCount++,0,c):p.push(c),k.event.global[d]=!0)}},remove:function(e,t,n,r,i){var o,a,s,u,l,c,f,p,d,h,g,v=Q.hasData(e)&&Q.get(e);if(v&&(u=v.events)){l=(t=(t||"").match(R)||[""]).length;while(l--)if(d=g=(s=Ee.exec(t[l])||[])[1],h=(s[2]||"").split(".").sort(),d){f=k.event.special[d]||{},p=u[d=(r?f.delegateType:f.bindType)||d]||[],s=s[2]&&new RegExp("(^|\\.)"+h.join("\\.(?:.*\\.|)")+"(\\.|$)"),a=o=p.length;while(o--)c=p[o],!i&&g!==c.origType||n&&n.guid!==c.guid||s&&!s.test(c.namespace)||r&&r!==c.selector&&("**"!==r||!c.selector)||(p.splice(o,1),c.selector&&p.delegateCount--,f.remove&&f.remove.call(e,c));a&&!p.length&&(f.teardown&&!1!==f.teardown.call(e,h,v.handle)||k.removeEvent(e,d,v.handle),delete u[d])}else for(d in u)k.event.remove(e,d+t[l],n,r,!0);k.isEmptyObject(u)&&Q.remove(e,"handle events")}},dispatch:function(e){var t,n,r,i,o,a,s=k.event.fix(e),u=new Array(arguments.length),l=(Q.get(this,"events")||{})[s.type]||[],c=k.event.special[s.type]||{};for(u[0]=s,t=1;t\x20\t\r\n\f]*)[^>]*)\/>/gi,qe=/\s*$/g;function Oe(e,t){return A(e,"table")&&A(11!==t.nodeType?t:t.firstChild,"tr")&&k(e).children("tbody")[0]||e}function Pe(e){return e.type=(null!==e.getAttribute("type"))+"/"+e.type,e}function Re(e){return"true/"===(e.type||"").slice(0,5)?e.type=e.type.slice(5):e.removeAttribute("type"),e}function Me(e,t){var n,r,i,o,a,s,u,l;if(1===t.nodeType){if(Q.hasData(e)&&(o=Q.access(e),a=Q.set(t,o),l=o.events))for(i in delete a.handle,a.events={},l)for(n=0,r=l[i].length;n")},clone:function(e,t,n){var r,i,o,a,s,u,l,c=e.cloneNode(!0),f=oe(e);if(!(y.noCloneChecked||1!==e.nodeType&&11!==e.nodeType||k.isXMLDoc(e)))for(a=ve(c),r=0,i=(o=ve(e)).length;r").attr(n.scriptAttrs||{}).prop({charset:n.scriptCharset,src:n.url}).on("load error",i=function(e){r.remove(),i=null,e&&t("error"===e.type?404:200,e.type)}),E.head.appendChild(r[0])},abort:function(){i&&i()}}});var Vt,Gt=[],Yt=/(=)\?(?=&|$)|\?\?/;k.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var e=Gt.pop()||k.expando+"_"+kt++;return this[e]=!0,e}}),k.ajaxPrefilter("json jsonp",function(e,t,n){var r,i,o,a=!1!==e.jsonp&&(Yt.test(e.url)?"url":"string"==typeof e.data&&0===(e.contentType||"").indexOf("application/x-www-form-urlencoded")&&Yt.test(e.data)&&"data");if(a||"jsonp"===e.dataTypes[0])return r=e.jsonpCallback=m(e.jsonpCallback)?e.jsonpCallback():e.jsonpCallback,a?e[a]=e[a].replace(Yt,"$1"+r):!1!==e.jsonp&&(e.url+=(St.test(e.url)?"&":"?")+e.jsonp+"="+r),e.converters["script json"]=function(){return o||k.error(r+" was not called"),o[0]},e.dataTypes[0]="json",i=C[r],C[r]=function(){o=arguments},n.always(function(){void 0===i?k(C).removeProp(r):C[r]=i,e[r]&&(e.jsonpCallback=t.jsonpCallback,Gt.push(r)),o&&m(i)&&i(o[0]),o=i=void 0}),"script"}),y.createHTMLDocument=((Vt=E.implementation.createHTMLDocument("").body).innerHTML="
",2===Vt.childNodes.length),k.parseHTML=function(e,t,n){return"string"!=typeof e?[]:("boolean"==typeof t&&(n=t,t=!1),t||(y.createHTMLDocument?((r=(t=E.implementation.createHTMLDocument("")).createElement("base")).href=E.location.href,t.head.appendChild(r)):t=E),o=!n&&[],(i=D.exec(e))?[t.createElement(i[1])]:(i=we([e],t,o),o&&o.length&&k(o).remove(),k.merge([],i.childNodes)));var r,i,o},k.fn.load=function(e,t,n){var r,i,o,a=this,s=e.indexOf(" ");return-1").append(k.parseHTML(e)).find(r):e)}).always(n&&function(e,t){a.each(function(){n.apply(this,o||[e.responseText,t,e])})}),this},k.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(e,t){k.fn[t]=function(e){return this.on(t,e)}}),k.expr.pseudos.animated=function(t){return k.grep(k.timers,function(e){return t===e.elem}).length},k.offset={setOffset:function(e,t,n){var r,i,o,a,s,u,l=k.css(e,"position"),c=k(e),f={};"static"===l&&(e.style.position="relative"),s=c.offset(),o=k.css(e,"top"),u=k.css(e,"left"),("absolute"===l||"fixed"===l)&&-1<(o+u).indexOf("auto")?(a=(r=c.position()).top,i=r.left):(a=parseFloat(o)||0,i=parseFloat(u)||0),m(t)&&(t=t.call(e,n,k.extend({},s))),null!=t.top&&(f.top=t.top-s.top+a),null!=t.left&&(f.left=t.left-s.left+i),"using"in t?t.using.call(e,f):c.css(f)}},k.fn.extend({offset:function(t){if(arguments.length)return void 0===t?this:this.each(function(e){k.offset.setOffset(this,t,e)});var e,n,r=this[0];return r?r.getClientRects().length?(e=r.getBoundingClientRect(),n=r.ownerDocument.defaultView,{top:e.top+n.pageYOffset,left:e.left+n.pageXOffset}):{top:0,left:0}:void 0},position:function(){if(this[0]){var e,t,n,r=this[0],i={top:0,left:0};if("fixed"===k.css(r,"position"))t=r.getBoundingClientRect();else{t=this.offset(),n=r.ownerDocument,e=r.offsetParent||n.documentElement;while(e&&(e===n.body||e===n.documentElement)&&"static"===k.css(e,"position"))e=e.parentNode;e&&e!==r&&1===e.nodeType&&((i=k(e).offset()).top+=k.css(e,"borderTopWidth",!0),i.left+=k.css(e,"borderLeftWidth",!0))}return{top:t.top-i.top-k.css(r,"marginTop",!0),left:t.left-i.left-k.css(r,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var e=this.offsetParent;while(e&&"static"===k.css(e,"position"))e=e.offsetParent;return e||ie})}}),k.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(t,i){var o="pageYOffset"===i;k.fn[t]=function(e){return _(this,function(e,t,n){var r;if(x(e)?r=e:9===e.nodeType&&(r=e.defaultView),void 0===n)return r?r[i]:e[t];r?r.scrollTo(o?r.pageXOffset:n,o?n:r.pageYOffset):e[t]=n},t,e,arguments.length)}}),k.each(["top","left"],function(e,n){k.cssHooks[n]=ze(y.pixelPosition,function(e,t){if(t)return t=_e(e,n),$e.test(t)?k(e).position()[n]+"px":t})}),k.each({Height:"height",Width:"width"},function(a,s){k.each({padding:"inner"+a,content:s,"":"outer"+a},function(r,o){k.fn[o]=function(e,t){var n=arguments.length&&(r||"boolean"!=typeof e),i=r||(!0===e||!0===t?"margin":"border");return _(this,function(e,t,n){var r;return x(e)?0===o.indexOf("outer")?e["inner"+a]:e.document.documentElement["client"+a]:9===e.nodeType?(r=e.documentElement,Math.max(e.body["scroll"+a],r["scroll"+a],e.body["offset"+a],r["offset"+a],r["client"+a])):void 0===n?k.css(e,t,i):k.style(e,t,n,i)},s,n?e:void 0,n)}})}),k.each("blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu".split(" "),function(e,n){k.fn[n]=function(e,t){return 0+~]|"+M+")"+M+"*"),U=new RegExp(M+"|>"),X=new RegExp(F),V=new RegExp("^"+I+"$"),G={ID:new RegExp("^#("+I+")"),CLASS:new RegExp("^\\.("+I+")"),TAG:new RegExp("^("+I+"|[*])"),ATTR:new RegExp("^"+W),PSEUDO:new RegExp("^"+F),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+M+"*(even|odd|(([+-]|)(\\d*)n|)"+M+"*(?:([+-]|)"+M+"*(\\d+)|))"+M+"*\\)|)","i"),bool:new RegExp("^(?:"+R+")$","i"),needsContext:new RegExp("^"+M+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+M+"*((?:-\\d)?\\d*)"+M+"*\\)|)(?=[^-]|$)","i")},Y=/HTML$/i,Q=/^(?:input|select|textarea|button)$/i,J=/^h\d$/i,K=/^[^{]+\{\s*\[native \w/,Z=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,ee=/[+~]/,te=new RegExp("\\\\[\\da-fA-F]{1,6}"+M+"?|\\\\([^\\r\\n\\f])","g"),ne=function(e,t){var n="0x"+e.slice(1)-65536;return t||(n<0?String.fromCharCode(n+65536):String.fromCharCode(n>>10|55296,1023&n|56320))},re=/([\0-\x1f\x7f]|^-?\d)|^-$|[^\0-\x1f\x7f-\uFFFF\w-]/g,ie=function(e,t){return t?"\0"===e?"\ufffd":e.slice(0,-1)+"\\"+e.charCodeAt(e.length-1).toString(16)+" ":"\\"+e},oe=function(){T()},ae=be(function(e){return!0===e.disabled&&"fieldset"===e.nodeName.toLowerCase()},{dir:"parentNode",next:"legend"});try{H.apply(t=O.call(p.childNodes),p.childNodes),t[p.childNodes.length].nodeType}catch(e){H={apply:t.length?function(e,t){L.apply(e,O.call(t))}:function(e,t){var n=e.length,r=0;while(e[n++]=t[r++]);e.length=n-1}}}function se(t,e,n,r){var i,o,a,s,u,l,c,f=e&&e.ownerDocument,p=e?e.nodeType:9;if(n=n||[],"string"!=typeof t||!t||1!==p&&9!==p&&11!==p)return n;if(!r&&(T(e),e=e||C,E)){if(11!==p&&(u=Z.exec(t)))if(i=u[1]){if(9===p){if(!(a=e.getElementById(i)))return n;if(a.id===i)return n.push(a),n}else if(f&&(a=f.getElementById(i))&&y(e,a)&&a.id===i)return n.push(a),n}else{if(u[2])return H.apply(n,e.getElementsByTagName(t)),n;if((i=u[3])&&d.getElementsByClassName&&e.getElementsByClassName)return H.apply(n,e.getElementsByClassName(i)),n}if(d.qsa&&!N[t+" "]&&(!v||!v.test(t))&&(1!==p||"object"!==e.nodeName.toLowerCase())){if(c=t,f=e,1===p&&(U.test(t)||z.test(t))){(f=ee.test(t)&&ye(e.parentNode)||e)===e&&d.scope||((s=e.getAttribute("id"))?s=s.replace(re,ie):e.setAttribute("id",s=S)),o=(l=h(t)).length;while(o--)l[o]=(s?"#"+s:":scope")+" "+xe(l[o]);c=l.join(",")}try{return H.apply(n,f.querySelectorAll(c)),n}catch(e){N(t,!0)}finally{s===S&&e.removeAttribute("id")}}}return g(t.replace($,"$1"),e,n,r)}function ue(){var r=[];return function e(t,n){return r.push(t+" ")>b.cacheLength&&delete e[r.shift()],e[t+" "]=n}}function le(e){return e[S]=!0,e}function ce(e){var t=C.createElement("fieldset");try{return!!e(t)}catch(e){return!1}finally{t.parentNode&&t.parentNode.removeChild(t),t=null}}function fe(e,t){var n=e.split("|"),r=n.length;while(r--)b.attrHandle[n[r]]=t}function pe(e,t){var n=t&&e,r=n&&1===e.nodeType&&1===t.nodeType&&e.sourceIndex-t.sourceIndex;if(r)return r;if(n)while(n=n.nextSibling)if(n===t)return-1;return e?1:-1}function de(t){return function(e){return"input"===e.nodeName.toLowerCase()&&e.type===t}}function he(n){return function(e){var t=e.nodeName.toLowerCase();return("input"===t||"button"===t)&&e.type===n}}function ge(t){return function(e){return"form"in e?e.parentNode&&!1===e.disabled?"label"in e?"label"in e.parentNode?e.parentNode.disabled===t:e.disabled===t:e.isDisabled===t||e.isDisabled!==!t&&ae(e)===t:e.disabled===t:"label"in e&&e.disabled===t}}function ve(a){return le(function(o){return o=+o,le(function(e,t){var n,r=a([],e.length,o),i=r.length;while(i--)e[n=r[i]]&&(e[n]=!(t[n]=e[n]))})})}function ye(e){return e&&"undefined"!=typeof e.getElementsByTagName&&e}for(e in d=se.support={},i=se.isXML=function(e){var t=e&&e.namespaceURI,n=e&&(e.ownerDocument||e).documentElement;return!Y.test(t||n&&n.nodeName||"HTML")},T=se.setDocument=function(e){var t,n,r=e?e.ownerDocument||e:p;return r!=C&&9===r.nodeType&&r.documentElement&&(a=(C=r).documentElement,E=!i(C),p!=C&&(n=C.defaultView)&&n.top!==n&&(n.addEventListener?n.addEventListener("unload",oe,!1):n.attachEvent&&n.attachEvent("onunload",oe)),d.scope=ce(function(e){return a.appendChild(e).appendChild(C.createElement("div")),"undefined"!=typeof e.querySelectorAll&&!e.querySelectorAll(":scope fieldset div").length}),d.attributes=ce(function(e){return e.className="i",!e.getAttribute("className")}),d.getElementsByTagName=ce(function(e){return e.appendChild(C.createComment("")),!e.getElementsByTagName("*").length}),d.getElementsByClassName=K.test(C.getElementsByClassName),d.getById=ce(function(e){return a.appendChild(e).id=S,!C.getElementsByName||!C.getElementsByName(S).length}),d.getById?(b.filter.ID=function(e){var t=e.replace(te,ne);return function(e){return e.getAttribute("id")===t}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n=t.getElementById(e);return n?[n]:[]}}):(b.filter.ID=function(e){var n=e.replace(te,ne);return function(e){var t="undefined"!=typeof e.getAttributeNode&&e.getAttributeNode("id");return t&&t.value===n}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n,r,i,o=t.getElementById(e);if(o){if((n=o.getAttributeNode("id"))&&n.value===e)return[o];i=t.getElementsByName(e),r=0;while(o=i[r++])if((n=o.getAttributeNode("id"))&&n.value===e)return[o]}return[]}}),b.find.TAG=d.getElementsByTagName?function(e,t){return"undefined"!=typeof t.getElementsByTagName?t.getElementsByTagName(e):d.qsa?t.querySelectorAll(e):void 0}:function(e,t){var n,r=[],i=0,o=t.getElementsByTagName(e);if("*"===e){while(n=o[i++])1===n.nodeType&&r.push(n);return r}return o},b.find.CLASS=d.getElementsByClassName&&function(e,t){if("undefined"!=typeof t.getElementsByClassName&&E)return t.getElementsByClassName(e)},s=[],v=[],(d.qsa=K.test(C.querySelectorAll))&&(ce(function(e){var t;a.appendChild(e).innerHTML="",e.querySelectorAll("[msallowcapture^='']").length&&v.push("[*^$]="+M+"*(?:''|\"\")"),e.querySelectorAll("[selected]").length||v.push("\\["+M+"*(?:value|"+R+")"),e.querySelectorAll("[id~="+S+"-]").length||v.push("~="),(t=C.createElement("input")).setAttribute("name",""),e.appendChild(t),e.querySelectorAll("[name='']").length||v.push("\\["+M+"*name"+M+"*="+M+"*(?:''|\"\")"),e.querySelectorAll(":checked").length||v.push(":checked"),e.querySelectorAll("a#"+S+"+*").length||v.push(".#.+[+~]"),e.querySelectorAll("\\\f"),v.push("[\\r\\n\\f]")}),ce(function(e){e.innerHTML="";var t=C.createElement("input");t.setAttribute("type","hidden"),e.appendChild(t).setAttribute("name","D"),e.querySelectorAll("[name=d]").length&&v.push("name"+M+"*[*^$|!~]?="),2!==e.querySelectorAll(":enabled").length&&v.push(":enabled",":disabled"),a.appendChild(e).disabled=!0,2!==e.querySelectorAll(":disabled").length&&v.push(":enabled",":disabled"),e.querySelectorAll("*,:x"),v.push(",.*:")})),(d.matchesSelector=K.test(c=a.matches||a.webkitMatchesSelector||a.mozMatchesSelector||a.oMatchesSelector||a.msMatchesSelector))&&ce(function(e){d.disconnectedMatch=c.call(e,"*"),c.call(e,"[s!='']:x"),s.push("!=",F)}),v=v.length&&new RegExp(v.join("|")),s=s.length&&new RegExp(s.join("|")),t=K.test(a.compareDocumentPosition),y=t||K.test(a.contains)?function(e,t){var n=9===e.nodeType?e.documentElement:e,r=t&&t.parentNode;return e===r||!(!r||1!==r.nodeType||!(n.contains?n.contains(r):e.compareDocumentPosition&&16&e.compareDocumentPosition(r)))}:function(e,t){if(t)while(t=t.parentNode)if(t===e)return!0;return!1},j=t?function(e,t){if(e===t)return l=!0,0;var n=!e.compareDocumentPosition-!t.compareDocumentPosition;return n||(1&(n=(e.ownerDocument||e)==(t.ownerDocument||t)?e.compareDocumentPosition(t):1)||!d.sortDetached&&t.compareDocumentPosition(e)===n?e==C||e.ownerDocument==p&&y(p,e)?-1:t==C||t.ownerDocument==p&&y(p,t)?1:u?P(u,e)-P(u,t):0:4&n?-1:1)}:function(e,t){if(e===t)return l=!0,0;var n,r=0,i=e.parentNode,o=t.parentNode,a=[e],s=[t];if(!i||!o)return e==C?-1:t==C?1:i?-1:o?1:u?P(u,e)-P(u,t):0;if(i===o)return pe(e,t);n=e;while(n=n.parentNode)a.unshift(n);n=t;while(n=n.parentNode)s.unshift(n);while(a[r]===s[r])r++;return r?pe(a[r],s[r]):a[r]==p?-1:s[r]==p?1:0}),C},se.matches=function(e,t){return se(e,null,null,t)},se.matchesSelector=function(e,t){if(T(e),d.matchesSelector&&E&&!N[t+" "]&&(!s||!s.test(t))&&(!v||!v.test(t)))try{var n=c.call(e,t);if(n||d.disconnectedMatch||e.document&&11!==e.document.nodeType)return n}catch(e){N(t,!0)}return 0":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(e){return e[1]=e[1].replace(te,ne),e[3]=(e[3]||e[4]||e[5]||"").replace(te,ne),"~="===e[2]&&(e[3]=" "+e[3]+" "),e.slice(0,4)},CHILD:function(e){return e[1]=e[1].toLowerCase(),"nth"===e[1].slice(0,3)?(e[3]||se.error(e[0]),e[4]=+(e[4]?e[5]+(e[6]||1):2*("even"===e[3]||"odd"===e[3])),e[5]=+(e[7]+e[8]||"odd"===e[3])):e[3]&&se.error(e[0]),e},PSEUDO:function(e){var t,n=!e[6]&&e[2];return G.CHILD.test(e[0])?null:(e[3]?e[2]=e[4]||e[5]||"":n&&X.test(n)&&(t=h(n,!0))&&(t=n.indexOf(")",n.length-t)-n.length)&&(e[0]=e[0].slice(0,t),e[2]=n.slice(0,t)),e.slice(0,3))}},filter:{TAG:function(e){var t=e.replace(te,ne).toLowerCase();return"*"===e?function(){return!0}:function(e){return e.nodeName&&e.nodeName.toLowerCase()===t}},CLASS:function(e){var t=m[e+" "];return t||(t=new RegExp("(^|"+M+")"+e+"("+M+"|$)"))&&m(e,function(e){return t.test("string"==typeof e.className&&e.className||"undefined"!=typeof e.getAttribute&&e.getAttribute("class")||"")})},ATTR:function(n,r,i){return function(e){var t=se.attr(e,n);return null==t?"!="===r:!r||(t+="","="===r?t===i:"!="===r?t!==i:"^="===r?i&&0===t.indexOf(i):"*="===r?i&&-1:\x20\t\r\n\f]*)[\x20\t\r\n\f]*\/?>(?:<\/\1>|)$/i;function j(e,n,r){return m(n)?S.grep(e,function(e,t){return!!n.call(e,t,e)!==r}):n.nodeType?S.grep(e,function(e){return e===n!==r}):"string"!=typeof n?S.grep(e,function(e){return-1)[^>]*|#([\w-]+))$/;(S.fn.init=function(e,t,n){var r,i;if(!e)return this;if(n=n||D,"string"==typeof e){if(!(r="<"===e[0]&&">"===e[e.length-1]&&3<=e.length?[null,e,null]:q.exec(e))||!r[1]&&t)return!t||t.jquery?(t||n).find(e):this.constructor(t).find(e);if(r[1]){if(t=t instanceof S?t[0]:t,S.merge(this,S.parseHTML(r[1],t&&t.nodeType?t.ownerDocument||t:E,!0)),N.test(r[1])&&S.isPlainObject(t))for(r in t)m(this[r])?this[r](t[r]):this.attr(r,t[r]);return this}return(i=E.getElementById(r[2]))&&(this[0]=i,this.length=1),this}return e.nodeType?(this[0]=e,this.length=1,this):m(e)?void 0!==n.ready?n.ready(e):e(S):S.makeArray(e,this)}).prototype=S.fn,D=S(E);var L=/^(?:parents|prev(?:Until|All))/,H={children:!0,contents:!0,next:!0,prev:!0};function O(e,t){while((e=e[t])&&1!==e.nodeType);return e}S.fn.extend({has:function(e){var t=S(e,this),n=t.length;return this.filter(function(){for(var e=0;e\x20\t\r\n\f]*)/i,he=/^$|^module$|\/(?:java|ecma)script/i;ce=E.createDocumentFragment().appendChild(E.createElement("div")),(fe=E.createElement("input")).setAttribute("type","radio"),fe.setAttribute("checked","checked"),fe.setAttribute("name","t"),ce.appendChild(fe),y.checkClone=ce.cloneNode(!0).cloneNode(!0).lastChild.checked,ce.innerHTML="",y.noCloneChecked=!!ce.cloneNode(!0).lastChild.defaultValue,ce.innerHTML="",y.option=!!ce.lastChild;var ge={thead:[1,"","
"],col:[2,"","
"],tr:[2,"","
"],td:[3,"","
"],_default:[0,"",""]};function ve(e,t){var n;return n="undefined"!=typeof e.getElementsByTagName?e.getElementsByTagName(t||"*"):"undefined"!=typeof e.querySelectorAll?e.querySelectorAll(t||"*"):[],void 0===t||t&&A(e,t)?S.merge([e],n):n}function ye(e,t){for(var n=0,r=e.length;n",""]);var me=/<|&#?\w+;/;function xe(e,t,n,r,i){for(var o,a,s,u,l,c,f=t.createDocumentFragment(),p=[],d=0,h=e.length;d\s*$/g;function je(e,t){return A(e,"table")&&A(11!==t.nodeType?t:t.firstChild,"tr")&&S(e).children("tbody")[0]||e}function De(e){return e.type=(null!==e.getAttribute("type"))+"/"+e.type,e}function qe(e){return"true/"===(e.type||"").slice(0,5)?e.type=e.type.slice(5):e.removeAttribute("type"),e}function Le(e,t){var n,r,i,o,a,s;if(1===t.nodeType){if(Y.hasData(e)&&(s=Y.get(e).events))for(i in Y.remove(t,"handle events"),s)for(n=0,r=s[i].length;n").attr(n.scriptAttrs||{}).prop({charset:n.scriptCharset,src:n.url}).on("load error",i=function(e){r.remove(),i=null,e&&t("error"===e.type?404:200,e.type)}),E.head.appendChild(r[0])},abort:function(){i&&i()}}});var _t,zt=[],Ut=/(=)\?(?=&|$)|\?\?/;S.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var e=zt.pop()||S.expando+"_"+wt.guid++;return this[e]=!0,e}}),S.ajaxPrefilter("json jsonp",function(e,t,n){var r,i,o,a=!1!==e.jsonp&&(Ut.test(e.url)?"url":"string"==typeof e.data&&0===(e.contentType||"").indexOf("application/x-www-form-urlencoded")&&Ut.test(e.data)&&"data");if(a||"jsonp"===e.dataTypes[0])return r=e.jsonpCallback=m(e.jsonpCallback)?e.jsonpCallback():e.jsonpCallback,a?e[a]=e[a].replace(Ut,"$1"+r):!1!==e.jsonp&&(e.url+=(Tt.test(e.url)?"&":"?")+e.jsonp+"="+r),e.converters["script json"]=function(){return o||S.error(r+" was not called"),o[0]},e.dataTypes[0]="json",i=C[r],C[r]=function(){o=arguments},n.always(function(){void 0===i?S(C).removeProp(r):C[r]=i,e[r]&&(e.jsonpCallback=t.jsonpCallback,zt.push(r)),o&&m(i)&&i(o[0]),o=i=void 0}),"script"}),y.createHTMLDocument=((_t=E.implementation.createHTMLDocument("").body).innerHTML="
",2===_t.childNodes.length),S.parseHTML=function(e,t,n){return"string"!=typeof e?[]:("boolean"==typeof t&&(n=t,t=!1),t||(y.createHTMLDocument?((r=(t=E.implementation.createHTMLDocument("")).createElement("base")).href=E.location.href,t.head.appendChild(r)):t=E),o=!n&&[],(i=N.exec(e))?[t.createElement(i[1])]:(i=xe([e],t,o),o&&o.length&&S(o).remove(),S.merge([],i.childNodes)));var r,i,o},S.fn.load=function(e,t,n){var r,i,o,a=this,s=e.indexOf(" ");return-1").append(S.parseHTML(e)).find(r):e)}).always(n&&function(e,t){a.each(function(){n.apply(this,o||[e.responseText,t,e])})}),this},S.expr.pseudos.animated=function(t){return S.grep(S.timers,function(e){return t===e.elem}).length},S.offset={setOffset:function(e,t,n){var r,i,o,a,s,u,l=S.css(e,"position"),c=S(e),f={};"static"===l&&(e.style.position="relative"),s=c.offset(),o=S.css(e,"top"),u=S.css(e,"left"),("absolute"===l||"fixed"===l)&&-1<(o+u).indexOf("auto")?(a=(r=c.position()).top,i=r.left):(a=parseFloat(o)||0,i=parseFloat(u)||0),m(t)&&(t=t.call(e,n,S.extend({},s))),null!=t.top&&(f.top=t.top-s.top+a),null!=t.left&&(f.left=t.left-s.left+i),"using"in t?t.using.call(e,f):c.css(f)}},S.fn.extend({offset:function(t){if(arguments.length)return void 0===t?this:this.each(function(e){S.offset.setOffset(this,t,e)});var e,n,r=this[0];return r?r.getClientRects().length?(e=r.getBoundingClientRect(),n=r.ownerDocument.defaultView,{top:e.top+n.pageYOffset,left:e.left+n.pageXOffset}):{top:0,left:0}:void 0},position:function(){if(this[0]){var e,t,n,r=this[0],i={top:0,left:0};if("fixed"===S.css(r,"position"))t=r.getBoundingClientRect();else{t=this.offset(),n=r.ownerDocument,e=r.offsetParent||n.documentElement;while(e&&(e===n.body||e===n.documentElement)&&"static"===S.css(e,"position"))e=e.parentNode;e&&e!==r&&1===e.nodeType&&((i=S(e).offset()).top+=S.css(e,"borderTopWidth",!0),i.left+=S.css(e,"borderLeftWidth",!0))}return{top:t.top-i.top-S.css(r,"marginTop",!0),left:t.left-i.left-S.css(r,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var e=this.offsetParent;while(e&&"static"===S.css(e,"position"))e=e.offsetParent;return e||re})}}),S.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(t,i){var o="pageYOffset"===i;S.fn[t]=function(e){return $(this,function(e,t,n){var r;if(x(e)?r=e:9===e.nodeType&&(r=e.defaultView),void 0===n)return r?r[i]:e[t];r?r.scrollTo(o?r.pageXOffset:n,o?n:r.pageYOffset):e[t]=n},t,e,arguments.length)}}),S.each(["top","left"],function(e,n){S.cssHooks[n]=Fe(y.pixelPosition,function(e,t){if(t)return t=We(e,n),Pe.test(t)?S(e).position()[n]+"px":t})}),S.each({Height:"height",Width:"width"},function(a,s){S.each({padding:"inner"+a,content:s,"":"outer"+a},function(r,o){S.fn[o]=function(e,t){var n=arguments.length&&(r||"boolean"!=typeof e),i=r||(!0===e||!0===t?"margin":"border");return $(this,function(e,t,n){var r;return x(e)?0===o.indexOf("outer")?e["inner"+a]:e.document.documentElement["client"+a]:9===e.nodeType?(r=e.documentElement,Math.max(e.body["scroll"+a],r["scroll"+a],e.body["offset"+a],r["offset"+a],r["client"+a])):void 0===n?S.css(e,t,i):S.style(e,t,n,i)},s,n?e:void 0,n)}})}),S.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(e,t){S.fn[t]=function(e){return this.on(t,e)}}),S.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,"**"):this.off(t,e||"**",n)},hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),S.each("blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu".split(" "),function(e,n){S.fn[n]=function(e,t){return 0
Date: Thu, 30 Mar 2023 00:18:04 +0000
Subject: [PATCH 066/272] Graduate JobMutableNodeSchedulingDirectives to GA

---
 content/en/docs/concepts/workloads/controllers/job.md | 11 ++---------
 .../command-line-tools-reference/feature-gates.md     |  3 ++-
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/content/en/docs/concepts/workloads/controllers/job.md b/content/en/docs/concepts/workloads/controllers/job.md
index 7d83ca69992..aa0866de252 100644
--- a/content/en/docs/concepts/workloads/controllers/job.md
+++ b/content/en/docs/concepts/workloads/controllers/job.md
@@ -631,14 +631,7 @@ as soon as the Job was resumed.
 
 ### Mutable Scheduling Directives
 
-{{< feature-state for_k8s_version="v1.23" state="beta" >}}
-
-{{< note >}}
-In order to use this behavior, you must enable the `JobMutableNodeSchedulingDirectives`
-[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-on the [API server](/docs/reference/command-line-tools-reference/kube-apiserver/).
-It is enabled by default.
-{{< /note >}}
+{{< feature-state for_k8s_version="v1.27" state="stable" >}}
 
 In most cases a parallel job will want the pods to run with constraints, 
 like all in the same zone, or all either on GPU model x or y but not a mix of both.
@@ -653,7 +646,7 @@ pod-to-node assignment to kube-scheduler. This is allowed only for suspended Job
 been unsuspended before.
 
 The fields in a Job's pod template that can be updated are node affinity, node selector, 
-tolerations, labels and annotations.
+tolerations, labels, annotations and [scheduling gates](/docs/concepts/scheduling-eviction/pod-scheduling-readiness/).
 
 ### Specifying your own Pod selector
 
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 15f1a1cdfb9..e54bcdfa420 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -112,7 +112,6 @@ For a reference to old feature gates that are removed, please refer to
 | `InTreePluginPortworxUnregister` | `false` | Alpha | 1.23 | |
 | `InTreePluginRBDUnregister` | `false` | Alpha | 1.23 | |
 | `InTreePluginvSphereUnregister` | `false` | Alpha | 1.21 | |
-| `JobMutableNodeSchedulingDirectives` | `true` | Beta | 1.23 | |
 | `JobPodFailurePolicy` | `false` | Alpha | 1.25 | 1.25 |
 | `JobPodFailurePolicy` | `true` | Beta | 1.26 | |
 | `JobReadyPods` | `false` | Alpha | 1.23 | 1.23 |
@@ -283,6 +282,8 @@ For a reference to old feature gates that are removed, please refer to
 | `EphemeralContainers` | `true` | Beta | 1.23 | 1.24 |
 | `EphemeralContainers` | `true` | GA | 1.25 | - |
 | `ExecProbeTimeout` | `true` | GA | 1.20 | - |
+| `JobMutableNodeSchedulingDirectives` | `true` | Beta | 1.23 | 1.26 |
+| `JobMutableNodeSchedulingDirectives` | `true` | GA | 1.27 | |
 | `JobTrackingWithFinalizers` | `false` | Alpha | 1.22 | 1.22 |
 | `JobTrackingWithFinalizers` | `false` | Beta | 1.23 | 1.24 |
 | `JobTrackingWithFinalizers` | `true` | Beta | 1.25 | 1.25 |

From 7b6e694dc77b01e54a4a50a03b44276d76a4b32a Mon Sep 17 00:00:00 2001
From: Kevin Hannon 
Date: Tue, 14 Feb 2023 14:12:16 -0500
Subject: [PATCH 067/272] labels and job updates to mention new labels

---
 .../concepts/workloads/controllers/job.md     | 64 +++++++++++--------
 .../labels-annotations-taints/_index.md       | 41 ++++++++++++
 2 files changed, 77 insertions(+), 28 deletions(-)

diff --git a/content/en/docs/concepts/workloads/controllers/job.md b/content/en/docs/concepts/workloads/controllers/job.md
index 7d83ca69992..e077f5fc132 100644
--- a/content/en/docs/concepts/workloads/controllers/job.md
+++ b/content/en/docs/concepts/workloads/controllers/job.md
@@ -54,22 +54,22 @@ Check on the status of the Job with `kubectl`:
 
 {{< tabs name="Check status of Job" >}}
 {{< tab name="kubectl describe job pi" codelang="bash" >}}
-Name:             pi
-Namespace:        default
-Selector:         controller-uid=0cd26dd5-88a2-4a5f-a203-ea19a1d5d578
-Labels:           controller-uid=0cd26dd5-88a2-4a5f-a203-ea19a1d5d578
-                  job-name=pi
-Annotations:      batch.kubernetes.io/job-tracking: 
-Parallelism:      1
-Completions:      1
-Completion Mode:  NonIndexed
-Start Time:       Fri, 28 Oct 2022 13:05:18 +0530
-Completed At:     Fri, 28 Oct 2022 13:05:21 +0530
-Duration:         3s
-Pods Statuses:    0 Active / 1 Succeeded / 0 Failed
+Name:           pi
+Namespace:      default
+Selector:       batch.kubernetes.io/controller-uid=c9948307-e56d-4b5d-8302-ae2d7b7da67c
+Labels:         batch.kubernetes.io/controller-uid=c9948307-e56d-4b5d-8302-ae2d7b7da67c
+                batch.kubernetes.io/job-name=pi
+                ...
+Annotations:    batch.kubernetes.io/job-tracking: ""
+Parallelism:    1
+Completions:    1
+Start Time:     Mon, 02 Dec 2019 15:20:11 +0200
+Completed At:   Mon, 02 Dec 2019 15:21:16 +0200
+Duration:       65s
+Pods Statuses:  0 Running / 1 Succeeded / 0 Failed
 Pod Template:
-  Labels:  controller-uid=0cd26dd5-88a2-4a5f-a203-ea19a1d5d578
-           job-name=pi
+  Labels:  batch.kubernetes.io/controller-uid=c9948307-e56d-4b5d-8302-ae2d7b7da67c
+           batch.kubernetes.io/job-name=pi
   Containers:
    pi:
     Image:      perl:5.34.0
@@ -93,15 +93,13 @@ Events:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    batch.kubernetes.io/job-tracking: ""
-    kubectl.kubernetes.io/last-applied-configuration: |
-      {"apiVersion":"batch/v1","kind":"Job","metadata":{"annotations":{},"name":"pi","namespace":"default"},"spec":{"backoffLimit":4,"template":{"spec":{"containers":[{"command":["perl","-Mbignum=bpi","-wle","print bpi(2000)"],"image":"perl:5.34.0","name":"pi"}],"restartPolicy":"Never"}}}}
+  annotations: batch.kubernetes.io/job-tracking: ""
+             ...  
   creationTimestamp: "2022-11-10T17:53:53Z"
   generation: 1
   labels:
-    controller-uid: 204fb678-040b-497f-9266-35ffa8716d14
-    job-name: pi
+    batch.kubernetes.io/controller-uid: 863452e6-270d-420e-9b94-53a54146c223
+    batch.kubernetes.io/job-name: pi
   name: pi
   namespace: default
   resourceVersion: "4751"
@@ -113,14 +111,14 @@ spec:
   parallelism: 1
   selector:
     matchLabels:
-      controller-uid: 204fb678-040b-497f-9266-35ffa8716d14
+      batch.kubernetes.io/controller-uid: 863452e6-270d-420e-9b94-53a54146c223
   suspend: false
   template:
     metadata:
       creationTimestamp: null
       labels:
-        controller-uid: 204fb678-040b-497f-9266-35ffa8716d14
-        job-name: pi
+        batch.kubernetes.io/controller-uid: 863452e6-270d-420e-9b94-53a54146c223
+        batch.kubernetes.io/job-name: pi
     spec:
       containers:
       - command:
@@ -152,7 +150,7 @@ To view completed Pods of a Job, use `kubectl get pods`.
 To list all the Pods that belong to a Job in a machine readable form, you can use a command like this:
 
 ```shell
-pods=$(kubectl get pods --selector=job-name=pi --output=jsonpath='{.items[*].metadata.name}')
+pods=$(kubectl get pods --selector=batch.kubernetes.io/job-name=pi --output=jsonpath='{.items[*].metadata.name}')
 echo $pods
 ```
 
@@ -171,6 +169,12 @@ View the standard output of one of the pods:
 kubectl logs $pods
 ```
 
+Another way to view the logs of a Job:
+
+```shell
+kubectl logs jobs/pi
+```
+
 The output is similar to this:
 
 ```
@@ -192,6 +196,10 @@ characters.
 
 A Job also needs a [`.spec` section](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
 
+### Job Labels
+
+Job labels will have `batch.kubernetes.io/` prefix for `job-name` and `controller-uid`.
+
 ### Pod Template
 
 The `.spec.template` is the only required field of the `.spec`.
@@ -696,12 +704,12 @@ metadata:
 spec:
   selector:
     matchLabels:
-      controller-uid: a8f3d00d-c6d2-11e5-9f87-42010af00002
+      batch.kubernetes.io/controller-uid: a8f3d00d-c6d2-11e5-9f87-42010af00002
   ...
 ```
 
 Then you create a new Job with name `new` and you explicitly specify the same selector.
-Since the existing Pods have label `controller-uid=a8f3d00d-c6d2-11e5-9f87-42010af00002`,
+Since the existing Pods have label `batch.kubernetes.io/controller-uid=a8f3d00d-c6d2-11e5-9f87-42010af00002`,
 they are controlled by Job `new` as well.
 
 You need to specify `manualSelector: true` in the new Job since you are not using
@@ -716,7 +724,7 @@ spec:
   manualSelector: true
   selector:
     matchLabels:
-      controller-uid: a8f3d00d-c6d2-11e5-9f87-42010af00002
+      batch.kubernetes.io/controller-uid: a8f3d00d-c6d2-11e5-9f87-42010af00002
   ...
 ```
 
diff --git a/content/en/docs/reference/labels-annotations-taints/_index.md b/content/en/docs/reference/labels-annotations-taints/_index.md
index 5f64d1f7acc..6468e520ebc 100644
--- a/content/en/docs/reference/labels-annotations-taints/_index.md
+++ b/content/en/docs/reference/labels-annotations-taints/_index.md
@@ -664,6 +664,47 @@ Kubernetes 1.27 and newer will ignore this annotation and always track Jobs
 using finalizers.
 {{< /note >}}
 
+### job-name (deprecated) {#job-name}
+
+Example: `job-name: "pi"`
+
+Used on: Jobs and Pods controlled by Jobs
+
+{{< note >}}
+Starting from Kubernetes 1.27, this label is deprecated.
+Kubernetes 1.27 and newer ignore this label and use the prefixed `job-name` label.
+{{< /note >}}
+
+### controller-uid (deprecated) {#controller-uid}
+
+Example: `controller-uid: "$UID"`
+
+Used on: Jobs and Pods controlled by Jobs
+
+{{< note >}}
+Starting from Kubernetes 1.27, this label is deprecated.
+Kubernetes 1.27 and newer ignore this label and use the prefixed `controller-uid` label.
+{{< /note >}}
+
+### batch.kubernetes.io/job-name {#batchkubernetesio-job-name}
+
+Example: `batch.kubernetes.io/job-name: "pi"`
+
+Used on: Jobs and Pods controlled by Jobs
+
+This label is used as a user-friendly way to get Pods corresponding to a Job.
+The `job-name` comes from the `name` of the Job and allows for an easy way to get Pods corresponding to the Job.
+
+### batch.kubernetes.io/controller-uid {#batchkubernetesio-controller-uid}
+
+Example: `batch.kubernetes.io/controller-uid: "$UID"`
+
+Used on: Jobs and Pods controlled by Jobs
+
+This label is used as a programmatic way to get all Pods corresponding to a Job.  
+The `controller-uid` is a unique identifer that gets set in the `selector` field so the Job controller
+can get all the corresponding Pods.
+
 ### scheduler.alpha.kubernetes.io/defaultTolerations {#scheduleralphakubernetesio-defaulttolerations}
 
 Example: `scheduler.alpha.kubernetes.io/defaultTolerations: '[{"operator": "Equal", "value": "value1", "effect": "NoSchedule", "key": "dedicated-node"}]'`

From a4eca1afc6b324f81ae35d76d8fd84ad3934ac04 Mon Sep 17 00:00:00 2001
From: Vinay Kulkarni 
Date: Thu, 30 Mar 2023 19:59:48 -0700
Subject: [PATCH 068/272] Documentation for in-place pod resize feature
 (#39845)

* Documentation for in-place pod resize feature

Fix issues from review feedback

Update content/en/docs/tasks/configure-pod-container/resize-container-resources.md

Co-authored-by: Qiming Teng 

Better wording and formatting of overview section

Add descriptions about allocatedResources, resources, and resize fields

Update content/en/docs/tasks/configure-pod-container/resize-container-resources.md

Co-authored-by: Qiming Teng 

Update content/en/docs/tasks/configure-pod-container/resize-container-resources.md

Co-authored-by: Qiming Teng 

Apply suggestions from code review

Co-authored-by: Qiming Teng 

* Simplify the changes by using bullet points

* Apply suggestions from code review

Co-authored-by: Tim Bannister 

---------

Co-authored-by: Qiming Teng 
Co-authored-by: Tim Bannister 
---
 .../assign-cpu-resource.md                    |   2 +-
 .../assign-memory-resource.md                 |   5 +-
 .../resize-container-resources.md             | 261 ++++++++++++++++++
 content/en/examples/pods/qos/qos-pod-5.yaml   |  16 ++
 4 files changed, 279 insertions(+), 5 deletions(-)
 create mode 100644 content/en/docs/tasks/configure-pod-container/resize-container-resources.md
 create mode 100644 content/en/examples/pods/qos/qos-pod-5.yaml

diff --git a/content/en/docs/tasks/configure-pod-container/assign-cpu-resource.md b/content/en/docs/tasks/configure-pod-container/assign-cpu-resource.md
index 6f4b885e543..6f4c44e3494 100644
--- a/content/en/docs/tasks/configure-pod-container/assign-cpu-resource.md
+++ b/content/en/docs/tasks/configure-pod-container/assign-cpu-resource.md
@@ -275,4 +275,4 @@ kubectl delete namespace cpu-example
 
 * [Configure Quotas for API Objects](/docs/tasks/administer-cluster/quota-api-object/)
 
-
+* [Resize CPU and Memory Resources assigned to Containers](/docs/tasks/configure-pod-container/resize-container-resources/)
diff --git a/content/en/docs/tasks/configure-pod-container/assign-memory-resource.md b/content/en/docs/tasks/configure-pod-container/assign-memory-resource.md
index d923d6356c1..a0dcae50526 100644
--- a/content/en/docs/tasks/configure-pod-container/assign-memory-resource.md
+++ b/content/en/docs/tasks/configure-pod-container/assign-memory-resource.md
@@ -358,7 +358,4 @@ kubectl delete namespace mem-example
 
 * [Configure Quotas for API Objects](/docs/tasks/administer-cluster/quota-api-object/)
 
-
-
-
-
+* [Resize CPU and Memory Resources assigned to Containers](/docs/tasks/configure-pod-container/resize-container-resources/)
diff --git a/content/en/docs/tasks/configure-pod-container/resize-container-resources.md b/content/en/docs/tasks/configure-pod-container/resize-container-resources.md
new file mode 100644
index 00000000000..77e1b30d960
--- /dev/null
+++ b/content/en/docs/tasks/configure-pod-container/resize-container-resources.md
@@ -0,0 +1,261 @@
+---
+title: Resize CPU and Memory Resources assigned to Containers
+content_type: task
+weight: 30
+min-kubernetes-server-version: 1.27
+---
+
+
+
+
+{{< feature-state state="alpha" for_k8s_version="v1.27" >}}
+
+This page assumes that you are familiar with [Quality of Service](/docs/tasks/configure-pod-container/quality-service-pod/)
+for Kubernetes Pods.
+
+This page shows how to resize CPU and memory resources assigned to containers
+of a running pod without restarting the pod or its containers. A Kubernetes node
+allocates resources for a pod based on its `requests`, and restricts the pod's
+resource usage based on the `limits` specified in the pod's containers.
+
+For in-place resize of pod resources:
+- Container's resource `requests` and `limits` are _mutable_ for CPU
+  and memory resources.
+- `allocatedResources` field in `containerStatuses` of the Pod's status reflects
+  the resources allocated to the pod's containers.
+- `resources` field in `containerStatuses` of the Pod's status reflects the
+  actual resource `requests` and `limits` that are configured on the running
+  containers as reported by the container runtime.
+- `resize` field in the Pod's status shows the status of the last requested
+  pending resize. It can have the following values:
+  - `Proposed`: This value indicates an acknowledgement of the requested resize
+    and that the request was validated and recorded.
+  - `InProgress`: This value indicates that the node has accepted the resize
+    request and is in the process of applying it to the pod's containers.
+  - `Deferred`: This value means that the requested resize cannot be granted at
+    this time, and the node will keep retrying. The resize may be granted when
+    other pods leave and free up node resources.
+  - `Infeasible`: is a signal that the node cannot accommodate the requested
+    resize. This can happen if the requested resize exceeds the maximum
+    resources the node can ever allocate for a pod.
+
+
+## {{% heading "prerequisites" %}}
+
+
+{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+
+
+## Container Resize Policies
+
+Resize policies allow for a more fine-grained control over how pod's containers
+are resized for CPU and memory resources. For example, the container's
+application may be able to handle CPU resources resized without being restarted,
+but resizing memory may require that the application hence the containers be restarted.
+
+To enable this, the Container specification allows users to specify a `resizePolicy`.
+The following restart policies can be specified for resizing CPU and memory:
+* `NotRequired`: Resize the container's resources while it is running.
+* `RestartContainer`: Restart the container and apply new resources upon restart.
+
+If `resizePolicy[*].restartPolicy` is not specified, it defaults to `NotRequired`.
+
+{{< note >}}
+If the Pod's `restartPolicy` is `Never`, container's resize restart policy must be
+set to `NotRequired` for all Containers in the Pod.
+{{< /note >}}
+
+Below example shows a Pod whose Container's CPU can be resized without restart, but
+memory resize memory requires the container to be restarted.
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: qos-demo-5
+  namespace: qos-example
+spec:
+  containers:
+  - name: qos-demo-ctr-5
+    image: nginx
+    resizePolicy:
+    - resourceName: cpu
+      restartPolicy: NotRequired
+    - resourceName: memory
+      restartPolicy: RestartContainer
+    resources:
+      limits:
+        memory: "200Mi"
+        cpu: "700m"
+      requests:
+        memory: "200Mi"
+        cpu: "700m"
+```
+
+{{< note >}}
+In the above example, if desired requests or limits for both CPU _and_ memory
+have changed, the container will be restarted in order to resize its memory.
+{{< /note >}}
+
+
+
+
+## Create a pod with resource requests and limits
+
+You can create a Guaranteed or Burstable [Quality of Service](/docs/tasks/configure-pod-container/quality-service-pod/)
+class pod by specifying requests and/or limits for a pod's containers.
+
+Consider the following manifest for a Pod that has one Container.
+
+{{< codenew file="pods/qos/qos-pod-5.yaml" >}}
+
+Create the pod in the `qos-example` namespace:
+
+```shell
+kubectl create namespace qos-example
+kubectl create -f https://k8s.io/examples/pods/qos/qos-pod-5.yaml
+```
+
+This pod is classified as a Guaranteed QoS class requesting 700m CPU and 200Mi
+memory.
+
+View detailed information about the pod:
+
+```shell
+kubectl get pod qos-demo-5 --output=yaml --namespace=qos-example
+```
+
+Also notice that the values of `resizePolicy[*].restartPolicy` defaulted to
+`NotRequired`, indicating that CPU and memory can be resized while container
+is running.
+
+```yaml
+spec:
+  containers:
+    ...
+    resizePolicy:
+    - resourceName: cpu
+      restartPolicy: NotRequired
+    - resourceName: memory
+      restartPolicy: NotRequired
+    resources:
+      limits:
+        cpu: 700m
+        memory: 200Mi
+      requests:
+        cpu: 700m
+        memory: 200Mi
+...
+  containerStatuses:
+...
+    name: qos-demo-ctr-5
+    ready: true
+...
+    allocatedResources:
+      cpu: 700m
+      memory: 200Mi
+    resources:
+      limits:
+        cpu: 700m
+        memory: 200Mi
+      requests:
+        cpu: 700m
+        memory: 200Mi
+    restartCount: 0
+    started: true
+...
+  qosClass: Guaranteed
+```
+
+
+## Updating the pod's resources
+
+Let's say the CPU requirements have increased, and 0.8 CPU is now desired. This
+is typically determined, and may be programmatically applied, by an entity such as
+[VerticalPodAutoscaler](https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#readme) (VPA).
+
+{{< note >}}
+While you can change a Pod's requests and limits to express new desired
+resources, you cannot change the QoS class in which the Pod was created.
+{{< /note >}}
+
+Now, patch the Pod's Container with CPU requests & limits both set to `800m`:
+
+```shell
+kubectl -n qos-example patch pod qos-demo-5 --patch '{"spec":{"containers":[{"name":"qos-demo-ctr-5", "resources":{"requests":{"cpu":"800m"}, "limits":{"cpu":"800m"}}}]}}'
+```
+
+Query the Pod's detailed information after the Pod has been patched.
+
+```shell
+kubectl get pod qos-demo-5 --output=yaml --namespace=qos-example
+```
+
+The Pod's spec below reflects the updated CPU requests and limits.
+
+```yaml
+spec:
+  containers:
+    ...
+    resources:
+      limits:
+        cpu: 800m
+        memory: 200Mi
+      requests:
+        cpu: 800m
+        memory: 200Mi
+...
+  containerStatuses:
+...
+    allocatedResources:
+      cpu: 800m
+      memory: 200Mi
+    resources:
+      limits:
+        cpu: 800m
+        memory: 200Mi
+      requests:
+        cpu: 800m
+        memory: 200Mi
+    restartCount: 0
+    started: true
+```
+
+Observe that the `allocatedResources` values have been updated to reflect the new
+desired CPU requests. This indicates that node was able to accommodate the
+increased CPU resource needs.
+
+In the Container's status, updated CPU resource values shows that new CPU
+resources have been applied. The Container's `restartCount` remains unchanged,
+indicating that container's CPU resources were resized without restarting the container.
+
+
+## Clean up
+
+Delete your namespace:
+
+```shell
+kubectl delete namespace qos-example
+```
+
+
+## {{% heading "whatsnext" %}}
+
+
+### For application developers
+
+* [Assign Memory Resources to Containers and Pods](/docs/tasks/configure-pod-container/assign-memory-resource/)
+
+* [Assign CPU Resources to Containers and Pods](/docs/tasks/configure-pod-container/assign-cpu-resource/)
+
+### For cluster administrators
+
+* [Configure Default Memory Requests and Limits for a Namespace](/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+
+* [Configure Default CPU Requests and Limits for a Namespace](/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
+
+* [Configure Minimum and Maximum Memory Constraints for a Namespace](/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+
+* [Configure Minimum and Maximum CPU Constraints for a Namespace](/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+
+* [Configure Memory and CPU Quotas for a Namespace](/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
diff --git a/content/en/examples/pods/qos/qos-pod-5.yaml b/content/en/examples/pods/qos/qos-pod-5.yaml
new file mode 100644
index 00000000000..c9b0c00c7ee
--- /dev/null
+++ b/content/en/examples/pods/qos/qos-pod-5.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: qos-demo-5
+  namespace: qos-example
+spec:
+  containers:
+  - name: qos-demo-ctr-5
+    image: nginx
+    resources:
+      limits:
+        memory: "200Mi"
+        cpu: "700m"
+      requests:
+        memory: "200Mi"
+        cpu: "700m"

From 2ffb0371883a9e254aa60c99b35ab4b8017ab24a Mon Sep 17 00:00:00 2001
From: Rodrigo Campos 
Date: Fri, 31 Mar 2023 00:01:48 -0300
Subject: [PATCH 069/272] Document user namespace changes in v1.27 (KEP-127)
 (#39860)

* content: Update user namespaces version requirements

Also, with the new implementation, the fsGroup was dropped. So removed
the mention to those limitations.

Signed-off-by: Rodrigo Campos 

* content: Add reference to the userns task in the concepts page

Signed-off-by: Rodrigo Campos 

---------

Signed-off-by: Rodrigo Campos 
---
 .../workloads/pods/user-namespaces.md         | 39 +++++++++++--------
 .../user-namespaces.md                        | 10 +++--
 2 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/content/en/docs/concepts/workloads/pods/user-namespaces.md b/content/en/docs/concepts/workloads/pods/user-namespaces.md
index 0217490aa87..ec734c53d90 100644
--- a/content/en/docs/concepts/workloads/pods/user-namespaces.md
+++ b/content/en/docs/concepts/workloads/pods/user-namespaces.md
@@ -29,22 +29,36 @@ mitigate some future vulnerabilities too.
 
 ## {{% heading "prerequisites" %}}
 
-{{% thirdparty-content single="true" %}}
-
+{{% thirdparty-content %}}
 
-This is a Linux only feature. In addition, support is needed in the 
+This is a Linux-only feature and support is needed in Linux for idmap mounts on
+the filesystems used. This means:
+
+* On the node, the filesystem you use for `/var/lib/kubelet/pods/`, or the
+  custom directory you configure for this, needs idmap mount support.
+* All the filesystems used in the pod's volumes must support idmap mounts.
+
+In practice this means you need at least Linux 6.3, as tmpfs started supporting
+idmap mounts in that version. This is usually needed as several Kubernetes
+features use tmpfs (the service account token that is mounted by default uses a
+tmpfs, Secrets use a tmpfs, etc.)
+
+Some popular filesystems that support idmap mounts in Linux 6.3 are: btrfs,
+ext4, xfs, fat, tmpfs, overlayfs.
+
+In addition, support is needed in the 
 {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
 to use this feature with Kubernetes stateless pods:
 
-* CRI-O: v1.25 has support for user namespaces.
+* CRI-O: version 1.25 (and later) supports user namespaces for containers.
 
-* containerd: support is planned for the 1.7 release. See containerd
-  issue [#7063][containerd-userns-issue] for more details.
+Please note that containerd v1.7 supports user namespaces for containers,
+compatible with Kubernetes {{< skew currentVersion >}}. It should not be used
+with Kubernetes 1.27 (and later).
 
 Support for this in [cri-dockerd is not planned][CRI-dockerd-issue] yet.
 
 [CRI-dockerd-issue]: https://github.com/Mirantis/cri-dockerd/issues/74
-[containerd-userns-issue]: https://github.com/containerd/containerd/issues/7063
 
 ## Introduction
 
@@ -152,13 +166,6 @@ volume types are allowed:
  * downwardAPI
  * emptyDir
 
-To guarantee that the pod can read the files of such volumes, volumes are
-created as if you specified `.spec.securityContext.fsGroup` as `0` for the Pod.
-If it is specified to a different value, this other value will of course be
-honored instead.
+## {{% heading "whatsnext" %}}
 
-As a by-product of this, folders and files for these volumes will have
-permissions for the group, even if `defaultMode` or `mode` to specific items of
-the volumes were specified without permissions to groups. For example, it is not
-possible to mount these volumes in a way that its files have permissions only
-for the owner.
+* Take a look at [Use a User Namespace With a Pod](/docs/tasks/configure-pod-container/user-namespaces/)
diff --git a/content/en/docs/tasks/configure-pod-container/user-namespaces.md b/content/en/docs/tasks/configure-pod-container/user-namespaces.md
index 6c4c01234cb..85cd1298a07 100644
--- a/content/en/docs/tasks/configure-pod-container/user-namespaces.md
+++ b/content/en/docs/tasks/configure-pod-container/user-namespaces.md
@@ -43,11 +43,13 @@ this is true when user namespaces are used.
 * You need to be able to exec into pods
 * Feature gate `UserNamespacesStatelessPodsSupport` need to be enabled.
 
-In addition, support is needed in the
-{{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
-to use this feature with Kubernetes stateless pods:
+The cluster that you're using **must** include at least one node that meets the
+[requirements](/docs/concepts/workloads/pods/user-namespaces/#before-you-begin)
+for using user namespaces with Pods.
 
-* CRI-O: v1.25 has support for user namespaces.
+If you have a mixture of nodes and only some of the nodes provide user namespace support for
+Pods, you also need to ensure that the user namespace Pods are
+[scheduled](/docs/concepts/scheduling-eviction/assign-pod-node/) to suitable nodes.
 
 Please note that **if your container runtime doesn't support user namespaces, the
 `hostUsers` field in the pod spec will be silently ignored and the pod will be

From e239a7dd33f0941c295cd632b9f9c7ba887eac1c Mon Sep 17 00:00:00 2001
From: Kermit Alexander II 
Date: Thu, 30 Mar 2023 22:41:48 -0500
Subject: [PATCH 070/272] Documentation for messageExpression update to
 KEP-2876 (#40019)

* Add messageExpression documentation.

* Apply feedback on wording.

* Add info about casting to string.

* Use "evaluates to an error" to avoid ambiguous wording around "fails."

* Revise wording around string casting.
---
 .../custom-resource-definitions.md            | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md b/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
index c439aa35dfd..2bcf40bef85 100644
--- a/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
+++ b/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
@@ -1035,6 +1035,37 @@ xref: [CEL types](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#
 [OpenAPI types](https://swagger.io/specification/#data-types),
 [Kubernetes Structural Schemas](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema).
 
+#### The messageExpression field
+
+Similar to the `message` field, which defines the string reported for a validation rule failure, 
+`messageExpression` allows you to use a CEL expression to construct the message string.
+This allows you to insert more descriptive information into the validation failure message. 
+`messageExpression` must evaluate a string and may use the same variables that are available to the `rule` 
+field. For example:
+
+```yaml
+x-kubernetes-validations:
+- rule: "self.x <= self.maxLimit"
+  messageExpression: '"x exceeded max limit of " + string(self.maxLimit)'
+```
+
+Keep in mind that CEL string concatenation (`+` operator) does not auto-cast to string. If
+you have a non-string scalar, use the `string()` function to cast the scalar to a string
+like shown in the above example.
+
+`messageExpression` must evaluate to a string, and this is checked while the CRD is being written. Note that it is possible
+to set `message` and `messageExpression` on the same rule, and if both are present, `messageExpression`
+will be used. However, if `messageExpression` evaluates to an error, the string defined in `message` 
+will be used instead, and the `messageExpression` error will be logged. This fallback will also occur if
+the CEL expression defined in `messageExpression` generates an empty string, or a string containing line 
+breaks.
+
+If one of the above conditions are met and no `message` has been set, then the default validation failure
+message will be used instead.
+
+`messageExpression` is a CEL expression, so the restrictions listed in [Resource use by validation functions](#resource-use-by-validation-functions) apply. If evaluation halts due to resource constraints 
+during `messageExpression` execution, then no further validation rules will be executed.
+
 #### Validation functions {#available-validation-functions}
 
 Functions available include:

From 17ad96c7929cf69f81de1d4a5b2d1bf386f751a5 Mon Sep 17 00:00:00 2001
From: Jeffrey Ying 
Date: Thu, 30 Mar 2023 23:49:48 -0400
Subject: [PATCH 071/272] Doc update for KEP-3352 Aggregated Discovery (#40024)

* Add documentation for aggregated discovery

* Update feature gate

* Update content/en/docs/concepts/overview/kubernetes-api.md

---------

Co-authored-by: Qiming Teng 
---
 .../docs/concepts/overview/kubernetes-api.md  | 24 +++++++++++++++++++
 .../feature-gates.md                          |  3 ++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/content/en/docs/concepts/overview/kubernetes-api.md b/content/en/docs/concepts/overview/kubernetes-api.md
index 27e4829ba55..f522be1ea9e 100644
--- a/content/en/docs/concepts/overview/kubernetes-api.md
+++ b/content/en/docs/concepts/overview/kubernetes-api.md
@@ -158,6 +158,30 @@ Refer to the table below for accepted request headers.
 Kubernetes stores the serialized state of objects by writing them into
 {{< glossary_tooltip term_id="etcd" >}}.
 
+## API Discovery
+
+A list of all group versions supported by a cluster is published at
+the `/api` and `/apis` endpoints. Each group version also advertises
+the list of resources supported via `/apis//` (for
+example: `/apis/rbac.authorization.k8s.io/v1alpha1`). These endpoints
+are used by kubectl to fetch the list of resources supported by a
+cluster.
+
+### Aggregated Discovery
+
+{{< feature-state state="beta"  for_k8s_version="v1.27" >}}
+
+Kubernetes offers beta support for aggregated discovery, publishing
+all resources supported by a cluster through two endpoints (`/api` and
+`/apis`) compared to one for every group version. Requesting this
+endpoint drastically reduces the number of requests sent to fetch the
+discovery for the average Kubernetes cluster. This may be accessed by
+requesting the respective endpoints with an Accept header indicating
+the aggregated discovery resource:
+`Accept: application/json;v=v2beta1;g=apidiscovery.k8s.io;as=APIGroupDiscoveryList`.
+
+The endpoint also supports ETag and protobuf encoding.
+
 ## API groups and versioning
 
 To make it easier to eliminate fields or restructure resource representations,
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index c2f1cd6e789..9eac31ae775 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -68,7 +68,8 @@ For a reference to old feature gates that are removed, please refer to
 | `APIServerIdentity` | `true` | Beta | 1.26 | |
 | `APIServerTracing` | `false` | Alpha | 1.22 | 1.26 |
 | `APIServerTracing` | `true` | Beta | 1.27 | |
-| `AggregatedDiscoveryEndpoint` | `false` | Alpha | 1.26 | |
+| `AggregatedDiscoveryEndpoint` | `false` | Alpha | 1.26 | 1.26 |
+| `AggregatedDiscoveryEndpoint` | `true` | Beta | 1.27 | |
 | `AnyVolumeDataSource` | `false` | Alpha | 1.18 | 1.23 |
 | `AnyVolumeDataSource` | `true` | Beta | 1.24 | |
 | `AppArmor` | `true` | Beta | 1.4 | |

From cb656b40c235642bffddc00a146ddca2323d5366 Mon Sep 17 00:00:00 2001
From: Rita Zhang 
Date: Thu, 30 Mar 2023 23:21:49 -0700
Subject: [PATCH 072/272] Add docs to accompany KMS v2beta1 changes (#39110)

* Tracking commit for v1.27 docs

* feat: KMS v2beta1

Signed-off-by: Rita Zhang 

---------

Signed-off-by: Rita Zhang 
Co-authored-by: carolina valencia 
---
 .../tasks/administer-cluster/encrypt-data.md  |   3 +-
 .../tasks/administer-cluster/kms-provider.md  | 199 ++++++++++++++----
 2 files changed, 157 insertions(+), 45 deletions(-)

diff --git a/content/en/docs/tasks/administer-cluster/encrypt-data.md b/content/en/docs/tasks/administer-cluster/encrypt-data.md
index bbd12a326b0..c884810d20e 100644
--- a/content/en/docs/tasks/administer-cluster/encrypt-data.md
+++ b/content/en/docs/tasks/administer-cluster/encrypt-data.md
@@ -145,7 +145,8 @@ Name | Encryption | Strength | Speed | Key Length | Other Considerations
 `secretbox` | XSalsa20 and Poly1305 | Strong | Faster | 32-byte | A newer standard and may not be considered acceptable in environments that require high levels of review.
 `aesgcm` | AES-GCM with random nonce | Must be rotated every 200k writes | Fastest | 16, 24, or 32-byte | Is not recommended for use except when an automated key rotation scheme is implemented.
 `aescbc` | AES-CBC with [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) padding | Weak | Fast | 32-byte | Not recommended due to CBC's vulnerability to padding oracle attacks.
-`kms` | Uses envelope encryption scheme: Data is encrypted by data encryption keys (DEKs) using AES-CBC with [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) padding (prior to v1.25), using AES-GCM starting from v1.25, DEKs are encrypted by key encryption keys (KEKs) according to configuration in Key Management Service (KMS) | Strongest | Fast | 32-bytes |  The recommended choice for using a third party tool for key management. Simplifies key rotation, with a new DEK generated for each encryption, and KEK rotation controlled by the user. [Configure the KMS provider](/docs/tasks/administer-cluster/kms-provider/).
+`kms v1` | Uses envelope encryption scheme: Data is encrypted by data encryption keys (DEKs) using AES-CBC with [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) padding (prior to v1.25), using AES-GCM starting from v1.25, DEKs are encrypted by key encryption keys (KEKs) according to configuration in Key Management Service (KMS) | Strongest | Slow (_compared to `kms v2`_) | 32-bytes |  Simplifies key rotation, with a new DEK generated for each encryption, and KEK rotation controlled by the user. [Configure the KMS V1 provider](/docs/tasks/administer-cluster/kms-provider#configuring-the-kms-provider-kms-v1).
+`kms v2` | Uses envelope encryption scheme: Data is encrypted by data encryption keys (DEKs) using AES-GCM, DEKs are encrypted by key encryption keys (KEKs) according to configuration in Key Management Service (KMS) | Strongest | Fast | 32-bytes |  The recommended choice for using a third party tool for key management. Available in beta from `v1.27`. A new DEK is generated at startup and reused for encryption. The DEK is rotated when the KEK is rotated. [Configure the KMS V2 provider](/docs/tasks/administer-cluster/kms-provider#configuring-the-kms-provider-kms-v2).
 {{< /table >}}
 
 Each provider supports multiple keys - the keys are tried in order for decryption, and if the provider
diff --git a/content/en/docs/tasks/administer-cluster/kms-provider.md b/content/en/docs/tasks/administer-cluster/kms-provider.md
index 21e89321e6c..7cf67fbf853 100644
--- a/content/en/docs/tasks/administer-cluster/kms-provider.md
+++ b/content/en/docs/tasks/administer-cluster/kms-provider.md
@@ -7,14 +7,17 @@ content_type: task
 weight: 370
 ---
 
-This page shows how to configure a Key Management Service (KMS) provider and plugin to enable secret data encryption. Currently there are two KMS API versions. KMS v1 will continue to work while v2 develops in maturity. If you are not sure which KMS API version to pick, choose v1. 
+This page shows how to configure a Key Management Service (KMS) provider and plugin to enable secret data encryption.
+Currently there are two KMS API versions. New integrations that only need to support Kubernetes v1.27+ 
+should use KMS v2 as it offers significantly better performance characteristics than v1
+(note the `Caution` sections below for specific cases when KMS v2 must not be used.)
 
 ## {{% heading "prerequisites" %}}
 
 {{< include "task-tutorial-prereqs.md" >}}
 
 The version of Kubernetes that you need depends on which KMS API version
-you have selected. 
+you have selected.
 
 - If you selected KMS API v1, any supported Kubernetes version will work fine.
 - If you selected KMS API v2, you should use Kubernetes v{{< skew currentVersion >}}
@@ -24,36 +27,61 @@ you have selected.
 {{< version-check >}}
 
 ### KMS v1
+{{< feature-state for_k8s_version="v1.12" state="beta" >}}
+
 * Kubernetes version 1.10.0 or later is required
 
 * Your cluster must use etcd v3 or later
 
-{{< feature-state for_k8s_version="v1.12" state="beta" >}}
-
 ### KMS v2
-* Kubernetes version 1.25.0 or later is required
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
-* Set kube-apiserver feature gate: `--feature-gates=KMSv2=true` to configure a KMS v2 provider
+* For version 1.25 and 1.26, enabling the feature via kube-apiserver feature gate is required.
+Set `--feature-gates=KMSv2=true` to configure a KMS v2 provider.
 
 * Your cluster must use etcd v3 or later
 
-{{< feature-state for_k8s_version="v1.25" state="alpha" >}}
+{{< caution >}}
+The KMS v2 API and implementation changed in incompatible ways in-between the alpha release in v1.25
+and the beta release in v1.27.  Attempting to upgrade from old versions with the alpha feature
+enabled will result in data loss.
+{{< /caution >}}
 
 
 
 The KMS encryption provider uses an envelope encryption scheme to encrypt data in etcd.
-The data is encrypted using a data encryption key (DEK); a new DEK is generated for each encryption.
+The data is encrypted using a data encryption key (DEK).
 The DEKs are encrypted with a key encryption key (KEK) that is stored and managed in a remote KMS.
-The KMS provider uses gRPC to communicate with a specific KMS plugin.
+With KMS v1, a new DEK is generated for each encryption.
+With KMS v2, a new DEK is generated on server startup and when the KMS plugin informs the API server
+that a KEK rotation has occurred (see `Understanding key_id and Key Rotation` section below).
+The KMS provider uses gRPC to communicate with a specific KMS plugin over a UNIX domain socket.
 The KMS plugin, which is implemented as a gRPC server and deployed on the same host(s)
 as the Kubernetes control plane, is responsible for all communication with the remote KMS.
 
+{{< caution >}}
+If you are running virtual machine (VM) based nodes that leverage VM state store with this feature, you must not use KMS v2.
+
+With KMS v2, the API server uses AES-GCM with a 12 byte nonce (8 byte atomic counter and 4 bytes random data) for encryption. 
+The following issues could occur if the VM is saved and restored:
+1. The counter value may be lost or corrupted if the VM is saved in an inconsistent state or restored improperly. 
+   This can lead to a situation where the same counter value is used twice, resulting in the same nonce being used 
+   for two different messages.
+2. If the VM is restored to a previous state, the counter value may be set back to its previous value, 
+resulting in the same nonce being used again.
+
+Although both of these cases are partially mitigated by the 4 byte random nonce, this can compromise 
+the security of the encryption.
+{{< /caution >}}
+
 ## Configuring the KMS provider
 
 To configure a KMS provider on the API server, include a provider of type `kms` in the
 `providers` array in the encryption configuration file and set the following properties:
 
 ### KMS v1 {#configuring-the-kms-provider-kms-v1}
+
+* `apiVersion`: API Version for KMS provider. Leave this value empty or set it to `v1`.
 * `name`: Display name of the KMS plugin. Cannot be changed once set.
 * `endpoint`: Listen address of the gRPC server (KMS plugin). The endpoint is a UNIX domain socket.
 * `cachesize`: Number of data encryption keys (DEKs) to be cached in the clear.
@@ -63,15 +91,17 @@ To configure a KMS provider on the API server, include a provider of type `kms`
   returning an error (default is 3 seconds).
 
 ### KMS v2 {#configuring-the-kms-provider-kms-v2}
-* `apiVersion`: API Version for KMS provider (Allowed values: v2, v1 or empty. Any other value will result in an error.)  Must be set to v2 to use the KMS v2 APIs.
+
+* `apiVersion`: API Version for KMS provider. Set this to `v2`.
 * `name`: Display name of the KMS plugin. Cannot be changed once set.
 * `endpoint`: Listen address of the gRPC server (KMS plugin). The endpoint is a UNIX domain socket.
-* `cachesize`: Number of data encryption keys (DEKs) to be cached in the clear.
-  When cached, DEKs can be used without another call to the KMS;
-  whereas DEKs that are not cached require a call to the KMS to unwrap.
 * `timeout`: How long should `kube-apiserver` wait for kms-plugin to respond before
   returning an error (default is 3 seconds).
 
+KMS v2 does not support the `cachesize` property. All data encryption keys (DEKs) will be cached in
+the clear once the server has unwrapped them via a call to the KMS. Once cached, DEKs can be used
+to perform decryption indefinitely without making a call to the KMS.
+
 See [Understanding the encryption at rest configuration](/docs/tasks/administer-cluster/encrypt-data).
 
 ## Implementing a KMS plugin
@@ -80,7 +110,7 @@ To implement a KMS plugin, you can develop a new plugin gRPC server or enable a
 already provided by your cloud provider.
 You then integrate the plugin with the remote KMS and deploy it on the Kubernetes master.
 
-### Enabling the KMS supported by your cloud provider 
+### Enabling the KMS supported by your cloud provider
 
 Refer to your cloud provider for instructions on enabling the cloud provider-specific KMS plugin.
 
@@ -90,21 +120,26 @@ You can develop a KMS plugin gRPC server using a stub file available for Go. For
 you use a proto file to create a stub file that you can use to develop the gRPC server code.
 
 #### KMS v1 {#developing-a-kms-plugin-gRPC-server-kms-v1}
+
 * Using Go: Use the functions and data structures in the stub file:
-  [api.pb.go](https://github.com/kubernetes/kubernetes/blob/release-1.25/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/api.pb.go)
-  to develop the gRPC server code 
+  [api.pb.go](https://github.com/kubernetes/kms/blob/release-{{< skew currentVersion >}}/apis/v1beta1/api.pb.go)
+  to develop the gRPC server code
 
 * Using languages other than Go: Use the protoc compiler with the proto file:
-  [api.proto](https://github.com/kubernetes/kubernetes/blob/release-1.25/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/api.proto)
+  [api.proto](https://github.com/kubernetes/kms/blob/release-{{< skew currentVersion >}}/apis/v1beta1/api.proto)
   to generate a stub file for the specific language
 
 #### KMS v2 {#developing-a-kms-plugin-gRPC-server-kms-v2}
-* Using Go: Use the functions and data structures in the stub file:
-  [api.pb.go](https://github.com/kubernetes/kubernetes/blob/release-1.25/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v2alpha1/api.pb.go)
-  to develop the gRPC server code 
+
+* Using Go: A high level
+  [library](https://github.com/kubernetes/kms/blob/release-{{< skew currentVersion >}}/pkg/service/interface.go)
+  is provided to make the process easier.  Low level implementations
+  can use the functions and data structures in the stub file:
+  [api.pb.go](https://github.com/kubernetes/kms/blob/release-{{< skew currentVersion >}}/apis/v2/api.pb.go)
+  to develop the gRPC server code
 
 * Using languages other than Go: Use the protoc compiler with the proto file:
-  [api.proto](https://github.com/kubernetes/kubernetes/blob/release-1.25/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v2alpha1/api.proto)
+  [api.proto](https://github.com/kubernetes/kms/blob/release-{{< skew currentVersion >}}/apis/v2/api.proto)
   to generate a stub file for the specific language
 
 Then use the functions and data structures in the stub file to develop the server code.
@@ -112,35 +147,106 @@ Then use the functions and data structures in the stub file to develop the serve
 #### Notes
 
 ##### KMS v1 {#developing-a-kms-plugin-gRPC-server-notes-kms-v1}
+
 * kms plugin version: `v1beta1`
 
   In response to procedure call Version, a compatible KMS plugin should return `v1beta1` as `VersionResponse.version`.
 
 * message version: `v1beta1`
 
-  All messages from KMS provider have the version field set to current version v1beta1.
+  All messages from KMS provider have the version field set to `v1beta1`.
 
 * protocol: UNIX domain socket (`unix`)
 
   The plugin is implemented as a gRPC server that listens at UNIX domain socket. The plugin deployment should create a file on the file system to run the gRPC unix domain socket connection. The API server (gRPC client) is configured with the KMS provider (gRPC server) unix domain socket endpoint in order to communicate with it. An abstract Linux socket may be used by starting the endpoint with `/@`, i.e. `unix:///@foo`. Care must be taken when using this type of socket as they do not have concept of ACL (unlike traditional file based sockets). However, they are subject to Linux networking namespace, so will only be accessible to containers within the same pod unless host networking is used.
 
 ##### KMS v2 {#developing-a-kms-plugin-gRPC-server-notes-kms-v2}
-* kms plugin version: `v2alpha1`
 
-  In response to procedure call Status, a compatible KMS plugin should return `v2alpha1` as `StatusResponse.Version`, "ok" as `StatusResponse.Healthz` and a keyID (KMS KEK ID) as `StatusResponse.KeyID`
+* KMS plugin version: `v2beta1`
+
+  In response to procedure call `Status`, a compatible KMS plugin should return `v2beta1` as `StatusResponse.version`,
+  "ok" as `StatusResponse.healthz` and a `key_id` (remote KMS KEK ID) as `StatusResponse.key_id`.
+
+  The API server polls the `Status` procedure call approximately every minute when everything is healthy,
+  and every 10 seconds when the plugin is not healthy.  Plugins must take care to optimize this call as it will be
+  under constant load.
+
+* Encryption
+
+  The `EncryptRequest` procedure call provides the plaintext and a UID for logging purposes.  The response must include
+  the ciphertext, the `key_id` for the KEK used, and, optionally, any metadata that the KMS plugin needs to aid in
+  future `DecryptRequest` calls (via the `annotations` field).  The plugin must guarantee that any distinct plaintext
+  results in a distinct response `(ciphertext, key_id, annotations)`.
+
+  If the plugin returns a non-empty `annotations` map, all map keys must be fully qualified domain names such as
+  `example.com`. An example use case of `annotation` is `{"kms.example.io/remote-kms-auditid":""}`
+
+  The API server does not perform the `EncryptRequest` procedure call at a high rate.  Plugin implementations should
+  still aim to keep each request's latency at under 100 milliseconds.
+
+* Decryption
+
+  The `DecryptRequest` procedure call provides the `(ciphertext, key_id, annotations)` from `EncryptRequest` and a UID
+  for logging purposes.  As expected, it is the inverse of the `EncryptRequest` call.  Plugins must verify that the
+  `key_id` is one that they understand - they must not attempt to decrypt data unless they are sure that it was
+  encrypted by them at an earlier time.
+
+  The API server may perform thousands of `DecryptRequest` procedure calls on startup to fill its watch cache.  Thus
+  plugin implementations must perform these calls as quickly as possible, and should aim to keep each request's latency
+  at under 10 milliseconds.
+
+* Understanding `key_id` and Key Rotation
+
+  The `key_id` is the public, non-secret name of the remote KMS KEK that is currently in use.  It may be logged
+  during regular operation of the API server, and thus must not contain any private data.  Plugin implementations
+  are encouraged to use a hash to avoid leaking any data.  The KMS v2 metrics take care to hash this value before
+  exposing it via the `/metrics` endpoint.
+
+  The API server considers the `key_id` returned from the `Status` procedure call to be authoritative.  Thus, a change
+  to this value signals to the API server that the remote KEK has changed, and data encrypted with the old KEK should
+  be marked stale when a no-op write is performed (as described below).  If an `EncryptRequest` procedure call returns a
+  `key_id` that is different from `Status`, the response is thrown away and the plugin is considered unhealthy.  Thus
+  implementations must guarantee that the `key_id` returned from `Status` will be the same as the one returned by
+  `EncryptRequest`.  Furthermore, plugins must ensure that the `key_id` is stable and does not flip-flop between values
+  (i.e. during a remote KEK rotation).
+
+  Plugins must not re-use `key_id`s, even in situations where a previously used remote KEK has been reinstated.  For
+  example, if a plugin was using `key_id=A`, switched to `key_id=B`, and then went back to `key_id=A` - instead of
+  reporting `key_id=A` the plugin should report some derivative value such as `key_id=A_001` or use a new value such
+  as `key_id=C`.
+
+  Since the API server polls `Status` about every minute, `key_id` rotation is not immediate.  Furthermore, the API
+  server will coast on the last valid state for about three minutes.  Thus if a user wants to take a passive approach
+  to storage migration (i.e. by waiting), they must schedule a migration to occur at `3 + N + M` minutes after the
+  remote KEK has been rotated (`N` is how long it takes the plugin to observe the `key_id` change and `M` is the
+  desired buffer to allow config changes to be processed - a minimum `M` of five minutes is recommend).  Note that no
+  API server restart is required to perform KEK rotation.
+
+  {{< caution >}}  
+  Because you don't control the number of writes performed with the DEK, we recommend rotating the KEK at least every 90 days.
+  {{< /caution >}}
 
 * protocol: UNIX domain socket (`unix`)
 
-  The plugin is implemented as a gRPC server that listens at UNIX domain socket. The plugin deployment should create a file on the file system to run the gRPC unix domain socket connection. The API server (gRPC client) is configured with the KMS provider (gRPC server) unix domain socket endpoint in order to communicate with it. An abstract Linux socket may be used by starting the endpoint with `/@`, i.e. `unix:///@foo`. Care must be taken when using this type of socket as they do not have concept of ACL (unlike traditional file based sockets). However, they are subject to Linux networking namespace, so will only be accessible to containers within the same pod unless host networking is used. 
+  The plugin is implemented as a gRPC server that listens at UNIX domain socket. 
+  The plugin deployment should create a file on the file system to run the gRPC unix domain socket connection. 
+  The API server (gRPC client) is configured with the KMS provider (gRPC server) unix 
+  domain socket endpoint in order to communicate with it. 
+  An abstract Linux socket may be used by starting the endpoint with `/@`, i.e. `unix:///@foo`. 
+  Care must be taken when using this type of socket as they do not have concept of ACL 
+  (unlike traditional file based sockets). 
+  However, they are subject to Linux networking namespace, so will only be accessible to 
+  containers within the same pod unless host networking is used.
 
 ### Integrating a KMS plugin with the remote KMS
 
 The KMS plugin can communicate with the remote KMS using any protocol supported by the KMS.
-All configuration data, including authentication credentials the KMS plugin uses to communicate with the remote KMS, 
+All configuration data, including authentication credentials the KMS plugin uses to communicate with the remote KMS,
 are stored and managed by the KMS plugin independently.
-The KMS plugin can encode the ciphertext with additional metadata that may be required before sending it to the KMS for decryption.
+The KMS plugin can encode the ciphertext with additional metadata that may be required before sending it to the KMS
+for decryption (KMS v2 makes this process easier by providing a dedicated `annotations` field).
 
-### Deploying the KMS plugin 
+### Deploying the KMS plugin
 
 Ensure that the KMS plugin runs on the same host(s) as the Kubernetes master(s).
 
@@ -196,25 +302,24 @@ defined in a CustomResourceDefinition, your cluster must be running Kubernetes v
              apiVersion: v2
              name: myKmsPluginFoo
              endpoint: unix:///tmp/socketfile.sock
-             cachesize: 100
              timeout: 3s
          - kms:
+             apiVersion: v2
              name: myKmsPluginBar
              endpoint: unix:///tmp/socketfile.sock
-             cachesize: 100
              timeout: 3s
    ```
 
 Setting `--encryption-provider-config-automatic-reload` to `true` collapses all health checks to a single health check endpoint. Individual health checks are only available when KMS v1 providers are in use and the encryption config is not auto-reloaded.
 
-Following table summarizes the health check endpoints for each KMS version:
+The following table summarizes the health check endpoints for each KMS version:
 
-| KMS configurations        | Without Automatic Reload           | With Automatic Reload  |
-| ------------------------- |------------------------------------| -----------------------|
-| KMS v1 only               | Individual Healthchecks            | Single Healthcheck     |
-| KMS v2 only               | Single Healthcheck                 | Single Healthcheck     |
-| Both KMS v1 and v2        | Individual Healthchecks            | Single Healthcheck     |
-| No KMS                    | None                               | Single Healthcheck     |
+| KMS configurations | Without Automatic Reload | With Automatic Reload |
+| ------------------ | ------------------------ | --------------------- |
+| KMS v1 only        | Individual Healthchecks  | Single Healthcheck    |
+| KMS v2 only        | Single Healthcheck       | Single Healthcheck    |
+| Both KMS v1 and v2 | Individual Healthchecks  | Single Healthcheck    |
+| No KMS             | None                     | Single Healthcheck    |
 
 `Single Healthcheck` means that the only health check endpoint is `/healthz/kms-providers`.
 
@@ -222,6 +327,10 @@ Following table summarizes the health check endpoints for each KMS version:
 
 These healthcheck endpoint paths are hard coded and generated/controlled by the server. The indices for individual healthchecks corresponds to the order in which the KMS encryption config is processed.
 
+At a high level, restarting an API server when a KMS plugin is unhealthy is unlikely to make the situation better.
+It can make the situation significantly worse by throwing away the API server's DEK cache.  Thus the general
+recommendation is to ignore the API server KMS healthz checks for liveness purposes, i.e. `/livez?exclude=kms-providers`.
+
 Until the steps defined in [Ensuring all secrets are encrypted](#ensuring-all-secrets-are-encrypted) are performed, the `providers` list should end with the `identity: {}` provider to allow unencrypted data to be read.  Once all resources are encrypted, the `identity` provider should be removed to prevent the API server from honoring unencrypted data.
 
 For details about the `EncryptionConfiguration` format, please check the
@@ -229,8 +338,9 @@ For details about the `EncryptionConfiguration` format, please check the
 
 ## Verifying that the data is encrypted
 
-Data is encrypted when written to etcd. After restarting your `kube-apiserver`, 
-any newly created or updated Secret or other resource types configured in `EncryptionConfiguration` should be encrypted when stored. To verify,
+When encryption at rest is correctly configured, resources are encrypted on write.
+After restarting your `kube-apiserver`, any newly created or updated Secret or other resource types
+configured in `EncryptionConfiguration` should be encrypted when stored. To verify,
 you can use the `etcdctl` command line program to retrieve the contents of your secret data.
 
 1. Create a new secret called `secret1` in the `default` namespace:
@@ -259,7 +369,8 @@ you can use the `etcdctl` command line program to retrieve the contents of your
 
 ## Ensuring all secrets are encrypted
 
-Because secrets are encrypted on write, performing an update on a secret encrypts that content.
+When encryption at rest is correctly configured, resources are encrypted on write.
+Thus we can perform an in-place no-op update to ensure that data is encrypted.
 
 The following command reads all secrets and then updates them to apply server side encryption.
 If an error occurs due to a conflicting write, retry the command.
@@ -283,9 +394,9 @@ To switch from a local encryption provider to the `kms` provider and re-encrypt
          - secrets
        providers:
          - kms:
+             apiVersion: v2
              name : myKmsPlugin
              endpoint: unix:///tmp/socketfile.sock
-             cachesize: 100
          - aescbc:
              keys:
                - name: key1
@@ -304,7 +415,7 @@ To switch from a local encryption provider to the `kms` provider and re-encrypt
 
 To disable encryption at rest:
 
-1. Place the `identity` provider as the first entry in the configuration file: 
+1. Place the `identity` provider as the first entry in the configuration file:
 
    ```yaml
    apiVersion: apiserver.config.k8s.io/v1
@@ -315,12 +426,12 @@ To disable encryption at rest:
        providers:
          - identity: {}
          - kms:
+             apiVersion: v2
              name : myKmsPlugin
              endpoint: unix:///tmp/socketfile.sock
-             cachesize: 100
    ```
 
-1. Restart all `kube-apiserver` processes. 
+1. Restart all `kube-apiserver` processes.
 
 1. Run the following command to force all secrets to be decrypted.
 

From c2bfdc268549f459fe2a54085eec54a230250ae2 Mon Sep 17 00:00:00 2001
From: Dan Winship 
Date: Fri, 31 Mar 2023 11:15:49 -0400
Subject: [PATCH 073/272] Add docs for CloudDualStackNodeIPs docs (KEP-3705)
 (#40188)

* Document KEP-3705 CloudDualStackNodeIPs

* Clarify --node-ip docs, reference dual-stack docs

Co-authored-by: Tim Bannister 

---------

Co-authored-by: Tim Bannister 
---
 content/en/docs/concepts/architecture/nodes.md         | 10 +++++++++-
 .../en/docs/concepts/services-networking/dual-stack.md |  7 +++++++
 .../command-line-tools-reference/feature-gates.md      |  4 ++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/content/en/docs/concepts/architecture/nodes.md b/content/en/docs/concepts/architecture/nodes.md
index 944083bc4d0..97193697dac 100644
--- a/content/en/docs/concepts/architecture/nodes.md
+++ b/content/en/docs/concepts/architecture/nodes.md
@@ -93,7 +93,15 @@ For self-registration, the kubelet is started with the following options:
   {{< glossary_tooltip text="taints" term_id="taint" >}} (comma separated `=:`).
 
   No-op if `register-node` is false.
-- `--node-ip` - IP address of the node.
+- `--node-ip` - Optional comma-separated list of the IP addresses for the node.
+  You can only specify a single address for each address family.
+  For example, in a single-stack IPv4 cluster, you set this value to be the IPv4 address that the
+  kubelet should use for the node.
+  See [configure IPv4/IPv6 dual stack](/docs/concepts/services-networking/dual-stack/#configure-ipv4-ipv6-dual-stack)
+  for details of running a dual-stack cluster.
+
+  If you don't provide this argument, the kubelet uses the node's default IPv4 address, if any;
+  if the node has no IPv4 addresses then the kubelet uses the node's default IPv6 address.
 - `--node-labels` - {{< glossary_tooltip text="Labels" term_id="label" >}} to add when registering the node
   in the cluster (see label restrictions enforced by the
   [NodeRestriction admission plugin](/docs/reference/access-authn-authz/admission-controllers/#noderestriction)).
diff --git a/content/en/docs/concepts/services-networking/dual-stack.md b/content/en/docs/concepts/services-networking/dual-stack.md
index 6c05516b033..1fad8507788 100644
--- a/content/en/docs/concepts/services-networking/dual-stack.md
+++ b/content/en/docs/concepts/services-networking/dual-stack.md
@@ -79,6 +79,13 @@ An example of an IPv6 CIDR: `fdXY:IJKL:MNOP:15::/64` (this shows the format but
 address - see [RFC 4193](https://tools.ietf.org/html/rfc4193))
 {{< /note >}}
 
+{{< feature-state for_k8s_version="v1.27" state="alpha" >}}
+
+When using an external cloud provider, you can pass a dual-stack `--node-ip` value to
+kubelet if you enable the `CloudDualStackNodeIPs` feature gate in both kubelet and the
+external cloud provider. This is only supported for cloud providers that support dual
+stack clusters.
+
 ## Services
 
 You can create {{< glossary_tooltip text="Services" term_id="service" >}} which can use IPv4, IPv6, or both.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index ca1cc6749b8..2dc8bef9ef5 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -83,6 +83,7 @@ For a reference to old feature gates that are removed, please refer to
 | `CSINodeExpandSecret` | `false` | Alpha | 1.25 | 1.26 |
 | `CSINodeExpandSecret` | `true` | Beta | 1.27 | |
 | `CSIVolumeHealth` | `false` | Alpha | 1.21 | |
+| `CloudDualStackNodeIPs` | false | Alpha | 1.27 | |
 | `ComponentSLIs` | `false` | Alpha | 1.26 | |
 | `ContainerCheckpoint` | `false` | Alpha | 1.25 | |
 | `ContextualLogging` | `false` | Alpha | 1.24 | |
@@ -398,6 +399,9 @@ Each feature gate is designed for enabling/disabling a specific feature:
   {{< glossary_tooltip text="PVC" term_id="persistent-volume-claim" >}}.
 - `AppArmor`: Enable use of AppArmor mandatory access control for Pods running on Linux nodes.
   See [AppArmor Tutorial](/docs/tutorials/security/apparmor/) for more details.
+- `CloudDualStackNodeIPs`: Enables dual-stack `kubelet --node-ip` with external cloud providers.
+  See [Configure IPv4/IPv6 dual-stack](/docs/concepts/services-networking/dual-stack/#configure-ipv4-ipv6-dual-stack)
+  for more details.
 - `ContainerCheckpoint`: Enables the kubelet `checkpoint` API.
   See [Kubelet Checkpoint API](/docs/reference/node/kubelet-checkpoint-api/) for more details.
 - `CPUManager`: Enable container level CPU affinity support, see

From 0c9ba63075dd5cc1e57c041ce4089ddbfc2de22b Mon Sep 17 00:00:00 2001
From: Jefftree 
Date: Mon, 27 Mar 2023 17:02:45 +0000
Subject: [PATCH 074/272] Address comments

---
 content/en/docs/concepts/overview/kubernetes-api.md       | 4 ++--
 .../custom-resources/custom-resource-definitions.md       | 8 ++++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/content/en/docs/concepts/overview/kubernetes-api.md b/content/en/docs/concepts/overview/kubernetes-api.md
index 725d47778bd..8aaa0452f9d 100644
--- a/content/en/docs/concepts/overview/kubernetes-api.md
+++ b/content/en/docs/concepts/overview/kubernetes-api.md
@@ -84,7 +84,7 @@ packages that define the API objects.
 
 {{< feature-state state="stable"  for_k8s_version="v1.27" >}}
 
-Kubernetes {{< param "version" >}} offers stable support for publishing its APIs as OpenAPI v3.
+Kubernetes supports publishing a description of its APIs as OpenAPI v3.
 
 A discovery endpoint `/openapi/v3` is provided to see a list of all
 group/versions available. This endpoint only returns JSON. These
@@ -149,7 +149,7 @@ Refer to the table below for accepted request headers.
   
 
 
-A golang implementation to fetch the OpenAPI V3 is provided in the package `k8s.io/client-go/openapi3`.
+A Golang implementation to fetch the OpenAPI V3 is provided in the package `k8s.io/client-go/openapi3`.
 
 ## Persistence
 
diff --git a/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md b/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
index de6106e50a4..6f65907c7fd 100644
--- a/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
+++ b/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
@@ -1350,7 +1350,10 @@ default.
 
 CustomResourceDefinition [OpenAPI v3 validation schemas](#validation) which are
 [structural](#specifying-a-structural-schema) and [enable pruning](#field-pruning) are published
-as [OpenAPI v3](/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions) and OpenAPI v2 from Kubernetes API server. It is recommended to use the OpenAPI v3 document as it is a lossless representation of the CustomResourceDefinition OpenAPI v3 validation schema while OpenAPI v2 represents a lossy conversion.
+as [OpenAPI v3](/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions) and
+OpenAPI v2 from Kubernetes API server. It is recommended to use the OpenAPI v3 document
+as it is a lossless representation of the CustomResourceDefinition OpenAPI v3 validation schema
+while OpenAPI v2 represents a lossy conversion.
 
 The [kubectl](/docs/reference/kubectl/) command-line tool consumes the published schema to perform
 client-side validation (`kubectl create` and `kubectl apply`), schema explanation (`kubectl explain`)
@@ -1358,7 +1361,8 @@ on custom resources. The published schema can be consumed for other purposes as
 
 #### Compatibility with OpenAPI V2
 
-For compatibility with OpenAPI V2, the OpenAPI v3 validation schema performs a lossy conversion to the OpenAPI v2 schema. The schema show up in `definitions` and `paths` fields in the
+For compatibility with OpenAPI V2, the OpenAPI v3 validation schema performs a lossy conversion
+to the OpenAPI v2 schema. The schema show up in `definitions` and `paths` fields in the
 [OpenAPI v2 spec](/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions).
 
 The following modifications are applied during the conversion to keep backwards compatibility with

From d922bb21227f0a0c7e8761d45f70760570087452 Mon Sep 17 00:00:00 2001
From: Joseph Anttila Hall 
Date: Wed, 15 Mar 2023 21:05:24 -0700
Subject: [PATCH 075/272] Konnectivity example refresh.

---
 content/en/examples/admin/konnectivity/konnectivity-agent.yaml | 2 +-
 .../en/examples/admin/konnectivity/konnectivity-server.yaml    | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/content/en/examples/admin/konnectivity/konnectivity-agent.yaml b/content/en/examples/admin/konnectivity/konnectivity-agent.yaml
index 0eb47e1c58b..cbcbf89114a 100644
--- a/content/en/examples/admin/konnectivity/konnectivity-agent.yaml
+++ b/content/en/examples/admin/konnectivity/konnectivity-agent.yaml
@@ -22,7 +22,7 @@ spec:
         - key: "CriticalAddonsOnly"
           operator: "Exists"
       containers:
-        - image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.16
+        - image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.37
           name: konnectivity-agent
           command: ["/proxy-agent"]
           args: [
diff --git a/content/en/examples/admin/konnectivity/konnectivity-server.yaml b/content/en/examples/admin/konnectivity/konnectivity-server.yaml
index 9f583740bd8..4dfbf5db9d1 100644
--- a/content/en/examples/admin/konnectivity/konnectivity-server.yaml
+++ b/content/en/examples/admin/konnectivity/konnectivity-server.yaml
@@ -8,12 +8,13 @@ spec:
   hostNetwork: true
   containers:
   - name: konnectivity-server-container
-    image: registry.k8s.io/kas-network-proxy/proxy-server:v0.0.32
+    image: registry.k8s.io/kas-network-proxy/proxy-server:v0.0.37
     command: ["/proxy-server"]
     args: [
             "--logtostderr=true",
             # This needs to be consistent with the value set in egressSelectorConfiguration.
             "--uds-name=/etc/kubernetes/konnectivity-server/konnectivity-server.socket",
+            "--delete-existing-uds-file",
             # The following two lines assume the Konnectivity server is
             # deployed on the same machine as the apiserver, and the certs and
             # key of the API Server are at the specified location.

From 528e1138e99fd24b0350a0ca3cbe5c2bec5fd998 Mon Sep 17 00:00:00 2001
From: Kensei Nakada 
Date: Sat, 1 Apr 2023 15:34:10 +0900
Subject: [PATCH 076/272] add min domains

---
 .../2023-04-11-topology-spread-features.md    | 30 +++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/content/en/blog/_posts/2023-04-11-topology-spread-features.md b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
index 8d38440562c..290a5ac2b73 100644
--- a/content/en/blog/_posts/2023-04-11-topology-spread-features.md
+++ b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
@@ -6,7 +6,7 @@ slug: topology-spread-new-features
 evergreen: true
 ---
 
-**Authors:** [Alex Wang](https://github.com/denkensk)(), [Kante Yin](https://github.com/kerthcet)(), [Kensei Nakada](https://github.com/sanposhiho)(Mercari)
+**Authors:** [Alex Wang](https://github.com/denkensk)(Shopee), [Kante Yin](https://github.com/kerthcet)(DaoCloud), [Kensei Nakada](https://github.com/sanposhiho)(Mercari)
 
 In Kubernetes v1.19, [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) went to GA. 
 It is the feature to control how Pods are spread to each failure-domain (regions, zones, nodes etc).
@@ -19,7 +19,33 @@ This blog post is going to introduce each feature and the usecase/issue behind t
 
 ## KEP-3022: min domains in Pod Topology Spread
 
-TODO(sanposhiho): write it
+Pod Topology Spread has the `maxSkew` parameter to define the degree to which Pods may be unevenly distributed. 
+
+But, there wasn't a way to control the number of domains over which we should spread. 
+Some users want to force spreading Pods over a minimum number of domains, and if there aren't enough already present, make the cluster-autoscaler provision them.
+
+Then, we introduced the `minDomains` parameter in the Pod Topology Spread. 
+Via `minDomains` parameter, you can define the minimum number of domains. 
+
+For example, there are 3 Nodes with the enough capacity, 
+and newly created replicaset has the following `topologySpreadConstraints` in template.
+
+```yaml
+topologySpreadConstraints:
+- maxSkew: 1
+  minDomains: 5 # requires 5 Nodes at least.
+  whenUnsatisfiable: DoNotSchedule # minDomains is valid only when DoNotSchedule is used.
+  topologyKey: kubernetes.io/hostname 
+  labelSelector:
+    matchLabels:
+        foo: bar
+```
+
+This case, 3 Pods will be scheduled to those 3 Nodes,
+but other 2 Pods from this replicaset will be unschedulable until more Nodes join the cluster.
+
+The cluster autoscaler provisions new Nodes based on these unschedulable Pods,
+and as a result, the replicas are finally spread over 5 Nodes.
 
 ## KEP-3094: Take taints/tolerations into consideration when calculating PodTopologySpread skew
 

From 48b77c022678c8322bb6fec08b1e6d0ad96a5ba7 Mon Sep 17 00:00:00 2001
From: harshitasao 
Date: Sun, 2 Apr 2023 01:11:55 +0530
Subject: [PATCH 077/272] Added v1.27 Release blog article

---
 .../_posts/2023-04-11-kubernetes-1.27-blog.md | 209 ++++++++++++++++++
 .../kubernetes-1.27.png                       | Bin 0 -> 232585 bytes
 2 files changed, 209 insertions(+)
 create mode 100644 content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
 create mode 100644 static/images/blog/2023-04-11-kubernetes-1.27-blog/kubernetes-1.27.png

diff --git a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
new file mode 100644
index 00000000000..da60ef0330d
--- /dev/null
+++ b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
@@ -0,0 +1,209 @@
+---
+layout: blog
+title: "Kubernetes v1.27: Chill Vibes"
+date: 2023-04-11
+slug: kubernetes-v1-27-release
+
+**Authors**: [Kubernetes 1.26 Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.27/release-team.md)
+
+Announcing the release of Kubernetes v1.27, the first release of 2023!
+
+This release consist of sixty enhancements. Eighteen of those enhancements are entering Alpha, Tweentynine are graduating to Beta, and Thirteen are graduating to Stable.
+
+## Release theme and logo
+
+**Kubernetes v1.27: Chill Vibes**
+
+The theme for Kubernetes v1.27 is *Chill Vibes*.
+
+{{< figure src="/images/blog/2023-04-11-kubernetes-1.27-blog/kubernetes-1.27.png" alt="Kubernetes 1.27 Chill Vibes logo" class="release-logo" >}}
+
+
+It's a little silly, but there were some important shifts in this release that helped inspire the theme. Throughout a typical Kubernetes release cycle, there are several deadlines that features need to meet to remain included. If a feature misses any of these deadlines, there is an exception process they can go through. Handling these exceptions is a very normal part of the release. But v1.27 is the first release that anyone can remember where we didn't receive a single exception request after the enhancements freeze. Even as the release progressed, things remained much calmer than any of us are used to.
+
+There's a specific reason we were able to enjoy a more calm release this time around, and that's all the work that folks put in beind the scenes to improve how we manage the release. That's what this theme celebrates, people putting in the work to make things better for the community.
+
+Special thinks to [Britnee Laverack](https://www.instagram.com/artsyfie/) for creating the logo. Britnee also design the logo for [Kubernetes 1.24: Stargazer](https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/#release-theme-and-logo).
+
+# What's New (Major Themes)
+
+### Freeze `k8s.gcr.io` image registry
+
+Replacing the old image registry, [k8s.gcr.io](https://cloud.google.com/container-registry/) with [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io) which has been generally available for several months. The Kubernetes project created and runs the `registry.k8s.io` image registry, which is fully controlled by the community.
+This mean that all subsequent image releases would not be available on the old registry. Freezing  the `k8s.gcr.io` image registry by not pushing any new digests or tags after this release.
+
+What does this change mean for contributors:
+
+* If you are a maintainer of a subproject, you will need to update your manifests and Helm charts to use the new registry.
+
+What does this change mean for end users:
+
+* This Kubernetes release will not be published to the old registry.
+
+* Patch releases for v1.24, v1.25, and v1.26 will no longer be published to the old registry from April. 
+
+* Starting in v1.25, the default image registry has been set to `registry.k8s.io`. This value is overridable in kubeadm and kubelet but setting it to `k8s.gcr.io` will fail for new releases after April as they won’t be present in the old registry.
+
+* If you want to increase the reliability of your cluster and remove dependency on the community-owned registry or you are running Kubernetes in networks where external traffic is restricted, you should consider hosting local image registry mirrors. Some cloud vendors may offer hosted solutions for this.
+
+
+## SeccompDefault graduates to stable
+
+To use seccomp profile defaulting, you must run the kubelet with the `--seccomp-default` [command line flag](/docs/reference/command-line-tools-reference/kubelet) enabled for each node where you want to use it. 
+If enabled, the kubelet will use the `RuntimeDefault` seccomp profile by default, which is defined by the container runtime, instead of using the `Unconfined` (seccomp disabled) mode. The default profiles aim to provide a strong set of security defaults while preserving the functionality of the workload. It is possible that the default profiles differ between container runtimes and their release versions.
+
+You can find more detailed information about a possible upgrade and downgrade strategy in the related Kubernetes Enhancement Proposal (KEP): [Enable seccomp by default](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2413-seccomp-by-default).
+
+## Pod Scheduling Readiness goes to beta 
+
+Pods were considered ready for scheduling once created. Kubernetes scheduler does its due diligence to find nodes to place all pending Pods. However, in a real-world case, some Pods may stay in a "miss-essential-resources" state for a long period. These Pods actually churn the scheduler (and downstream integrators like Cluster AutoScaler) in an unnecessary manner.
+
+By specifying/removing a Pod's `.spec.schedulingGates`, you can control when a Pod is ready to be considered for scheduling.
+
+The `schedulingGates` field contains a list of strings, and each string literal is perceived as a criteria that Pod should be satisfied before considered schedulable. This field can be initialized only when a Pod is created (either by the client, or mutated during admission). After creation, each schedulingGate can be removed in an arbitrary order, but addition of a new scheduling gate is disallowed.
+
+## Node Service Log Viewer
+
+This feature helps cluster administrators debug issues with services running on nodes by allowing them to query service logs. To use the feature, ensure that the `NodeLogQuery` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled for that node, and that the kubelet configuration options `enableSystemLogHandler` and `enableSystemLogQuery` are both set to true. On Linux we assume that service logs are available either via journald. On Windows we assume that service logs are available in the application log provider. On both operating systems, logs are also available by reading files within `/var/log/`.
+
+A node level administrator can try out this alpha feature on all their nodes, or on just a subset. Provided you're authorized to do so.
+
+## ReadWriteOncePod PersistentVolume Access Mode goes to beta 
+
+ReadWriteOncePod is a new access mode for [PersistentVolumes](/docs/concepts/storage/persistent-volumes/#persistent-volumes) (PVs) and [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) (PVCs) introduced in Kubernetes v1.22. This access mode enables you to restrict volume access to a single pod in the cluster, ensuring that only one pod can write to the volume at a time. This can be particularly useful for stateful workloads that require single-writer access to storage.
+
+The ReadWriteOncePod beta adds support for [scheduler preemption](/docs/concepts/scheduling-eviction/pod-priority-preemption/) of pods using ReadWriteOncePod PVCs. Scheduler preemption allows higher-priority pods to preempt lower-priority pods, so that they can start running on the same node. With this release, pods using ReadWriteOncePod PVCs can also be preempted if a higher-priority pod requires the same PVC. For more context [see here](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2485-read-write-once-pod-pv-access-mode).
+
+
+## Respect PodTopologySpread after rolling upgrades
+
+`matchLabelKeys` is a list of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the pod labels, those key-value labels are ANDed with `labelSelector` to select the group of existing pods over which spreading will be calculated for the incoming pod. Keys that don't exist in the pod labels will be ignored. A null or empty list means only match against the `labelSelector`.
+
+With `matchLabelKeys`, users don't need to update the `pod.spec` between different revisions. The controller/operator just needs to set different values to the same `label` key for different revisions. The scheduler will assume the values automatically based on `matchLabelKeys`. For example, if users use Deployment, they can use the label keyed with `pod-template-hash`, which is added automatically by the Deployment controller, to distinguish between different revisions in a single Deployment.
+
+
+## Speed up SELinux volume relabeling using mounts
+
+In this release, how SELinux labels are applied to volumes used by Pods is graduating to beta. This feature speeds up container startup by mounting volumes with the correct SELinux label instead of changing each file on the volumes recursively. Linux kernel with SELinux support allows the first mount of a volume to set SELinux label on the whole volume using `-o context=` mount option. This way, all files will have assigned the given label in a constant time, without recursively walking through the whole volumes.
+
+`context` mount option cannot be applied to bind-mounts or re-mounts of already mounted volumes. Since it's a CSI driver that does the first mount of a volume, it must be the CSI driver who actually applies this mount option. We added a new field `SELinuxMount` to CSI Driver object, so CSI drivers can announce if they support `-o context` mount option.
+
+If Kubernetes knows SELinux label of a Pod **and** CSI driver responsible for a pod's volume announces `SELinuxMount: true` **and** the volume has Access Mode `ReadWriteOncePod`, then it will ask the CSI driver to mount the volume with mount option `context=` **and** it will tell the container runtime not to relabel content of the volume - all files already have the right label. Get more information on the KEP: [Speed up SELinux volume relabeling using mounts](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling)
+
+## Robust VolumeManager reconstruction goes to beta
+
+This is a VolumeManager refactoring that allows kubelet to populate additional information about how existing volumes are mounted during the kubelet startup. In general, this makes volume cleanup more robust. 
+By adding `NewVolumeManagerReconstruction` feature gate and enabling it by default to enable improved discovery of mounted volumes during kubelet startup.
+
+Before Kubernetes v1.25, the kubelet used different default behavior for discovering mounted volumes during the kubelet startup. If you disable this feature gate (it's enabled by default), you select the legacy discovery behavior.
+
+In Kubernetes v1.25 and v1.26, this behavior toggle was part of the `SELinuxMountReadWriteOncePod` feature gate.
+
+## `JobMutableNodeSchedulingDirectives` graduates to GA
+
+This was introduced in v1.22 and started as a beta level, now it's stable. In most cases a parallel job will want the pods to run with constraints, like all in the same zone, or all either on GPU model x or y but not a mix of both. The suspend field is the first step towards achieving those semantics. Suspend allows a custom queue controller to decide when a job should start. However, once a job is unsuspended, a custom queue controller has no influence on where the pods of a job will actually land.
+
+This feature allows updating a Job's scheduling directives before it starts, which gives custom queue controllers the ability to influence pod placement while at the same time offloading actual pod-to-node assignment to kube-scheduler. This is allowed only for suspended Jobs that have never been unsuspended before. The fields in a Job's pod template that can be updated are node affinity, node selector, tolerations, labels and annotations and [scheduling gates](/docs/concepts/scheduling-eviction/pod-scheduling-readiness/). Find more details in KEP: [Allow updating scheduling directives of jobs](https://github.com/kubernetes/enhancements/tree/master/keps/sig-scheduling/2926-job-mutable-scheduling-directives)
+
+## Mutable Pod Scheduling Directives goes to beta
+
+This allows a pod to make pod scheduling directives (nodeSelector, affinity) mutable as long as the pod is gated.  It gives the ability to mutate a pods scheduling directives before it is allowed to be scheduled, and gives an external resource controller the ability to influence pod placement while at the same time offload actual pod-to-node assignment to kube-scheduler.
+
+This opens the door for a new pattern of adding scheduling features to Kubernetes.  Specifically, building lightweight schedulers that implement features not supported by kube-scheduler, while relying on the existing kube-scheduler to support all upstream features and handle the pod-to-node binding. This pattern should be the preferred one if the custom feature doesn't require implementing a schedule plugin, which entails re-building and maintaining a custom kube-scheduler binary.
+
+## DownwardAPIHugePages graduates to stable 
+
+Support for `requests.hugepages-` and `limits.hugepages-` is being added to the downward API to be consistent with other resources like cpu, memory, and ephemeral storage. You can find more details in the KEP: [Downward API HugePages](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2053-downward-api-hugepages).
+
+# Other Updates
+
+## Graduations to stable
+
+This release includes a total of thirteen enhancements promoted to Stable:
+
+* [Mutable scheduling directives for suspended Jobs](https://github.com/kubernetes/enhancements/issues/2926)
+* [Add downward API support for hugepages](https://github.com/kubernetes/enhancements/issues/2053)
+* [Kubelet option to enable seccomp by default](https://github.com/kubernetes/enhancements/issues/2413)
+* [Default container annotation that to be used by kubectl](https://github.com/kubernetes/enhancements/issues/2227)
+* [TimeZone support in CronJob](https://github.com/kubernetes/enhancements/issues/3140)
+* [Expose metrics about resource requests and limits that represent the pod model](https://github.com/kubernetes/enhancements/issues/1748)
+* [Server Side Unknown Field Validation](https://github.com/kubernetes/enhancements/issues/2885)
+* [Node Topology Manager](https://github.com/kubernetes/enhancements/issues/693)
+* [Freeze k8s.gcr.io image registry](https://github.com/kubernetes/enhancements/issues/3720)
+* [Add gRPC probe to Pod.Spec.Container.{Liveness,Readiness,Startup} Probe](https://github.com/kubernetes/enhancements/issues/2727)
+* [Add configurable grace period to probes](https://github.com/kubernetes/enhancements/issues/2238)
+* [OpenAPI v3](https://github.com/kubernetes/enhancements/issues/2896)
+* [Stay on supported go versions](https://github.com/kubernetes/enhancements/issues/3744)
+
+## Deprecations and removals
+
+This release saw several removals:
+
+* [Removal of `storage.k8s.io/v1beta1` from CSIStorageCapacity](https://github.com/kubernetes/kubernetes/pull/108445)
+* [Removal of support for deprecated seccomp annotations](https://github.com/kubernetes/kubernetes/pull/114947)
+* [Removal of `--master-service-namespace` command line argument](https://github.com/kubernetes/kubernetes/pull/112797)
+* [Removal of the `ControllerManagerLeaderMigration` feature gate](https://github.com/kubernetes/kubernetes/pull/113534)
+* [Removal of `--enable-taint-manager` command line argument](https://github.com/kubernetes/kubernetes/pull/111411)
+* [Removal of `--pod-eviction-timeout` command line argument](https://github.com/kubernetes/kubernetes/pull/113710)
+* [Removal of the `CSI Migration` feature gate](https://github.com/kubernetes/kubernetes/pull/110410)
+* [Removal of `CSIInlineVolume` feature gate](https://github.com/kubernetes/kubernetes/pull/111258)
+* [Removal of `EphemeralContainers` feature gate](https://github.com/kubernetes/kubernetes/pull/111402)
+* [Removal of `LocalStorageCapacityIsolation` feature gate](https://github.com/kubernetes/kubernetes/pull/111513)
+* [Removal of `NetworkPolicyEndPort` feature gate](https://github.com/kubernetes/kubernetes/pull/110868)
+* [Removal of `StatefulSetMinReadySeconds` feature gate](https://github.com/kubernetes/kubernetes/pull/110896)
+* [Removal of `IdentifyPodOS` feature gate](https://github.com/kubernetes/kubernetes/pull/111229)
+* [Removal of `DaemonSetUpdateSurge` feature gate](https://github.com/kubernetes/kubernetes/pull/111194)
+
+
+
+## Release notes
+
+The complete details of the Kubernetes v1.27 release are available in our [release notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md).
+
+
+## Availability
+
+Kubernetes v1.27 is available for download on [GitHub](https://github.com/kubernetes/kubernetes/releases/tag/v1.27.0). To get started with Kubernetes, you can run local Kubernetes clusters using [minikube](https://minikube.sigs.k8s.io/docs/), [kind](https://kind.sigs.k8s.io/), etc. You can also easily install v1.27 using [kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/).
+ 
+## Release team
+
+Kubernetes is only possible with the support, commitment, and hard work of its community. Each release team is made up of dedicated community volunteers who work together to build the many pieces that make up the Kubernetes releases you rely on. This requires the specialized skills of people from all corners of our community, from the code itself to its documentation and project management.
+
+Special thanks to our Release Lead Xander Grzywinski for guiding us through a smooth and successful release cycle and to all members of the release team for supporting one another and working so hard to produce the v1.27 release for the community.
+
+## Ecosystem updates
+
+* KubeCon + CloudNativeCon Europe 2023 will take place in Amsterdam, The Netherlands, from 17 – 21 April 2023! You can find more information about the conference and registration on the [event site](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/).
+* cdCon +  GitOpsCon will be held in Vancouver, Canada, on May 8th and 9th, 2023!  More information about the conference and registration can be found on the [event site](https://events.linuxfoundation.org/cdcon-gitopscon/).
+
+## Project velocity
+
+The [CNCF K8s DevStats](https://k8s.devstats.cncf.io/d/12/dashboards?orgId=1&refresh=15m) project aggregates a number of interesting data points related to the velocity of Kubernetes and various sub-projects. This includes everything from individual contributions to the number of companies that are contributing, and is an illustration of the depth and breadth of effort that goes into evolving this ecosystem.
+
+In the v1.27 release cycle, which [ran for 14 weeks](https://github.com/kubernetes/sig-release/tree/master/releases/release-1.27) (January 9 to April 11), we saw contributions from [1020 companies](https://k8s.devstats.cncf.io/d/9/companies-table?orgId=1&var-period_name=v1.26.0%20-%20now&var-metric=contributions) and [1603 individuals](https://k8s.devstats.cncf.io/d/66/developer-activity-counts-by-companies?orgId=1&var-period_name=v1.26.0%20-%20now&var-metric=contributions&var-repogroup_name=Kubernetes&var-repo_name=kubernetes%2Fkubernetes&var-country_name=All&var-companies=All).
+
+## Upcoming Release Webinar
+
+Join members of the Kubernetes v1.27 release team on  to learn about the major features of this release, as well as deprecations and removals to help plan for upgrades. For more information and registration, visit the [event page](#) on the CNCF Online Programs site.
+
+## Get Involved
+
+The simplest way to get involved with Kubernetes is by joining one of the many [Special Interest Groups](https://github.com/kubernetes/community/blob/master/sig-list.md) (SIGs) that align with your interests.
+
+Have something you’d like to broadcast to the Kubernetes community? Share your voice at our weekly [community meeting](https://github.com/kubernetes/community/tree/master/communication), and through the channels below:
+
+* Find out more about contributing to Kubernetes at the [Kubernetes Contributors website](https://www.kubernetes.dev/).
+
+* Follow us on Twitter [@Kubernetesio](https://twitter.com/kubernetesio) for the latest updates.
+
+* Join the community discussion on [Discuss](https://discuss.kubernetes.io/).
+
+* Join the community on [Slack](https://communityinviter.com/apps/kubernetes/community).
+
+* Post questions (or answer questions) on [Server Fault](https://serverfault.com/questions/tagged/kubernetes).
+
+* [Share](https://docs.google.com/forms/d/e/1FAIpQLScuI7Ye3VQHQTwBASrgkjQDSS5TP0g3AXfFhwSM9YpHgxRKFA/viewform) your Kubernetes story.
+
+* Read more about what’s happening with Kubernetes on the [blog](https://kubernetes.io/blog/).
+
+* Learn more about the [Kubernetes Release Team](https://github.com/kubernetes/sig-release/tree/master/release-team).
\ No newline at end of file
diff --git a/static/images/blog/2023-04-11-kubernetes-1.27-blog/kubernetes-1.27.png b/static/images/blog/2023-04-11-kubernetes-1.27-blog/kubernetes-1.27.png
new file mode 100644
index 0000000000000000000000000000000000000000..cbfceda4b8bdde712a0914657155c51004fdde24
GIT binary patch
literal 232585
zcmeEu_g7R|({7_OIHE9$1OuYd|?`_vWm1(bI*
zPn7l>ewY6!Zu{(nQ2E!cs;1EkUbY`Dc5)gte4rXKzC#^BHR`cS?Yt{2YJ7|IiB22q
zDRF}#yU2g!q0p3SnnC_SO<u%yvbYCWm_u$Z0k
ze51(v<6tutHJz;vE53^~Px`qQ)cRfPpT|_h(#OV45o}(yFZ+LuyLGN+=tV34iW;^h
zjIOm4o%!sfU~|b=ik&~b0z7lX-2k%f7v-Ys-5svozcZibQ1{tbQ)+Yih2rhMxP-nwL*cHSd8iZ>|3U4lhquqzY{buN
zDUr{z>NXDgi+215@^pN?z4ICyboJBchMKC*0Yv=ofB)-&|MkHCe-8vvBylpsuc0o?
z&7a1oN&TvnAYh@~x|-30d8(+9$E}OcS(jYwd`BmP_l@9%Pi<~fp-|>oH$6q(5Q*qn
z^iV31qGnY;zycCE9`JJrEylJj4|PC(>-<$IPQ}BL6SF74V}E@OqCugWGy41b@oORE
z;WqNH%hM}gBKjSn!!OKFcXFcqt`ov52bsAqz!hQS!_o5Zef_zZ)M#Setg}(*U(9tz
zQO5BH@dq!_X^(tIJ*}g_Qggox-zZQhCPP(|lxRuXnc-J|@r4y<%i;qC33WeBtMXlG
z!K$z`$0fiIx$NA0Dh`}8G>gWWPbT-+^vb3O1VG;GHCcxkN`
zS_|=rdz2;{5>?N!uT5IE_Z@xGA`O<6ykmmT8ZV}5;-p6Yg%(gMOLy(6t`Q}Sqj4U?
z^Nm^(u=f~_BZoac*w=pn6CgtHi28cI>wV+SL2iBwCP0Re4;9q19R40#Q-7!4sld4T`#8ol
zjwt6;oW#croPqk-f`m=eVa{HHpw7O%j!x=199b;B;#Ma?P{lYmCJh%l6-)ZHPVuJH
z@k#y)z(JiDH8uD4k;N~?ah-?b?pgjf_pj~yKZkuL2s_v{IY+T|HESir+UZ
z%~1LQ09=Bk(1edrvY2^PY3?(oiucWP)4<#oZyghh_R#!Vb
zFF8JB#0uggPs@gaVv~Jp0k0u|mZ65+iP@Sp*%bNea
z0dGZ67i=Yg_>vSs>Q*@{@7wk=Qz7?M4(>aU{sF7>IguEC*45UF0!w5Qi9;COIKGQY
z%ZlVzm4ha_5^y5SBvHT#2i^31FGbkQk;TjM5grU>q?ZZochokeFM5U?y|NyGSF_1Y
zPtUv1ECuXgjF>21e(Wt^No^w1xIehUaaR
z+u+S#MesZ!`Do7mIws{H@}RFp{9}eHxfi&r@hHr%kUcGh;ETFc$sL$f?ON-T#xcZg
zr{eh-8W<~gkXSTpKAM};!~_Tsrj)8qKN(jiCjwXUA+BsgLXT3gTk2VojU;+Q$vU@k
zD)ZG|>QKnqpPy+I80`j%b!tE0J@wCPuj$
zZ1(mYRTF73!Z>>Z*JxRDkt(?r;LlJ3jR63Da}YyuB>_Y?ra=
z17(a%4AH@<_)-ApMtB51}O<<&ma`*tE{%Pv{QAmaz_R1HS6i{++bMqC@ICbbuwh_Y*dQ4;fqNiTh
zAl=t9GZAX!tP!C^m*nDE$(ASRWmWP3dbX;;dGnYQ2Y9lr`N%*HihyY6lIXaUtC*;0Y#vw2;4cs@G}rMVM0h$vVN^K#iBa-
z8OU04nvsJY;frjb0+qmbCb-tcFUxW4399Z}FLpn+
z{c)&^8c8O`4ljdh_Gs*|EEE(mbqrYmgIB8JeJcyflCsMoJ~uxX-K~Duw~e>Zp`N0{
zq>gUX<|`p@xCA4%`6OT-3Bu>KkWX|G)hUrys!RUooA!4TC~2E~t0LyA#+_?AHaFLN
z2RUja2x7ygVs(FpR`YZ7o7pU}e!E92JxQ^T0F
zJUCj^6$4K;%?kz$4zH|ST=v@SW$9U7^6EcpHeMG0nSd{1hw9k~5z)>DxAi!-jiHiaQbM^)h6f#baQ0GS;Qm957r4QwT?eVNWJ?8jZDlH06vV~<=H`XI95&n|Xf?cAw#J;{qpcZK
zJQIFrzXzSBN)85U>~de!P0#gVjH&dyHp{V*L?RtVCYk608ROJt&4D<33K>ToC`j&U
zLxmnqp4!mVbJ7%C<>X`FiZbC0RALnIPR**u!8f#nvRCQ5Mb#d*?X|O20)W$-zf0)@
zz0<=o!*Z+S?qAa#n6YHyKE~^EC;i`vwLc??#Zi5vGN`W-UTy3SVK)W
zSF!tS`d%_xS;hsDahKo`J*udBRze!vcGaC^2A4Ve8wBmB
zdSRqcRE4h#0j90?hSS@;02E?wLS~fI4e!%4w&!2}D=8U&@b?TYh|a#If1C8{IaQN}
zYXlxf{)oC;(Zph?zG%@iuDgxyre{AIhZ&x~BE}K{6lOCsocGO&K>GMYZEU!^P#Xs*
z61f?gu7``toC2M9G~nZsdjE)b2=8=fyp
zTAl^^gvl1!BGB5NT03&vQ@t#m-CRZ|R%b#n2mVWy9E5E)%g^8LV^XXBnc7|iW!2et
z^h2InYD8H&3s*}pNYny(~EswK#Bo2H>Yk}NT)BOA5D2)zg%*53g#kM{-0
zHa46)Fty1xq*ZxxLh@${G5LQ~618P5q9$trBeQxZ-w3pT*sMcQOL1m5QvuzEF~TGz
zr~%UGDp1N&0tC5Jv#8635onw?39vGXAr`5run1PgB(5o}Dlm3Y+|u2J9spj_LO7ox
zmJSZSrrq3JHM(0V@MfSEM98>nTS`iR^#h+l?yV1S^UI>Hv`|DS#y!&*7Zf5>+)(%?>o!n9UAM*zmmn
z6vgnlA9GNP1YjE0vq5MK;uHzVtX~JKp^?J;DWP~djRtG=TBiL$lpf%Bn;XXjI{%b
zA*OQC(^naGlHg@H4NE{Zd@oMuX4}q1UjotOl@Bz6(Hk@gyE*9oqoo^*#VTY=OzinC
z3jKm2HS%{P3a4q|>LdSl}k)N9~zIFI&V>p`*K?C>bGXaAe>b=&bHRIXSY)vgzP-
zoH#QQu#S2j3UBWD18qHFOllmF5lYs+MP=Uim3{m6(dIiI!0RTu00F%BAI7I)$h4T$
zG~%-s3@X!p5lB=1QJ`Aakvw6dkr4*Scn%s&4nQ;zBZqhqcvtnUWFkw{p4#xdj0xQA
z1(m@E)&N9mi^hS7sFxKuo@v&fXWLFevw$Yqk;DXE$&d=~3{oqolI2)Tqt5OpIyoMlCJU0+>I9v1R@Ql!FO$QvxwW
zsS4%VR4)L!HQ}SYHiHes+ah^X%(1=fmg^PtX(5npI|dP-NLC~6#{nfagKkPD=0Kn?
zr7#zy;n+?>7d!cmP9vh6i5HH-X>g?ZsCsUKGQu7u
zy@C?C4BZ5D#pGp>3`^+1Na7}tpO(nU!(YQE57z{R2C5e%9L88#f@SU1*9gn#?J3Z{
zaKW8x^LM!2YSy%emC9<=o*|?SU?X_>K$zgdzP$>T2_Vb%En)oZ=H})T(A^mFB}^B{
zj%L?dAnBs&Gr7!mv+A?rZDODwEqVSBz>YgWiZF5e1^^
z@&EPc+isW|JOE9~5P;{e9yHxRQBUE~O^HNRSWUxlGatce|APuD1qp!N$=sfYF6)7#
ztyHjr?lll;zMF5sDpqg+bUJ=JaSp`*C%2(0Hk>se08Y5o5e$dD6PArHQd1&7M|bm#
z9z%J%89|4Vgk{kDRQ7<8KWeHK?4?;Bu#6o9NOBs@0|49Hu&o5alOKg6c}WeQ$ubjk
zC(2|hOcyUOwE5i;lEuJ%>8K&H-#*yQOgN7?hd^y;SpY0iAkAYAx+@3QkBr=ajj#f_
z`4WA|O1KnNz?Xa+_4E$_DB#Sbqczu&H6ZGRn1d#?Iv22V+)D>ytZY~sMcgY7qb%qR
z0JasN)a_ApK7dcNpN}#W2adFZ^njUghur)H1bhu0m`cP1YopB57nI1qDhC^oe!iI#
zR*xmW0c>K3v(TO{G#%`LdixBtXG0)`j1ajm1besS9Z>tt=)gC`QUIH`B`)lMAOioJ
z?LnX5j;lGN55x%4L*tyFY+%PcJ~@q;12Cflm#m;qpOH1aef@IKo;9Qp?MxAL%~N|P
z=ll4to4_N@{=CCMWCkU{C2nfSQgtm6k0zhVTBF8=&G=<)UQFYjd)2XFIF(eeT
z;Y%uR~?uBi{IuFxaJ5}0O0WvjH0CQuBT98
zuYkk|7@qe+$cITD>A@$K0Q)SU8QUJypq{Svq0@k1;zBm^{0&@yPse})i{9Qx3vhx6
zu`Zp#1l0Vu+c}MZMGk<)1KR6G4=Y!JD!26jng#K3II{5sj^QsLqZG+4YwD>2JOBt&
zGqGq{(9kpqFazjnB*IHFz()BANl{YySZdcbd=9&?v`9=sZmx>Ds%-P+T%sF;yN#az8;6F5{C;)BO$(dt`oPAhqxLiai6f&^!AE1AKn}bG
zN+y=59<}#)@_f8l6dm1AwU;VvjBkF>dev>d3~N)1We9C%EUsriJlGbPDWR3OT^Wu6
zBfnC_>rY{2Yz~HRKcR!!6xlp1_356qz6WZ?-n-@j#-fErQFd__vz#XW`)6?7IkIUD
zR5a0QPb@vJ61qVLdBj40eS#x*8*oGXTHC5>w$X$>UrIt3erhMDqv~=MKSzPll>5Tz
zzSnh|#8F017)U)_f+qtLiPm7UVg~cngg%byBr3>qps!z@9j6Vk0V9t9;6M0iwnIxnnlc@P?ZklaH-i}+Y#$rfufFnI3pL|Pp?F#%Moq|IGXy0#jz0FQbRLP+7Q2#`E!>+OHF0He#M5Lfa3vfN(mU*_
z(=85B^*~COBYe1oh~Z6TZ9Um!(D(9!+Uafk5oE&Rvx7$gziLGi;{TL|e446Fav{_S
z%)!`2-1>%iA5jaiTN}x0;5v5`G$h&>(==i~aH}GK+)#zHQ`b*-iz}|bJ{K5QR$$Lv
zjvDpdoE}YEavxQ#0ujFR*c)O2b!G`c$!0K|;>%zH=7||gB$9v`uS@zI_2e%O-+JUGPAk&=&SR}ee0Qwgr_(G0cqb*y8
z?;Q=gM%*pnU!p|@CK6N(eG3bYGF~J-kCiSSB@kFp;{8FVsDhMTUkiZu31?8gr7;Iw
zgv1`cu(WCASmIhI2eANb1LTa->}|KSngz1oUQcmsSJ0hm5kfhbQyn0l@P^yB<|-iM
zYcL0*1Qim)=QhBij>8o~w$3s_Iga{iFaH+Mn@}{XC(rr)S&g&t@~Xt1x}5(M6Ogg!
z>B0qLC=%?_No8<765l>
zD?mv97y@H;&jK2E@=ZxQ1$6jxxGhC`&M3@SBym=`N^mDuMSZp)N_09|TfKcHUoWQX
z$^GfMd6zGB0z1YVEK>Rslz&Y|M8TuT5CpMkm?z;Yk(&fFpdLsJ^22{S3|j5x?)T0J
zYionRe6L-aF>*f$W}L0u-$k}ijFtsrx&eVI99g)feUBMSCHg8=2`1X$@$NIR2X?Ek
z9rWV5p1g7EO&un8QOhPJZI0-|ub0CFlq`CRMbm&Ie1`92%)>y>$Oht?Y*ZWky&NRF
zqwIQCa)Y&p4L(IQWV^(6ys>_@<-gqgw1kz=3yKE|yn&z
zM1inqTI6C*YP9P7Ky25O(vs!o5B0kl{DUK|mN22FU>ZSp9~X!0Aqw8ZX#k8L=vfW}
zGhm^_>k~QI_a~S5ZdRv(gfPI?=dKTOA>_txQ>fT%_cfetaXGRX%g7Bv7z+@o&G7&k
zR8f0!kaf0^{+?)&NlJ**aAL1mN+f`Vz}u{k<>lK|-Tp#mwR4H^^Lkmb8D_}M6qCT%
z>qbJSb
zC*8nQ16HbLAgO-c1g@h>sTZFG&-QniY_l+gGV2+~1U3nzRI5ewuBMR*Gvc$hluci3|iQrf*k3pf$Y
zD_~(N-#7C308BS^YJ)#nuam8DzmKbRK2-<0BsaH5yjkc*hVb1Y)kE}7IGlXVzhPDm
zdt0-zw+Zd}kr)^vz{#fTos2wYX6S^4CbN%)LCQtdHyDk{*~muOasfiNk!K%~i+Zk9x?_uUmYHxl6udt3c~w@G
z{BIB6=_-2VxS6J8oZ%I}c1!{`*NaIqt!b~_@5_s>N1zYh1Ol`d3B~ux(Hp>N
z1odd=hmZM^5(qdD{~9B8!djmd>GIpFtP-rm&uDcZa&nN|&4hJR$rq$)5rCwcu+$&z
zY<#%;?Q&-7opNjlYgp1{b4BB=m=1Do@d7U>R<7DRaUM;`z`SG&4g*6ez6c++=LxZJ
zCAa*On3()k+(^Csqq;0#M;tF#%JI|baG{JdcGDr9W_sp=-Yx>ey&9O3ORACQb3sV>
zFsUGMCvO1UQKi<4A5MRDGI$S^^Ve*+xuPj0TE3rmpzuA~k_h{~2Jt_`sc3Tk`897p|0JPyei}$sz=^ow${9OaUqvZIotFtoGoT26gWD8#mGhW8s>Qg&HKimUa{ox46OG@aYucYG
zE4YD5zh${9+x@(lY>yxz*S$F%algl+|7BDTm+?wc9@v9F9)^eD9$XpZz~q)ik-Uj9
z&hb@AshMt-nmVgfnObrU=vCN=d(TSSG^}EPKtyCiG3=7P@RT}!q&Ye*w%kmCI-QFz
zN{uJ_V`5{SA5Jni`RJsU>@PSPG!=p5{fxwS@5lX`gMm?4H*A0b`SAP!($@>tBf9|V
zWfd}xwDJVRF;JF}AVn^45})mhx-r=*E_lNEr-#wl#&_y+P$OVsu0rE1Ko^ZP{Y+|O
zZ;qpoi^v#o5h)5b@GzxjyH)Dp?vO#H6&`!4ImLLpbAGjpTA&N44;Ud1QGVbeq0tal
zw@flHOTrhR7>rD!l>^v7*Q;#h)mD$Lu1dQ7uO|fSWj5Cjzl1dXnFhSYDcQ^Ny%k51U&4w9!LwpH}8WXL|bQT=Jfnrkw3Cf88fXT0TPX`ZD%wTIy
zy72WbOj#g!oP{5zPh_49Ux%x*ZP%e?HEM&mt86}zr4}F3VmyCxB_v|!F6$@j@);!(
z2rq#TF9F5&whzR=_A#(whV(kov%-L+;H$ywgfuiv!83!ct@o~!trMkY7J7xHr)~A0
zd~)&f5rwDpKNoASL>l3)p_zXqoM+XmqcV8Fi$F?B19)yD9UzbeS`Mg;yb`0QbB
zrJ|xj^vz#15Ea%2s>IqF@)q@cUkYPa1G!V61YOM@6kG$EzRfjGJP%jSULsWRqAV{mK~+_!{qA@1^
zPOkG3Zy&A{4YL1@WYMa&#ocb
zUk)0?GPKIy@ru1Nw~=e7oxLEMYCsuTd#bFwqPjlg4e3I!CMv&AG4D|>-=V$BcnOIY
zJd8U17Ss~dKMKX+l>3!gH+l{Jxun`p?^BX*Qj>52pNYC{{D6^u?(4S~vAVh{3I>eD
z!`b~BKd`6Kcr^@Nga1caL1qAV)a^Y@fEv_`sG#xLH)|ponO*~P>8f6?K;QD(DyNu~
zH;bsA7o*PFZqAkAo3x4HW&GB-8pAWe?=PN82>-Vg8>sBGO%2T1svt-E$E>~_nEQu{
zqN$smqzyR>r%(>?baeMiIuGYA#++tAMW%97Q};bEc_{I@Htg%yx%4DIck$nR%{oJD
z(r5qd&K`DC&oATW9N_m&@(atYkD7)p@&x_<*6TD@?P`kaN
zD25jMzQegZA^d4;v;ax=Sb*6R(pA_=ze3syfEf$kiA`x6;1NWcX`~0jTYhg(xoM*Q$sGhf%W3Vxw96%LVH&9#RjHVx!iJ;fWJNq
z`jLtFU5=uu*raEWtwz=MiKi$%3C3No3ZaZ3j+(ms~85REq$#M#@vS0Vy0&k!;hgb>G{r~UG+Xzy6ou2)6-A~rGnI0^%MqjJWlS7^ZMmnS6_
zlgGuSWjo3s{4nygJ)8ebKNUNiS6NpPI}E3`{9WSKa_}BkeZ()AN|)6stM66F@uXYB2Qv|Spv}8!bJpynn$v#q&eUF;X!^D
zvHB1FV4tpbVcL(OJKs;Bcr^^-i#yrw<1LK`BO+V_RbvM;eQRi$2WQ??h)rx-C(!^p
zMl~BEIgqh7#~h#5J1r^nChM|S-IAS44>RAHvZ3mM^QZ!M4}S~q^x}f&H>)cA`qPGu
zwX&S(t=-g~p|u1^+9M%=B2ZZjh+DqM(L8zGvG#avAW5=j`7+AlEm}a~{d6|G
zk^axsO*65do!o!mc25khz02}WfSWB;vjj~q{1Y;0Uam9fVQhW+5|hs>tLIWzqfI$v
z0Q?(@uAVf#s$ajCMBzJkhkiaRvk!KHF8F`tQ_0
zlimSoq}W3TCF9G@Efe#2)+&?gqDd?906tuWf|AN-bm)Q6-uFv)0#$8IUYFJT6*r4m
z|0etYPWTUYu22FX2Au(D^1>WmwJRs_>dV%3;)j#wJ=J}MEpZfA)x4a?x$F3ZieEL3
zo%F`Ii(jtIb~8%uxr%wOxKj=5Clo59tu7e+xU`xCUAf78Y<||WZtYJO&3l(2D~VI6
zteBCnr$u!262ske#O7|tW$m<+9l~)`rt6^;P0Kl|A+U*mj!-;*{?G1G&19XHMR$Qz{A+K^4T|#CTc(K1#g`rqg48rkq`hBIGWjYt*UsWCAi_6PU1L@O6U3
ziM>WGj9Da6Fokkn+sHIe!ONS6d@m^DME$IP!^TMFcJG_+69cy1A4TPtj@>>sq@|nT=<-WsmcOtxD0O=M
zU3#9>XS>K_V}Jt=LXZ475P_WFA~=CGbWlgStS=cdS_G2bbD$p%>SJaQn}I~`UZFAb
zLXd#=qsj3mYl^qh{@(Ie;fIj{okjwB2?R6-Ixv7bu?z*TJ4oN;Mr9;UP+Ywu;*uBr
zF;(9M!&_L;5M-L1R7n1}o(X^F6=&p{7)4V=lN@XXgDy2K1iwMY1206cQDWEtz?^PK
zJ2yD##R0m8`KkK(=_;dP?sk>7>J}e~Z)~}Icb451T5$S3>PZOl%@+|*7>|drjXDEQ
zu*>pjM=UJqVobwHoT#8nkH#T=%HP>B6SXppMfDHB=PL4ckrpxpPH#92I1RY4RzD9K
z_b$#F7fLzq0K%0Ihf+-VBlbM1`C|0UbRMtlAU2G}@KjOJ{1mfSU80!IXU;QPr!(OX
z9D~qzVJe#7h6`F&lQ3*T+pwT&X)cTI9~7k0F~i+^HsF!8_uD4Cwe~M!m6n0bW?dWV
zKMx~3HZdo2jZ0*lUR|g&iF;i`uP&J;1m3*oPea}7ASn{v8K2Hyn&ig-)d1M>)t!sw
zUSfT@_=+Fcum@{|pm9BLa&VlWd8F?Bu{;(q&I(--NjWa&)w@wxTUUswJi*n7LJhRd
zyXWS;YsQ|&^pM;0uD|(GJNSM8Jz%n=>-u96)+I)q8Ah))mw>U`=MeGoM*?KON>7gJ
zZ1eh%qbR6#?^1>xR23*t_i~Hs`>-c4TIh3{t|Apno+51b+X;U@UwtEPTBQtF7ZiL4
z2ZNWSTe&kF=!V`S<{p$s+@(|ObzGXCYu%<4{|`W$bmPpkS~12Ix*4|9k?!YmZ`ZvM
zS`tm-n{MQ=t{#Q>1H1jTZIkTjh}S~Sw;YA;$;uKP$is+wSvR~uR{lGE#32>mYeoM3qs6PLH7ZybQorm!mnWr4Go6A)y}BK{Ou9vTd^RTB*i~V
zf4GkiA9$8oQ3dNs|zd}XcZO!qOHjjEkEpZy95av|R~ISwWa_e-
zqM|J&sEfKlp*`pltsU>tzbEP+Kzzaz;5fd<@Be#bcRhvVTqyrolu6Mh_s@ERr^kEJ
z$=ENhbwxWnr@dtzgzQp
zvYRY)-g8YUzG(r1!+6(cakp;YXeawTh)uJVc@<5)KzDdCe++wS2p<1=}s?R06ud9KFi4hA5Vy+P`VJYKh`y>)B!~C
znaw5p9-XJ27muFZ_W4j^bSOw>*xy`j%9{!`I{(s56g7~`BPMHyPNV@EMm4DWn&II5
z?LcWDwn6Q)OlEhI0w-!$LF$R?1=x|1T{37Ad+)VB@@gS+w4S>axz*pW=b0E@-CD~o
zm7X^hW9jOfl8gAQ&c6qB@o7#_KzE#No|7|vA5`9rUiX-`wt2@%Xsb4xr&-Id$!WlJ
zCT(4GcybpLXnmB{9ZZt|h&@`(%k$7$#IGkU&!*gOt<5;6<%M#l%I%D)IKqeTp2G>Jm{&X`1+Fz2r7`;?;q^RtM=#x8Yp4DiKwHAKQ!M_eM!cQyq9}AU
z>vZ=|h3clyAX7d#rzw%QYAy?^QD5CKMBy9X74rdiXbdPs##H+%J#y{$7C(4hOpz|x=X5`=x6RG_yi0v4hp9w
zkop284`ude``vb@2nv2
zzxEm>kAzbXJpyzFP+8b9fmRY!MOa%0OD%8GHPHj7J!eZ>SrJ^QOy6dJze}xl`bmK}
z6x~;^w?^8xs{k(;#`=wq*E7)XQ+t%H&nz*!OI(g!h{Io@-tw1%6&;GHS@JH(SQ9_v
zI0cLAcNUy~-~m75Ew6r1DVq8H&2Q?n*o$YGUH_C0tu51e&&$n@=ff%NF@O9Yy=+`f
zEPdHvN1o)jY~tmq)JZRcN)sVGt7I@x{MsrCNqL8%boJvBl5n9sB$sCC?(Y3&Zw%k?T?tOzjyypND?U-cD$ID(%ZUF&$jzX
z&frebT)Q&gX!$KMBmNvY#x{1|Q8CrWXnLUT59^S|^R`4f+$3um0?{ABCJjQ$pU=nh
zy+P9O_q~rg{$5*)i8RxWkN1aM_VoDF({?8VyCW|5e0$P%{^he6lQFg==~}gK=BOyl0EO{V+QBZtvYg`vZ!{jvVtQ_usIV*s#vS|mK``>zfkN}L
z%Sga>onlEQs)qy>ae)l4)JEC4Zk9jB6XSr4{_}_Ag
z)pfH6-Q%A2_`@N+sC%<9+lxCNshjdRtxdJInL+cY?#WyH-r1oj
zHKWkje+p##<4uqTSt&+13bWyUvhhZ2ZLxl~
zKs``Aq|77DWk3U}}HTY-KQ%h&h!J!Q9ANyYY_
zb}cRU^u+o%)8@A8)Ykpy2jAD;q+bsJ5+scUrx@tEG>CP4n17wY>V%e#sg0lHw{nXg
zPfTOeE|oVFnpX||3YgtW~*XBtD4JI
z|E$cFe{>lP5jcRl_;oZDsft=iuACj0>M}OwK@VkJEq0*M{hDZN-9Du>@_h2&1>Pa2
z8Fovn>QNY2{2?FppQG0lD4GOh0&fG)1l|0|16rNPHBh+tF)YFsTBVsAgClHp1k%`PZoE*r|^dBGPV?PFJ@6EZXZzF+d4vBKIX
z+|`)mOBZ?d}4IfV9C?{UJHXYqj118A0s2R-M{y}VaZQI-)r
zJrS{AUhrumMwY?YM2GXT>FU_SI=$J8jrA*z>2FOB*1Ybw>ifk_>Wx*ub+-Z#a)vWyJ=)k=dDa^g=XFK`$
z9BdwHu6A@7`n^9X({$PIyKiprU~JD;pXUAgLeC-?jcmdP6%v7I9gom|<00jGl?7
z5!OR4g~aqYB}PM0m^w7kRKK1aILmkwbV;sZr=}dvdJ%sc@6%l}YbtviC!10oIFd5v
z=QO(NHtn?1kr!tuSr$I;bbnm8l2xcp=6LDGLTS_-sg7yY0|=#xx`#$8-6xBR=2mhV
zFZBwG&dn}0>VWxeuTa1vk@Ev_W24)O+1HJc4KtXIY&Eq$RII3DPr4T
ze$q>VF7GivMlHm|W$sZgU3cTV3403_W{f!w3Q+D@{(ttS1?JH>s7sOiMhY8q3~}c7
zVqF~(+iF|kT$^ZO+_SYXLVK7HpECHhB}4b_wchUoPW=Y&sE1{nCfC!a?U?=Qhg$BH
z&UO~-Ecyp#f9>(=*r*pfq}*N&yc+lV-*Y`5Lvy<3vbFt%WM^mht9XQIEJxA;rsKm+
zFTdCppVtI>2+W+4z~s{Qx%}GeI5Qz;)(gCIWRu@dkD9RDAR4&OERaD1I9mBg`Md*v
zV{qgy=#TZzx0~_A=4cI$KHm1tFbrI&iO`Qm2gKsL=6;V+MeEec87=R}*HeC{{kk>N
z*SRx56C`d_s^AHyPr6m=Y)l)z6jOQ&!&;G1z5tx=0Cgo#^
zEo{A-=S-ewjYpjy6+`~b1n4(BHN$XDY&ykawV*a^EOx47czt8kguAmtgqe*ixaFa0
z7hk>M)wJFp`Jc$!*?m_!8s@kMgPqcb|LnvBpI!GW`q*;MhUg5ox3v9kM7%$CVOB%&
zFnh~ru1f|Cf*lE|w==~1yzg`~OValW&+&8s3XTOCoEU0Jx6>XTI0xg?A*H8xqiNT5MZ_E%UZ$n
z9GjaG!kH@x;;LN&oabJ~hckGy#vHmlm>2Nd^yX8t82I{Wne^vyDEnV0mw_2cnd^Es
zm%*=>w{0M#J>>*%p9g}-$a58!=1PbT^pN)g!Lqev&7`BN`PmE6=D0zJvIz_RaI(SQTmLfU>
z7WwMkj~?60f7I>;>R!FWVmpG`$G#$ZsB&_>LzqznH#5(`e#3>lrYC~i$>+B7f6!kS
zs7IrY{ZyA-ViYJ#E-71B^{H6HICbCZekYU_HuNbwJ`LcFaaGtfYEiXd_HaZkM`>yc
z^+A5x)_SgJK;C~q`HnNSFw`kggx@b{bU{ET`3ylT?%
zGD+c#pDr@V+3K|WjP$qgYvtBvdarH2Wn=}3m-4@rWcH$OD?L6;a{V&zWye*0u1dJr
z7F3vpO5$T8zOl@B-;z#ZpnI@#z61jX20$CbJcAZSBt(J~n#A9Gt><;eD@-s>FIg8_Cf1NJ#gVdA-J9z9P^j{&o!>1F5*Hh;6gPFi%1G9^XSmecP$INy+XfigqZr8
zTcg2^q&=wBbRJ@-xSmF3=-RgdPsJ+{0WyH}GIwOvLZE
z8*a6VJJUSrytVg2S*CuQXO8JbtV8{wulw-7?H%okiKU&2X38JvnQwXU<84QVe!f*v
z$7-_-I6Rsoue0FkXRPw`i#}t+Ji#?+49RVNaYaCf29Hxm~t5Mh-T-wRzDTyc?D+nd#ioq7O9
zrj>fJgn4&^$crWN1#MMgx;m}cLkB{aVp#rp$jNUvqAtHsleJga&#bAk4rt4+hFu@i
zn@8C$8s-Wp{%@ev=#_T<&1!vIC9b-#^8Q_!;K62#;X|CY&aAwAzekZ-H;ZgGqgv|s
zg!Hqo)w=ENtUqDv`)tb{%sb4uErur)iHiDdhwB{YO&{K9o)7+47&OR~s;S$xWjxLh
zPdR!{I!-w8rp_J>A1|N%R?DVm^>Q-%%*?cxL`>3T%1K=U*qOOAGmbNQFS#Vh!10b3ua@kX%~n|x2_8@Rr|{~vhEA?Uz1
z@pH9dUtoK{J+Bizq5qGpgm69>(@V(SC`!+@8&ec}B)aJwyl8OARMvCJ$S{Eg4BG4s
zF3T2WnpNu!(U1PDot+{RonHEM6QHzStCj9|kGF&+#J954&Yb2Mp4YMT3<{ldn9}9@-L9fD
z#c8*;tyPovys7E38>e$+&amu+#pZPLwa#HJ@9m&gW37Ix+yz1?GyF4^h
zLQ*PkEHv&sjlzTEq?B_h`HGHo9;ag4>8s%;$ank-$i
zs$H>WgJ?r$Ad&nlkrksL11j$2zOuV<-g8+X_dSBjeL{6cv+9NTm0%YJe}Qw*7}Dnw
zk8zCnMs-6;tA7q8w&SSV^jw?yiZ?P&aRgjBsj#6UWt8~^e9V^}9h=Q$Is=31H;r+<
z^{EEG0|hPF~-YAPpe(nwoYf_Vn;{jJU=#`BQ6#BG?ss}b)$xC
zt&b6ILMb{Q%rL>S0a3bqojy}sR0zVP*y+;eFYN91uxAC6$W|acu|}MV23TXg9Vez|
z;CpIUiB~)Q9?;%T)~X;6HrR__j(jhN#FD3%aLVz;bC(^Qr0V0}9!|ebXL*<%Jt;On
zvEbRcvcE!=U!lRQ261m{3sLXK;z;pM&^V-f8BW5O{^@<%_ijpj*7@SqF$K(3z24Oo
zQnG@BtAi0$%~H1?j=(bk%vO~y^CxWVj3xyhO*WT`x@XOus`}awz|!gXhK(%e_mS@L
zI#@Uhbm7Lp4rVLz6m%n0FsuUJF-jH&w*jgzB+oSBzKwn_Uq3kx2VK>r89-4C^~_!l
zmEf2rwO$+)P=5d%iQ94i*~(u-lNO6KKeXSQ9KoI~iX(s`^J19qCvQJSlYkgbe~iG{(|*bYW?uNs1^o0FoWrw%*8=C|EHga5tqMFASBSWNvue{+2z0^oqa7KU?V
z!@F2Q7b2lf7uRep4h>X2r|6;Il!Pl?W5OqU7A~%zB(s|iN3h6RLj(DFYxw+CXhdd7A%#kS8#ZZ
z=)}y0T6=pQYUK7O#oPZAZMd{FdUjLVQ2K2~K?Jj-HH%2V?!aw8w%~|BsL_~0PLQ|e
zBr%Wxh;d_^)PrpAILo5_O5NZ
zQ|@(AVD;kUbSTCyc9N-Y1dik@wy4I9+AYmou7@*za-55SBT)UKw8rFmF)xp?DPv$&
z&igYh=M34Y+BENdO35tk-jdZMaeja>Zer{h_4*}Kc?}ejI?iGYTe*e{^FwzhA4`gY
z@@N0Jxx}>Y>EJJ?SgMry+3`rMuSCFwmHuinz0Cu<@$0Wz!>cT(
zXu2%s^Lb0^rb%*8rLXG-{4<-RYG#@aGN5ji7N{%M|E3OJ)6S)
zmod*8K^Lb*@B+I%QdRgwj)NsLt3vrspjhgt*8lnwHQ4B*P7f%KM`{sG+V}Eu*YM>S
z34o5+KxC!fEXY6{QIXXE4eizBET#gHHi(qk@VALCu}8g!p0M?e3DdA^WFOROZW}VpBlHTSoEichXwfFsIrbobz_~&uvme~
z@2-)tw1miU;+`-k6h3(w(ks^)0`DPIr20aY;tm*?Br0-rM#T#%LxXFcunQe
z7fI)ytLP}QEq6fe9n=mCBP@T%Zut)^WH>@uW7<-IlL7_v8F9ED0$CQs`lB#_>7d00
z^YFe73=eoJSa~xu(rhgATwTh-qNuK}Zgh0?weRu;ivwnzkU~!Lgi(p;`tPU4V=~yY
zi_E?qRCC$>!&>qOgPoC_M+F&v23S}pV=<_?RSojhES5@DEUs)iR=S41g0%BTSv!#A
zbv=hlRulr&?%uvZ;J|Y_-4FrdLBFLa;Gmxq<()EPNcq|K}8R9`B0-Ac(z)ty_XKv~;GT~s=@>*KWyRF*(ml2}J
zI4Csc3eDR*-oII8^q;W5W0XB13XbZ}F6t19cJc3owogI?{d6YEfS8qsG&i9b{618Thmcz
z1*c2-+~(o-OhJ^IU8P@1&&J%e4T}(1-1$Qm{CW^>)aTmMRiAht&y>os&2i^IOSMcG
zfvv^s;%|^-%jt+J@8yYK=FEV4#D!>&a_;nB#OyV;L@{vd#2n*Axc!A%&otb9z$pDg
z5D)~bGw4No7!paN9MvTo^$mSzewuP~*FHzw1hpT^-sZPCQvvQ(RYvW2OB(TAR`6?9
zAPd)tt<}{xI@eow%Ik76>>!r%u3`2Wr#x@>e!1V_|T>70(fIgnd`EM?S4u3RSjEX3rVQVEr;<9vd6W
zt*=)jB`qb8(b(q9pk>Qo5Mwc&ag8Ug+R&6NaxfijK6&ei6_N|tr(Z!t-B7;uxDXVq
zgboGssGpbZ`~Ui;raInr9F*xiH#FR`MxW`$55elX_#Ebu8c3RGYU_lo@HTfCu49DoBa`x%
zDfexSiZ7~xPFgE`l
zj3_@GBbcoT%jakCerigoTmKF#l%nBXwhf7H-FvRovMY5kB#71%(%Ei&lLADu=$#39
zjnpdIc$(<}6T{_E&!pt2T($VB&Z`8ykJZzWiHl>K-=BeO?S|rj=G`4U=0qUY!w6GA
zD-6t6i||o%HhwA_R{Xm1OrD5}hO)e`uzYMzRv&a3W=um)%8Y9ctJ9PThQQ|Qs>DH7
zAZ%k(Q+XjFsQQM6c>PNy-eW7*A&R^Mn?Lfj$}N(Co=b1AH|lMEoANt0TY>S|7)3&I
z+uu+t(z2Iqr=U10uymJl2b_n#Gl=0Giy6D+r{b_+_a%gcDS%^YN?zS)vkh0INM_hP
zBI&P4^%~mrJwyoJ;1iDROljuFwhOr4{=iAZ!5ufDFk^cjF{-|6j>vAq(%`nX#Gsl~
z`%ydXc=5k&XT+)qLvwJelzU_o9hRzjC%va=Cf5jQ)27zml67x=u91Sib`w)=xU>&hHWMq0<)mBv)^_Bg8UW*_V|l0^zWoUn4%W_kDws>0sf~ltYVcZ-lylx3EZ!730iOP;YH|lY&Nb=8xh%=
zl^cS;*lyV1t7^O~XI2jA?dcf~!Dk}wB=apmuV&qMCAH-BE}PXt&L70U_j80=O`zJ=ljA$rvjPpCUHxxqI3_mdmv6)n(W
z$aFYb8*}S;&nj3tkAw71phao4lTV{qHCn#bUhAp(If#mu{5uUet3e23K-a{=coG7a
z;aA(hiASF#7RPb)y8XzutG8Fq&@ekLE^bA*q;&P@=!nf>KPBWPYg$xP6wB2WP~Pxe
zm)!KDY>l=Xlfzh=nYS3o#oPqZN%ug*S$4WvnP7awnhB~MnE1-JrTEL_hyw{
z758})Q1;7_0^f3{dmrpfRFpRvXX$dML=X^
zJ;BY4B6=O0+~URF2ygs}BjkOJFrKsL-u5#8$QYHWy&Hy9C&WJ{Ue-dyA2;i(<5)z21PTsT3)prquJhM~p5t0AnDtv>5)
zK@DJ^vngab#r*u!`nv6yKKE0d)?U#?bkFRv%#QCbB=0tWJFrigABm8zZ&=<5wcw)SJuqQISPDKrMbhpVsoqSkAJ6
zsVN-_I5TFx^+YLdK5o4oUAU1_{zk!Ct4>#0Rh5^X&ZnX>6ii#KN`Wzau-s`2c3eVA
zs@O4cWK-V8rkstPJ?iUMblVWW-)xmGfn@6Sn58NsO!Z?nJbN^*q5?lF-8KD+(_cI~
zKBn$Wo9mpPE9lrlM0(ynpmcV&an&_Npr{f$9aq&`ZEGWbDygq{?I!-9^L6F#*@-rB
zXAl+{On380j>Z8nRAa%iUbE8pIsA_oKuCe(DZJrGlf&+b)9TSVl#mp&)V*C*R0E3+
zClP||FYxpa41m>6?ASvs>2g>9xI7uD>%x`Q?
z2N6Em!#B8oWFpl8_0Wq}VQY7+um;Qz&LigZ*&cb|;Za`}%M|Xp-$>DjM!1xfmqS@d
zbTn42`cN=w_0;figp-pKKa(5Ed-KNSSVpp&2Dg>P!$%}I6rQ^p^~WH
zsARLND8SCR)75H+Ut6NVZWFRW>picK#aU%9rEC5(G{n@JuFefdWq1N*EUy1V!lVy7n8cyn@j2?j!N%`{M)4lHZ0%1RmQwO~_kMiE!c-Ax&GbL3w%R8ZXJf0i&eplgv~Yhj5_dpiXtCT?^z)YjkLLn|LSGd*Tc^o=9IMKwb;QEQpBDh6}SIyWc}^V
z)&E1iWzR;~sd)1xjD=an6)d2t`;GI}6e89Xl$0_`N-r!mVr3+TsX8uSF5I_br2xpsdy@9s^&`OWv4ArhdsdcE
zrGONn!zq|$$oS?h&e$t(O>inMqkU--+ctTAyn>VLGAlkFZwulEQ4beZ)q1cSeq0{G
zWx@6s?D9uMC__Pe`c!O6hYikS8>x=P_-(!J^0pzp@zSUgjd)~DUS8fPSWaBrMqr&H
z9zOoq&Gn`2T3@U!re{xYFLb3-Q&ZSkYRzWrL2SqLajKNVIE^YihR61r?yiS+oUD$4
zbDCEbcKXf4zO-gMvIXs_6!il(?;7d~YvXnvE_yFM1V}BFg=zBH
z2tE=*Z+Bu~-R8-GyFz4}9BL;EYr2bL2Z!cO80fxkv81cI?@r$)3y3_Qh^AE=ot-TV
z2-pa$QLKk-Mx5@=7bCqGS4x?wF#ZZ{D;gU3>3ZW`_QCmLw?ewqm|NwID)}L4Ij4bL
zsqXmG>9^R;a-K`sE4^Gq^*NaB!(e1D`83$fp|Rg!;!P~MoO$LUFtT5{HW%l*ajnhyI
z;$e^ho!dYwzki!Sx$))c&era(qKphgU|M-&dwT?IF%u(WMG>gSw$Ps#8yg2jv-Ew~61Ia|nI!jsSeGa-?yV_$JHovUnctYLbC75>Dq&907odZ}emF%)8Y
z`!88KIE@cqvzeMkuATtFpsu&KPkJOv^hC2p4^-s6=g=sC$)JR09^p8s58(Dosd2_u
zb=p+wp4!lCVv^rWR9^tcMkgn88yYwO(na&8IS*K#&1!O*%idqG@h%2l(kGKuDPp7AM)z0}dfxbxL^YF%Fy~NWW_$Td3E#4l39mir
zTvOiAXcrBIq>5&w$>;QmT-A#@dTxqYS4{?i=!KJF&m#Dp`ZJ~OO
zoF@6Xz|XfV~9?XY>M2E9Ubm^wvKUVMzGQ<%nwfq5`|{`_6xtCT+q4Vx5)5t
zBA{oTp4vHb_%l6c#YW!h3MYXAVXSd0-?GkS8PGypxRT$!d#Celuz_~2ZK}da`m$3M
zlgd$;*%?A_FQkZg5(67*Qf?@{M|18Ys)3G0D!~n$J#2N~t$u+E2bNoAVq4AwS`3W(
z8fV}w$sxcjK{Nf-5}boT;|m1nfCIlhBl&N5q^`Kb1BvnZ=qMM#rgE{)3pr#KNCHB`Yf`x?(>H)U~$@oE#r->@T*dY6`8J7#L)+v9UpUM>Tt0
z$ZtI~WCUB#U+~!=!hwN-Wnl7ByPi%};GPeRPHYf*8l?^Q)7yrBjZWip+KH%|9JY#!
zD08lEQfgm8rJ$A6>nQPFp0+g2i|Owmg)LpNt*y}AHULhof=vptMka7G_6&r|yE|dm
zk6hCnaJ+Az3&KYrkdi9mk$X&(<`>@}1-xfgO$gZ7pSPuc&#h;i=Riq8Aq|Q&E-tQK
z^|VB1ZR^ZT0yJDsPESp2@n=J8Yipsc2e9my#&4z^t*m5xQSpZt+k7#R5$5-gP^F5h
zcF(^YR_}%@(7W5~;ZIBlBq>(u?tFzAp8WGWp=rPGDRV`YYcJXCoVukIu}#zQl^7WR
z`#UAq9m;}%UH@nPns6Z1-u^j0Qf=s&h+#Y&2WanR_UFaWGgrVXRl%}{!
zmcC(U&yUe^QxOV%)wm0bkh+SKcr#VM(nAGxBNZm(#bcTiT@SjXLv7^I39mTi{{%JI
zZSPh{3eYFKFHf~yg?9wr)A)AdJ{1&iCN})*#YAy#W4+3XEFR}%6f|fA>Gs(pK+ce@+6t4B>Pqqi=tBh@pd!|0VmDkWH
z+}*V>pQ->Cty!>faE740=k&LV!1&v(y0kQ2=!2B$i~VjT4fFSZg8%;02Xd(-^$A#n
z;)AsbFpTevRM{%0`O3ZbXi9D$w$_|FdMB0&u;faoU>YR=M9YDX@$R3B6_!7T-i4j*Jf5E>TuELLiUD&G_vN;+GA6GANQ6^k
zR8e^ix?Z%F9*MtxJzmCs_(bfnh|dSY-gp*z^fF}ej|(Uw2$BZEgh-6BG+v#|%)!Ct
zX1YpIqNZYn$%13cDkEt&Fkj}hyCEy
ziR3j5{V0_SF%5=k4xFDiZGu(3?Wbvxqmo4Zp-^@)D^9fGmkrM*
zh3MM{4lEvf)c9Zgz}H4a$p>;`;xwZ_CBqN=HXPDY+SI=n3%INtMRJ=<$1~uzkM`2#`B0%4EP7!$}W$RR2tAjR}(rV*0^%M?31sccXu7r
zWMRd$s**f@_^KpHz)es!QkGK4#M5GQ^V8X+Q|z#G4X!BS5bL{;)!+>LR=0;VgZ|(N
zDE#*y+Y=KLM<@u@3m|=b{=vF}o!`oca{UR-s@t2T6Pw2Q?|;Oa$#sd(bH+>8r&+1mxMx~E-Hxrq4VTO&7d?vMelo%BpTq56zYzD_
z{#3I}q}CR^7R`-hXs+|wYrM$H;G8qBP9dfj%HqfHPtC>Q*xOZL^O3Fkw1a)dl<9@`
z416UbNT#4adlo)3hZ4Qc|CT!Coha1+?2Wm)+xb&{@z+liC4I{c2hu7lF)1l2MLQ=u
z_s-Irn+fP*kn;2MiHb)|DveA`K98ArPnw13wEjYS4EN^!`^VWM{+XHkWHC|^QBm;m
z{XSDusyXs`B+1<)Qp8W^TgG;%g7W9#WoUQKrttZPC`r5fyG7*AjjYlEsZP7;uA)%*_SF#E>9tiNjW>2TqL}o131~I~{8V8=W^>
zCr-*VSl}NvvJVAW5DHiFQ&(5ljo-h2OvSmh1;fL`mrR=FNcxWhee$kIs{w3SW0q-h@ZSm>T$-x^q~~FZ1<{-VuFPF+ON1t$Z%N{7KX?Y
zuZmC(j>rW$sObg=8B@r9CQPX;L#97Np~4rSl=6UQgPsVfzn&912lz%nMW~*XU?Rj)
z>5+4^pJcLDV!*-FoSs50cYP+dQ5+My
z^}v}3*w`>ssG5Ta^V!)khuGVv=jS863UxtG%*@OzncktGd}1EwXkvnh>I(~Sn{Sh%
z^(6t}{GrTa6UVs(nViJ-uZ{z$!Yt&yZl!`40$07JsC`9W+=h9r?8sg<N4N6`4Dyf5w5kIJDgAX0xTB;*ac|ox8W0)sEYZ|c%q(Ti2rV$1=>L)M1
z?>XaSjrvhy*Muc)+jX_XJ2FHmH#e@|cFtX$R>@fa2Z5RfEeD<-2v=-bSy{pA-`lJq
z!x0@cGpT84G~OV}>@ysNJd`J#a$02>$g^T_6pD;I}Oll%%Y`3iR&
zm9aepI7h^J!R0rv2F{-iGi{gs&d%sJr@vVwFV^mSF?DM>A{zwW0m1wY{VMLWO>vWd
z?bv=X*?Tq3&*1UW!u&F(4tE!(>2EOD-(9m}8M-;_x=eV9`V!uq6!U#?P`7y4Ym@ek
zNo!w3WV^WG6h1cMOLj#C26H?Lh@^mq8xaEogN0A;-@JQ1_gY6r=9w8Y9u*Z;8ahn}
z4GoRDyO$?LK-uryA)~?3QMmlE05B~~8MwT5Q?L2-08|n%lX%u>@X-*KWZ)W?4zEnw
zaeg99(~TvgiM(-ME|@zh$ESZLRIAVJ30ahj&}4E|cx-K0@6j;^$*bBigmNB&Rr#Jc
zEsf9|4*H&+mT6qm^f14bkAucCTC#rNXhE%LZN%S+p0Qc4e}41|5&C3l$-17B-~_GD
z^)q47hKB4aynl%|G98}8mw(&4Eei7goDaGUsL*b1H@Qs~6l7#%;Q2nSiaM-{2nfJ~
z=L-l3NQ2={2(!W@ctx5#OsT
z{Za{BVCqJn%g^50enYa1Xvnr{eD?E1a3*%`2Rnn7mnNqB8MRa&{g-2PA4>SpnPCLE
z&oSV2>u(&dPGCCU;vqYf?9j-Ie4-NIC|8V1-#dK$@LeM%MM%zrhDR;nm5ui?DRI}W
zgv&zg0&!cGMb`<_()+Q%YlBXf>93o_MI@`7U)rmw;gyw@Nv<-rz2)FQ_HFY7Z!ip-
zc>LJ|+J4QLS5{W|-)j7>aXEkY67>-oIl2Bc11TxIVm@YnfB)bngeUpTfn#H9i`U+s
zrK-AGzqd5Teg_fZW`g96!C2biO)&|n&;{nB;)1FDo;;MNdQCpg!}Fg7_q)RwFCM1(
zQ6Gu%B=^3_To_WD4oj1|I^-Y>sCmzdKaN`|>TN%%`Vo0C*-BP1Z^&b-l>=Eqz^&8u
zrSm^c_GiT=Sc-EY|Ee?6P@B#wMOVlu}yy%-r0Z2*1-c
z?x80P!lOrv5Vq0^j0VD)OvQW|Ev=`ZD;*ynL(6>{g{HgL_n8D2^2@Bu%%O67Dr%&$e1_ctCv7?943=Z=Ta|X8J}?US#gbSFC#ZynT9K_%yJF
zwh+mLh>&l1;~5OLt*V36AI<^B`28+gbKxO!Ayy8qdYDj_hOcnDT+<#i$GnOoH}(bS@mT$^^wxUKC`U=&p0q%0;w6*ziG&4Ngtr
z4qMG+cds9%78gGSx|XsU(lx4Xp<>|Lnt^hm;y3Xu=%aalfPsaD{lu22tf?7oJ`di3
z2EY}_z7LNVDYi2+NkJt-Mnxq?lg=`m`(~GVMzG88G&xJryxz=fNEca=O!4?nb-VL^
zbIk6KOKUf{{PTzMe*Md7@H`%sc`xZtP+y*((3C%E{>Be#CbGDs_sLbE?N|;qou4dj
zfX_^YeB_#*wvL<3CPlUc`~nxu`adyBdmp0_AVv`-Ir1-JyTS%^s&mf34=^b5KB20Zt4K4!#RkW)_yA$w~jYIZcPQ_jcfxSDQ&?T5j$W
z)k5ZgC%SE?r_5jj2FJ#{3kzu{Pig7teL<13va%8$kdl;aUHr6g2;Qo!?-$)rPQZI$
z-u$RiGAX@QZfx6u>I_F7k6h;v@8W#S7FlZGqiN?Ou>N6Loo$H!$o`f$5hU2>bija5
zglHEiOxDB!SvK6R=r+`;$?_3|Sr0H0+2=8x_tx%Oc*Fy8C?pon>x@MG!0+oQjs>pd
zbp)wZ9dfX<D_{1TGG=T{p+=n!(4MxvGv5X}5)xSOW6;;$o*8%;{rdH*
z<_5tlF%e(o6a((T-&Wq=k7C@vu|WZ9PgZuee)lI_1Lqsma!z;O)_5*&-f2tT%y2v2
z?{V`%&9S>5LJXcs0puv_YId!;k`WvJ)j*NWN2ki(Wuut`XSiJ9yw;&}(uaaP&8S>4
zdfBns#gaJ?9Ug`TW=8bUJs$Bn`uXcYBk1!uGKGY7Y_!-eZ&}F*y@E~JoJt1~#
zvUyac)Ipj_K|$dGIEcRfN@tf)Z)@wr1W9r_%?9l8p?RPJfKCob3hJiCu0wTM*~6G#
zZ=@G=UrrFbz5+r3gi}ykh)76CHjY4E^6~LO^HNzkjMPg94pVggRH)1J1`V!~gB&Yz
z!(d-;uDola<9tuz^C#5M#o+IYDFab@hD)jOs;MERESNHX_+@@@U#-{{SopZ@2z~zJ
z1-jdfI;e=yuc4MF5YXi!(okpy{B?c`Zka#tvH7^uV;a$O1SWjHc22`Wm$@WHMn*op
ze~FEck7BA}W%c&A9eYnt545ZG4GgqxLUfFbgsbY?D^+QM+V`a-34hA{Gn}eS9x93yI=~uh-#QD3NXmG~l*y;ys%VJ7gUrgHcIl?db^o*ac
zoKc~k!#;q7O2E0&(Q~5gm8mEvkw4}^8&p;CiMd3G3bCG=d-4wm&iFwP3ouAp&ZbfI
z6|2X*9NVL3vxJByK@)B-9z;>LqCDKVP{gxiUT;+e4Xqj^fu^RWUNOEv484|5+hWU#
zo{K2Ef`hxOvNel++jTs_zwc;Qf2@lq0{^yZ3yYp;
z60BU?+?<-TW}@=L2Oq++#W_uJTXiSb!}I3C^tll=Zhv5C{;vJB#Bh$Y>F_5@aicQ9
zQ1~^MJB<6;vQkOovK(8F@gZy%t9_HH$|m96fmkown}KgI!jlQ+Z)%2F{fwGVDo(q4
zZD4xS2YeNh^5v;UCnnNCA&89)mueL90%-5mE9isFsBgGS0iuwVg#bz#=+iRd*z6sh
zor?f&F)@)&Cy{-9^0zUYco8V=9yl!6)ep_iq7+Y1tA!}9ofT>Si4FY_9}(Dd*&I?4
z!A^MMy32{jv@x0Uop$XNN5b{HpgdZ~)?t5snJ>=AhyDYRdWMS{r&vZ~!;<(ZztUy$
zrPbs;?r;>VgbBi2d}u=`X(`{;7cKdlG>>(Ug_03B
zRe}Y*va-l3Dl5IA6&w-nAvQL)2MC?vVcD+jQ4=O0sSS>g|6e0s8qO30S)twdo$%Z7
zF$6#nuq%A{yfR>jiU88-=Em)hiwIMrnpWDkH_U&o-N3-Q1>}&vzCe|$jkPuK##pWO;XLNur`!S@0Mx|0
z&ilA4nk31*IB2=`jDS~E5}j)A@>aXAD5haOkeX$=Ju3cSw=c#@sSXMEJ3XH)n~~Md
zpTmZt8kn;RMqbR;<`)>vWpe#p1HzqsWiIYT9iETar)XONlt}yMjDFmoQTy_=zm6Zp
zMoHLhxZhKEtZQ~`_XC?ww^_Y+ses(y06*^*I6^30lk$)r9IZAACp$$+O|JnsCPRVMPdb;Pi&`;mr6*>k@Uvg&rDq07rCxFho=vk64tff
zYJ7n~4e3d3szI|v4gT2cyp!X?gZ618R&+*QF89+rHVG#0bBD^?rBcfrVdjG?sgw@7{N
zG`*^ls*t^=LxxQ7iX{S%-=HfhM%^=`*D*hCH=*#lJ1>1!7G)s<8cDd#Z1~HSw=d6~
z_HfynRYDIBt^etca&mHD&#>|EkW4j1M4o`|C@LnF4mfRJfB$#D`5YYH7qDO_@aK=E
z)z;#G8cZg)Up5X3!<{~6v!7@Bj~4*R)YP<0FJ&2X{-VCC+U+G(rDpW?Va1UH)gBJU
z_L|;gD22*(uc@WB0c-BX%2@*Y{E6jX3LXJ&B0+;+OsIa<2Bs+oz{om-stp@uDR-eC
z+nlai-zTp`R@T;fUWk$b4F|OIZ*g&mrW#;h0ZBzfM7$%Z{|60sjQ@+9j~zkh1FAY8
zsSX^kCatAEeHQg9t8em1=pZM`VJ!QtQk2|!X_L%XWG51R?HAGSO|5jWyz2%wH_I{!
zEYk|q{ktvoz6)&c%=FpA=N{G6iC%s%$;^*p23**ePN;4XErzawgZwkl1)jywX+T8`
z(AMNifWiShiBN^3rzZdum$%H!2mq_+D;4)tWlx&<00~P@4jo8XgX=6TEQ_G8jf}uT
z`x+`@vZyY9JEyy6Uz{(|V-uCr0+x`aMpk-4zP1rKzt+X0NBf0G#Vy-Ml=!O^;xH84
z_Dy0*%Tgfa{QNNP+ZHd#JrVd47($19UVa(-%HL88Zz}~FnoQP{!-~IJny4T)&xd+?
zJ^*1^0ANIeWT9d@0OH`B!2}jGVLSl91_#jqNX5d!(wk=a7uibZd&Lw3breb+_x56T
zl58VhK_jCsyDmz}!$fz>
zTp=7dw*VOyNi&BEm1ebtlxT7}CN9=>(>UfQCwVL_>4C$g6cF7*w*OISp=-Nxr4N$ACEfXA(!(?4e&1103si{P84$sb=wu#>PgVS>84Kr6nD}
zOe3SBypOMrj~T(H3JMA7_kI{!o&DCa(9DIvw}vA>dln9b?Gh)rbB&|e0J1#sq+$VNbAu~N8njOYP<1ZSv{&>fx7r_SxY!%AbFUj0chsK{Q
z-e$8ELH@keO-&(SP_97@%Lgeg7VNJaJM*MFpyc78ZJoWdNqUsr4+rcqK^oPKT>D%$U0i=2Pc|1a^KfHTK|VfM(0s!H)IL7{K&28M=E9R2RybC4#IX(OA1Gc(9Qpp1-+1OlZC7l;Xd(sXm9LsJ*`RRE?oBZVpKx=#C7cC>_OEC6)7Zdvuo(&tx9n#~hDsh1w_#
z7`r@@DVt`TUL08i`n~=-abMlWTszyp<<6%PT%y1Q-5j`>pzA79uYCwo)c?u3WF6Cg
z5ZKd;E2sicUq3W91|Qleg6{h(#MX8
zqM5wFB?CROs3^=Rvr+>H1Ov+`BpN>l25PhOsf8Oj&qWH+_A0pfA6mQwRT#7}`he)t~@lzoR12)GA8mEwxbW
z;OFe76ScwJ;DM&Eg%uy$5eox5Vom-vmg`(0bI~zAW{ZkNaV8Dy^Wx=Kyc$cAw0v9&|
zGzHO@t9yUaGEVjeTqUz!^ZVyhP{WdWy~0zQ78PPevHwei+gb1S29gFOLR^pO$e%os
zeTpLl9y!eX4P0&89*XqWIToRvUchSu20XgX?8nau|0~r-*!*DoA9h=1`7f5?bGq3Y
z%ZDlecz9oFVM(KZ*L9{aybx??8h`Jjz7rAT@ArHnwv_`CEJ=aC%s5j7fdLhOm^k;o
z>c6pHp0Wz!&w!B`)M;8ke^&g0pTGpd9Uckt1s`lXn4#^TyATxv3j%c336g(w>&LC`
zkL3d>Gza$G@%r}syu6R)lhV@CXv0TP_yRC$LP8{1OV%(uH@)%orFBva`D2;q@8!NF
z)4*StO5Q2%ylC|k+X}<#k_URMa
z-J}Ij=limWvgvo=Q2h^~yeXOc_~|*AJcAh}2puqahKCkS^*YECfL3j6Yyfck5p8&`
zV1)erc9Jaw^ls$-IOx`>@d&cX1|t+WRz-$9H#dffgMs{=byLXR#}76*JH%%S2sCT1
z02F_&@xpDx(=LurO!NlCzN<@E+1}s<21X00mOzyGJrN`X#=~F>Y8(!9lr7)9_Xi~t
z;2*#$K^6VXwRd*;_RSm6)4c&$R(U6FP0_Sk9x=`xajhF0fkqk{*XmLu*bxk&b^3Muw1t0Wd}Z??)3A@~>it3YFmNHT?Z*MCySHA!3Yo
zt{B)LYmPWlxNo-qs&b(EsjDM9YJr#lzDpop5HT>w$#ytEMkINM8aXVQy6I@?kLm7~U
z28yE;D1m=<{{A(;^7g>{W?G|O1cDh&Tu~7VV1E-+(^T2q&s@zwi3H0ANEV0^0ODKA
z=ALw!-+cVB4KKs*+%W(>F&7iWqlnZGkBVFg4(R_mH@N$qk_FHNspJ~y#Y!lv&r7q3
zR?I%Q2b&n#cV%bD%0i9}M&{k2@lk0w?)g|M?(Oq{Rm^)w3Tn$u1H%)cq0Y@S0^!I!829P~zeK86{+VALDq#65TVVS&yDI;z~Ml@!gcNtWhYRLGCXQqr9@Pv(v^6
zuCm1x&TmCpAuI+N-pK}dPu|-%1$O2@d6&%0y>8XHc)iY_-Iq`A)v4$2&^XQl+b{T3
z(_zv-@C7|F+T$+`%;e;c?qzv2IHD!w107r26KHzZsi|kmrUK0x{4h2)mM8heJpurA
zI5|0n6n03aB8x*$e&)r2lUEN?eXSOBM`(M^K2LsZxfqWgmPw;T`G5oSD)(;oXytpy
z0`Z53EZ)MDP$ha%O!i@2hh&@_S-L(bX1}E^VDk3%hN|Q_Ibp|B2Rho?5AG!aKmrzC
z;|3!DrK3c(P*_3&<)Y!gZJ$^SA?+(507@Py0S?#btOGoxT}OLJ&otzcVuG7`zlwJH
zRh8eT5Wkh*{VLiKKIB6lr|FfM7kE#6B3n996XU~1Oy{5nLleM;WMpK16yr#N2?G=Y
zvawN3Cpk5Odr!1L?|Oq9%##cyS$_kZnOU!w2lAXxkW^NTxH*bcq0!%9gcJvGADGBh
zG6~O{ioY8C}m>6hjQbsi;3-Z_sff%6EI4WOW<
zDCUFl^?z6e*Q7O?Hx+3$PS(}9--KaajEwHeW-tFx%2#~$l)^u`axK!e)&
znYedIb#FDJczNIUQr^LMgJLF%g_m31Qrry!XKDrSm+Gs@GghzfFoEr#0UO0eM#z1p
zn>4V__m@vMHPKBsK`lQZN(%~*?<_x{J|I7R%7@{&!bC}3xnhT1ZUP`=K_XwR8*V4T
z?N9d({|u^u{*G9xXTxaHgu>EwCzP>(K1qB`Ij`B5>!T@JWlZ#3fGQX_C%n_!@_I&bLfw+j@
z#{0=!gKsEK1(xR2_@r^FV9%if!V>a*{RY`EM5!X?{D{Ajb?Kxxo%^%BE-nrZ4ipRl
zKhWKi?F=-7CefJpuLVP1Z|cJ*{PxGOLm_iuyljqntviyhnh%vH#^bfR!U
zO)=X4$dT&T;%gGX6Ia$`6=Nh2^V8d(1Rh~P&o
zgCTESJo{YXe}v6z;1iL}mA)U)1Lm4C5SZo%s#q&Pa@yKF(a8MP)WFaKs0IJ-(K}M2
zw2$|M>skA&`;FERs&9YXk_SOe(<_NPm-M4@{jq&QO`pDe;Hxi=Q4g9Clu0u(zMh_4
zQZ2-~FF0@Fy^h&s*0I7`ADmzUNn=j|yW#Nc^~z8RjCG
z?4cAw27I|d>jo=QvMAs+dN+``rz(5TRb+Dhz*+-PJ{1T+aN_6Hf=;3jmKs+>w0aOQxzQvhw~wHsiQslZfrM=^1A`mw#U#+8vf
zf$GAnI>Gm{+Ok!0@i~4z2Mc>R5@cZtfiwQ0JgcwQ*bxyuS9=eVE#eiV59>rFo`|@N|G2~)9W?9mO=xH
zr-}utCc#TZHbKUJcDeO_mrbAmAWg0BIwj-ee2#zz^J?XwX7T^fvHp41o;8@b0Ae90
z2g~!Ai>Dq)Uf^7T-~ji~pM6%!KYyia-d8mK`N2i~aKfA1>X1L8CH|jk$wygZCA-PV
z`;ou$ga#LygR+LS#{;!^rPbX3au^tZr5R!Lfv-kX?}06@V!4~l@T=Y}vVzNwkK+YB
zk)k;4?CbytdINXi#YLUjB^D+o)Kij{Mx3#32y9Xy`Zy8>zq&^*z(paP7ZQA}==6%^
zj-o_)CXmKRjs&X&{*p9_>R%Z_{l34~$3>xjh}>8^%EVNMDaoW1ddlUAv4>`&Fz`KR
zGLmR=bMikk4cpNQQ$27U2PCkJygbJ65fny)hW_na7%gnLY|rim`ePG~AKL_dSCq$8
z1R+T`sLbcCs_0t@;@LkGzr`jE!aMy%8Mm#^p(sQBzO&YYMG2^!_OZac^*9M~Cf$Ag
zQBDns#pL7Mu0Y`${KlB3$~(c{iwib@34uGWw7i_8H|aCsLSHNcRO7uH>vwfM23Y{?
zVtU;lG8m&e{1Q6Ogc>wG2<)@j0Y>Hzr|9aFX5(edd`R)2#l8^QPyXlE$4)i-G~{dX
zjL*#LrY=mBhC9Xoz=to`{@LnHmSM>%oqzj;@v~NRfwhXJrVp4jwzR-pxjB~Qg8BRZ
z4isL{YkmQpWoapm2FFiFK;SZlD2MoV{AMU2CPik)Q7+Ko(=hulIL8d=zK~B*1I)vd
z-ySV)`7V$L^B<(~x6>`ne&NsNUsn5Y6Gi_~NX@S{O-h?uV5`}Us$j#?hp&RD_Y&9S
zxR~$5hvd`|dfvo}gVulU@^`uppfhw~{vBc71q@HY
z7SaA*7$3C&m?IqHJa!X1IZ=sCutFZjLEx_dmU_Ra4WsJE;5*1x1-p_A<4yhkR_|N6
zW7gl;RHQrPh$b`}yFYXm6jyc|zL+#3WpjE11L6~qp$7+6lc$W>$bW}@-#k~Pmo#uzy
zCaJ89PCPt3FThF1@|EG1ptxXeqX@(Fu5oam9Y`0NRJW3
zH(zyB+*(9lBngDODQ9I&0AvK@anNvqeX*;`Qcw^9AR}vLQ~?(b9BclmG1DA+D7C;~U~%jN~0~
zhfyDJG$m5__`R{Hk#XCkG|QOtsZE;~{D67YwD%QG-XLguE>L9t9o0kb4@DNT!)|WP
z1W+vtgf*C#WHg@k{8!gksrrwu-!peE35g3*seJQd4&&eg($9t~L2}7W>Gxd>LL5K^
zEUh!g@_jVLRQRO0RDY>42G#v}eR`Nkf#Cn9u+b+nkh{%kit`)wmBfdz)8suaTLijX
zZjXaR6?uOt5-}FMaVMZH0oZVFaun_Hi;-a`ia)!`%hKf`wuL~
zt^qzK3qZDmoxHciVJpqFU$#k}n>6Fd*Bt@{{OW3Cw=3k(1-xVx@S}=PZi`Uhv;4Jg
z7z#yA8)CdZM-cs6q_wP}eaIQ78BB&BKOzHDR#CD1W&oc)1CW6XX1Ay(sgJGC8mg=Z
z)M~QO&m$Sf;+j}f@V5!bFnGq|!g1fk{R>BbJ;S(1k>6Um@lr@%pV8Rf3CifhHJ@+X
zacfk7fR0mXZ9kCf)0}-04xI4Fv#o4WL<~sI(N-EtM%rZSIsPda_yMGGIzSf>Jk-Qe>8*)z`T;
zW}C}aQ-E<)mftUFJ4ojr1QPno2{i!OPQYK~@!09DzS!j4eTPn~RjX08{H!u=q@E4O
z^X8eb>~u;z9--E&{4q-rX^g*@#heT2&FE
zChWnEZehpVC-xzz!en}~uA{!NvaxL-S72zr{)7Tt*%%j&_k{4FSOR=7{@P9}$O0-z
z!+Qgn)+-UeGFiJmFPr>IQ3bjRUMtfUUf_L9bwWG6z4z_sxNpXN)Oz@u_s8#tQWRhU
zzWBbhX!+UFGNS@eJdKS<&W+LB`1IvK592$4DXt4Q=Uy%7e+%I|0G$jojz@e~6#2^S
zR-+*Dt{`njcRN`ocPgRf@~7s%nE2P=2Bd)s(ugyoiqM_eXR-oL%_}X(C+h$ztC6m~
z^1z*ba@el0$;)}&MHJ!6{@?8e`D(8(b+xp-033So4ONR7UA?6T#A
z^o$lEbrY<6cZj)NvQoc!z(J~6wfUvf{{$Nr9hcUcy;jNYwP0)WE8EJ#x(6+CQJNp
zF95;9SsGp3W=*y|?Hk)-p+&c$zE&}~bvo$4SAcOWXe~a)T(JX5_W^B;|2^B{`w&Gc
zUkjCiDr*V~9`i1?8df9au9<^j$K)dULdWW%k^Opki&q23%`@{xhhcl%b8+r@t~lpc
zPIZSen{)!bw1U60?0il0|86{d5NFU>)C
zbcN;{h8KE&#gjmKTGnMQ;drC!DQv0of~$SH7316|W^?&X4ki28
zr8~ox1niun3nt;5S1N8-j?D3=MiyxJUG9&~m&F8}exT=iJ@>k+jb9DB33dB)F~L}g
zD;vWY=a!6g;pWBJHk{UZWraYrQY-
z`|EHO<`eL0<~Gi;;|w-}9lzaXGeoIgfKN}ABITo&S-GoWs8#}4(hr}1vdi3*B_5t{
z%d_&$Ccoei3Qi6Y;7~}8E9;>9Qf{8xn#*v`k;%HmvhuEKlkBeU-c*6wWA_y=oDW0y`xQSZ`I2w*Ov3H#P_9!Zca>@6
zhMCVk|3gk5|539{b$=L?VL)GVIKa3iuZKBWD=#2ef*3NaPGrw1zoo-;Jus`-)&0Ri
zPxU2lG^z4vnr-%v=ZMk?;nL&P)X#Rh*#w8J51(zl-QNNQFc1iq^FR76T9`Ii~OSonE2Q^r7z@%>P_hc5aS<~kBZl&pY7DsfzI8>
z6|P%p7cQ;b8&(hGn~!Bd`-(w-y-K_&?mtqCzSI!G9B5`y*&E#(_<3}4nE7!H`g0aS
z=k$Qh^>>Y?H&eKBhj1aPqglKRpMryXNR|h0YL5#di@JdaWn*spGo09MYQmk?aA%Pt
zf!0F>5!VKnTImL951Ly(RmM^NAjNcGb2C#=lm4Ua23D1dfYpxH^aIwNNqDQ8BlF`~
zjk3@MvuR^Y^dVrsuC1}YNDWwZAoPbCsPa1pML~KgWtIES
zy`}{=)E~;tcjrdHFSq0dX8~hX%A!n_6S;G|BvZ1XNqPF#e;T=pW!c@X`>#7>sMmI@
z$p@$_zap`R?5Ka18p1?zM~uUlDF#c^g#MUkqJ$xwl)|}??;&dx6A-o7##^NkSQH3o
z)n^fx%D6Hbu=LFT$+mKyw4*+r8+w>;RC+tHY&2fBS=h=ru9U1Ga*%gv1QI+5ylkhp
zbCeXoF5Zw3pbtlGLSVGiLx_9$Y&Li>g>FvaoMnq7^*)?rD*F+qq~u>Q2!A9xN7R3!UnZqtFel_UQ{O>vZ8UV%Oi-ugUuA?0Qn
zIl96bzUsgPPV4lQGpal*o8=!awEf%onpApy_Mfal<7EvvJ6l
zPm*aaqkGp|dN#i$0sWH}fzu6Ve*#xd49MOuJ-M@OaaC6Ekn{kKhtGmSDL%8}(Nk_B
zr%3xf)fMkN;#SaZgGTFuE|`!c?(%gS=sKN~(7%w0dtmXZqcyWPf^||nSvf&3=TM9A
zQP7-og&rzspUx*Q?e
z?DYBp1+`2-{^v%In3``waMgs=d{&gUXYWL0cLh)MA$QRFi83^JL(#Jf!rg%6cX_J@
zW3Fu{xcz4_!DsW_ZdUP)`oiflB93F%cQm(K=m(hxQX(&++>b7e51}*=GF_n~yppAu
zEq9eLksnv;uFEIgTn*}NG+?hRQv8G8hJSY&Q_er%(GOs`8EaYRis_DU9ww4&x=QU;
z0KgttB-rl(z}7BABB`lIwtK8@nO^u01VU%WP$JWH7abHJ2#DT}`;V@iE<+wk+A#US
z7JAQohEkPtLim~#L`q~tsugf-Xmsa@WV(XR_>v{=x6N7M%0``5UHbZNlz07c`mJ&M
zJxY8(r=q^M{WXUgE|gm|6EJ|+n3?UYij>mt5=H9)F~d-a&U<{q(#ve9!cM?adHItm_a
zbxp4J{%yzZVc(XwY*pi-?M>fNV<*hZ?C=-kIL>)hw?Yo3^)CgHozr@^%X3B8aCMYo
z7UlC?D}wDC5r?Vtr?;@xGH{f;`}MOxX%HKN!e^ot;ABQ9@P;FCysKGma_CwM?cBow
z_drFWzsS)+`5sRN3oojCS*&yTZBO%wiSji#+Cgo1OxgW1!Qh&ZmwTu|+dou-8&9pr
z>gJ`ab_46BNkDg<*Dd|&LH|DU*yXdG*AFs8LFDSaG(fkws2T-*+}Dl|P!$bCs%0V!
zXm0apZmomdudGy)>POn`jhc%+K^)H)N$ol#bCEo_k5yb*krJ(p8rjim|G5~(7$Ku#iUG8Wijxah&f01J^poB9Fx*t8sifecSe8EwmmF#ie
zI1J!siMKq&>VnY1dAG;c2l|I>-y}cir?c+49r&W3lLe#(@Fg{QV8N$o+#G1Y$u6Tf
z`?xC-un|dEYyC(B>_<>({mA{0s-s7>{g=s=(*zN(!=Xh~C8`sTXWM7Q_5!Bk=GjI)
z%qO&b4-*-vi1^P;0@>Cuo(dKPfeW#qF8UNDHTwm6u7S_ZvL7g%>0Ne0WHgjUTrT4%
zf7}@e7s6xb*910Jiks)mo4b#Xhddf<_7X~sy@d+s5EoTu{lK$Xd09gAoHKSV14cJzY?38ob@Ak(s4{F6ihuSM%Zp||4ab-t$Z#*j$&n_UWwbOvpiX9yY;%}VY1#5jJp6~m;*B|D!fAh#nw{l%+LZ!dsvf*~Z{EQ`
zd((~mZnG1mwUIfRbew@+r9Jw&#mgL%&n7Q|xW89U57x@gY%GK>R5sR_!7O5CU;H+g
z;`u&3JRM}z{pw3dJX`PgSP88ku^o*>Xr9EIm#8+Lww{lkh6vFeyS|sF8gyAW1ykkA
zxE{GJ`dt0Eh*-M1`h-k(S8JNyTQ+;nPCZ|{hxlNSv%P~8J^17sHVD7Abdm8?GO*kk
zgI$_}2{ji`x~DMB5>=>jzvApHI$>CVV8Wr3b1w#Dv%XA#_5E>s9WI-);hdrVo(1AU
z4Y7_N9qjnjaP0F~A>$@{%Fr!E&2Kr<{!`0?c9JdRNtmqlqwV`kJ4OY4c=fcpQ8Ch}
z+j#v2tc=Qb8ISsK-Hs2!?kc=o#)NYzrCwmq1>C#swwv0NymbS~=<{pI7d)a^YLt3>E
zCrqmZ!__b8+?v!Kt)&+xde|D;acH!w2$fjVBJ0PE?DIl~`GfiC?LA4c(`g09)~R&!
ze9jVex1&%^wq!Kt{kRvUKSqL%yO4|{OM3b@?XAvwj8vj`B@Qp2Ed^VwV{K-CVlimN
zfq_~V7vTu(bs7x6SOtH_(O3Hlwz&O~hX3`giGSjcL>ru3WUgG?OP!xzw(mfaPh7=_
zRVweEOkHddJ{LKP@LUo}U;>*T+z5QamNmHu?=zv6Ko|i-TkmX)@5l)A`n`ajuZb;X
z=$;~UOCez#iesO{S^-~5Ozf{O99W1dA<62;p%EBWr;YtkebR9~MF!s3&tVL{lf8dr
zmSpm3Q1n^T{3(j-!Q{>Gf!-?)DBTx%YjlTif2^+&@6NP`Rz_nG%9ccBR${Jz^7Nf%
z-sc;pfwwhpQzI8)15DVBfoe~L^smxds#2bL12
zV~+r9;&Zmm97`<_X&P8E9R`|tE-aPntfo@tD>wo?K48=TmaBa#kmvSo;+_cQr6XJW
zosMhvP4Si3rv6Wh0=n$Fhg%;1rcBcX&W97mgGOR|QbO?(wj^tpv-Me`R
z1q=)k)II2l-wfMP&>W;jZGV509e}jY7w>?R)JO}S<0>J}KcL$y
zyRk=JGK+r=;|0;lAsuBlbwGw(w41_0L|hO`g)TVf+M%it_aQZ|yQbAvp8*{^CnSlEAZ6J{
zycA}AQZ!&s*k40S?93`S_VQ9bVk8MP9mnnsO`zEv>5F>^gC?-3szy3mM;sI@g>bJ3
ziZzNqL#8XL<)<(m1eyo~krHH*fp-on1xIJ+`-eB#!kvZVJsqA>aNOb}v`o985V^bJ
zYP#RNQV4VC0tdwZNR@-zcGn-LflIsdI2eI-bAMH#b@+5N$mQRCi11*bodRo^fkj1a
zv4X6j>%=N2D1x)>kSmngtKq4B>56`SC=dq3c22s~`yGw>o9x&@58X~Kdw=r2*!FaL
zyPqWoYH2T(1C#@{@#eRqQntVAZhw7Myl0I=^s_*jB&#sqA)@aYgi!u*i-)%$Xl+5>y0_xDl?7irz&66Pt%l`qyc_Qj{GrQd#Eott7&
zxGGovLgqQKgh{DP*B0dkAukB5P5aNuf+4-DO9@>K!GNjLdrIY%b-|6els(zdsw$Yc*gJ+1Q?5D+p5cQi_i^n@<7s^oVF_SGh96k93s8B-|1P!c;I<4B_dQ!Per7I&Q
zD4|(GK}q;Epnl{fkD27Eo7x-)LGe!T@y>wWv{T8Rgc7|3RN&32E@~vz(fVLbD`w1w
z4O@-=l_0PhY4&p;7x~YUVJummIMeHbR9L+Z{EH`QKh5lTsXPfMLBx_&+jUGczwZ#S
z-te8X)9Sj9&rHsiIN&|Vd5QM`?gN;b2>E_;iTEzlfkHyU8TY7t!(4JuX?1p5$PEoIE7pfL?8RfLefnc0y9B1O7eVV@hk&Ir-~kSF%X7Lpk68
z!mQ_35e+hS`5;Pegi;lc!bhFa#7{)HAqOQ=V@H-#SRgemmk%=SPcM+|u(30(>~s#f
zN7r+UzcfP6*}Wg~whZQ@2ZIjlt>)W1E`+#;Ajo2*zK&cM3Ts$iY%>{XkNslbXZyaK
zRaxU6^igxKW2?9w?TX=H3Z!=RFNs4xNzZJa%Q5KKXe>|lpd>zVSDQxpfU7!wvbo$i
zY=pWq^1+#JO`Yu=WReIfWYw+Ggt&fDj|9y}vE$-pNw2LhYh%#Qs!X5T-4zEHx7Ss!
zM2k7u<@OCBcmjUQ0Z}lw0#0Y!jC><&
z0(XL7XWXd-%F>KWHmedIm*8j|Yt;~OR)E|ncE(CaxUkqI#
zl-+8aD{X7<8#t>U83U(o-uaVcF`8L_Myf&aKYQ5wBQujX!T%%ly%C+89^#&j&fgPr
z+UR!=$rtZ#jYny9&#Tb=JR7aq`fA(|CX>xW7o4#pYl*BG-rdinwHlNU_E+h+vkr!p
zb|jUNt|jR()r2FruPog^ek%uTdyPbpMgC=N{iyh+bjRe^M0V8S*46hE+h5&)pqF^O
zt+G~qNdOs9mtNHw1#|O7=#7FQ@6wNT);7g9Vid0AE`N9-Lx!w`j@=!*EIYyO45}?5
z%NEVzi++?eg|*Kn8wf`vyLuT(Y$odvrMr1EM@J*XPMLhpki!%eSEQ_(7mTy|t=`W%
zb3E{8;1l%>NX`-xBsnEHaD0TXXC*#?rqtZX43RuAEb>+9rD`kRMYY6HfbvDEm!lKT
zieSaCQ5x0!z&mKq&dzbY35aUmNp)&I@LdcaGb(&o@ZbS_rt0v=5rI=)0*1cZXd8-(cvfBE&1L*BWBxz`)G{hAM4
zhRFIE+{5!Gt86s;_jXcSTnXr5Z!cC=pI84M!yQ8?|2teBm~@oj3G&`xjJ5HX*DZ-N
zH{rgmfqN$uOpAA~MbQ-OD3so2S4I}O{8pk0{WM=9vSYi{vGrcZR^#V@fVXP}PlmQO
zUS2oaSi2WwrG{8{`-G~vquW-D1IcF%X0q@EUQ7-F!`cI
zlOZ{{MkcXvbZB5()fQJp5j~PR>e^-?WjUc2`^8NJ=`B!7DZ94J&x7pp^yEW;{}KT~
ze1V*tV!?Cv!0>s+6WZ>*aI|(reuXsbmiF{7wLwA|JmB7vv!lAc2p^Nj;@j5J0#s{8
z?>7OqxkSqxZfTcZA_C_G95+I^g?;AGuPm1<^|t{V6#-jif+P2wl{ovUSAvaG9i5C*Fj
zC+kD)uEj014`mxe{uH7|+y3ye_Hls4fDvN;L^8uCE1Z)6_s1cdC_2*)qEF*vH+YDP
zd$gxLM}Hr7j7u=;h$oDxF>k*nR(N+ad`X3cxtliS_V(J*#+24M_e9x@%)5Qfi<=~T
z@2AGM+@acmdbEJyC_s3*WCuL5k_;p#$z$zCV+K;z6U^M%KI3`%-#6&ds8R~_9>hEn
z5zkeyM|_s6cj%)k#q4}h=*EH$Fs6>@7og_kL6U9j`i*$PmoiA3S(fG*_->m`m?rv|
zUs*0&OnVibOFrm>^oVD}Ev?WsW(5phIs(r>k5W-t!@Ax)Y;pbS>hsiz`ag9<8a7NI
z{{S)lA{YDRI3~jOB5_P0llZ$Ffk=@v%)}fBS5hM;u0JsJ#0uqK8y^U)TrqXpHJ3Un&c(_tk|IGt5A2?m;AEQd_YYgb8L2#bW~w@lW}x6ijh*y}Ne
z68GyZ^IOR*A*4k8j+vf>`}zkUGXggG=Kt8_s+w;tQI2XJ5_V;+>@Vk;NRcbz&?YX0
zPga^7t;xulFNq{~7d_jmN_{F0pEnGqzL=1+{cZ5==f+*Bc-GaY;5vraOVx$M99R>E
zqgI_?Z>Wk;JZcLC3s_xYtBEc-(%-VhX~(faF=~|3-?I7{rO&)s+qRC%dT@1+1((|A
zx4t@-))m!%wK|i4jL_;oGY$kbX-z~QsA8mSt-7PS&)qAJA5YQgz&b5(j|A}fOe||r
zI5IZRpv#w`wDl|4#G$>VlOz1<{wC56ALPmn0IDj5Cu5Wy0x2B29xYtr>tEP^9+)VmzCk<+Gr(s(&v^1B
zkfFaU)67Mc?Cof*!Gr1a3FjloDCHeQg1*$(^FA}+{^1wp
zWDLvQUoCL3#J=BV(eK60>RP)bbevp>n19(_zoUO3sg+b*fAlhy{Y&6hF5&zKmMS0Q
zNqNzG+Cv5-L_!f1x;SSZGW!M;<@yDqw5xE8YVI{svw>grP
z0-$^;JN*eKu_wz7RcNb$Dq#*Q(n?aiV;Y+bbVo)Lgp)>_Mj2X`eRQ2}Jil&%x&9HU
z&soy3ZOhWm7>^4wk|{j7CzaNSuR9+m>=G!v*55gVdLY?A*Bc=(;(;8!h=0j{YSwT{
zZxSIkBoyW{`pRxylNfTcTid-W
z-nR97bJztYV$fUc+i2>B@fw0ysxY~9v_-+h9g#7|op(+6D^_>+pmQqgAxSOQ1M$26
zzX!>Ie5Cm&eq%}KaL89Vs7=ly63f-vO!5_Mq!6|5SYoYis6P8ya5#H_u+v
z`daV{z9b?h*rMw?hlt4@%F*2$_0l?V?%gK}Y>u$-z!E!SVRnaffLmg!M;7hL;5^>O
zjigDCz|qw^cov~ENr5Xi5>_I_W~alhZ9`d57k4T>fCu5QXZ}tNDJRp-V+gFrZ!{^u
zZKf0mbd*J;WWR;KjHL6J+uV|kh7;Ev)4>MaP%ql-f325_l^60}edyrd6d)&=_s8f*
z2>wkgzb0t&O|$-nb0>Km$W&L~fK2t}KQomNkf{=ot^yx2l`)dI!Bc*tAzGI`e#g(d
zOT0w6uhMaU5q%N8zQAc+Vd|bL-b7@MjDOE;V?lXM{hU9)iQjNJ=}dcsyBcG&OM_-n
zC`fhJlym0^YJ0kY4xZ%@c@}DSCw>;I;Ap1magXtQuK2DsRxx&IoJ%Ha{fH6AHfZ`B
zl&V?B0r?ilt}ibr5s{03`(xfC*v8}4%7n*VGw0}?-P|e>M(<(k@WkTJ`;~}grfDP#
zOTuV3+F&AvyM5U0L-iU{Kc*k=9Nf2t|~r1cP*$p
zRyOp`W-a^W0bVPcW5*XAE;=QwIgoj}z){S0HbT9wicxsD@bQ@)01`062w}L5pN*Ow9h+
z0|#}k568EF415uNpj=r}sE=dJ3(*KH*^yGpz`w1|C0B~rOIojZ`s~QXdOM+1T5T3i
z^Ylo7%W<0vOZS?Pe0}zVO)MigfzhBdDCiB}u1vAToEm=Lof#lS%W4Gma+1~WWbLqM-$aSBfc8s;;Spi}zNj`QH(K}I5wwzI^sjo*G
zOUxMqHlFSRX8zHK^ec6zu%mOp*(*RN>~EA-#3#v+MmYjPcO+$N%=S+D@&_l$FIqit
zZj=8p{mBMNnhWxyVv$yv8=jt$smB$KOxtzIUeC!XO1tTyEJfA!Eg$T1%SQdui>(lR
zR`Hz^qOkQXzwA;B|4TXm(=srSTSoWIH3q`rL_Ic5hQg`quXLtA+4@G5F)EA|(91)S
zB~R0!CV=Z8?L0uG>)UP4whMa6H}$2Y3ZNAe*b`3=4AZbjvXxsXA^zNE5nEE4{#)tO
zG>{QOqQokE3f$U*g0|%miVBaX-tf2hwI{PRU10aJBLSC@hdsSukHz1A(em*(pdwT}
zu){;Yh}WBtJTNR?h3qm_xA{Fv(fg@dfNQij11bW0_kShb29%cihol>bP*Fp6E#B^fO
z3bMx@_YO^GO4b*t;Vy7Po|oUq+}Q5Xp-c2@Y76L@{MQo#C~nuLpjj_rE9!?qaRCG>
zU)b^qR=Sm)!UF(f0st((lJe)QXXV*n`}rZA?jkgZ9|{0==DQ#IiU;z%?^Tj+@{Rd<)-z{lG1mA
zFYaq($qqJ-urk|jxIrofbYW`@ifuBnGptKE${PPA!a@Jc&OW0?v83zx_{|JQ1xlI=
zF*L0ww9|L4U30``<45B6t=EI)^PGvFWrrqK*}6_M1-bBg#KQh~ct+W$g+|uIjkK8$
zTk?KxW>PT!UlXfiPyE5i%;y_dzQ^@k+|@McyjF>(TLWONE;*D7CO=fHOM;yoBbGjY4`Yx
zl83K+eQs;KL#i)*z1Si5GxCtu03XTX+L|??^3W24$Z%!Pu%%Vy!WuZEAKm8fWg8kh
zwcAY}I!gS}Gqp%@GiJj)p_=4S`N*v8pV}A`cyL`%ZjrRia+wO+`05tHGe0Q;ExIL^}07-+yzBl#fN0mWAWKs>uK@XAI|jeA_tJ}=wmKHA22DOixjJ;S}V$^rrq*oyCL`Edma|h
z4+Ab~*U#K-AIEL+Sk6U68r(&48iXBP$Gjl$Dey}_^cqxrOI`+@*2VeM#PnNL0?sK;
z9k@p5vqt7GwgN6g8T;G!h?g?jGaCbRe!F@R-*1`<97r&~16Gj#ifwIuE#b5F@x9m1
zLiE?h~CwHI+dRA#-1h@@-C+2Xv|NcFS91E!++>m$Ze
zwjh!2{jfJ|mj5H`lAGsw;I>dc#PFw2uSkGdpzXE{fpI`BedZ0la6`6BPl6^%lN8Wp
zqJ3qD)R+{~tn0WAzO`?EGZG>$S8~pY*XaRq@^QYqungT4Nz5Uk4|O2#49gWpKK$tM
zePaMid(j2Npq;*8{2YUyf#`q(9CGWIU_j7B;(fM+PWqveKxf4@he{W_TYX6K4MTpr
zty3~Vly}Gxm---utMFGvN$*nER|krAfSZ~-BZB6E-&D8t*wX7by+}Dbz!=6zm5_@pR%~1F|FUgK;8pGrU^2!w_
zJUkC%I`q{T%TPs#_c8>Zc5wTb8!#uP7e<#!{lofqDz)V`*~Y@MCq`Q*rPil)N>odi
zS;m9ern5I3t){)QF!+#_r9^n|6Qvg4oTm3e^O~qNBDUq3+`DKX7D2x+PW!lMOz~!E
z*oEq0b1L##((Jn>!XOJPyKDXlO623`+t?jM8LT04zwqZ-laBItDg9$x))}Vj11xwdzpiNWF<;k1ta>`%}Zs)vi+{AEdh6!A}z&4cc94HjFQoE
zU5_y1dg0WwYg9S*Rkn$prLpabmHY((p~Ysz1<{R$^qd)C&wzf#4E9`F0*?OaipW?m
z2gm)3#Q80*csrc1q%X1#l9%@+^|4d`R4nj1cq&z=EX!pJ%oA)Nd=+9Y>%cFO(004M>^4G=CM!zV$2b*q5cT}(
zEDVSK%(?3B3{;DvFT0hj0Niz3=5lHId7*&>#Rqm{(w5*;=!Lrc3Yz7bf?-Q}S9FH1
z_6{gMvr@1x9JJYP65T@EtGaUHtNwdp+WwswD3U2a`!YH^K2)$k`fOFA6MR1ZP(Lhx
z7Igh&7$0+}y-c_0NGP$y?-Sa~Je2OoNKd;6mSOL#`5mvDnbWNNT@)D+H76O))ZL%D
zzy0w3)0t9O=IPYth{Hj>S&~&*!NR=zK*JSOfL9Y5Gv%#}t}Y`)ODzNWQ_7(y098=sss97+WPhtzq(
zDbAlQk%GEnna_DiCf-@Cve7H0_XtIw=;YVVP5YRo~C
zXh6<|BGeWDJ_Tk{`zJ|t6-1U03>9@XPjZ)&l-wkXJHescq0#pcu#o;oPY}k?dW=|v
zQNSi{ABn_SO7IfL)1?b%u2l`R569_e8#i@!7*rb0W@=JlEl#fkSwW|}$noixGx>ae+NS~{8TNDVvc0-n)}1UpR~@t67?_EiES_)kVs
z+y#ZlE=-Y1!+lRhYB5vGw9%6*D&rCoR+n0RnAq6fY&Cf0t5%YMyrA!*zdotD*mZn+
z%+vGoO_q=*cgeT&mHY}KySi_rx9Mg1>(u|G<>0@?CzJ>5A#Zu}fITvwKk)z)rL3;w
zS&$*NCRl#PZiYV0A*#eDl%UogjWgu8;p)K>`;;M9s8!Sr);uD+d1jQ0
zxynwIm6Z^{Yd~{I1?v~V=#5OBc$&iiu>tVd;B2D;*j!xi?1vJR0Y)pEcJIFvQ(L3s
zl4Q(`Tc=YGvvspAM{7Qq^OrYTm(}+u;|fIhwyED<*slm^Y?4OlIw55vE1*Nf#%cU{
ztE1_=JR@C-rhxlUnMV9uM)2k8T8DqFeoWcy@7j|e57L9#mXCa@-hpGXR6lK0$nEWf
zDX$Q6GndHv_k$kGP792*fc7m#rxFRBoh_-cx{y=n-~31IK*Wha{|c>)cYjN>k>XFz
zjS-vy+9IR$DHE?h7(fWgPfqJF~HWR3w?ZjfjjD9=j4Jen
z(12Fh`oq8Plf&^h##BKMGrf|R0Zrpm<0qQ`VwC(>ixHsGHDdTO+W}GH^fwhU3&yDm
zp-yz;3lSm|l#LL5iOcH@oT2sAR(venp5J|9mKx6rBvg*_(Bif+kvWA)u%Ia?qeqIN
z^>fxvLe@?>OUKSpf^Zk08tNC7A<}6ryYt(9vLSBj$bZq`>k`dO>K&SnPl#~GNaao{
z2R#Mwbd+{NnkU|;y$qcr;ck@993ffo
z3Imv^sW9~r|80GwxZOk=`tq*Oq=$o8Y5P$aBag6_4_C2o{aIR0Eh(~EP!U|9Zfn?-Q-sJBG1{3q6qF2X~ta75uMM*N{D
z4zQ&KMA5V-WI-EI(;qwfq792!SX+ZfY2GQgE^fgS@3Uu3-dDT9RQN`MNmBc5QQz`_
z+idxLL!8mq$8fQC*5p}G^EWUiNzjm&PMnud6k6Ah4aRA$KN^a>zrD%OEBpAyF0BLL
z(4qOq;g!Ghd2Kb&cNXnQaijW+y1Q9iuU0O)4Ms5r36c6r=R8;N3;2|-*{IN$*1h7c
zbTz>!Lfg};?p!_G&er;}nAikWZH7mZCR+vc^SPAy-c>{U%Z~(sVB$34
zif4%W!otuyBAdkuf}`bu8VkH5fmLA>=H8*9Zs7H`vajoX{LLD`eRruMaHN64#Q>mQ
z@nAsWdb~&?2Q&PKxEa
zjobd_PO?-?i8uJpyrNfOh%xT0?$cFd-O`hii%P0=q4VZlVYwm@I)P8n<`O)9b(a|7
z`;nKwr!=g|Dy%+~-no(yP!1B5pdz6(@cklLTw
zO41>-`~4_52p0^``A$sjY$}fqaEW{3AncL*+sPlp2l;_FdZ_GoyfbOHj&rLC7!}i@
zDS{3ULCQ%wRb8AHgV`eyi<;oHw7-9RQVG`X`!7{!|3ie{nHY&sb8s$Fqh
zYuZZp3d9}}_Ym!X1}&_!cM(}OvmM;T!1a>vCg0244LCQi!p?Wg91ivP$ny_nh4E#h
zt?%GYG%qu&-=w7TrM+L%D$DHE
z{M^{o_-NL@-2I3#6wq`e8_MF1WTG4Jtd#iVa=6fVY@C6*78geO<^}40Y~D4_a1~^z
zs?8Sfj9>|zw_Cp_x^o9m}GMbubQB6_zmaV~8(^&2^jJFIzW4a+G
z&b%%7J<0nlET7vQv-ap-ZB{c9W=MYv@21QMInuGQ%ka3{m>mYIlV7@>r(QEyHecZY
zl73H4PR<&5J6cVxV=+Cg2zaLS1uw6WHRr{}tW+i*@T_S|IECO65w_0pdhX#z#{4)jfJ=MX~`YxY+Be+w`uBI4Z7)Af|cXa+!7zTtt<)g@l-lm{Drk-v{
z-`DY2LfZbmOONM5y(pVpgPQi=q(n*^?dn}6k|LENFdlE&f>NdJQVS1g2akll!g@S~
zzJk(x@*Z@O@Te`)ASu-%`fhtb1K6I&({d6!mO!#1?|gsRYxcr->!H4K4v%K
zM8u|b2uL%I%L*6*Mbzmac8BoXX8gwaxBeXS0tA&KIuZrMD!0|al#V|)G!Vgu>^Fn5IG8Zo?Wfb1KJ8$W)frcSjO
zmF>X)BGUX=?umhk+vM1jaIm3V|4A!tv1?q#$Vip4qdq5m0kj|vn0Wh
zM`CRzRt@;=O*$Qgr&pUJZYztcpk`tcER+ZBQ}1x-Zy&yhyLowI13d4WEMSizoW`+H
z+twyV&S#APyw<`q$a~P=Ing41l&G1dqg_=+X2s_8)OaJ^cgSsdg)rGd|7^Mu@S=pzxD?0v%)f6qhi~e>;E?vVmXSQ3-N12ra35xu2F2C;1MU-H0xf`@Q
z%TxRvMw2JQCR%;qE~t*FBhzr)kh;?FYG3DJef84#aIluVmR$APLPvWxqw)u`RClq7
znbJLp0EiKIoImwFBLoho-~8&Dd0J%y-A^O!PO|zUv!zG$1GonHVXh=4C2ie{ccG=L
zz_Y!;b*mx#UFKDWmk0Ax4Ng2*DB=S)QBn<(wc!C=#&T}c*HstVd}?q4j5nD!X{T^M
zdDF&;q?0Q9HOtTDW&i9tfOX)@KClkky!56gEpmV)P-Xeu-`Q1wQKYK@I90Y6N4f$V
zoT3qELzyN&=pRHuW&My3&L^xPTBxYB_p*~|>eBh!ch$P;MW1T;aWRI(OVeK4>ky`5
zir0GSHaQ?7(}|*a#Ye4QmHu#9Mt>KHz0m7EXMTs}UwSLdcADM3AtHidac}}`#Mw7W
z8Qd0h>9!dQ7*7d*cB9!CA@7zUorm`#!6BI-A}Ln<0xK^3NNedk`v%Av9dIj^jo+5p
zt^_J>B=X$>te$H*!s9$vJK!G0ZS$VBj!bU}xWMU`$Gv-zUZeA1DewTcFK{iyToXmT
zxHg&>a8>KxbOq`+mlOU2PY05j4)G(Bw;tjx&$^A_W+N3nT!Ra-^L7U`?DlrKu5T#p
zU%jeQ+x}al7*Y7AhZ7JA2?%t}Qfw;Ur`Vnql|JtVW{zOva05FxGjZ!dr&DnK3d
ziR96d&HFPLA
z-ZV@~_Awz%y|qTiiA{Z-I)W~G2T5r2FzhK+-?EQiyT`c=daB6?S-GxQwK%#hL0v5w
z+a&FnKKv{T6DDGb>Gh=${AK{aA7|3W#cvx>1ZsB#W%u>zCLUVHf_PIy134-VNW#nv
z)`SBAv)as_nO{9Q=73W6r%Z1iS*!2>4Mzi9N-2$=g}S|m=}id9fU%zcuP#gaTRq_f
zM1BO~RIvj^Y!a53fw39aD>b%ufEp9mO5D&SbRp~~ituHV`TKW?R%aPl-lfqiN6d-euE_Aa&zBL_
zFks>rIUIA7x$-GH;$0G^y^bG=Q4S36fogL}uu9+{V_l7(UmCJ_5t3QLk9~+Cu-U9b
zE9&?EkF)m-YJ%&!KtoY_6O<0pMWl%IE+8PNpduhuM0zLmu2iK-Q55M2igb|{s#K+g
zB25w?AcUHP8ansH=Xu}n{c&gR%;kqOnsJ8N+2@?K*Is+CYCD>}jp-QRt1RD~$bTCw
z?&VG7QU=?BE^>FnKQN#*cxp53vZR&Vfao^c})_;zo
zJ)1v?FFG$THvp{H_^)ioLC~B#m7tp^6dAT$B~y_DB3~*4Zb^SFU3q*y<5C3wTetM5
zF|SOki__iohwh*n=KX&O{CTb9-C_`x4lcx!HS)V3cTE^f_2~0#CvSQD^kumJRY~yp
z^m+JF$_CN(6P?h9ar|Ux`d7K;FIX?I^@>@$|9qr0R?P~i=){Aq?mnZ+^XzoWi9cJQ
z^_#z9P+SekTbY|z%R}^ZQ3r32Y12#v?KT9-zO{U_KRAu$;O_P8itlLOK0mv}aCm(8
z%<{u*M8bjoeE*QwajgwiAfSB)#Jp$1DejU0@^0w76jM$|$t!rr)g~0Z#pR}SdB_2K
zu)@Q1W6#)SP2(oTTd^Lor(65ck?q^Xn}Y%uvzaelns0kf0{peIx1E8L_#AK&UtWvj
z6a>p!z-liW^k7z{$WR!|MUI}{
zSI!^FM1eRz+jf?!;2`f`pVzC-|G_|cE-b4gk(WK%Y{-<*roQmq%_Z+n%SAN*XaJXV
z(w558NOYc4ROC=7TCLLy_iAyv5NBdr*CYWUy3CRpHzdNksz6s$t4AM=i?fp?tyF0w
z^Gk0g_G^p(klK|j`(C2DfV$9ZCMxqwGfV3jb*t?Aa!hAw&<6a8#8irkmBLASy=OIz
zvPQu>?;vZL_fP6fc_N8W;`u9Qf2<15^pz!->fX>NKkOx=zvEfcis1!=Q6)x`-5$B?
zS6{i_L-<~5TeLcKciRGLA0M#}J+PpfiO6u84E(u^FWvHa6s+H;U;J6!yG?|36DvCl
zq1beXdYmM2huiPi>EdhX!5;Q?WFs>T4b2ZYJZIEdKIGqM8D)6>)YPgc7mJ(;+Yn8j?QFQ?4z&A)OM$Y!50}b<4-8Jd3`?Toz6mz3uknOUZotCpd2cE|6^o>m+9UskFxKYmNop1i!lrQKrXDeSFh
z>qXVZ2C7fd#+Q}(<7;K}Hr^+FM|0gC&2+Mz=DM{z)2erP{Jc+9`)HIqE^x-_dcl`(
zEF~g+m9>Gap`+G?ZzZ$y_EN{<6wMhHtJ2Q4S
z{cO#9QY9>*KleOkwEo7KWF+|y?8WDYUGZW1JN9IC^Rg#F3oR`{`wC*m`)aTJ^2B*a
z!RF^GdpOtRMzOes3L|ha0eem}&4>JD}yX78jd|^YrpK9=11Dsl(-#0K#Tqx(0_&s0Iz#?
z6Jj;dNNcJPNpE6d`2r-hK}OvUenjBOUYHhtJ-$H;eXz6q17g8?Tjc0whsCs~D6*X6
z0&8~3VANAf2Fn2s1JMW-8-Fg=&XRWTjlu2DIHmfR4S`o}{l)St*qi*uLeX0(8yB9u
z#tQp44B3(pOX$#l$0^gB4|1lE{=BR%TXB5n$B}BxEaYbw_$%F)3?e+&
z(bknSXS6-5PPzXeyTS|p$)IY1?{>~C7$>L?`E&NsJZ9LT?QrqUXREpkyUxaWp#!>U
z7w?LPaVi>4U<{LF4UBz?dX{x_cFb@+7#jatd*veHqJ1|z3Lx>A&l^dv5=I;K-`iQy
z9_Bg39{DY-eCPDEa{hWoEOxqnYN$6(SeQT498?v0awy+A4!j{j=!a)!R2J&NoW2cq
zrrAR-CG26pIXeeOXR-~mb;TJqP|Ire-aItq?uDt)eOP-MNSUchCnZyJeE;8C#P0tp
zURBaLdyva?npSfJJcc&9h=@vUGv~q)A=#S#&`Ne8o)saj{bq2|CC
zf|g4u7WlczmkC|`UmQpZfz%$e{X*cSpS^Lr9S~Z5B-jgUg~T0c^+E?y6F^Te{a-1Y
zgWx}m9-$aM4}mXRkcnE_r84Y_q}%lMUY!(uU)?EAw0X8|Ed~HglBPJ4wx1(cqyu^-
z!tRlYDE9X#{w*9{B@@0e3gG}87AO#k6xg=;3-YB2b&D@o
zmC~)IR|dU=fBDevrfhtFZLY34(eRG8cd>liz=PKDaE~V(fUb8n=RdBXE0WUZ6esZ3
zlOLkI$^EmIl}^tAjkRw(x_m!1OzUTnAAiV3`NA2Uh0v+!$~NO-<#c6WXiP1=~8n3D@G=bRt5WczGgO!GYx>3?V;443Zt%J#u@
zq)~{BKt$iq5bY1MB_NqhLZ9ej+dR@E)tfI;&2?9D-O{*YPRVA#I=tLp47RPbH3jBZ
z^W@5xtBquSM?b{HE`rAZei2R9*mUcPF$x%Exib|#oJ~)-@l8#l*#(#-lo_kI-*<^{CTdcA*{BS0?sx(gbv@q6XE6|_QW@I|1nN}=L{D6
z5k5RTI}=s)y@>YF1I^EYpm+k^-#h;g(c7qX`ljr*=qVf^SIMrIQ@oX
zF(p!|EY=OY_TE8%N*Qea1QxV!FAr`H?GLRn7HpdXD^u{N+8wMl7i^gt6zZ{B69LPX
z`FMpGC1!f+!H9~=;HNkw$<{t2a|MdzY|E9YG=Qaqt%W>7Sb16%jK|a;9Dlk#BC}l!
zlg5Y80Hsm-j*lDXDfQuCnE1-}=zxpl)9FJtj!DzFXyon{5o%wuPds<%!dh>Ut;l9Y
zfx_~VIfq4kpWUYqL>GJ)t-2!wgzi7deixb$6^Zpj#N4ncS;)5k)=Xg>c7}$UI0n8O
zuv`CKL$$lR3s&bt14Y4pR2$&u44frX_PEYL!vBW`G1b2cmQGp*Z{7mi%;izgzTV!-
z-AC9ihwo;n8<#$s>+MZKudE&j#-CQDp>+$=0n_IDAI`(&|BCm=kf#+dZ+|p+z0o$4
z;9Qme40T$Wu{4S}zkEX!sd7>hh=mT|%voRbrN47s*^5P|%;J^4YFJdwHGQd8`Wj@8
z3@E4W0pH8A&ns~yZI6}xX8^2B1ni`2@EU&PzYFJU9r`k-WVo?|cpWa3nB8sPvN^h9
zbDr^)^X!Yoqceu~ciAUt$~LmYr~OtoO=~8*1UJ0TAZQz`*P{AJ?kU$gb^
z6nD&+_Rb*DZO?k4g*RG`9Zt@|}n_-500ARb__Qr=QXA7Fux5m+LLyGQP
z!cMduV?tD>M>g^x7CuWH*N|KaMZ?dz*z#8wjm(X%+)Hgl@_{QmX@LU%i91FC9?{nw
zbK`KXix;n$&aV@_j5Al$#QKzzqiDV_qN0u)5*RZ3qEw+<94ZHIxIbG76r8i&#cGUM
zghhCJ(paibk8*eYQFC5ysG&Q91cGm^hE+kEj>fcz*~
z3dQKcvW}{(`O8^vH?5v$po2MZE->aYIzN)$s?!#QtJIDy~LcH
zoWP%;dv5MY|MmZ4)SpNSG;FjhIk>xP1EW`9PRFPKDzMy^7OqC$jTZvl<8tW3w>C|4
zyN-{`3UbeSesBka84aL5WC|wq@fiaz{k5NAqC1sJ19d$Kr_*OF!~hIue8aIswk^FG
zn{2SVSh^H-)Zvuj4rR&hX~qYnpaN3#>V#^s0sFkXlLwrz2Y)!cLeyE)L@
zrOjt@LGZcmhuqPBwx9Gh-cvtmh|PiDh<*zo^zE%rWwi&qk!^c4(*7QBUqsl1ubj*G
zkb;7C@3PAwZxg+{E>K+vXN>6EoE{Wi_UqxkYEKE!Az(Yz+R!77X;*-GPte}_O;=aZ
zPL5Vbx8Pt7?L?06HO>=u9Cd-aPV3WkbimvP3N8UHEiGI-m3VG*voZ<_>=Hfa+K9k@
zUMDVYcJ>Y`@uqNgSvLse%igJIZ*3EM`)AH?J$mYpF6CJ*%#Q{76tNP=;Cc|*wLtTC
z1ZMdP!++ED@DjufC;%?KePk<8@7%%mR~r#^DRb&{N`gBmr-vH=j%@>fj>kz_YVVdu
zHW*S%6#Eu)&9XHviaGz{C7XM-)@Ly%3|>38&H6n>W6>#xVv}6G`gNhJlS3v
z`1@8Ftz}yFVet#UiXY1PtTF|+On!H@w&tPbkP8P}sR?Ke)OG|cXKHFXhZou_%0M8@
z*JoR~fe(8|PlyWly=-eZbWCi0=6rrHOvC4@6}N`OBrTUd6x}eMvXSTJ#Z&y&#dyPqEBL-)P*#iz
z^YHhE;A1;u?it)qxOS+F-LrwR?%u}M*vv1D7Zk)T#LiX|Sg=Z8`fAV-9c~>OL4I=y
ze%S9Bi+x2onKgVN(U&d2d>&~%3207M6Tx>}!l&J{M}r=J25qNvS=wih3A3(XS^Q*c
zn5t2Qr80Vg;I$0yLbur#PG~$mF>rF7thT3H-}{9>$QA+SZ{QZy^7Hcp_}ZfJ5}~{1
z>s!0D34EwP!?K{d`bJ*B-CA`}Q(XKbrW$J))?~j!Tk!2@yHXKuofxr`3GmkYS)RYQ
z<~ImVsF2XWB_yIOLOS?V1$VN4`{bhSG?tEk8o2->B>=xIGmw$PSv4*Jv+y?9CMjnGE
z7oRG(3{^QThaPMTeO#eGeZ+lCEhvc8Nh|Z97Z5zbhfaNAa9}e!x4*d{7j~*d{CrYGHtoNHv8>U+2Pm%wkDcZF=1u+#
zDQS~ABwbxyavpP#t0E%ONsUN1LU$Z&hS%|T6VSVN5$qgd`znIb38a1R_=T#_!YX{g
zM}DzEiW>AmnBZNVgrlvw(*1W3nD7vtafG)HH_~Q=o#&|xvY@FQD}6E{-^DXLr_>!F
zj15sS3+GbNd-cO@!3t(Ef>DVvpfMIjishPqv9Pq`WFsozh^0z6c*MD+&iPTqO3??<
z6q`SA2>MdK%|R%UHMwTY+!ulATg$h|u?dOGP^lNtMMYYb9r4+=&2bT(w*}w0O29Ad
za!`_z&1cEX&fWQJwn4siQ2k-!7dC7NQdzDt)&fl2RlEWk-
zTp__KMUc$YbF&pYS`#hpJpN?1CFIA?pYKQ4fG!=_#>_7d7XU}D>pk)uvw%2(*rF5d*qSXHjh
zR9r5pmsxDMhFQC^aTr$V?^cxe_4Pwg`xbvX{u|QmCo5;pZ@^oW51Qy_&X6;Zr&6ty
zUpedRT4)6VphqO$rn*ZqYWnCIbRN#U%KK>NJwsoeh(h7>WeoJuhLVoiLKo8665Vv3FPxblS|JI3G#Nq@l|k%c6kH7cK~u~
zhE;Glb+No3)hJW?{O7xyeM=A6_}M_SaZsZpm14+#^2l78Yjv?N4@5@rzEWEI_j;!l
zUtyL*%3I;3<}iy#F}(Dk8QQTKT8}Vb;fB?2`P?5A5dXv#&QG29_?rTphrR|Kpr&)C
z8sx{tJ@I%p?rb}A*s1KTs9xW^EkW#uQqK!QJdyOd;d!FA!e+V5rh)FlI}?`z
z^_bso6@0&z7o|>>7QJ{uYzo3Gm0~;fHS!`hapQ;Cv&S>v%=-GFXYZ<&(EY5AiFR6i
zdO7&DTh|8U;qtSrx4ZZ3TV~1FNG}U~B+toJ3JUTsPfATcob)sEFQ4s^`N}yHv5jL)
zB|qMiJN*+k>lJD%sO4~_G?@GiT_}a)`-7JaMVLuEwj=9i7vl+k
z9bOcL7iR9B_{o|rQgNc$4iygnpd8}A+>xWsOM%iD-jaPfe3BC(KG3{98kgNiBey+T
zCy@Jf#r702wU0BijGGvDi9C;DSyQP>#tbQr!0`iJH;l(o-uhmGly_8KrnfY+c7$-I
z`fBr#5(uA->A&U<#dyl|5rkF#;K7WJDZpYa4GbWFneXlG{W#8;1T40I+dwWTmw{VG
z_W07$Qhrg#kt`%Ta(gO%G(&HO
zHw?HQh{VG14V$k)(q&eNRh|1?3oX6pb;M(BwN@Y6`NOYZ6j^u!S$|J1>=J#34|8!V
z>EIyrMkDR5Xf)8*>7fJUl<*Q?kv1M~&6LCyXOpui-3c20jG+;Oro$`~!y`wvJHhka
zdb3l}s2RPNA}$$^q59`e*Xd>=$Ml$ayu!TkmqVJ8G2xMEZ9lUQ{Fij4#dc;n}x<
z=WJk5^SO4F96ELxm$vQ%b}$l(2^<8??ct%Ja0~{cnZ{NZFowM~HJ;Rwp3IJ~p>#VY
zt*!`THvKWmg>m-}w3>#`x5yK~+%W$W!uBgEl8q?~Q3y38w)JjOQKnQ5T@4^NZ4X`;
zrmOpv{W-r(!Hq2EPMUN__`*&YYM=;t7;-$otv0-*Y;E-sLc4Bym3|M}akJLb{N2sQ
z4NnRk<$a@wec&DC^B*n1Yt8y2^N`z_S?IvJ`m|(J!!Hdt{2;UrXTHLg$fsmHqXN-+
z-g`J74&Y+ht1@=W?CrKR&&g9
zFI~36i1KlR+VqB(64X{y;XIY#+6sRnHR^|K$@M^?a?gqDKY#wb3G5e*N==e?f_(h^
z_~^+&i5Ako4gTeMMh4rTKY#d}i(bM!7tRwuhlp9VtOsn&cg5W|GmCpcjK>a`)wuyj
zzd7(vn{VGUQPm#nr@8G*d?UTHb_KTQ%7i!;j*M4{QoDb$(^8v0-y;0Kk<|c^4Y|

z{)w$hlhLYYTYj%yTH?*GO&)rt8MewUNxROP#w0&4=QomW?(gmGJetALhhiC2B}YcO
zX-CGAF;|7qp
z5TXj4YbF*tIy&UMm+66Zylk$2P--px%mz
zJ(-CT+3F`K6ATN|4I%L~47y8m&WSn5Kg=tZzMV+1e_;@39zmXDZ=4gymaV6@j8FU>
zkoc1vzUy;1ac|YC^0}hM#c85$Yo*VbMF9-_A!V^BLQql97vP`BXlXJsY0PS;wGeR+hM^((q8EO0MV4m9g%
zpLlo-jsA|0r*@h8dJZVohNK2|GgF21^Q)>DNJvOtUhx}oXt`sEIFn~8^JmoLn6`w3
zlh54T91}{OW>niht8uxf+FX&~jsPYly!nmYzm7l9fRq(LW+TU}NN}1Up8FI$mCj?7
zrKW~&S06b1)-edr{@e^7nEp-TEwEARr=TcaMvAmKzwAWT0J}%CIbd%cwdj<>&5+G5
z62Er!c{Owvy72OILsR%r2Xx`0WIMFkSC}V~p|%9ou!(5@9*oFBFFm{t2;%PzyI&}$
z@!{Vd7^>+6ugA@5=I+V~KGeD=d=+zcjq)nDxAN(9Sh2dtXZr`v8E#G!6`fYiesC5W
zWYmGduVjpY#t!a-wmQ!f%|qOpbKhoMNy(6E#`OmMYg$>ZXRq{jb98%asHmt2Sx0!7
z%&kDcqF^uuZ*Ol+Wo`23fW{#xntuS7^}xG~W5dJG2_O0dso(yevhhE@{yHtyN};60Ag;s`&9fzyj_s>+XT@
z^5*}%FgvXW;NNn2jnnNFCkTdu7%4px%*OS&^-^D-?n4X8yCRme_G=eROSs>))?4^x
z;)3HbP`|(=J#4Jb6W(p13w+;5Y7&0WRKG(NH$xjYgzT57@EIXi!vAfcYmF-ZTfi;?>
z`26xk7Qu%eAL(S_$4s*K&Pe6A$9ehSfeXW9;}yA$C&sC!aBuHTC+5&ga*-nqQT6uL
z!W^>~6Lb1-`1h5e$F8dOOCL=6a~+A<_}?!1eOJX&OF`1lzoJjuj0$*%bO$84rG1}PmiOUOveLCDL#NnTkT1OtIx262W<0(!r!q@}}XMm9U
z?j*Pf!-<=W>2Hz~CtSa1Ia=TRqL=4r)6~kPxtBOSes_Kby;mu!dtx+Qck(dA-B$W@
ztxt9ds=`b4NM&jDh6gLYJkd=S6N9rE-cwFjPnzCsn{pveLv2epUyCHoy-m(TpK`e1
z8H4UM)-qi{jp3BClQ&Qrz5K*P2+T%L1oxqHA%q|ZVNwnj&F@-F1?xtNRp=YW;&vNX0CZ@E5MMFOY}istgvvY!o258reV
z?`mG4I)7a=y_YSWp7X(6w*hVThDk&byB__6R;=KChaK9`qlAkTYbxSmV%>n;kqA3I
zjx=|_mM(6k1<+UmyKH{;!uCO>=Yp0CqTaLDH)
zT3_0(j1&@T>aFeVR8xH=K&>SZEa>a%f-KD}EoniQ-bX1Ecv7#ft$CgvAIOz71ucpq
zp7)ZSQoKKiyWrVi1@S*aHQO>XdS3sVQP2K?tOQ_1fUG~*u;v*GpsbpcW*@(dOh3F|
zBgH8oq?Y9D9n^Vn-8)Co3A&*&5n(IBH17V{?T_fj#0~8VsQE_t5cmzZukxBw~rD;}k!yluqj58w1T#J*{<>`Id-ds67mXzu&G
zre|U*_+&rp16~_!0EJ^{1;3ysv-ND9h;t*tFW{RC{R38W%8aNnPR=l=LO
zm@u09Gew}hM_XIlb02379OVLA_Pig}|6wp(KP3Bz?$_&F3?-in7xzhj#6{!f=Ob(_!xwp1>;{8D^uG
zp0p(Yak08iNGtoJ3m5io`J8sqEiCoH@A#hpCpLluuKi#psnH?^(EtTGr3Q@Ve?cX0
z+^F(dGb(*teLkb;ma_QRy)1>O?ryCeJU+-Y{q5W6yB}n%JECcDw*oZg`@~!0!9%mN
zyDO0Y%h4XwTUXGuRDtTdrqj9DLOaJ8gMS&7GBI}C#v%lC0C2Q9986<1R|yp!upXM8zdGP%AxCDj_~6}9lXmzXB@C;(ZF{r
zs?5+0Q1iw>MxHWkf<1f2X1diGmxEovMk39AoL}q3>aUW?vGkl7@ynWYVOF{vSj%vG
zON$si5)2<~;ktr9qjpP!-7%vDFqF#!m{KoY?5@Y7WVe~7mw+1tf4fBhJa0sdp91Fk
z$Kc>S0C;>heoF&iM1Y3;EgM~?B-arQjG&oS-cw=Knh5?EIMJPEOYsI@Pb02OZ>i=L
zqWR~&!szC(v{+GgozAYmbjSQZcl`P3>c+zoh)NpBF$Eq{j9D|WNMB#K>U)Rw3rv|G
zJ_%h>OZtj$aK<+TINCGs`y?K(a3Vjg~eDRO`+gRWpCVHRhmOyjVv&a!F&%0QVkcXx^R
zxXFf70n6_uj!h5SJ6dkpXV-Tg85#L|;ZIf)IXXI0lynUY4bcY++{*vhEeFAnyz~z0-mMF9NNllYl{iXhC$J^85tQK>yy{v6N0%e
zM?wZ)F(gC5p6;sj#FZ%A%-34dv|EH6l(PP(x~T-!jVkS2H7Fbr2U0XiE+!GZ0Z;;5
z47yD|R1l3`EimFH1k+2LPd~6*pXSe%Mo;VQ$wJl>?|1kXRVn)gLR@O{*
zo1%gQw{(=T7Ndk>hbun)Iwq*xO2o*$BCh*DB;pN2n@xds0)7<-^F
z)Svo3IkEM)qi%kf^Miz4teEYctYw?1!5NwGR&c5|{O3TB+OZv{3
z1~eBThXMiuJdr_44|EA4O|Xuk4fLLWZ4(9{K!*Skg#Cpa7Gk1A0VSV8(X_`
zT9WS3U8}|Iq1j&gW;i!N25
zrz3DJNnsF~S(F>5Pe~EkImrV{3x~XTppol*E*oo-&@x;~F&4ZPla$xGU3Wdp%+N5>
zqS4nH)gHwNOJ_E&u)Jkq!Aa;l?Q#GM(bZKa!aNiBxn1Fy4?M{u!D;;<>mFzdnCjKB
zk}B6}nP;{QVIdXf4KKh)U`|IU-*Cjyaq4sM9M!w#^
z6eUDN7}a&RmE}?R6ca{{T(UnX*>aYL0`0ROGR{Y;k7I?^Z>W2ppt-`+!u2C@ZB2}m
zDroA^5LbcFQ>U6fcD4LQ=$gwNRKWic!^`fpI@!SXSV~4_9(1B@vW@TGCjyUfdwVMS9ug*bGUcIyGm<}VIe62f!#1_AtSG(M`mG=I
zIFPZ8F6H6Hzj-P9PhQsU88WLS`<7Wgx24j3U~ztUKeJ%E$7*i#_b|MUv#Kt((Jx12
zptPHILF*)8z=LVP|HCPw<;&%k2g~H&s6s;uf0<=qZ=+8
zW~`;Rz)JWV-1gt!3L>)_~k6O04{J&AG|Xp!6k%-dUWD@>pg
zKs$g9CZHWwR3z@1S>>XQWqQ*Zxci<+I`I&|%GN7_ba=Rb{9G=xnwRYS$9Jw~RZJz!
z0%1)e_ebQ^cb6H0r>-JbG=Bsa(dvttCCsuf|0IT1Zy@s0LaoAN7-x4X>O>7gWtWk
z!GZ~??E5Y#d8wC2vSl}|Eot5Gd)mPV4oh-D#U$9{U+K6g)lj-|(TaGke3B&{zq)(g
zP?2-fMr5n_D)|%6v%Ocd4--zZv?ctvy?-r$c3jLXwx&
zzp}DI7?UH65ahtObvAB8_tqavNlE3_)lG~lfb&hz0E5<@j=sL1GWz&nn}B^l=b2Zx
z&@-((jJTzrSX{3h;xBW1@vnH^{v_zj+T|z6`CFfhP2a9cI%u(C
zD@b0>9w{ALi8OI3s?`y@n_<}R_sD@a`0M7LN}aF0vHO+MwRXzc(!X(^_b8l}W
zVo!#MI2s-$x@XQV7S|S>wQy=EGxKr5|4ZCn-vqgZ!MK3{g3=)=VCL0D5rc;hBfyx_
z#|f$XvTg_hX};K(u3TZ!PTU7Pap
zcYl2O@$NsN>!Jnw|9KTC&o2wt<(HWl>AN(9sIXR6oH5W@BN~+Fdz3xw6#SNo&+`rdYr%JqQPN^A*2J}CmtvZ$lJ{0(>3HAQ?K`7Y?
zLJ-o3;ZGLK%*-|uZ^l&ExqMBz3glAs}btmc(_DtW32;v3DNTm
z;P6>&Y55#NrDz2&DDk?^t
zOONm2jw7LscXBdZCl7#cHvwiijeWtTy%N^ZeF^Z|9GHS&;o#W$Cd0=^Vpi*N6Ks!?
zx(iiC|M{8f;NsHR)~3eWD?k_dHaf+J8wXqGBoqw+iX4O+{{G0{<;3~v4=md5$cWq^
zsX$gaO^)2FG8)6#J&F})h9Cqt03H(jj
z1+)iVK3+nFl&1zK{ZUOv$6>rQ;9bEi504ZB?FrmtDi22J~!9@~JZbQtj%5eE9lR@;UsMg|RU+P+$!W4>Rm?@Q{v|Tf~)_
z)$!iAabrdLuA#Oz8R5gRvBdyaz|{G!Pd
zCtC<{P-&_w75Mk4-DM(h9lTG;0$=S*(GcP!|M(%E8}`!t2+
zt=%OXU*3DY8w~;J+bp}}Yzq*t`lKbd^DK1o#lF8H{0+0kACkS;EeacQwgx^tQlpz!%^-Km6-gLznn#vi(72
zYIAmaA{TP_4P676Ox)24*qh{|tRf*14hq*yr2xqpNnu)3Q<v?}yj)d>
znnWg?%YzUOE#|svUG3&x|EDE+(+s)nYmvVT%VxCSWi8f97)s6JDgQ@Qfv9_3sMb@D)gJe@_7^JuvXl$ru@V2jSjxqgfxB0j)XmJ;33nO_
zh0;vZ^EBDYsK|GiVsE;3un34GI-wFS0@%p+uOuNDScZErE0FBm{#NvqrvsYNo==Kq
z_|!mJ#(+8?74e8%tNkqFgqJT(bgC94^1(vQ@bVX`@d29nhRB%^t``@bMUdzR?-nLH
zZU)rb$nba2EIyzc>0r$T)Kakc^1?h1zxo4;U5h>CI!h7TFmG-Da+O5~!IEurixWk<
z^|rduy^`yVZjN>eQ=zQf$1xT2#rjImr=kKRe)ku)WD!Hw(BRP=f|TCJhVEFB!i>lLwt_U@9AjFsJ$PtX0cE1%hd!39@p*;q@
zOmb4pgti=G^6e@3?QKG1OhE5#Jr_48XBVm?1_(1&4}Pbavo=r}
z7_~WT^ryDDk6YVPUwg^Ve>wg^M
zW;?~dp}pat#mvxCnk&b#qkD9^xYQ6>Ul#LSeZy;l#Et?rd4!mGlO2oMe*GF%%;*GC
z=7GZ@r}~3gI^;}<*f)cHo0G6w43y=QUiGPoR-K}i5ZEc;W4T!{f
z(bN?FMhAH>W|vLaIz070)n7owdlzRlNWhM;Dez{ogg+`Sw^5jGa=Bi64a$92SE`}=
z$XP8dca$~!YSsd(I?|?aGuHJ-ec5${Oc4h|t7f8mooRaq9finxZNgJo_UZ)fG&iWS
zp%Hui*tqMB4jI*2Cn?xuAwx1dvP?^@BFTW+j+K}Pl0o0Sw=^zY7&(NGuYqCSIA6`_
zdwq!(UMK~WRlCpD3#NAskd*K;<&lC!H|9M9%c~VJ2lZ1SD&Gg8z{&8k=We%a6Q&?6
z;&tXnS@$6e=dS#7`>R4ZYB$~P?GqL2Lx)<;+-cEssoFDhs8>8Llpz!=Ehw<}8f@~2
zAfqGbGRdRV@54nzMY{+sB=?!7NTlL0zy*Xk00I#s(0L_L&hXJjWhE?%tT!>aib
z#e%1)k3!D~dwQfDwJR&hYL|;VFWr2{I%swi>YrK75LYl
zESS>jsFN(YB4+u)8Eeez{UqZipB!ddZmmGOr$BD@Kf(lw)c}H^y2^$O(~O^qM98wL
z=g|}7A0R+a9UOj){w^)O<}zJNQ({~}+baL#rYLyP^38a+zB;!mFkWxo)lvHvehvsiX(SioRKk5eI~_tv?oOd*t(Z;#Y^O
zW4v3^cu2WlTZ#BvP_2|~BN?*wJ!ZExu>o8IirhirL<(JhcA`Y~arQaw#;Tj7TTr|A
zs%BXc2Xe#BmzUPaMTrIoiCz>l`?X;B4t@7E4ipXXoRDKv<~1`;^+hZ~sgZ-wvBQgcU?G8kWne?dxWIcp)8nbv59X%PbpbG~VGq8MuP;2u
zhG%D!2$)vE$Ekn&>eZ`rAl*$&SSC(VivK@#mYFZ>?qp~l#QE}+42{-mc0gJ(KYINI
z!WR<%zPPL`xk9%e9S}eJxS3=jl`7Zxu25P~nHQ4Y``AXp6qaC)SmyWBi%!6JSjXGf
znKmVyI^Li(ei1-auwu4?kWm=h1<*Co8!C=tfx!nNX9|zZo!Xn~#uD6{STA$bJG0SC
zT5@i$=oYF-Z^i^9ywj>{^v%(xg4_O?xbiX!eV&K(6t_tR7TxVs+-^|0t14vG5U+Z;
z{&2rHCyc&MW81SO%&p%!isSp&(jtmkMerDd4jw@%%$2A@-11+pjIqV|YeHfoq5W4@
zR>s1~x%*8_W!o>9s52XI4Qb2=$&WT@w*Qp
zqi8`1Oe+>Ukmy9z()hmL!T^za!`=OiZhv3avLkcA5OH|x1%X=hUI2&;C$hYDxMUX=
z@8;KHZGAkvu@HkM=3U7`fB8*QQu(oz30+~H5I{5FA~a~#ezuQj&7Dtx2bjvb|CykF
zpGSe*1}!`S%nUj5{RJHv9jyx3wktKOqiqpxssU@B?FoWKK(Xqt1*>p_HK|FUZO5am
zjNHux%vk|=ufZhi%PVgL9|H+1FJDD}Uy2H3_VxpL!jr4{kFX#X0s+df)F5AD?sJuV
zV>Ne#-fS=BOV}HI>AS28`|-nYY8s*2WdVan!LA%udQ4z^Y9NI{rfsVVvR6}4xW^d<
zhy;xHozLJLtcWEfV|dgYP>nx5dg|?b`==Y>1I&6^+!d`{>ZyS|s2&$2dT@fo$ONkZ
zL+(j-v1P~Yw{PoIGLba~9i;GlOMhZW@j^_QrkS!2o|e1qU_t+zEM
zM64gpKX5XUuom42XP62p&$%46?fm~R_SI2QM_s#sAf_2=KjvV
zWt&{#Yv%pZ_?8*iSc3p#Tr%Ocm59Tx%<<#)~Oa0H9(M9%$+hWWsa)l;@$p
z`@9!ip3Ku-6ZMm3-lket54HS}w26s{LoV^GL^G|Kn>8&C=CNiF>x_2k^kGI`t^S4P}6W~z(rxD=_Da!op=s5%OY0Obk@5krj>i{<+i>}*SdZUXZ`G9
zR4+=ZF&h*?TX0W|X2EiIB;!c$XIf2ysiHH&pI2oF9b6oB~m
z-{7Y~IPBy9%j!!|D*|o9Ca&|3AUQZI!A6=v{r1f)D#qW}0G>qI7dzH~p&T-K{1UhWKu
zkDP2zi~cP3Oj@4#4Ry>$D|JPos{0#Y$EKT
zUab3qmPC<#IeVSM)G(Y|*)_?UaVd7{j?$Zun)qSfvm>e$zHts%yy|~;Jn3X~HFr$%
z#{Fx4+&h~6x_$=_FAHQeVB{FRW5@Y_Xbh40Jd>Zl0}TRF#=kk9FJ8*Y&i(-?4J->T
z)9r8HzKyIwz=n6}-B)Ij{&^Kae^9^W3aCO#P`XEdUEbdc?D;>Bw}-jErZMSIqxVvP
zzL{-qK1%gsqmkwfQq?%J~w>d%s!@TauQza%OeO(f
z1>0?mFxk>Y
z6jlXDPQ2ECSbnKbj3PbuU42tRP;}M=ayfgZArhGgS)Z^HH-yy%Z{)?rxJC&yi(}w8
zIPR}ux-57OBkups9UaI!7tYF#@=uX(~t>yUy5om@8-H+4TXmjm2b2)Na4|ZEWb75Pa
z2^5w#e99>{ZGiK15Nz|zrGDs!Cm?q6o5~6{JBZI%36HX)f%$aCdybo?mLn`6^}-szCy}we6PJyUX5vJmTl8Bcx@WS^8o_WM0}CQ-v!^g
z!HgY5&=&CgiZsX_YK&pRgUm59jlWUX+qWcKd*uhaoZk38oVdgh7jt#_fScWKfM1^*
zlc?mWj3$4pfp-{U?bSfpzU>(o#7)A}Y`~^dW9H(nBz23AV=xNLIkVh53MRjA@0lJX
z8JYs8;~9gfyQS&pI^rDECk>wIEW8FZQ1+ah3-2`l=7CWqw!RHsNqiuE0ewy-C0x+w
z%r4=0@W3COWWajRKe;~+S}Mp{KA=hZ`q74^wU3Vka(va>UZTlm&>uz4=FrvC6E{kR
zay5sG4b;In4HKGJDXVU}QOfuKX8A`zORxwiAo!^J`StM)FYAYcOplb*4Q{_Qmff*0
zrWyOVwgS;Z{6;Q~Nb~`bqMD7;Dyv8{MAvp!8wCDiA0>7IB3_zUy}{M$gWc10V~kld
zSe?&{rw^*0=1OH>iY>_{bu6%*!!ICrMtXB{huhm}5$XB-u+}XJNmnQh
zki?FRj}xC<0fzK@NIj|5MA3&lO)
z21Vu7lO&<7*wo(R?*SF@~%`F#i0o8{J
zG(YT4wq6ZeC2;C}LYlas;N-~}=++`n`)cT=&jBAi$8@-Jhb79*;I!=@oXR)#w}_>N
zew29fie~=BcnnjpGTVCm+?x1@Zt2>e-8k&NwnG^5cj(W3q^i_1&1TGO$<4Ef^
zyo}E)#d^kz`^a}WNW3We8wH#lO&JyGkuz1N{>NHR;+w`_)t+G7B?J
zxlG@t7n1+64H@}5(qT{Wd8YWD_!YgQR|An0Zj+Ul@$w7{xCXX1!d7rnX@hpHy-04b
zYj9GgqJEg6%1+2O(iSu0SwMK%f%MnXtm#zSJqbaPskj79%Da*VFbP*(M->)<;zrCM
z6+7eo=bFvS+~TRFCzXrcl2=p!cmXPk&!0a67XQMW=UzljV-9wpw2;R!8SukS|xFkWj&mLrdRsua`fYBt5nciM_|YZL`%Wl>rezZUiT{o
zFa$>XqR4o_;KZ|xJDP#!{J@ikhD8i^?u7*Q!9K=-Ul|XG_kiXfSyQ+l<>fm|V}X@X
z%~V^)lgt3aINmQ)5;Z8eo_N2CBOzJ-4;xMlyw=v%kHr(F~O9t$7=OF<-RT?t0sBX~?g1zmP}hQUGpGli53w;lV6PqBNylI2AcVTlbCGhB|69#GkPg>nciR^B}}GX`8|!fcw~AOF?;npG|*%Q
zA?D!KFgHxc(@e{Vj%7W2ushNovEFs&lHIj`<|0LLSr~-Qcb6y1Rxmv9Xsn1x?-ncZ(eB8DBW=ldf>dnQXpEn%^KfG_ccVxdO
z(&k)tbk5hfT?RR8uoX`|_8k2c{i^bgJFaVoSM!~SrFLHg_t6n4hh_%ITLI|V%f`)M
zGh6!sl=?vB>S@^Ec3_O`s%K=ho}7UWIspg}2TPrxJ#LxfP*WqAn-igbx&3ke&!eyZ
zATG7P)oh)Ihf(q@&`U`A3Fg(u7nHnP^s?eM&9Zz!8(|}6yk3qFMsY?sZVIi@ZHhn(
zZ*R#93IaF#v)Z*bMyCO66|wtQ_|X;!5J3$f-BBKv;k`IJC1B=b2e!=r6gVO#LxqHd
zF?ie~-!em@?z2-$K+7Fp21CIM(i{D@YdisG7wVxzcPL<1zkTLPh=Z5;KeE1~&l);c
zfUk+1*WY+NrWDO3S!0s;-zs-i#=cz3EV~1lo`-gbW_zZOKY72tJe*>Vzo}=w@ZPvm
z3vgqGiE5P{klWl-d^mh*p|V2v^3WKZ#-B{T2B&kxd#a@!EkA9J#n&p#PB(Yg`IJ=N
zZk{3bH1%qTPO3xHx&IMvriE7Fm~_-vmRLpDl26oKP^07&E7Pqx8_btxN7_d9z6C>_
zgn7rt59S0V!iRk>6$-clV;`Cu@|%&CMxI}(+F=<4folxs!6cAkU4GN~2YkYHhTZFgKGbFFbH+_w(8d{
z>AdgX9bD4KHOLk6bEi*InX9!8zv4fj=g1!Yy`Ht>OBWXxo7~&vgkALWL#;-;uc@uG
zo=~yAHb{X))4yDsp#jhO#*_9ZWql=o0=4ZEJ72ZFDwJU`;D~hz`-PpsVPL}uefzxc
zcF<=Z+awxy+#04rJA3e0BPj34T~WR!ExP;qN+K`60h57%z(h?A4Frg>F}2BMAQ(e3
zd3ryyE^~g)t2<0hKXmdrC^VuOT~RfN?fY9&3jcL7zd>x5hwYSHv-s5@PaxZ4@w-Zj
zYe-*1;()6u_vL5EUG<2jzMpSu=t?-2ha>WiwNE7l@xETBC$Im3Ns@b6iC$^0~2dnXX4)|R#O-WDklC;FI
zC2mWNZ8YFhCml?Jo7$UjpQRv82y|>|gdLE08U^Kn00!70Y5*61120^h4kvH~R2wou
zcyHX?gaBO3r&$h#KkZMVJvwh5P43wgr2wjLY8cu*;7PMA|MspU*4-aTxmI~SVIT8?
zUWOCJh*}0rnXGP_Z4~YJ+Pq+jdVfx4=IZ*Mp=suNy({83;kp|Ap3RPL2`pu%t40BQ
zXp4VQxI9xV;D%~J#K1lv5-`eX%U6`lP)}px<#~l3ATE}mi*_IHxzBpt119mid%j>+
zdkx~^;%T6VYT9N~h3M3OVJpNedJJ`jkt5UVZL)bO=`!}23-h$0
zbk|i!f@lQmKmMaK_FqF3M{^P#$auv)KHeAMgJ)9xJyj<?LAm;%5pWLE>HhwH9{CD)x~mduU|B;TwJe@onM)Fh|hM_
zh>}g8O4dwZTh2rqCQ|LCm`Zxj5gebD0CD=`mX5d*YT!_aWU=TU&|jIWSoJBSC#yl$
zYi#G`y}iZ3(g51S%?;R~3NK&AY#*eh(II)ofY)iS`RwsCpwyR98V)(XI$q@Hp>lhM
z_O~vQ9jCep=2YXr9z{-fN+i%;8+^A)R1C#Ed?YBz4Lk|t)h~Sm?}4{fpSIKWvPXaF
zRQ)I>;c9CnOjY977Nly)c50qEl?<}KYkH?%_`7(Pv8&oVV%CfJ16gz4XaE%CsuI3f
zJ;98DI`VH1VwPvHpB|m>Hw%h~x14wRg7Qc)I&0NdR@baKh?EFkj?PfY^xO6>B^{kS
z82SJ(8iG5w0m*lGSOEan@eg&DJiMHoNRR_ntgH&xt;X-L@_l*l);=EVUg|@KX5j@U
z4-`K89{Oq&Gxrc22+b@EcO!fofu6(})nTG=pn{
zMUv*ssCK=f$J)DQNNUoO!}!(g)A{(EfMR+^JqR-AkCgOG6il&9(K+*eL1^XB`UCF
zduzflVW>1=p{Lst}2j)kg?TQF9yi0Jr;eo9+ug&&x!*~4#q%skt-)bHZqA!q9&
z2gv0dpMI2Zh3bO=l3(KD>gZbjmlj9umDs*J7U!vCzZtBC!DNFGg$CqbGo3l4$UAdo
z`Q&PcQISeIH5%XC$CW_BeIJEG-JoCNM{N!T?)pvsNzqC4QdF;z7U;KShbYM-Ps}Vh
zch(bI{!n$%YH6HOk@txYT7pSv+ksX2wI{*+J`fis&#yMhhJrZdL*#vqL~9`v-7%Ss
zCpiH=s_(k^Q8ya6skd_pM#5`ogZJ$LuMs$+zA$6`d5@BbiU>FBxJx0;pS|Z70lxMw
zZJxVq>AJKVC_sgMURSX{KggY1PZIj^4qj#hJYhrRl)h(xL&0VAFvLjd?NYTZf648_
zXv)S=o#wfKUlcfj`(sMni*@U1G71Vo`Bk77jTCFrxh4`FNYf94AY^%UT5(h$+Cwaj^peVhW{@&4Gu-XHj^5s&;BzkLQhHM7kfTA5no$;uZ7s^rRa-E!8f02~87$Vq0mVS0v1D3?nW4C9Ta=tke
z&F@JGq6?9O(uDGru4S%J2#m?`3@zSrn321fb*&1hZULdKyUuZ4Y~Hoa9|Or~Ysz
z-EH-5J6BWvh9i>9NJ}mG4C=u}HOd+r>RlU`$RKrlhTnux&B^-cE)#}r9)^JuCw4-p
zz~p)8Hn+paBp158TaXj5f3T6Lo3H$zhj!E%adQ9~ih6Qp7|d3jki^
zSYIb+XLlbuSreVpKd#Y
zMDpErhhqG1ier+Rxf_7b|FIhfb*p21X3FdZPD*M5)pF;={k=gV_0C&*-^<>QqBVLQ
z{08y+8N;Y&E;cuOMxI1dBDgOo4Wud8=%p+p31zp7wFCV#H6IS2-L1EEVFZ+$!`1$@
z((3G5x)*?h)yqK3V2u`Wt^(^~wny#hZLT4S9>UVCMV}qQedp&#
zHuVZmO4c2(i{gC0bc{;ImXx>-;qH%x<>|(CV&^Me>MFaao^&5w;y7LbVEZho9lNJS
zS-VDB%U9fz{tFwaLM6GGq9(*itKD`B)A#i^H;yYkPIsodQL$FsS>*mZZGr@HrgEb0l8(HYY&5)G97!Q#GwU|myi=m9R*!+4NM!op
z>*s`^y7M|DQj5dgw)V%-?sQIgjBT#ZB$S
zjsxD~zq_p`!@Zst&~>G)NbkNCoY+G3bhCBzcC`m-SwRZxFAo&Bm`TLpm376`pj_mn
zrYzLgCNfFO$m+5xpi%|zQF?a0{JY3W$t7Ig$Ocw1L5-pGp!x}uTAv2i-?^$|&+g0#
zg$zxU8apkB9QMNrrqL1DvKC+YUHR8+&zN#d$+OngP+}g_KSUPhKvG5LvB5BqCO&gB
z31?}_JiQZO`1e)^lChqAw(6ut;95>O8cVcnOxMJSkK{=lk1m%wd3a)CBlmaIApC|#
z;9majnI)>YlKO{)zC@I)yR)4KRjnD2EftiHE;xHN{-40;E*pt#E
zg;#;1FM)O&AjVI=7+zCj1%xXY-rm>hHhSZ8GfU|)=1qlh`1W_~7#9k?k~6J(TkFW9
z32qkzrbE`R)D6F2VjXcV6a}4B=2+g~W-a`sE!%Ye`1rutu?XVk_>r;bmLIoSwk7;V
z?6@yVt1@$P(4!cfr<~2Z1&M9A
zs~z9QNBzDIB~!*&_gk|h5!N#wv?lu$A3fs~%HQ`}KkR*w
zEy1LmF1&qRHlypgr@kIO^kx0>T-$MI+Nxuv`7{o6=GgU)ww0
zdH^ELE)D}>3N9+-{bPQ8@p@6?&>XZM93Dy*@lRjsAL%d}hCvm2xZz*9UpFjOEq^la
zp6Kp`$%RSbV{b(2LWc@uUq16Z!j!!VrJqP>AmT{RwJ|gG)
zafSW+NB9~UqyNN(?$yo*R-9cNc9aJ^AKKusrHv9>M#H(_!>$wInQ~*6Z#o{N(=}dL
zdYXb+RRV-tpPw@C|58_391`7=m3;jAv*U9}Xib(Syx}pFTRq!C{P-36DPnkMb6YaS
zb{?!4EIV;fJJ7`sxqio3QJme@_iqqo#DOj!qWzbDFTZ%zIoDqI_1
zv8j))5dA@W39WD`TD3J(ylAe_O9-}gINFz7cIcA?qBe`8onVi*Z3YPoU)nC#nFmah
zCymGZasypHl0^58s=KX1hqGYGdiLM<*2f=fY6K;O&427>l?-2AzCH>>GA~@4k7#Fo
z5pW86`t-c+fVaa-linXO71pAM7vm1DTL3dl@q#x4el#$)vbZsggv5D4c?NF68yx0sXyOiYq
znfP%rX-#J;lz%ZW3xDyT47RWiYYC^n-VXwkC^gc=SeQkVCR(WFR+TAXHTN-J3cDHo
zIIo7L&H2Lv@86hCj;g8@EBN$u!U=XPf%{r36aMus4Xx0}MIQOMm~)jb*Wsg_%TIjP
z;)8DY`fK%m&K8~&(`qSFmrRi~Mb;9rv9Y$*n{`xW`vtt|5jI0b!^LKsS$um+OC+pF
z(1&HHrP^1yZHj`$DZwA5@!p_`&QR~~>`ofLw?kCEj}t8EzL>Aaw6Zyq2<4bL0#C7N3Aq4+xV}Gz(x(fB
z9#%wQChzS*H@ziF!37z}{p3~1@OuG1MC)hzLHCyyvyoOfr67y$QZ1_?fj>j8Y)5{!
zPlO`FotYfmvI5j9jR@i-=6GN$^G>FcgYTdsgWwNd+drBzMnGbMdnDR00T%3wVYzTO_L%#Sz
zJm!bmC`0PG2#hgaIg|Pnc0{@f4tahef1-2h8_TRK!A^)VvyMvNasY(fXDwaKIDu`q
zV2cH|Hl0e6m)6fCQWHOMJ{gSN725mRwBfNV*&3R#I;bS=L}qZxqAj;d3FD@N1dT14
ze;oXYVl$j?^v`>-82{%WC!81*^P`k-Rnk{{=o=%docK*LeOH>VoKU3mjL?fd(t?bY
zu%0ZPR_D_UU4itHTWeOpZZOk>Fil7OdxoLTA%~;mnf&JHW=3VK2bX$=d<{ahvq@WX
zZuUbH_Ah9tRbM2#_`A^eZ!TXD2uY4!xkhcbos`gbSq87;iyF-*U$K8F+vp^xI+D%=KwiNkE+X&!`d6*yDZZTt+g-Z%n|?iqGQHY@FjiDG&M
zdsFJ$uzB2XIqVOydU48@w9hAO%}&nWi|+>otEAl#@Xc??uMsUB`e!yl3nr&Go(!+C
zY;C`tVd4oZGmDO8X4KNJ&Am6u
z+#tFje@gp-4$tic`G=BjbIh#XrsbtL1{h;ysvS&~q=B%mc#1cxe)p+UjdF-(ci4&x
z(|8e-nZ=SYvtl{s>`$Ek
zV=;lqSG&b*oMu$6ywpMo?6WL|B+$$r2l2p$1VeF)f#-`h^0vwBqfNiIiH=p2%D67{
zv#RR4S)SE9yQT<+#4sA7I9^NXy3eF>ZEstyKRM>^&=_B0P#_NC~=?;k~w+Mbht`Nh>=>$}?8^o{Dw^jBsBNQhcu1iNqI
zD^_Cm->}wGsWbmu_x3`P^d%298wZ!Xf{Xz;Jm}{nBQnwgUN1EJ#E1#&uD$`HKC$LDO^J+dZ`tdWypfu!$?0nvyeA#Vjjj^XEG72SuLU
z2HKuSDle1da(EIEP6lvT&zh~mNpJc+0e%8!3zSy;!xgf>M(#-U?{rOr#Ejl>{J4$9+nn;AQCS4>+NF#7>#9p@~1hXt3d`z;Y7zH>j+;VzUuFoH@)_
zZNqYckmD-)A8ks;iFe^t=Z8v7GEUrjxj7}5aruCbX{6$3Il8hl|5@ixQRLf|`;rj9
zFg`cHBh7GQu;Aj_Ku}__duj$;+w6s}cD3-Z5^C)YN-=u;2KM00Ojoh8CDN
z0p9kE%dZf3x8wan=TErBx9<-tsRIUl^ar1{jifX0`xx>V4O^v^!P}L!TfBHq8!KBz
zN}|ym=f0cPLPM4IFTw;eD=V@5gog9c#}uE|J~P+R<1nl_#-j6H`$$pJhyve5+6s}HPp7jX@vuCRO_eu1yqoV*D-r=ME-zxzTCW?r+zN;n-1T8hfvSbC4x
z2lm;URFbcj4AHysF%mr*iR@
z_>e9#ryX{cXNS)VCxOO3Nk3OmaJ=P_zW1|GL4{anhPhBB
z!D4v>Q;bGjS}c9nB}r~#H-~PbvVKuFlPlWy=UI4SEeI6(?(Uaj)%eb=ds6S0m_Kn0
zV=~uJU=rf4Mr@CGT(hcbOay;`!x&A4#1hGinxQToO5429`4Pl08}-!ZoqZ!@YWs
zD~bjiCs$V_hhdN{VkvrJFjlFbV$KZgr=@O%;r}tS?}hJS0?YBVwjJb>PQ-IQ
zopRbWMZ|HYxmZROc!ucpQW@dfs^JpTc&up4lr*N$s#O*ii;~ixj+dvGCec!xJ#@d)
zuINY}hR2l-pNn;dW`AE+t4x6re(UAAb0V2o!O1JCgDkH}&95`e#url(|AQTOJ$-uvFkJg^jf(npG#zNva
z;q=zM(b;m40!SIAF#SD}X;P@E$im9q)LU!Y2PK^inSaL|U>6zu(gdZ4KMVEfW9kpi
zHn;}@{k$H!q5qL73NPBk}8BVW-Xx3%81B>ZcP(C$-K(JLW8
z$+_{#bo|MG34q{_+kdxA5tKWR1&ylCeNak~d$u;xt1cwY7d{<&DBU34bM+?aNo(;5
zzgzv@s}vfsuutzE!;96Lql=rE(dnC^@2>VIqh8xt)PhVHQwhCaL>EXES*uG7BXK8+
zJF?bp2j}_)NKqyS65>M}@oeuaT4uRQ><1iKBxAGbdmjV}Ij=p$qm`taVij=5;Viwz
zz8|J*SG4<>qTo+Tg{T}Ur?&f`@9X!k=`WzycZTSE_{{Zk9`V^;5G>`MP{N{=Q=~f+
zgVdbQJzQ0|$E}ci6hJ`a_b+c31vxt_s=kqhq}eT={`RFjWTHsMd~^>@+(O|p(F&Xn
zyNxr;9iQ`8`n7o+4vlV-KV4AdGq`0H!@^WaqLwoahDoR6FhYck&sUQtm+Gw(7F30gQMg>37I>Y>|2ud7H)#$*tgB7)J4Z^tk0@I>yMQsz
z$<>Zo-Ey0!|3M|k+qRgULLZHcM2?4>o1dy+?C8g;QGTzP>+2BcM$7-<0*rW-#E_uX
zi%O%A5{-B}7N9%Xri_=ua^bZn)bnjo%^n<}1R3zjLeXwkQoI*$tB#uXhzpIG2DP+~LmUV|prQ|FvGqhf}IK%`%
zQtaj~Fi}vjOWSB|rw^D$NM~{9sxX*SY?drG`zlO~l21KzQD73
z6XBQL-BGU(l<4I{e{uT$0`$P>djTt?s>pXNk+zTHm0Sy?R*aQUtG=2`xK7Y3~-Ru
z2)r?vG%nJc2yr$@MaJI;eTp&HPa<3G_olxlqltWxMih*nK_Rf$UdD`_p@~+!YR!ZS
zq7stD!A>wQO#IoP1mA;a@;Sru9qkiQjVK&+UeV0LyQN-uxlGS0%)(K%XCdRBeDu(N
zRrUPqyMM8v)a}wg`z5l{)-}c?dMK}lKY%;VuzPXaM7jvYH6B?zeEmw=J@HD(eg=ZS
z)WyLqZ7;UpB3Dlc(X_h=uwblYYRz{&pveq7W;SYETsqp{1v2H!PVYb$(--C6atXJq
zdJe0U$TQ0u0e+Hti?@L;dHbC`eA_Tg)W?}Sk0_)Pjv83LXrO)A?#ZL!%oADdjrTw^
zu_EesYUxjR`somLZb(RT+At#z&zEe@SX&XJqi&s$_0DYWT%uvr1yPdWn<^da8QwqK
zCJrpej?-_CEiN&-ia^M1iR1Cb=
zJSZak^NcGPO9Ga*z2Ano76gy4sjg4b9b0YYn$vZaSL}5pZdnV>T|8ssI1-tQhZ{
zu-D}@6b7ZF^SF~(MO__+gl%7um(<%m_MqG5tmMGRFUp}X2-7VqYQg}2jQ)Oum>ku>
z?_Zin5M;&fkl*JJ6}3B&TVF0wpc@`)R?K*}K&OFsefy)cZP!73lvMQ0-jgCBq|3Tn
zXxln!fcSI^|C+s0|8#|>e5Fq^NIP-9nS*vNVyR3^&AG0oAwPkd;%`mF{tpUlw1bmU
za|JAD)%V4#;*_=5@fEs37vAWXdk7nokUVW;Z={i+_WzMk#h=++PvjjGwKyr7-WjJi
zIk@2!|F(Xs;*GOEDfC&iO4GLP?B$Bhb7jsuPs-}EX34tAt6uAP7P7|I{F;;^llo3s
z!QvrR(mHN71)uzf!JvzN^d!j-LoFX^eY1oXQx>Sxg-g@>zS)
z<4GR43SCj$N*HD-TYB)TbS~!i*E|^`mC3*s*}o~?*uR`$eC>impy<~A4>nkH8GUc!
zQ#S31tCqU7$k7ArMz0kLtIW^t0i4G;BqS@dn}=DAiQ_{BR-+dJ%s6OmRstpMQFLxZ
zzObeSyYsx?Y!CWYV(7cS5qsIxefn(eNGYH4$t>i-hnTUU_XKm~cwu_Uc1P5PVKYA0
z+tLlOT2$`}%NnyuLDU_|g%_2U=o3i06T}6r5RNY{omlaRNJMt0&m@n#Jqyo;vJPLbl@eYO{jwdE%b93BAE8Og%Gs!>
z{o|o$?)!YmN%=g-f%-_8|9p4(O^SSJz^{kzc86qqF>sJRul{nR+a{iOubMyjvNGIZ?daNm
zU8C03oIA}8dQM^$N2y-+F2$k_!`!M`WoBZf2YUxGm|%ApNUuCY7Lxa^5j$D(j5%6P
zIH!}lk^G>SxS-yvq#++xn!ii)_v{?e%%LJbJssNlQ=O^E-pJ_h0rRm{l?p;z;<0)n
zUm|w^<=~RrEh1v;xmwi+y(t?*EK~zY^s@Drd4AB4;iZ}VE6vtO?rZ+Y6dEa=XFN8D
zzWh-Q1MBqE)*qk!Xsw~Cg-mWCtHGO!PjuqfYW%e$rJz_F*tsc9k7Q6Gmg5*s!MxjT
znCMQelf8FQRVAfR#cjQ|yT#9vXUx+5v~|_Oht}jDzO$4vxB7fkPncR9VNqNv^Ztd{
zA5Aw@NW;PrOGd-|=W>t`pg}#~k<<0_5Q+D^ZA9(Xl?;jb9+qcqbv5v$(P7y4=fa2i
zmA1!O6&Lk38l3fF%hz%Fd-6w%h{W&xIw)ZPguu+(rvCR@X#c&I7vQy&X|q>RGZvy>
zE6=l`LWmNX1h>u8I1R$=r;?C9^dXj6qF+favkG^{tt`HSnN-1Hw0f!iD9Mes8fax;
zdW~Tz3hBL>3K+cmnvdN%uQbLUHt21PkJeVOK9x+{D(ik5;Y92n}Gp*9zXe)d<3@Y
zBP8D;PalaN?Tmmf&K4bNiK?B|JyvpX64}z+;a%s?E$s>Cd{?c$P5{)_Oi^l5Zwz+>
z+G0rmmOY~Zr;#;)vg2Q2?)&c-%TM#tGqOyTy5LqXeCY4O5h*1z
zTcAg`If-`fZz_gLz+HI@`7zOx?VBz33XWd2J!!>41Q?&9_G8V9Z}ymyHodi?l&-yt
zB@8rO8P-#xoAKP*%kq5E)j|IC8Zw3_cGUL-r4@12BH1a4nB)99x~n)4N1$a#oZscK
zwfkj&cg|_*9E4eDXN5OrIh7VL_3AE>O8$xL;!Hei@OAH?$vN4)FcyDM
zwu)R0rC+Cx&Z(*gR(E++iuk+f$II9-;-?+k4wax!*FupjaVB)zunyDP)feY;
zcK*@UwwKuy^|gREYec;X0+oX&wq$0~(IxnA9Kygt*xr=nlocj3pJ1qmduD~7{V5dt
zr%Q5uPy3E>jN|3*LKe4<1YVnZDgj9QC@E2Sv1B;ocp{jP$Ww9jR
zAAgF#UajJ%$|CfH+`=~e*ZM836f&`RPw|o|S#pnTotqqh2f8
zY~ey=qwA_Q>+1dL#RJ!k<(;6A%2#Dko?*+-T$hzH?dpyE(psD=pDPUPd^=YJzgn$l
z(8q$=@mxFCMR_{8VUwnB4>)A3Ou)N)_flU&!y;i#h!OyE5~+;X_ZG<#uvb0yl^zVJ
z;<&E9oqfhUKmsj!2Q`e#%2KQ4C~XXo9D2S8mB?XJb$bna>~@xDu3oh0M37SKb2qZa
z=XQwp)baBI^cT%%CXHi`97LZj1LrW50d@+Q610i(!n8jLI`8M%*HF?>wq1160#7<%RbDrNChfG)
z!~wf~iD~`_-ARRj{O5Z$5O6lIMoK7l=^V{Z`2ct2gN)Y|=5);Iv3XpuSN<>M-vbO!j66XJZ822_iUZaEv%nQP(Tl|9Hzx
z=38H*H{X~0lD&K4oU`588(S7~0KI(ofP*0Hz_;p1rF=N`+LS4iTzE2)%IK-uG&XH@
zdbPc3R}}^SXK~s0qcaY?YHT4pyW&r?4U*AV`{nlQP+&&ZM!WBA&`=sZcHCkelju54
zE?+txda@-6g)a8t?y!0|JV7_TYc*1TvdmUu(YbK#nJFG8#iwaBAK~`Qx(iNyi6G2n
zvZT*CdkTOQ+;NA0DLuw*L}?n*RxPK>te0^xP6C+gwu_YbH_@G9-fEJO{WMv&C@hpy
zKIhA>$9ksdgK_-rnjPcVZ^VR;CHb*XI;$c_@hiTv>0NPgR9dtSV=}0_anw2_Ey1X>
zx_Dbv>lLA;Lgm35R0B~uAxTN9Il{>}Nv=dcI>XstX!YC!iCE0hOKE5#iAp(yBb|hA
zZxL=jevrXY9L3Wyq`O#kpKwGx8L;;UDhW5}|7eLOQ=<-~1aqmfQF>!nu|oagD7x%A
z-D575ht4joi!Eu@o}>ZKWbn`pm2LC@nSl
zrM~t5>df+tf0_OlWK>2~^~6w%ZPX${6(@*TZD(^zUM#aOf?9BZig`}$9xB9>kYMDa
zI(S&`)X90Jj{WYBxyAKF-FPuzT3I+(6g`W{30W_3xMwbdr%?
zea2Kjy3{doT`AY`29E6fbTEkq;Y7Ic60P1xpL`@Pz8b>mY;t}Xww-D-O7;{Ii<`tf
zlsuGozZK0;T;wqr{vxy4Q}IpoTwDr0dzIRu#yOzvhw#G5?xSN|15xCDQ@pwIdut*QG_#BiU=eD@)`nDip;C}(R%
zX?r;cN|K(JEXh2
zyFt3UyAL4U-}ct${np~gkv}Zw%$}JmW_DXc!1vO_9`vIaIl*~->4V0PHWv21M%Z#`
zxZTqXMCW@vOg69(HeEl4qAJMIsi{v)`)3
zEGLf&MKA$%FXu5`A~TLb@~XWOCGopPa65iZEm
z+SKZ%@*gwZ_e;fQEeyRhWaj6`9jSES(tw9(Sw>$_y-U*e*59rprL$#$cTg)*P@W?5
z*hv?1RT?|%lnva`-{YsX)5P8Yk?wK^R?be#SUoby)tFfbO8UClIcbz+CMuixbdpoZ
zf2}No&1RHs{CTXt)P>qSu?cp?1@zn|~>hR&6D@8Zp+)!Z8@7fjln
zmuNg~Jt{gm?bm+CQe`#j(|*CiTfapu=B6Kw4XnvXpd%7$t!3YSxft9opfdA9>++14HV|XL}=nKfjEy
zNAm%{l!#d$$x5}n)Ipp}mbgK?8R#+HU|)DWgnM@UlC*rUcnF5}9CZ*7uB|D8e7!y%
z2&*B$|IoED0Z+f)x`d3GC`jI92hB3V^d^t2=VOLMbYMQ&2MN2Loz;_SMRRuD#&ata^W8E=96F8ZRjktGdkds
zzM(T#XnV;k)>jOTC}oM7xtG5ZN14jf6NJB`iWsP@@Y*Ar)Gh60EQUQ3+TEyNQmaQ)
z7HjgV2u_^Iv^^ay)V6&W5W(vcyqV*A<#1E=aM~bb*oS*-&2|12Q#Mz2_+=0nefj=>
zn|Vw2pHt4zrl&qU19KyG(QG-{Sxria+F#UnGL(M2&Fy{8Hembv5!JmJB%UQHzZ)Vl
zWUBI+^p|~?oCA1SyQ&Z-(F%V4>bXK+AVlJ3Cq`{yWPJ0hrJ56;1H(_YT8f|H=vBOa
zQQag8R2oUHu&Ev9F!k1p4rBXtAH1*#Dm<_WKpDc5cU@+SpGx$@9nTt(EUX`>rOfT*
z(F9Ts8?SBwAByoxhv^gXP{8zDh!dSU+9KJ@K+)4-43wCV+h>1(fNUR9nvE1
zq2|Zez|NR6aSDHxt??G175tt2M`-eaFJA1+5ns3Bf#F-kkq@PaBmc{UWLUSzp-Ww{f#o1{i#}%15{Vp9lc2x$&1hgooG&py8;8Sb*`_
zT?-#&FP9R2ZLSdQXt8MEb`+zdSsXp_?;ETUS!m3SJr?>ci45hYa6YG0DX%U#f354q
z6Lp@s;eq}h4Ry+~i~DKGmB`I9Vt%@t27c*-#rXyp$L8q@cY7s3e89$VgSOsM(A;A?PwHY+2f0xly|J4V|RzX!GS`3sftd0croCE5ip1^9c=I
z|3qX0AEkZZtxu*~ROWIo5EMBK28F*pIzJ6g#$@KYF=>srzyP3%vGPn^L3!Kt`dX)E
zC!`{?`uZvCF){2!3@`>vIW8k@U;vW3iM1Q_-)VOb;xDlB#VcRYfHFXVu5)XVWUmhT
z2-QUkdh7SD$uL%1-X)8Li_Jd-Fx$TmKRhbk@TYHfR1a8*7_QhbtUMbZ@CO
zC@whv*f_b>zHkz5r$=*IN03&&?C`{#KQGFHHlwDp0Uqcvv(x9ac|W|AGC8|uSYXu9
zYyXBc%Fp^ucI$UMZx_!-`Xt8*GErMyL7eg7oem-+2CO7kp(`@+rF2oBgoNa3+*6{(O3r>Oz#dSlsA3(bh(KQ(#mTc
z=4(CUzMj(67k(@i203E=JT||W%IcBC6cmL!nb~%vd_fZ1t}txe@*oZ^w0MISH&-Tj
zJQtZ&`;8j*_8C!1c6WZ!-W!Xd=Qqc*b&#>1W|ieD5ny*oDql7MY(>C4^N*nNWBXH#
zqWs6+sas(}2*Bj_SX^06?fGh+ahNeQV7vKP?Tm>7a8*C*fRR~0n6{L!WWup%Vvgj~
zdr5QBq0fu_e4_WhKgY1N=M2p(ly{OCUY7}6ZsHy4K%kUQSJkycU`V
z$gTZ7>k#=Q9-+Mxm3!jfo4zt|>py-aMj~-zuXK3S{~F)ic5)(z8A&8Le<}v?>ioYR
zCH(!p&mVgjt<4;r#XXDQ8jezhozyn{-Z-n`fmKTo`FL@&_xqG2QAbzY4<#i4&5*2a
zY-cM5-~142pwc*Zptf=Cd9>_Jh)c+hQ(b5couzX8(5koLO6;axYidvSQ~PboCOcnR
zwQr}dhM=Yyg6HK-4LmbjeCL~%o2_dcOJOn1U_K=TbcKijGChYT9GD8au-!vm^k1D{
z#N+UeccA;-qOU&Ha33ft9-#juW+jPXCHKMOO#U1LYWICiAo3|c(Xh_RK=hon>DZuh
zW`Ng`_u*36aJyK4K-;;|=J0Rvji!485m%ivNJlrNn>xZLw|eE5h~E?D$3dyO*Yjpg
zgmVjKD3AyWqL^m5vatw_0iQPvn8N*qqXY*JkP7)O_#_SA=3wpbS`CL}RXfsXHF)A1
z_Sx=jhycCp8(_dSJUs45SG{t51Wa2}Z}X0wEC9?DJ8c*7AE-x#^8U|8P@UPdITUV<
z@r&b0yX#96ulg4rT6eSVD9`cv-9*CdggkApHU02tDsMoEp-V-@9ulrI9Yf@h`!Q!UO3Wwd+KE5ea&w2OW7J%Mq!
zEIb(fd@6bFhB&rKsP4VsI$LL@*RL8&OMXBx>*`hcqMU)0ufSdn$41!!MC`ChS#s;smip|ZC^vW9u+_j11<98M+oHnr=8Y@iBsEFMIq
zA;+3URfgP5KSm8n>x}HO|5bcSqO7SMw(EMf@2WD0-p4D8Xi!6N9Mfvc_~S1@K^zGd
znT5&yJ;egL!^F3zAFu=?$!|Zaz4CSo=*mZ;F7(-DkF+sJ4y~hPo;XXr${C+okVa@A
zCn?^PKY%+by*}`F23Iz$CnP3hmXyIT5b*n63=WbX+ksKpf`4aGD%u}OB!$fyw6faU
zas^@0{4rervG9at@c9BJ$=%86LuJ72MxpMBwRn=~bme*{R1T5x$FT0f-TrqT754bM
zFMSFxf(-KiH8*KB!X*}Ac+_G)QWEqN|(k0?SKChYt-6KQ?Fj+VKl8`s;FLtk~;
zGz_9PJ|q9E{XSO2=V&A@6?p1LTD3YyRmDr5&vQd=I*byHL!q%U6=ZTt)a~a(t>1i4DCB#07p0f4s?
z;&5+zt)#&P1EwvZyB9C;zLC|v^~w`gUR1zP)S%0TSg
z+qHWSqN5U;Dyz>0ig3D-j1B&*&OMHM=YCh-5IE=)eKm=-$jw!-4~7fwZpLh`&bH4w
z)0^vJYBng8EJECntM_9uQ9(JLqRsAfjb(1~7Ywu=PL1kXLT0czeipB3yR!n$%khaI
zVYA2ZG=I`8gcr|GP9TAEdPS-haqg$K!C~V~*UVP0K0e*F4IK!nkS&eHwFvcxNJC=}
z{2CYBwF*qMYYmK#CIjmnVz%AZ;6)uFKPmRADB7)X~6rt`oiq)
zUzdFtgjJT{@cBoV{-Nd_oc~CJUrcbtv=ieZx9e#I)^Ob$G{nqg0U`Fdwqlw{0
z8pedUy0@@_TdLm*fAKzNV$dPDIX^~s6wR>yf=uhvc&InHEq+28;T{h)Gv{f>-&yxA
z#@O;F9bFy|abY=?gfKO46NfAGHqd>t%Zs6oo3YL8gZ5gc{Fr>c<`w-YzsC(B<5-=S
z=dBC~cq0702zZY%CPj1|-IGryR|Y<_i~7qR-*sCXyJy}sxvF?Ek}sB%`G6pouHUoL
z^~W{KKDs$UI}8^^Tjd&}jFo|!gg4w~nuC7ltoN84jG(}i>>;`IcIC+88FX;7P)}N>bLS7O?7VRXPnw_O;7{^2BWuKuUJ{s+Mao+
ziUIqQ_Y%gs*!|+bl%qRhC-9UX%R7_&d&;Z-^&9U$Rt{~5r>yy?-}zQMKD7-^JwIY*
zgd-ajOEFQ6mh2!Z$#lgg7Ly)F4TZl~qp<+=$s~F_Ud!nd>(#RN(y=MO_)o__Y=jlL
zwX@jQ$t7O>sd*s@KZ378`*O8ZE5B3>KV##Gx1}qX)1gC
z6!yJQST%Bx%SNw$)FsqO%lH*WJ%3I2NK
z{6vNS^UP@yuhfF3)gV1nlj+e_>NnwK(%WMxy0jMuML$UVHpJwHXu*D18gs(zyN?f-
z348*`sOM1{-Zzj0jJ+ot4&OrT7pNoKMkRP-^}_9Q#+n86nIUz}D)_2a!ntoFxGW<&
zu|xYN7N@*h2oJ-xI3wYl&%_+XaM|gP{q*5hlO;6EF|Fo=P)^+gVyw#TY%H%?!AJg%lQh|pGD!erSC!_(apcgmYKL;#H^tlx+
zfRC#o8qFT_VIju5@0T-wV5F+F;#!DLfW9jZ=kmziPZP+P8*FHO%C)PBn-tu6s|7PJTPu55?Y
z%RoyyT&ANOT50i)&j^MZ@-)c>Ig>8c1-d?6&Mfibu3e~OTtEtn-n$3Tytt1OaNdwq
z_I4MGS#r9$LA(*^Nh-sX#TPmqJj-z@MInpd7x`=(kpNA>COz4_n*;0^{qO;G_)6uL
zaip`&hE@m;yLQChL$C$UslWERdXrKkKydt7kmQ!V{R^B)(EbAFJuVK*brtAL9Pg~|
z{6r2?QA|4SPwre4F58;Q0lxj12AY@#5F5S8H5#*PAu-w6fGu*5))jR^SBR&~o3IiS
zwfD#A%PvvUe4#3BzQ#%Wl%JtICJOw)5XL6k>pMsS689TLZJEod79`@zOz1|NQ@fSx
zU-WOo^UJZGCZ@-8vRg6n5*e!6oC<1nE`}~9WlbtFevm{Q^S3zeT&rSi^OC|`Ngl39
zgu&rwn`iAe6WJ3{7X7NdakWWuk2c*h6vn6Ke&Qoj_`s(G;mm*obBk`Xc3?KO+OG9%
zpO@ylJ121a@QFbrAaT9>k&q&Q3@rVuF=H?B?W!pSL<&PazFLo?!ypY!!=p7RF#JcN
zBNXsnid`4+cw!8oVW`ef_yvO&H(Me62NLEMzj^a`2BRW%!A+y4@62OJF$<7W+`pXx
z<$zze!Rruw_&jgM_1B*W{~7T=g4dYP{!%psrV|CCiL>m4z?O`oI>p{b+#>5uB{_am
z9jc<#m+yv9x@Dt(NFL4KB$+%F6e?BtU`PDfqYl*f(c4{SSFi&3(`M+FDU8o(B05g{
zK9ks(bDPOHmO&}~e8lNJ;ReoR+%S0*fcyD7n&-{NSncCRkGw!608emAHIaEjR{10#
zY3U?q6c>I}Z9cr1O76L(Q1%zdZG)*?mzv+xBqO9U1D+5-2n#`5(z9Eit9~9~9iToO<)e3>xjEd-Zci
zP^%QyYSApU1pvhW3l`<++tS+XpUs|m;P%|h+zk9rlxHsTYyBh=2p(XEIU}vy>mM0x
z`gc^lOmZC7YKQ(Maq7H@XPdPgN@B|^ta_VWU>7YO6U>axP6ZW;$PKZvvq(Z~Z6U5{
zTTU&70Lk29_-4M)S@)-*{Y=soRP!^7lpxCB?`ChX+1D+JxMR{L63iC+1+&Q2`DT{Q
z8Su~ClQ|&{QAc$fI~e-Rx-4wKR=Yjk7Upo`(T?&MiQi)}rv1Z(b}!e_Y0p9K7fwrT
zf$golNbAU@C%2m=K@7sd%Ucqn*g0YO8wt|m4v3ZE&-A9k)++9zr}iL~4MR!u^=0K&
zcqf+Xm6rOLIRWSX;8?5G=a^ii11X_6`aL*NccTnM52WdvFPAGLcGwTMH7b6DGiaPp
zZB1hd@M`r9qrsAZLP4&;{Tu&CZUs_N`F+_!9005WhU$@kGGV0f$>-00+~VBPamyF1
zcwj&6@LWI3_$1z8^`#VOV3b@ue@*T1pOOA1Z@S&|jcj7*uLfBma+b-SGc1DV7z@m1
z`WSyJXNg7%(!n!#2F3u1fy(N(JYaK|OBNv3Vs5C=ba|Nu?s1FiU{4RW-%PurC3~Vw
zS~gKnyo2OT(*V0rErm4`SLg_h{O;xA*qSEX&REXhm7aLq;>YLq{M4vHqQ|`uNty1B
zTd`bCnAayJ{=s?pcaD0vBa7Tx?AUYN)N~`#$*N>c`H507Cf9nr^`(h2U8KZ|9+GJVy<^lhN}S7GQ`l@duNvk{C!)-*cs-3*
zhaHxCS#6W);eI^XQ)q+Q9#@l7xV`<{492AVI|Boko6rLY;w0h4b1T3%$B(Xt3n)MP
z|0zFX^Vwf7&kW2@SOX$Y$ILyZ18%cDcbA#L*0RXi_viWr$4=0lEkM>rn(V&)%lnek
z{L9*?lzQu8nDg2o=$APYVpqH^7eN~oc*Equi>}RfMk7%rvG+;_bPkEiB0U;YGeJXB
zG5=LxO<*03gq;O)72g{EKvzb(pl)RNgD&m^@VK$#L_9be
zJKCy2BVCO$!C#uaw0E3vB^Yq$<>tKZm^~c@7uYWL&lZ+_Ldmst_T!yrFuK2XWCXD-
zF-vY+wTGb2w83(~)O}q*@(N&nrs)Kw9vCY<^3Ixk1pd5rR43DGS`!B`=;21?dK_c#
z4WreweMO(0s2zi4^VBCbs>ie`%f|Vdbf;Cz*>Xp9Oq4RA-?wYde2RJmj<(?zZSfEZ
zFr}u}Y07{(DCno){lqq)5Mjvl;W6no17>%%R_MCnHShd)XFYexZ{G9W3yW{7>CeBT
zNw~kQ2O1l+7)BtV4}AxClpb8Xze}BdJJA0!*A^(dbPy;Zl5iVv9~VVGX+`I@g3@BK
z4N;ht*i4ACwMoCpPQZ+8oKwxwn*Whv$6|g=B>Q_4Vo$!aTvDvg0mg*w82AIvB0b&r
zm;P4UE((&7s6MgtLh7iLP^%X9Fjf*eb`7~9G3d1VGrk!DE1@#)0hMK(Xe~HgS9)?z
zqu@R-FP7tmN8~ey+8m$QZb}fLQL2doxAXT#%R!a;Tqrld^FX;61->NpCVy%eieyIt
zqkTdJfrHodp6wf25^PC#r2HT%@(fXC1?I~?wFGi@EKe;MG5&rwSn$rj$8UX|?TR;d43gBR+55sXbtZw8p(f)63vJpGn
zV%-N|1ipN?@tSJ4#PL96lddPb=dpg83nzgX$(MVI{;Tw6uTx3>mR7
zL*K%1BoNcFi56i-o9JQj^IOfdD<>FhMsB8&;v#K;_F(Hh^!6rHg(J|qs%Pk>xns~J
z;oDqPkg6=qBLud;7OuDWjk_0m$-y3`luIc`Rd%*CQI)l<;PWwR7j`Q*H&9+5dX0Q<
zcYt{okFTLIodd-ZQFtX?nTh!RhX8l3K|k^gjE4M1`gF=#l~Z^17uQZUO0VYEAn6&+ykf6%*)rf-+-VoibCD#LBUa!zwNxoeI6^u~oD)5J0%dka
zf9JVm????E4O3WgmwuMrxn5X&dAEw9(O5k&7no|;V;rfszY}?u|6+I$v?xSd>bBfK
zqNdo-zKr~YwiOFNvPVH6aW6G_Wd25Y@b6aeFW#;E(-b{Q(%0+;gbk!Mar3b&VR5DK
zl@6Sgth^1u(>hxQj-&o^I+Z^d_n?!QomR8=nwTqU(Bz{%B%e}PNb!$y0h^pqjxi>(
z-KsCl!h(^gt$puLYc1}#S;~KaL-yrzTZ!UNC32UIo>;-CJ`}!4a}Jw}>cHW;NsKJ4
zaMCPH&+Fc4PLR`k94igT;p(T$xQ!#X;^x~qT}xZJc^(|T@D}5{;q7wNU>=JTS~Vy}ljT-4cb1iv4>ErtUN-!BF-s?`%J
zUo53s_6>iSsC`*2)O~p
z;$NOH2IfD(Bg(Z~c9~;V=)6|2bfYRYdxGUOzK#%`V#{=Z^n{v9-azXhOim_~icmyb
z7tG-?C`^$O%2pTklN*YUR!^dsNzvD4LRHoVrNGu%ta9Tba{)g>i(}v?X|p!mD$cmB
zCJlFZi=cs~@4Tg6;G+{?pz;rqUvYd4M4de?w_96vB?`c{Q;_b~0?um|CBoh5%_Mf`
z#IGM66^DoikV5=Vno_?9D5x=~a6T^1@uS=TlXP_5__b$||DDZ)Q^6!!X1uGS*qlIv
zqwNKYB&V=5RW)DW!~RV>FzC)-R>P4Eit(U>90Tx19B*W)jdb6ct-20%R`0b3AwygY
zDi`uUE62S%?Un3vmF)clKs1#}-+!C0obCr-Xx)3(g-b`Q8|nz|(6?d>lpGZytWLm(
zd@;os|9Y3#KiB{%w|W^UMqVvg?|D2MDa>K5BC&2DYezd}Lw{!|%Z-*+HvxK(M=_9<
zzzf;F_|vyAS*SCQ%Rb*=%XdbU{~)B!w0QKP2@73>OkbdN)3Ph5urr5u_ig0w_sj!g
zn@fF%mQ>y$CwoP1wu0romCZ@NUJKjd;eaFF-%mD2`O~NX?qV7)y>sg38?BiI^K>I#
za~<^Dus~#K&P2G@L6?iOWg0p000q`WjlVlrFzM<(DF&pj^dVuP7vWKnSFJ7^&&;Ux
zrN9fgePaRJJp)bgCxqo~y4u4Ykuwkg3qkUPBBO&u*~ShG0W@QQ)lz_+kE#ePI=r_&CdJEu>xu11*`89q>;)`&
z=F>&}QBZ(f93=Xeh@H*l2_2Zx$J5s=)_!~09x2@#=smbgOeN<(?Na>m4KbVLNwXMP
z*#ma}q66x&Ja0m#62L+VVyh{4u?&+_htplA9|2lDe)&Q9Dc2HL658<=g3Kl>7(9N!
z3byJsQ+36yF9&z0p$PaF6+tt9^)N*5aM_^_3yawHbsYW@jOAkR3$y3h9#K5&_!+8$
zrHxLBd;S}X(y0Zh8#5c71yv>kE%S4G^p1TN!jw}(r8i;SZ7xtA3#{iKX&9be8A0xu
zFHOHKsTJF$#UGp?<9<&!^wiNUQRF?MO5TG<&-C_Rkc*_RqKA)VDZNF@N|~2cW|rVc
z57{mVY{ae-TuFe3eDaRu&mv|>|E*EumT)IG2MTrle>WRUlpJwkY@UI|$}amY)W0bR
z4e__ZkJ(SFrj%p;dX<|W52gPNZVu=>S6PzOIFMUnGjbRlXpJO54Q*8u&uU5KW$_bx
zcMW(Bf$b0Du_yt^RZra7eMCMq$BE~j=$k7GfiiFK(hM}|b5fgg5K|)jRDmr@?V;Jq
zD%s#vqqZJrOJ-F$;xLbv&8<;OG+m3{N}$ATYY?y=EG%ZGDQ>o+>vf%ZDU&ntEP+j$
zJwc`A&*VWq^P{K=yK*>FdIG&_=GT_VpKF7@gZVX~Y~
z!eMTz-2HI5uYm-9UckAd!2dXd2kz=&U#jIm?9r`&E?)a}g@8e8=TBy??*s3hkVz9j
z_rJ#q1}pK_6a8I2h6Vtupy=1!Rz;^hML=M;ZMO3Iv#R<7*WUMU2}DQu8#?4akQ5K%
zN_>_tQnW*dxpI`*0?V7FV^QP9Iq)XC5}MNf0d~4E)YS6xbR&(#
zIX3Ws3cH#i5H4N{yO>Q+c-cWX^EYAu+h5r=c}$r;#};V(krPdD+$JCV(_QJV$Oiy!
zYX0eC$}jupnyAv7rjO~APb#O1P;SKsmz`e(KrQ?o?q!XnwS*vWu64t4I?weu9q?N{
z!tOSm?}|%pPE)f2x60k2*tk~K@k7H=n`x0#`;7DBID29|3?S7w$`$vQV_nwgHT^gC
zY;%A7ANPdP6OsGTQF{kl)(r)YPeT;tJVf
z67bVow*O(a(pEY%_CbaRaW#cTlkO__9d379D#W1x9C&~Bel0pEt{0Ni&SB}mo(>A{
zoSE+~dbjK9bP(iNGyI6Q47F?Z*6P8@nP{l?rK!5_(%{+t3{M##xsL7ougB|to-Q@}
zjk5~VNi+_Iik_MFWnmQ9d^2WUv5g>=%yihn{r@Z0DW^j|?h0%+&dpY5$AIL-Z5@mL
zH=4`=|A{5c62L`{2S>D~kHm&Sy5JX$hieOj|<7+aG8vGlug#akr;OR^Q9hy$F8JiyeLZmt}kqABSv@^t?)-vbln4Oo^udiLP*VG~Dmg}`?ktMBC
zfH~qt^1S;);=C;5Y9r(InBL=Y%-!~uOn!5t3PWRN%5Uhmzg7s@=sx+6rTufagJ*IZ
z+KFkF2J`Sv=_?&CcSM}PtF?$on0Nv-?v1+IMQAb$oQ-E
z^GF!MO*}a&Z!Np$S>gBVSh2Qx^1^ma?R{*uxr6Vgq!g(c`zk7%?Qus9Jl-VvhN|xw
zbeSwuEFU`{q{H)$e)jW*)J$f$ru*X23b^xdoq-e%6Q9E6k|55V
zb%A$lGftkczL+)V{g|UuK?mMy_AWjw0G;aK0X3}k^N)ysEh91^Ly{Q?Q%vqS@rJFL
z4Tci*!8z&q`M^|{99v#n?dQfR(Nw90(>0)EEusJ(X|az;MN^F;Cl3QoL(ZMm(988!
zotKZuU%Xx~FptwxyRyDK-El;IF*HZiR&(sCrrloop?I)X&2@|)Cd>ij;4I^S$sHvs
zDo>MXGW@hUPFawDUT6IZ;dK@H3fDG%yZI|vnUl)}J1`=x7h}9VX!)$2D6g+?q1NsY
zYNR{{>~TGA)_Bvj-t$ZtEppWqE3NBVG|nQwZWW9@XesLdh+e1u${Txiia2qc@z}&3
zm*Km5&5-@VReN;`U{~93pY>jKaJsJ9R2QF|T5m60-kx69xqxST6!xZJFQF9w*!ST7
zTuF%SD@&r%OpQ%DiWLyvO@;&d6s*lC(5HM-KmJ|J@RPy&D^=ld@0GA~KplwjV+P_6
z#lq%Z+H?qhyOo)=_6^hzW~y@EcH0boH<`-G;@2npu8@`vIBsAp7d7Y@+vH6+JK36^
zbCels_Nlf5dLL&yk0weY&vw4gZe1D}!cCzPj3|X|8tRy}887$Hc1NQ>g}0;#>k$V9
z`_nLJM8Y|p_67T}{DOfo*k9vcX}HAwu37iiaaPqw-=7A#TYkIzEUjxjg(Mp;@A9pv
z!&kHV@N~4Zn#F?s`E-6(=8$pEQ+*qtqL7~gX|a*DIxYm+XtO$GzrPX|GnyExvb}=x
z-Qm=}L*m>git0F(hc${afScb^@QPqlgXQ
zd{Jh(zb8d_4@%WC8W_t1xFRmhaG%($)2Tf~yg|
z0fjhlp^m5+7ToW0fi8pH@Rh9{FyaWR3{~&x10!miy_Vd+Vv_&&{+luK9|ph(A{}~y
zQ&$@*i8_jf0J9!_k)frLOkj;#SRbj~_F-uEz
zm7C#5Ca%0-A5A;MjkliX#}W$okw(wI`)&vi(hOl04@lA!^-)<|+o`calG%u#kV4_$lDoa<$-NhK~WvnjtBXn30PwFhafx&m>4biiaG*gAJbS;2M3_zps3mMOdM-8wvg<$Z=8B#`Adk)GrMQpFE
z9QPK@b9D4ZNUxkO_=M06n%5f)#(WLV7WL0(=K9}V0F3YGpFb1#!Fm%*`Vw4{JUwg
zV_9-T7a302&B7;{ng*`tj85-P$6xS}(++->tWDl1H$LZE^ivgIWO~=KuYF5>hA9Ps
zPkfrjwk_1zN(c__^Q_fLeqNp4aAwmN2?Nu$ZKih73g6-K^qhda=f^|f1q@%Ai?)Nt
z!3lJz`G^FI%g8;(FD_5^~ja
zLyb{^-ZuK+N4{;KYJW<~#Sp`5DTmp7s&
zIOS`t$kN!x&Q)?&)u8sPmiX7D{Yk?0hy7xy74iD3)4BPTCW+{q_gGwuvvmw)w_J$w
z>-2G^;CyQwQH6rTW#u`6KvtA{1>5C@mnPRj;!DanNt_HSB1?E;1s-Si8v?HMthyqx
zdmEf@881x5?#@}({c67qe%5&jEvqZ6HZUk-=$n~a-QP03i}}B}8vKhZBoJ35v^*<@
z;^NHx=G{+z*r
zp`JQgn$l{X-T~oAnBz17!RICG%gMrP$bKqTe-|00&G`1Rg07~IERLAjDv~ae?z4ls
zm^wKiQV^VDu<QFpa248gBdm%FFUtGEOc;z$H{2AZcwjRs$e^3q&$wD4Ed?5J*rzd`PRVJu_
zfQD>vQPmOrs^`LmutDIiz5LkEr1D?(0(q@}NLvV*(#I90Lf3hb8A5GTphUSuv~ISd*&9jK%RTsr-sG8nG>n@u
zoI1x}@W|3K9&WVkToV(um*#By5eYJ;J*}VYDhUm}!S&^Ed7A);H$mDjI#3HZBV=z8
z5SFap@)6;gO|4Z7NMS)%I=txMn+pW5De`JCYZl@2hBWCq=XjiR=4U)o6vJwaErJW}aB#`v~}5hHcfu`UDhyu8X>-+N?M3G$N>Ohb@!&RTp1&`Gmc%3GwH
zVt%ahPtoQK$W-a}vI!hda<;Dh2We7|EWs)R=HF}$T#
zDwK+?+J?fVS->q``NM6aHs8m-uZ0TOmI%S71nyIgnxYXZ@G~lEn=<3BC$78jA+qYu
zC}7Z*CcYI<@O4STmzyiI9EYrB@_u6q;*b62%4GNLQMP7V5nm&DpJ|@D1Uzud29`tT
z_EM9lZFlqQ#4M~&sH!h@7-$K#NWWWIWVC=CF2@`*O6tao9(9V31)Ii$%Xl{VQ9dg<
z;G*6(F&-}en9Q|~91mvzwP1G)E+i(j6I^lEkJq)lG|f0NS9sB9jYTeIXo#=QuKRaR
zHPu{nPi{vs&!3H`2xpsTV#U7+WWjR7?<6|2q+8?c{u4^zXXN02*~L%%~FIw6U9KHG*xa8yVUff>xI=6GWz$DSQtZi5h*X{*giwf^<7n^CLTT<|73?
z$0*074NNI3xHhR$I`*5`R^G&6>}ZGNWtNrf<_TrdI>8q%V0t7!z1KY`ZdVzzPh&`L
zobc}r2u;{5&*1y98O>O(yi#?XmqR%*^Mu(vc4M$z{IxJyEpOaeQRl!+*i{X(P2uC(
zf@f_TM#lZ`+w(f2XXqayJz|zEmogk{?#J(x53IG)x5G<*VcVWwO7h^SAzt+^?c*Ba
zd;+-}=xn()!DAVr7MRW_s(2nQU$gDYu3HVHGl5z{J`3PyQrMCC(r~mP4mi8=Jh>}w3)sr~b(Hn%hZ{C|-Hf(MH|feTcDZ@yCt3i^-+INr8{
z+vdSq>5G$3`4_7Q`v=bL?PM08mVeG%kDN;d6T|;L`EoSnS)ZcZ#DYuJ?hU3f9afC+
zE?+~K^3CbdBD8B$B!8@fWt=T%JxG4R
zs(?(S*R6yxwLo(D)&(edUuD+I162)`BLNDsO8aoxzvxqNhfWN8>h!McI@l9pj*+a=
z82lao@I+Yt72T=^dO??7~A78Z31VqJzro@?9SLRflbX4#mic-;@{_AW>;};gNcF
zEWuQRj}jSXu>YdAa#>SA0$urK)=ni3&Zf^wTU6a-zE$eT*!V4WL`;IJAVb_#_*W$<
z-YO#o{(E`-uI=$N`lAmw{N}{~%{t5;W=6CvQ9mB;>HN!elsFydgg-I=9i7~?#rly<
z@LW}mP7>>JkiUIwJ6}1r0C`S>S%Z7P)oCxt3fe>d!HJ^Kp2JkA9A``QF&oxmKbSBJ6VW4mjL~IL#1#
zf{tP^!nj*aIC^sf)1Y<~4lBLLi0Re$^wokqjI3dn?#LVI0~uZS?VhDt)$r2=s@hP^
zpmzVuA+l`ct`YP}OWX9B^Hv7qPQrDe7gKl2m*49hffXy4jAPd~;nEqD-16H$8dh1m
zrW$d!c*iL`uPMma?-@fc@hb$Z$LUXtf=XFsB_iTjDt&Ub@&
z_575=<)z?Jd|d9~9Nz`s)ipUP%@YPQR9u~2t$en3Pn29wAAZ|6TyT
z)R}H*89-Yf#@%nFE*Ma9`w-@{%3Uvtmhn^0`nLnlUij}OhMz1*mL_A_?x}?0$(^h~
zU3k(h`eE=FH@xph`BxXZ7If6zQM{$4W;_{xKun`
zL++9Cf5iNVcaJ!ps6A8n%&SQMMRfpWPSQ&o+_@
zEaY=&;cYJGq@|}CWUEs5<#^0b?a`JD%k0U72O!AOTOLoFyRlL+!1k(>K}Xzvz3WmG
zNh!W_OZy62oTyTEe1%L@V?k(A_LxUFKvN?M{V-lQ&FB8$gqA@@1L858ms>9Rz#8s6
zS*bs>ppE4K7v?jzIdh$08yWQ`r~4o*0?^qIk4+J~i&m1!{Sgl?EH=MW`Z_2rF%M3e
zeX&R-F
zKSg=vc7uJWx^=dNbbZ`Kfzl#kJ&MUz-s@!FkuRmAK}j@uPdf@qRXgo;!=?Bd;#+ZR2>6
zOZfn1QJ+1{bCaAky#vn-h@J$JdOPn+&^CU0-MA5nPB_I9h(7L8SHe0W@jTx;63;&M
zK+A!F3e+;OFBY!WETBv17B&Q@oSJTJA8@$nIE4pXV8drAP~G0Gk9guvdE6Ru&)E+b`2)!iJC4W}j*yfsfdiqX!F+JBJnoR@gl%>2h
z?qt;0?V6-GTC{>Il`gElWvL{1i&d)|^mlrIn$*@goVz5&{>5kIoVDXlq18u
z>zJWYULWp*)TR^n#Z8tiec|5Mac}JUdb_XQ>1p_J&3|dJ=6t6sG3PpVAZjxjt(MSw
z;18+bOyq{obK78OV+vn)xu4zKjA%yM?5WC3>89nri2H%COGKV8a@^z4{ci4g)TQop
zhw6cW9vH?JR2tB6=yY|m;rka{%S)nXPDOd)emNF#ESx^BO&-sd0?OmkzEz2NQ{Wxv
zO5M0>24uEHY8aESFw$98SU;p=X+IXjpen`n1(N=QlN~#TNiz4?>|y+#2FBqs#;rrI
zez`AMn#OMq+>}Gt-=M4ZD*Y;hy|)h6sS@hr_r`rivdTa;ex-Fp{a>#$4uEm^gVd5C
zSlMTgAR-|(6pu78p}@S3$QXyfE3e|2!XT;Ti+W|$C|MhJ@Fa1YCNzaPYSZ{bWoZ)Z
zJ~;<4&OtS|%r;JzIZmYA6b4XigfJEtO182V^%`w{ZkgInhY1$9Xcj&zu%+rba%r5H
zFW2$S;B7%Nad#^d;hl2)02JQ4yV3dWI*a4;%Qp<0yqXLk+Gr&}`=|ahAhbVj7%g0E
z4IdmHOK1`^I?ugL+wJiPTNHI5=kJ~j-sP`upv>#ttd9j=UPf^D02Ji?c3T`mS2sAh
zw6vt;IEil520eGzqMl#TQ2iJ}Ixo1rm%=Oitd2aYfi-2IbeoJo-%^m=>ONEy^C5pE
zT*K4KzVN`8gdCfxh7zNOI4d5I`;G?X{^y@ezogdX2VSW`Cbj7k;|
zvP;!Be1Fk75paSMAtM_^F8F8(vDVs9_w1_=k^ZmkedOkKANrHw7~cH>50P)~42!lU
ziN7TOOvO2jX_i@*cj~?Dy1!p86dRF=kZybT%}zsHSoJgbu#F&I2
zvg8FfRW5VOU9*lsl&2~|Ual)4sBVcy@|mNI%x=e3;+_er$z3O6W0w#q?3Y!qGlq8^
ze={)?I!-f9t}+fc*11TM!-S7F8gyQ-5zo!$c>B5T-QAP>dhqfwgOJI%tH+kWS?`TV
zh1+mAPCVA`g2N=DPV+Y`df-HTVyUJ-P+Jx<6a?F0rf>r>LMitj`9=a(_2jLI>QA}6
z^-op;3!K}6Zpv9;>UmyN)Z%jP*9Agx*{1ue=7m%DxoWpdEvHLW0Us%@
zv?MbQJ<(jRf`wPi$;dV!$A6aTf1Tk!?#|tX)E%WI2DO}`3T*IHIakft-P!Y$0sJ*
z@WA+(otVxFRuRN0ZnU$WYBzgsjQAQB(dRrIV%BT@SBEATCP(i2gP
zjB{&`lOqEeFuj3T#*Gb7_&=yQ(cLT7{pkIIF~(g!xpAXjSDu5ezkwxS@Ljs>H{c&h
z=zjnstbu@cs5F7}$L}P3Tvh1{TVu%uvi-{edA#{2MJ2)YVwC%`+q=78J^mk4UmX=?
z+kHKR0-|&(9U>s0f>J|BO1Cs9Dc#))(x5Z~gLDtwDK$zr2n+}4+
zwPr0?ti?a~bh?xQS4Z??!c%PJ&a0t-F0C3M!ZvDL@(!4$ovfBS9-E9vHc%s@jp1Z
zx^gmKI=m0+(&B4>FVTqzq?2%)F$~OQ3hi3`<5uNA?*G`d2{cH}CyBZcE{2xM=vWGu
za&fEcXoT2I>lBwjrBrkdTWfOZfVwX-p2GsWJR-#9HE9Cj%@dj$UVc%USyReBYiE($(A*M!poVC+nWak2JGR;J
z^l)M_OKm2LD`3c@J88DnSzeQwb)o6c1+(38&BjT22VG0B#T9tpOqCn?iHP)z!-TLS
zk89!!oeL?(+rrcauCo|*C-3e6bkurb^Hb8Xa5=gC4;xsG=oz9
z*ORd!O8=eAwIE1bXGf@pnVj$9fqyIi0BS_WJ`h_(vgnON4+ZG~n^1CV_~7fxu6r3X
z$s%_P*C{k4ITjL27Ly;#F$TKiKV#RM)JDbyLox`Bn|NTkjrUzce@f!|2i@_`CWQAs
za#wEfh9nY-1@hEI@iK>Y6?GiqT)1aQWMS$($}p(-#T>@KZCaWx1j7YqU{yePBUsCT
zYB)1wwDTnEv=IjBodj097gd>X8UA!%cfS{|jiRBqq`T!V4~|zXbLnw((_ZztPzT(u
zO6`t5bc&fN^o5p>PMT@`%sv|qc>6Q&)wYbO3sMbziEQRCOckLh%wP9Y87oUSv4;La+09Zmh+(%lCf0HMureKtBcu;TN$GMX
zM1Dv2(?=rYd`EYrW<9h`71?US+;^mOTXAG~-E(C8rfnZPJD9X%dr36hV}1K<<8*w|
zdW`=`@PpY3ERc3eYTny55u*-Q;f8t!xzR4kTq3ReCXInS9e-9tt2{AMi+?VFn|Wjl
zK?HBc7loVbQ9HSP)&{(xbrOr>E8tphbc5|xhZbg$M|y!{wy@(WFV+NO)R@Q%!IP5w
zc=$H!^h*j?gSQ(ffTzr}t`*Ect!;HzN9`WxczRB{$P|w7W<58=5bZ`&)OcS)xz}na
zaRU5nEw`UfDVusiD<6>Tv+2zd4X1FqD%1e46GygWSS)WR^}I=t>R1H@Zsn
zxc_ocf4==K?Kf>#5!4ErN)kyiA_;yPW=qPs5L*1w*F-~6Yka9F*PoraEv2|(s0XcPydJ18UJ+bk`0L84#49yzTBzHIA4JX*4f^~$(j
z^TEcZdacZ_jFld%x#X0!v$PT#N2oWlGLvjo^ZAlSoQ8v}RLj2o2?^Zw-L67hV2J|j
z3BZ-f)h<8G+8w4ZeBQPFcFo)ojt}6NZ#zoE05JJ(cHqGS%(h@B!SiHFQ1JEq6?dl4
zf>^1iwMykTWaUrI7?Nm7=$f1-W)UHNB0QSco<1YSfp#l3;Pz^0aWo(QS^TTpH4~@$
z+_2XHR&4r+m%XKp>dd{c0{SyweZo&I3gv!}ZQwOOPh5P9>n*$x9xcH{SdX(Ls9~yEFV%uN
zCDMMt#6f!t3-jVeJCgqucH$Asf51<{iV}z_NhG3eKLUOncgX3{Dx>MI+q%m+W7NYU
zl@VR-g9Vb4ONbjGOb^L<3;tauhF@gTqW#c1bE-3sXAkNDRxG}~iPE`uKLwvn;g(JB
zqsY0J_oK~T3-_uj+mw=saDCuSU!f*ewk0a9zM#9bvP9YnOUpJF89d!59KNDxNOlpuN1)
zF*|5O=#LfWUc*4u;kwL)z?>uekMb9&^*HydjVQ_f&SghG%{lXzRG39a&S4)2vx%UG
zXnSCe6mxD1vW{vhfT6E=fdEI;qcw0}j%jKwn(`ynFixXV+T`leUh&BxO)gd+Scqx(
z4SA8Ju5^a49&A@VSHxqaY?OWNk&3wDbCUw9$Nk=Wb%4g#%1}WV28}tGm6V~lSoMHlPxuD
zXaWL(!TD>xwD=R#c1lW1%Q=rjp^suEztUF^I?5`$s3qni*lQD!NkL8vZbCj#j_S)x
zU8lYgR+y{pwY?hO<|rgmiPz-$j^0607Y6IQ0$6v}T@##YMLg{yhIU&kZP02oL?1Nq
zaC@|x7tNsE@>G%4EWQspOwPd(mD}pn5%4_?rnMdMS>oG$uoA6d*yX1d+v-Sw21iTZ
zTCe@=E0G}jL;Ug+=@w#Foa^hnJFa(vSx0U;-QebEU$nfM^6}Bwbqg@B;{AVwR`(mc
zf6!wLE5HLxVu6izgyh2be`b#Mwxkz%Jd_F3V&WU3s5f~&buTi)0$_1#YL9g2#C=Mq
z-aa8upsRG@Ig4SQIM?KSWtAOD6%q3rr^}bm95v7u7exX9b`%|T3p@zQ>n{0yOh_@A
z(70Jvflf2j8y2f;u7m2HnsiyU7Zk@_wm#XVodm)MG0XQIr4AT_u=jqpurqf&?K6Mv
z@w{U{O8y!BDIFZ7*eKD9?hm9L8`=}H|;+tq(O(WgrGZpOU-XRS{b#QA?Der8TB0&Dosh59W
z+q+sqyOP#7-O_8~=*vCnqnlx(`+UZB;b#J^RE}+VXlJy
zninP7WTz`Zl7wPnaB5?EL`$!;jw*Shjo~azA%tjB=K0FS?*c-q8NE+CQXKb4aX5cw
zRarbV@ipFxs8OfM&Uf}=O(e_`FEyt|oR63%i~#PIVIslSu)4bgPr`l)dTjiJ
zINsh)A@gNlHNW*Zd^tX2wi1KR*3b!?bux%I6m;q;0~YtDp_3&JPyZam4f6F+OPn&;
z>o}}@m
zXg9qa3+HTkhdUunjGa659p?m2vJ6SP^2a1t+kmX49
zLBLWcQ(|x+$O$MPHhljFQz%CA1M^dFhSrDVE<4AKDZnx07VL%I<|W_oe?XVTRiAiK
zs63ri@wvgm-~q51zTwg7aE2GYpP1$M(62??s?CMIsLxUKgWZg02#x@C?Q9tDcM0}4
zmWG7zHK|!%wX&d2!mKYMvAomiJL*T45M_E{<6^EjnqVuZJX|l4eF!_l{|Gbo2z=9xl23
zvGfUexE!$WQkNx?SfeX){aaS(dSc#7P;^c5b0$I@W7O%{=f>gD$_|04I&wuRA=Oup
zhHzNl3_b}gmJii<2@IpySfL7V1{&0TkQA*LOV{18-q1WeTXN(e%rE9Wz)ol7@)#$fuQ(@?E@kAy%5rgeri?-8hq>OrIJK?l)h|o+r33
zYF+TeuGEgYRB|^)H&;*F8WqKUx-#16HcF+G=>HWQ4zxuAkK}(O|x?px%2=M;G{>WTf(b
z%No7rDmn%#J<8a6|D#=lB!!q@P!5Wc7gC1OG`%Q|F$Gi4zjTa792UwXAa$YS)XWw5V
z++Ge&W^~Bx_#Y`r@PgLF8zsEX$5~JI!X)ir3KwR}SR9K_eP7wxd((C8?KwCwB49-S
zq7cp(e~Cq*s%Gf%GRR1GM<^;bNRc0|n^KOy8E+mTTS&0<1+S#VLk`_8d9H|Z!aU?Od(jN|O7HEsdD6wT!s
z1Y47tvfmXaUOn8(;gw`ady01RU?@H}0-epjhFQdYi81H0Itvc={VqA5mk>b6?(Wkb
z9QqX&t9Krk?|{5e)a(~ovk^McoN3BrnQt{LkGVBoiCzi>?=Pyxc=zWju;ganb~e;<
zQ!UX}e~X=;f;;7uCKC?V;i93FmFoV!mE+8r#_l^rMafU;L=e
zf30RL0!nH3#|L;DjMNQLg^Gn@CLM
zo}VC8uO9m)RuFebD@wR+>a#MiNqo@|k
z=z};;g$~$8X+@kmB;K2$li!jK1Ds6HQd3
zvb*9%f|S)w6?E(4_2u;*_@U!HB22lS8gK-KLbyCE03D~5uJNpM23^vk21jgCF!P->
zvqR(;0Fm5z`8W$8Th-$2R+r13zj)qgp-TOq9U?!(TJ|4J|1N+o`Ed5Z!9zYC9Ndw@
znuA1^d)Q>P4HKpVlaAt(=eDlm(p+9FNiJL`Yyc~|wTu3CW~rn|e}^BPZ){_uHXy_j
z>)b$&wV<1N$JRHa>|7mIGFeAjnCbkE{;kp042i7q7B&HZe}?P*vJ|(L%qa`Sd>5ta
zX$UQ(dZFHL`|`A!dsH_}_$$bIq?tYG-T@qUPh>6JyCjd?sl`Ie#LUS`%@%rO)Lh4^jS*>o4=aHtUzI&-o0IATtWEPPW#LJo8>OR1YXl9`}^V>yM
z7q9x1Kj!E=XkujFu|&CvzfI>moSl_+r-3J4B*`yqtInW2E;rH|U
zdjnKUOMf4$Th9M(8LcpTK;0%y_EKNQ(F`E5VIc#w}QK!Am!scu%oxG
z=cX2ahy8z&3Ffa$rT-IP{t3GMi@qSv{4psg;UK-COdydBuPmu3|5ar+Cs%u6O(VVh
zZer#Dyr8v_ID|w`Bz{)9v+Dba2ni?9R=ipw9Q|6c*6XQ6GLhhh!Y>T&&vjnvIo!1G
zDJs=Tw%7MF$Og^7sYTk0pjsvCh_R(YT@+7>b0i~PMdXz%t|>l1rmS3ets?oE%iPH_jO@4{%E>I&mRvLU51nObX)N$EwScXTAvDm6HLt$W43jYz0XsW
zFw{;Rl-YrU4_q$4hzu2%-q*>%>FGIb4QDtKkJ!I%U-3v=dz@Ttdj)RuEhXe@@K~R^
z+W(FpSnbB>*b2n-Xd}pw@2*FLSDT~d!Cpuz6)-i_+tFyV!JBtj7O4bhXe`rg%y`K*
zLcx4QNf(L0Nb@O1yiV<`y(^k4ORIeQj+m-~+pd++{n&G(ANv}j$Mc9Mm!(20zkFUx
zon)y`{y3*NX*T|T633u@h%BKt?G7<__#vrzKP@=@0|a|Nr@aEzMs)ix1EI{U_dj6!
zG#8MwID_$&=wVHtNLmuuJez&B3U_XeB(|)6aX!`~pCNaWYFN+Q68T_xfH2$q$MzQU
zK$dDO(kwB9Fe_@p@gP5+KXAR4szsyCqB{&-7Oi(N!?_Svo5k=z_;oG1nR^a~DZSDm
z#P;Mm@pit08!Y)X_aCioz^-XX1yD7fg@)AFlS^=NxbhjtBhRR`h||G!{gkIy0LaRoSP~n
z?Nh4RLugLyvp`E-NXU)p0Qd||efXc^MT>L)!OpE<4$xGJNQw*dQ$|Sk7hbW-a;yBy
z7oA_f+pWw9KCpO18o}fQ+tilB7Fu+6H1v;1x|+R_f?zzNfdiO}}7e^$MNQuL^qk8LPnodVMPB;RBfx@3qXw^nI2R~qU^
z1HMCPU9Wh*Is!;wGbQkJzZJ6QUGr1mV&D9JWXIQEY3fJ0=8lU>!_%bZP_
z^bH472#Gi9i^#||xVdEMG$V<*{rG&$7|
zsREq#k=@RIVgO&R*Auq}ELp!<+DtV1Tdc0V=W)z2@fW`U(QLPO$LD=+wR{H9uimT8
zQ&cu)IJzfyTAUYgIJtk^Ut*yO15|=(KhURVCe&hqP3!`g??S4~!Rpvp?Wtq4FKBH+
zVz(bf8t4_h+}gkOsfqYU!?AGPe)eMJxyxSA*6GgA%+7NoR861TWTATl2-c#yHl7mj
zGd1eFyQuzr#tVX9SvQgZmnF%+tZB?WuQk1lz^$r7g00Bk`8M<#L_qe-vB8!|zuvDIDI?7)YLd8UV-#8B(PZMrw9vZR
z2DFvULC%hsdweOvdcoA6pz~VIRGK&G7PjeyB&$iMO@QhKVUCwG{&`$>R|h%Ddqw8K
zF@sZ2$T88~Sml_cy)wjT5Bp%suLMgam+cz%xw<;4+ESQ!S^q(J{8!B2@;>?;(eL#O
zWym|McfDW2dvP|~@xk1BWOETwByncahD<@aK1%=Lg8rs5%TT&!S(BxWS)BBG+UusE
zW6QI}^*~7f1Z=+JnS5*%xf`L`h*#RFPW(!WrFp42A4Z1#EW$i-lS;aDoCmFT#202s
zc+xsLEtZ5RRM@Gtk6xbP_=@)13P=u+w#*OEf-iCl#}?k%dQEX(NitqywzfT>39*eB
zlMu3KT@A?h=dpaT60rMc891wK&i|8=WA6PAtto#7utD~{uY|ssK|*|m&E>?}raHZy
z+gy3<17kj${_nBLDjv!lddrjGC*7i6l246o=_7Pmm>E>0zsb==g(PIbFbC1Jq0
zbd3Te71DV&AGDHFBxRn2pA%GyVtw&N@{yDP=RLtk-|`RnB
zJb%3u{~SpWsH-wrBu?`)G-F}p;V5tC>`r@Gbulwr?)j#za23$6zbii^u(uR};PsMnkBX%Z8r>6~eG#PJ^5S|<^B9A2p6l&DM
zSW%-xSD@Wd`NpSm*eyw95`lpnah{$9VW2YC+lr6AHexlkl{6PrXk-0Le(@jg4?Vf*
zP86R3mBJ7t0FYmil7-snV16~Oc0LrgRl|&LhP+I3S_v
zyH-QA53t0zwhLVZkBp!8KdZED6w;_&!!WIY8ozk5i?6Yy&N#x-p@w9h4h0p!o=O-&
zdz39Je<|qsVpLf9gUXTWtPU|_ur91ne2?RVz6+uopVsjxQCgB1OF-axBiJNr
z}Nf@X(0T!-q{ydVvk{e&7G=FqI+IcdS&?`Nr@`ellFPDp`;#^aLQ3W
z?H*>`nWXAH+V#|e12AsKZ?h{#55-W21)gLP>YFwm%Vs1s%dQrYl~u5GYnjZox+!cB
z$>i3P4%lSN>=%9reXhz`txf|BDt#|A*Xyu&sus*iP<#fLMq4c*^SOPeuSyMC%?Lah
zz@ckd%|)_7I~%X>#>f16?m>;gkuvWE#JBzBy$jNhJ^3V;DT6Q8jCH3Fa4SIiU-JKH
zwJWytv8Sk|CWTl!Qoa$@+udASjmf373eOKp+rC9Bhs|mHo;fC)!o_H`CF+XyvNqH$
zOXPiu7yXzy44%8NnFiwV44X7MDC5O!6W4oM%+_+K>`BTn*}
zvn7jKXL-ncEtRN3PeGQJF^6=FywKZ{XVqQQ0B?iBW%2C1^Y+L`AI^2L6^Ww3MAX~Z
zOB`~I+&f$Ya{u&X7;&x+(dW)z+k0B~oRvco5$R%Nz?^Cbh=})yF
z48VBU&r-Ibu|Mvs>ozGaKo{6tTLNEvqT_c7LFT~3{_M=HJyn$Kg_+&i_6}8!%O2=c
z73Xwf6j5~}I&jJUuzM@m9N>`wNCc68`s@j&zbG8*VrgmSI6-guzqi};?>NCS26&S>
zgRdWX(2?J}UMx!YRhyi1wVireh#>!bmVT)6nWwsn5}%ZiIL7RqH}1`<2QYu1VtwFL
z;-${5jHx;yv=${Do7|aS%_RMj2v10ebIj&RZe?;|GulcSyT_B1VPby55pn9Mu%&(K
ziey&3bhO}RPe2AnzJfL?gfKC|=ykKjYHx?&S6zms!t;i|13JyvxEqmRrQzVLGpWyN
zm(r<(M8Ht%-oP|B2Cs2ZsPy=QH2oB(b=zX4QAB>;xqn-zX
zHSbk=%^M&z6t)#6D>_aTlU@%~8iM1m0tY{dKjGlP=ntN=_)P8FNGz-)iR-
zNn#?#55?T76x$i==AY8ThAXbR>sfvsjn#JrlP%la;~Z*!-jkXy{XxQ`^%9eI^;Iq7
zy8khA_c?6aB16O48rWgJLWw>FKTFsJvlk{=<*gPdzym3|9snBtNNTRzzdoUU#=pk!
zB)}|}iZzGz#;U|T{S^%!#UEW~CC+;kQ-xoaRFyUyo$#e^OrOL-QLccz25-M?YVy%HV*zsfu#rFtf3ePyClmxI`y(YI&=29xxd#-EZT_`EHVK*Z
zh##&U^&@!`9Y-Uv-m1okQcsiBW?Rt@-VFVAN%F}SY=zt*Mg=cYpYf9K5t@e?SBODz
zcjtyHX2o=$vI1A&`mI01ZfA8h#K9LP8Vo=S7x`+@6|oV|7Z*8bt30DJc-IH7xll#K
zUsm?Jba2l9Po(K;j@WtIIlAdsQNYAUcKnPCyQ$FeIn)z{N&
z-f+s)9Ppz_#{(%k1n3#mgEzQMtD%hIAmL6^daql3uheY}T?i?xK$&!Ox&=XYe45{T
zaN43`d;*T^b4|B12P?pNRay`6!)l-2pI^=2N;xpf1{p(+E73Z+lSu#DCf3cQqw)xG
zFVhUK9#+<-AU{IYqr*A*&!|EkpE5n$E5LtSQ1bsN6&-&!$@0DegoSW0BLGHzMDjc*
zxaNJ&zg8++cUQ+XiV2TY?4vA@3eqz2W@R@$jlaEcD(8v0)Ms3GI~>XmH-Ii88@I6{
zoQU+J=a6BD$A^rE@kXGDYB!r7lsWd4W&_CM$UKz)ZC_!=IEx4ms~IW1oJ_ckiVo!q
z<2r2OD_8j?VhWGrOjx`Z>KowuseVVrp~)EvOhl`R%bkQhkoqlzYUQ_7v^QTV_dxX0
zUX+j9xc3I7(By2m7);fIC+JiL4`SdtL#@kc;TbA;g${j%`Lmk*psca^|LcBF={ThVbc1uAUX0i(gYOL)L7p>
zb*45=Xcn#`6lciir^mnw}?_73Fat}~NpiDcC!wwQ7wto;#^D^2AM^fy(cJYfQ
zg+(eD69hz5`qZ1$W(>fEiA=e?c9aV?3IcgN+JW9K)l2j`2c|&~A}Ny#VL}%0Wl7*|
zSZ?@Kh7*AhczBq+tkx<=jFeHE^UI|pKKH8&^m%n>1<*Dtm(CvA8`ql+ok1V-_3%8H
zSsBpbuHwNH^hKmQUTk5k)%7*vlxE9guAt0}D~pKNYKF+g2*gBm+Dl8H|76vNsh-uax4Ra=D=_MIw2!}sR)|sjEi2{f(P+Pp)dTL~
zD%M@&DqII1+cK+SRnw8uTPeGw+CJg(
zX;VO|kF+4Vch&A7Wn9PvG_8ltQ622niFt)3i}ho??s*R{Yq`snu=pvq<E!1{#SjAgJ#Qm`Fz&v(0Y#%~*RbSHSZ-2{sjO!4U|9t>Ks8c*EDm
zwwO#KqkiG+4+lo3wJzl>w#>LB5kk3oVCsp8pOI52F5LRaOw#iXW_Qg-KU{mS2#N`J
zR=A5sZ+8=0_4w6p278%}byIFeg@{k{XrjEz@}>V?ARTxKQfUt%Gy1WG>#PK5IEE!S
z{{!Q1X$l4Q?{fSz+uSfXbfC^&ne@#J8S$C~&NYlHDKX51b0~UgD_xsv361_*oh<)REaO`Hej6(vrurU;p(2lsSA&
z<;fgj*}A_Y^;{a)o~(|fJ70y$v(1*rm3z3=&Hgo)S81RPsp_0d>G5|@$~<1GN@Jc^
zV8FzCT;t*Ge(sowM9DK>tQP2wxuEGB4H`efS{`SDXFm`J9ryv$sp3s1{Y}5uv+AN8
zZK`h)_c0df+&8c>H{(kqhLav!>i{U9d9cQ}o+|fV%v3~lB7V{%K%WK;5N8I?p$9|A
zEcuEI#JXnhfnM4O;1Hr1J$g>r|K8;>Bz&hdy6+&kco6L-de{tVK{p4|^!puu_t8Qr
zKFfR=%id6H6tVS<7VGWe;n@oFwpTWCz>}%Z_}s`~4zd&ah$
znw2rQ{oP$GZ#Uo|2E9GL|E)bky?=>M&R{?!@WRqF-4S|7ZosRi{K@K|u*l(10DXfU
zvys|IQCrpgFwSa|P-tSM1JRwHC)$#VzsP|S&)4v0R_?0nxgn;b3`&D2W&t?R
z@Dn2+;g*pTvpvkv?Rj7!1N^gwxD{B$KyE%yGvSXldJqWn(agW~qv4Yg(x^Tup#7jY
zT&nlLKNC?(Trwj`Esg=Vbg;!r1ilPsn31_WFyoxp-XfzE>Dp1LZR}yXn7&MjA(N0r5a2
zCZqvC`z;1)cl_QQ0y32;?0R;W0p7?cSZVs<=VT$};)wRff|^9Mlf-4Y*Ye`_a{vwA
z1k(2j$y*k4@xg91OG@t4wKwt{su1K4y{qp(w3_y+9e|}bs+n@51m&j?4I%0VXQ+-o
z%mYF)DxH843nY!Mm(robK{QWn9BrudxiL|V>KsOxYa$^T2~Z!y@W*eUmag5(J~q?2
zB@6IcDCF^&zH2$fN%uSC&V^xiY#p{Xkq`I#-Z5n7=VxnGL8t>9*!+I)(&cMYAO5F~
zv{yML&0%|(e`lV*CHpt94^HcP?QNmLH^
zu5_d%ZkuXV_@o%ZCGZUiHIIopAl~ObHNb)gaFewH&_s;tQ*s3410bnv{qPRu$tPG_
zufz38^VB9znapGevt@l6j6YFO^+lJZne5LL=BHg5f;U%*xjL|qEJE_vA8JCcPzV~;
z*UsZtzF~#|U$bRJBa^&YRKJu&Uy&&orJSFsq;*0Vx62yD0w%ma5OUE(d
zxi*(xTVjb99*(I+c$!~->(Q&VrQIBcr0WRby_pf##da#+X@R=wp@g6Z@3anM8+#9m
z;btPEta%>z?9NK+7^D8xW+L*j)#jMIg0he@-5k$gq|3Jvr%D)cKvTk9QzoZ(%Pg)L
z@+Aw?+bmaJkrq3ix<6;F(<2bKnt^`nB(yjlnT?t+(kiEBgK%W<+&aNJ%>o3gTa4KM
z$Rhx6qJ{UrDd!>ai`nTw{4OWJL0F=s37z4aaBsS+vLS(^*eg5{$8^3e$H|UuvbQk!
z1MLP3JRASB5IzD(;t2)^g=S}-@eH)*0?AFeu8Qh1D(~*3<=jrDr*2Uwa@_Xnwc)P&
zYT4&Ru(W??*SC{woF40Qq3^6_7IzaY771CU{~Vzjht)OXQ8pgf^5EQ549(y%a!7n{
zWhn(-Y*+=dqvm_ulvN^iJ@!QWVt6lywQv0Ln;o>*$v6llB%e&n%))$WY}okgW4(va
z^knqRh*rr4v6uTQbklToYuvNkxSp=Ia5gO~&Y5>Ab%HgM@a@2vRs-yOEdWr~@u0JJ
zbXUtM@;o6*t3({}i!!Ug1w!oagxrNa@1^F_ivlD3{h^@h*?=
z&~T+KoNT>9h-^CZUDik3%MEmdEd)^XBwN}+-)K1*lY6Z0w0I<6=U*kVy
z`1Y@c>zZGk({a0NGUA!vvpmUQn&Js}!Th1>&C)f6gN9G1H2{Oc#~H%(sNKPq#dYdYN_4^O)Ub
zbs}d!F}Jsk3Vj}iv~Dv>x(+ne;L^$&m3XB-7C)xk!^!?gBBP*f-!|thnmG4-!or_4
z1ndm+wZzYplbg&oq6kF}`j^3{-But(MJ`)D_PN`Lv3QW4R}EFW3aKcuX~kGpxt!PA{({Eag+
zw<4{OYbjxEky_71IzQlQ(4vsz&R=-nd@iZzXqS_L5^f#~)9Rg#&KMA*+IdzH4h`d3
zi2=69Tgn}!gjj?lL-M~0t`rmHQ}x9vLB5;0EMUD69uEVyTq!g5hX7Ip>^CCzyX~}3
zsq&Y*6Q84A>*jm91BQhllIwF=y!T0R>aElMaEXY5S`HYF^o{w%A=SPcP>=e$_DPN#
zy_gOozG^DAjrme|iJt*2=h&>Lv>@%ZjtVb@4Zm=2ve{i
zu&BICJE;1vNRjUUcP0|Pp|nVY_keoCsbqF6$Sm)pFw*R6k5H%(#k2nw7iA$%D)wxl
zuOurSH+){S`rXLmp&XmwbcKO;x7<%0q~Ie=xzw9dUiBU)D>Qkih0FWZ2FVIhCn=wj
z!6al)F)sa-i$G>mGpTB3_Ywo4wIiL4>f!I-AVH^}p_>TcY635J+9)r2vA6)(!dR8d
zWvHhCbq4jqJjQVOOzm!LjQ7d)Plrm_13@P`M6ujx<`Zmc^p
z&7Yt2LQ{#>&Lw=vfN^`S$(NRkd*CSBsS~+4ms<<S8lQ{rfpIv+q
zLS69e{eWUNNBPt^c_vsJilLbu+S4>#prc5cfAU0i$Fr=1;F-_DONt<}5;RY>DD{c3
z*!{1KL7)?d<;W$hb3e_hA>(<&qGfx)c3729`d?LHZg#c;-#qC;$$#W-D-htp8Pt}J
z)L$a_rOe_RRm-I%|3__?%ZpZli)XPoB7#8?_i?V@XOO{yn%U2b=Cr33EmJE`@>mv5
zM28jASiTzO3c^uNtjwCy>u9OeDjB=Ird6d4-V0#Ar?^OFr`LCDBHvZl(WO-@=e&AG
z2#<14!I-ih=`r+fQxT|9f(a;I|S#&>Mw3@_{aJ*4V~wu4G(cp
zaKwH{WguaZA3&j)wiXfv1)Nu^>|lcAJSd^2TH(Z|UObLQUQY{kbyjFt-OU;y!)}h6WGi%q9ZVjUNpRWzg(*`@)7$58i{TKKxz
zLqf3pw~))F5PSkR}2|DaQMrL`aj@Gft0L9yJL|vzj`X$fw9T&DMZ*67mh%M
zL8)L-FIvE+9k+SWp-<^ZepWlu(mp1QxIqB_UV~A;Di`A3S1Z35!B-
zjvPpuYAJpoS|e17M6gYUdWOLq*z?_{JJ|Ytbqxd^*cnP)&L^>y0$v@qH2NOn|5E%u
zD@Lem?zM<`4@6t`v*C`MoUC+Md#&1M_OV1&zgcdkKR-Q?1~J~mc!d75V|DYwTXFrx
z<`w{t)q&mR3DPpR^3P3pSZF!Fn%>xu%x%b%#{iY;9#jCv&g>7t?Cy-f^ev6zaB)Gg
z0QnU+s)TmT>sMa9%D(Le1@OQaXSB(5x{Q0p8Yx~Ow^hdGVl^yv0M0OMZPAWvTel<3n_uZ;bR
z71pIoDbV%VmDk#Yr4mfI2J;d>gf#$x8HPb77NC{O5$GlHLt-K<(An+Vm?)ZM#0o%xRExsEP!fG4f1Z9axr@JuJenRl+K*xqGDu1TvvhTDV?6M
zymjCmyE1s$mrgtu=3s>h34zcaj@BxxA1qYk96Uce7Hnp^rwC_?N7q?Y0J8Q?ac(5}G=Y8Y~Gc{z7bvuvEjhbOAK%5iSeYscGxe^59}Q829e8wgRr{KN}PXt@Sz
z$n9+VCL21|`#}u;m|Ok_2sPx1pi?`AQ`@F1Zb;W}*#nogjf|U6ie8z-|8vlJ9@?&@E~P_T=&sYnD10#4XA_1%yE4yEb7`!Vb{UxfS{H@Pav4)FEe
z!t;nPREGK%X_H%OJv3SKJjhNt8W9kM-^ZvaO5$UEV`)k4`1Xy~D
zq2iDBWX&a1lIirFG`LAv(~a};9&x$K1jbS^AQFB2y^mh&ySEzik14M&CSlH1m-$}H
z6&ZrR-1eFR6eZZ63p{%tAF!wDe)6S$GzfV-Yd#z`f0`AOO-`y;^M(Q1YL6rCjErr1
zJNR%2qVeH_eB9ayFg9J8+QYhjk-X;7kFc4ZhSZOQY+?TZ>O9no;rer|%-)tLJ-%eA
z0HI6Ip9q9NkIbREa^{FJJ@@xOopG0l^Io?ANWM#M57f%$*Gvn-8A$w`MmsR|XS8JX
zt|`HxGoFH^ikaK7nFz%Bd2Dgz+T-_4VjZcY_`xTD#(!aNSPsU|8@q
z#$$&0gZH|U%Qa@S9T&*G49$|AfD0I3_BUxBzoYY-8c_Dt_f`#kebtU*O!VoV6H~CP
zoAt_sMapA376
ziX>E<*i>=ey!o!t8ABvFN#i~2GD3wTZc6zxm!Bi(;QBd>OH(C|sOhtY7#MLuZsP3&
zy%TWd6e^#6+mTci>yrD-r=^Jc#L4O9au;Z~J<$_&KrHyYQ6Sc@^5#k3e3T6yBJBS$
zw#G2uggFLFgI*^IB@t5Xf$OY4xG#UwUtPbbI7~T69cIWOTbSzY5R0!!=E5gP0ybhT
z>xR-zK6n}V0rs6zU}8!X{COq%*&J=cWBaF(kj0|ep$YmUl+d^y*)&$be&1*HH~vo+
z=vI*PZ30p_)kbm?$Ey2?KydyS_C=Hw_bLI02qiq$n^#lTz4s|@^+ZsI6R7i?*z{Y7
zuG-f$Bg4k~*T+|0=4dwM?G9A3^l4X+|H6EO*^<%XWp(_UtC(%}C|my<^47~AC5qpp
z?$l~^VBo(p8YCDf-;t{6FdkKxan^nSr1d#GFZI*HFN9Pm7i)Ge7@enXjK7|nIhP_>ndE~$Ez^!7l2tnyRmP6Xt0Fu
z38`TfPd-Aq)RiH?fftLaKzOH=RKgT$r>R}uGK+fDN;MJO8&-P$M@R&--mBR
zvv1FPa|%K?BPvPoGNAlZKO4wQvJrDXPdYf}Wo+POwOY1maLlBRei*{?jMAJS>
z%PSiF6$1BjQGwe&&J@mjhl<0yak0+J61seC$9c)LUpV{#^XH_)ZGv9D16X5@HN8Ib
z8W(-?&fz+?ap`?5bw%*i1PuR`XnoVw8jt2={eoRqPj*dK#GHVoU)>=V>8NZmQVzSZ
zIZB%INSe<*z%4`_R?g`CS$k`g7a|>ra2BwwPZXCAmcg2^c0@u9XS@KZ*Pn_?^?B`h
zpj{w=`_bVq*n;7hpitVQB=Pwoe7LZg0odtuiu%d)_eFm~eH)xOc=OVS
z0*0(@&c+PmBltVVu+YImONQ;W$9x}xA39IE)dA=Idz+jwUF
zDAJh-B|^>R(M%DH&)fqFcJFmdybm|tqsxitb=!E8s
zGXdMY&GtgpTH@01M-2H`C-yIM;FXruS^u|%Hb42hIZJXwG-7q>6vTaqtnPL5l0I$`
zPL8XCg8SS=skj^o?BWTe>PJ-%-GOmqd_IuOBbqw5^nLc*bR&whc26kXiBt`0;rqIb
zSCGN`XF9!MS_X5n6QO8e6zy)3R%!8=q^WqwL!w=}DkbzdQ0-hO0mbN+I%nZadO
zIwi!zAX$i!iHs33RQyfn0bf7sXx*E47Px(8LU%Fy5b7}r0g8&~k+ol;=D=Tre)pX3
zuV1B-onL*$@H8E+>X1~YWjJRdsRf3cNI&3^HaA&5`d&|})bY&MhEJa<2LCa;3@G3-
z{b)qzPciHjeq6`-P6!F@`~3Iu(w@C;>{HU6w~M{eI;H$kh=wO~S2k?5yKZ_OUs{ImWT)@8$FE`}^pafoy07awuKT_)E)&w4
zF9)q+#uTV)KG^?ji%~m2{<9-Gf%%ki!Xx97r5DvH+2ML_JNm=q820b6&K%^K<8?gp
zIv?{LVq!#Y75O`!-MmS;lzx!7~st6n%nHBUAjJ1
z1!L`6v9OG2NF@2=e5c8l4U;nE%fac&(>y-0S=Cr70%~^9+dS3iovCT?PfqK((I|+?
z0_Ph<-WbD;26q5psLB
ziAg_ud`^d>#g}EMwVpjp8gHF!a}8nR&VwX|vh+b9+_m0}OOBIc@Ix5Ys)96YXUU2S
zR3!B`g#=O$y@U~&w_)2^L9E?cm|$o90x>`uC+L|a{o9~vMoJ}^ws#d1RyB9KQbGi%4
zfr8;?US;PNFj*Dl71(W8L^gBLz-EaJFCbE)rvwIyGj
z<8x!#DA5;`1eg8gXjPLy)ZPE~6xric!mlrdfWvrm^*Wa8J=sS2d
zziAq)u{%|byk}Wjg0UhbQ1g7jiUfXIw5yi3kBM5)4q4`xPMvGVQIClyDjo0m%>)wr
zh2eK#R2V9IMkITf{SDU);f|cF3W0z}ak^5}ZJswg&PS7Mj|LFS2W44f3*)o<^beR4
zg7rii69!27x?~Cd++u*;`3shPIF9HGOCAiyOeSOd#>g=8q(o5QmS9IJ#>~XZ5f=2p
zG``a_=lm)xlg>@fPtuZdc%C=P4gV&PN~qZK
zqkKVBj%X=|upc){@47#Ce~Q&cl^Rn1sY@(wa0z^%2fZCc*x;D%xd*;ffZ|w*+|?Vi
z8A3Wfr3Xy9Pwz}d!+uNzc<`JA)W{~~nEu}^KrGr|t7~?t$7@S(`Z#}p4sT!pip@Qa
zw`zDG@oA&N51g*iwpCeva|haQ7`8iaTNqedi4Is2yIQAVW&=9
z6qs5EDxV&9G1f|aG$o1D__YW;(Bf@zRzjl=KcC$tdOePtQg{GbSNOO0ef1jM8gTYk
zLH^*mJwXC%8-JFGOp0$ZRuo*+cN&u4&rMWyR>+!;@x_V;&K3DL_J#wZD
zUhcQ)@(5mh`q5d6qW}B=c_w2Wda9SHOIbaL)=2fD;v0gXfS^^27HNvR{_#^BM}TtE
zCCo6rQEnbbW*D<4VXb&gn5%4IhGMD%7wh9VCtIJs!1kXxQ7U
zM8EjSzMzm3GVAs#c)z6OuH3d=t3mZ+eq>Nuh~n{Or);b)Y%BNw=O*O(f4TVy$W31Y
zMJph7dU4C2Oyh!6$#wW(YuYc1r-rJ?&CBnhAX=Z95(ENTK@djf+#fX>QB^Mc_l0bl
zzv4VK1<BEP;l%QmDAmb#4
z_jI#o&v!St8Mq*I52H>^($wT}-_1P7A>ZJGTHAxbJGlWqHwu=P0#+!ehn=?*Wf4MDf&}nCtfVE0&}9|}v-)RL*FmEfyEcRGV2wBax8<26Ni+FCCgTa&D#
zR$QzjEfSay|I`1$Zm_z@H(Hf^Jzbfa{(0pK(eYXp>Mq1F3uUbJlYFOmvRGIQ;**+z
zeFSl;2r4{^f9YU6o+l&8PxCN%PP*JWHe;^!Diw)LdU`sDXKC5w0&e6^0#mB94dIh(
z3XXHXo(7!ep7XSx4B(4aaMNCVihD!S76OzSQOk#Ml0zX^8A&KT4!x*;
z+b_r9lymzxFJV)AGS)jJ?VQp*6@ir!f6zQ(W-?c<-4EIFjTQeEz!
z?{IX;;5?nFW9-MLREY~7?e~Z-o;X*46;t5>2mu8tSi{f4yDx;Ed%*JJ%f?Ev&scSD&xljf+jqj3_B;FG9
z87vG9W>tFcENZPgiR}E!RWisS
zLAX`i%c6(RxGX$Y<=~v-tvejmLwDTh;RA98{rF94>ER}SdMCyOiPD)k*Q1s80sM<0
z$fT15v{4s^Vce6ru6!zb5EJ&Mx8JI%U_Cuvp=tN8)m_G}FKkThC3uGHV1w&ybK*;^
zu5XOt$2e!AyEAn`F$J3ciX$({zkpt)CEaV+jl?%Tnj>~~HbT43j*nt$7RO4j^B3kG
zT3UP`PFs5pUFa0h)qUWFZhYt)twO$j0HP{qzw_PT#$JO4SEBEtPpT2HlUM`$|HSebcvkc~HmpVArkPa!$3F&xv8yHcw4d|!lKe_XN>
zw6FOZ@0|xaOs%(Ygz**gdI%%c6-NEJ7oR`lw-J`??piolq&>V#ncWybmK(Tc(cpO;
z=Pr_l0eX#kM2jBpmiHe5KcLa3!_cu5-~8C6Q~^>H1{tg-#oc
zwB|+?2<=J4veD__Z1U8oE1)h*LHAI4^2s7LBq1l*p!cZhJ7Ly7lA@AnVOdr+fCyG|
z=@-0%QfL54FtNw8?Y09z^7oQ~-MDI!oxK~&^ms)F5M16mzmMIwXnXlQ
zEBjw(JO@v^O5;Jv11TUAeO=PsnY4sugb*EH)-*CEu5mEj{Gv|~|NObKW2hwy&VJNxs7
zdI@uJvgNtFiO}|)#dCRdGF!KBG3P6Mnr87FX(l{%EuIN{L$73~n5*l*IPA3UsPj+Y5%RlBe-HY$+A5;)6y;U
zKSZx`k(Hc3nV-kNgP57^Yjyi>j-ufZ+ly0Gr5+VMXb2!*te&k11}rQK%v5?QtRk0`
z+`q7w4J{Z~6!EuNR^I)%F2&twF}EJP_Nb_j#wyxt^)%(f+RqD9n{qe5hOLp{SR934
zo6=pYk_h@u1^!%VbgfH#V|by7kkz}bz)9AlzF|q3uyyj{h~lw;)d{c7z_llvp@E{S
zhx-fNlpA76qNw@!pxh3FkWG)B!=#&aEY;}kv8^D=*>mDK%A#GfjyH%wNxpKodT6#6
z7&zZLF_5orFnkov;+VDP6s)wjrcN(x))M1sG|@`LMN<0*7w#JsA#ERYl(q3`u&c_M
zqZj0FqWQCp;BB7tPQdPrwTI`fWvQC0+~0gnSn1d5>7PB+tuYm#b0OYOgY8YOe7ntM
z1NhlXyaUmXB*=u{zlC7WetxOG!jp7wh|ehrGzi?j%hQj%9FTm~Bs8jRVgGFXz5B&e
zzqWNh;A&2X_Bm|n{uL1TD*bV5wE|~Yx(RLJqn^>ZJjwh>3>kn
z5Ct~9bpE8|iz5m>@W0?YV3$plGp+F9-Rj%7byxL?kLUm4Ri=uwoqd92d^9r8J#6=G6p2y2R1%q1YXG!#p~s7!U`p+kPn
zfZl?n@jXG5>Aeu7}4q>x^skw9Co=3dlYvJxEWMDJ9XMq;?
za&_sgqX`?|$-?F6U)=|uz5Hsay=VL`F=1)4pr_Jd@Rg87Z6$z2)k+}^&-?Os`%5|l
zd33%^8U4(SJsx)8SI6g3#Iji-tusyY;aRb`No?mrB@L@BuiR#+Y^A`HMG4HKeWKTu#V^lRDQ*$MsEy^)DjU?P2G8
zZA&H>7r9>Zzt`*k&iW%+kCa0HYM`7S7^b;^-OG67pMt!~>x2cPUquh?!y7!`9RaU?
zy}pfM64?Mfv}_tN&n}hN0Ht97zT{;PJ6eYioGNuvTHl`f%8A5p81_M!-=tt-R-pEW
zU4OS%+GwDm4n8+8PkLX<1T3aaD50#4j7z^-vZyoHHYQ|r8};6O{Szn_iYRNb|0I!H
zBdozpIzZzZ5|bHLqW-~1(Em3vQkQL~W;@^V+irTJvudlhV|`upuWdWt6MM0W3hIg`
zj0nI%%W;M=8h`L`JMDsuNyZB4Z!%y#N6SXI-DdDw@%wWYojrj;HR%u_p0HPf?`pc5
z*O=tM6frd@h}qZY#0;WI^BG}VqGEe9kA4q^NYBNWEXXF>((2XjsQWfUBcDBIx8
zjk!*xkPR|RMrPNhi$n|f(&1c?68(V14M=*L!zZV(`>rMFV^Y&BeUu2;xs+7o1LQ{5
zoV0s6VU1bS!W1OMP0A@=k02qKV?fTN7e9e-=#u?z^*bf|Lq2*;>lcLUth5iJ27$o`
zKyZfQ8?)t97k3sJ!qYH(NShyR3Mbqm35n*i!u?V0jVIgKM=ig_lbx<@p!V!h
zaBjX@g|@0dFoqRAU%pXMCQoOV$sG1Ri|x_BQaFOi+_%CyIq3qfo4j$)&ui_--HU?yu90)e7W7ZO52p6;BCVm>`b+<
z`bl5oPsA{pj1d;{Suw18EZ*{zXGHGMj1*Jnp62n^}
z>3Z=orm)jXoM#9q$mg!jBpxWFw3G3q;mTXOFu1^w)ywp+{KFcA%}}7{hn0-o|JU>P
zJ}{mfy#|8lk_6y-bpjEBk5(?u+*&;}EryAFYzNmJ@`?CJ
zgD!lT#}~uS{vu!O@2+Us!p_Z}e9Af=L=EUCg3MTML9#PqAO__f!h#R5$GM+2K=iZZ
z`+bl-A-rX`OOw>$UBsoFJZ^5Hi8`sx^X_nC^e$+2o$1;M|7&S103b783IE&UskyZ<
zs&=IWMF3&2A>C#Ms$4PKrL22bzD=OIhRzNIc@6r@{e$4wyZcPJBms
zB|`uhIX4kTU^8YsT3f
zGV99Ot~>dUt@~moU=YpnH@wOR6O_rfBz@c}iDjG}n@#eI3}IDilSW+l(G3y1yD
z)bg?6_7z5T*yX9gN$zX=Wd8cLEX*rTjnHxO5JutqU};I*jcp!J<~VVN-A>cGo0FBe
zq)l}6Vc2qo*TQc4c8o6bn5a#Z$6PCA#Z)M9>r%ISgWvvN0ouQq@^|ycw0vSdYd5X}
z25Pvx_qeAgXsXB6#*ZNsk5+ouMS+>dPuCROzqNYY=u72Ou$sF2_U&I7Vp7@&h1Iq@x
zTsmu+P@1jtH%SZg+gbzHq$@p?|d9tm{TXTOC)lg+AGYNPPr^5QfJZ
zUJHFU5_8&KxAf@GPcHTB3{=qu;Eu=uqUJ(#c&*_w;gV2ke|78566p^z$d7&rQtd+7
zvRMzH(zqGeiNp;z&W)d%=bq+AjfvH7ioV>+FmyHQL6gtM3ts%_BQGlgw2
zE5=rALYYkXK3TgxhV?r@uk}eF-xMrXtj0G0e{XkQC>ietffkz7MX_2i`MW_(E&^}z*wfaYE~CP_jHjCf
zzq(+ub;;3u@%-=^!>Y253(N)UW(LK0eQ>98ez2SRP1vja&79J5+n2oBsQy~8Ywy9g
zU6yKmC40&W_FS_`nuJ#nf0pM&{bKD01vGQk9!9D$L_NS7@$6A9j^sq0pkfX{Z-Rf!
zIsbVszoHGOfb<)9b)ED?iE4fjNV&i28tmjIwHzp&skLx5>7<^_*x8`^?^X$0O&A{2
z+83edyaC%O1*eYq`%l8&a|c3s8+Xl1vSZn%vEH#b$^wo;xSko@Z@Nym+d5B
zfY~a+eH}=ayU4ZbI~ZPzne2F3bS(b6zdv}@TQomtoU9<3>KFo%dy@P=*?0U35jAo@;rhNeN+4OV2ybZ`F$bFFoXk-Cs03t|U4l?~C
z58v}Ea0EcgB>%GW{2V6#`tl1PVV$dS^3NLOc^_0cB+S_O7S}$%*tU@kDQXXm95llH
z^m)VhCmrGGa1F_-5GCwt@)7``zR{8z>j%Mle@sXin#jwSA{zZl#jSCH*XEt_Eizej
zeAbHx=dhYSJlu`bZsanOIPS)Gd{vi5`9b1QJ$c;BXp12|+tA$V2v7_Pq0%<93OxSb
zZL;-a9iLHoIQ%4e)_Z#2Vmo^4lx!vd&8sZ%piU-w02&GEXSp%tbX@lHn^jJ3{A%_C
zspgW0X+{SmWc;knAiH=KMlV<{sa#UW4G&irY(FPB%U{^}c3$mY{tOHlw>ROUvCImE
zR7PL78G~0_?LUL%w)l|chAxw_DEaF*-&h00Le>bWWvId0MJ_8}$}c==6Lr-8p(~32
zQChQpfYP4RzAn3Jj-=hUJ7H$&LPaL@ijwry6TW5$Be~?YV;Y`7-}1zyrOb{FQ-qKB
zn23$BzYOFfTfC1;+4IVLu2|fd{1f3R(bTmmw8vD+TCr$ZyXJY*Yr5IuY{=R|h_H#X
zwyI-+1);~1z^}*DYK`mE=H%W9LcWtM8MT@=GGT1iqha#ar`7Ua4$Jp}4Y{)xRnnwp
zwJ#JySEF00+v@Scrd2+%@)vg^5tF~oKRJ0DBU0&J-@>e($0c?mf*iVHAy^SfGixC&
zFEB|hOA3*Bc0oC1&5*fg(4s4Wo!Up`Zq)Cv@Hmie2DRYWe=#d&Q*_{YdrLx)k!5X*bi1r^
z>E39@5dwT>sAzt>*Xz*#>>fyH{Lx$7LJM@l1EgBN9JgwKW~Pj6eN0@a;5QSXVC}o1
z=Nm1qQF0Qd(Wjeed9!bQ&u_)0)+gwGLxc`SO_XU!A*Rwj7Mx!9K
z_V{D``C-R_u2Nxk(o_cN&wA##-FwEPUnWGN{geVvZUPJRTB8g?S8U%|vJ$%_o#GIz
zTc=ghwxge(xAJGOFIR3J+mJgt9|T8AgPH`H2i?JME6(<7+MrMk;iy-Kfau)?nI5EI
zGy6PcWk}X9XyqIHd}IF5^ekDfX46i5*Aj#I?(($r#Y=2BNILf&h&}h?kBr=@_z;bx
zQwOzG*?DPZqzfA|gsmTcWU99?jHM?2pV-{l%Zg^BYF`13D7G_qU!KxHa
z+oIE{?7+e!DNaneZ9XLImy6O>u7~4ZCud#1pKwMbxEe3EC|#Tf3@Z5lpj}ZG=?~X#
zpP?(gH#k_zJ@qgJj;_VLW={A_;UyAfNPS3L-5kqR@iKmL)Trs{?~_d;GLOMgk9jn8z^4
z{KFFF|0$kh;xfaROawMx0m3twLZe_qMG4K@8!JhQ9SQf$rHL&Ein{=?%%%NsCWNot
ztmPZdaP{6k*`7~n>+9Vu3Y9{W^tDHC(T@4@{$xyM0=coh0L1o*=$@6f2=6}CPsQ+
z8!}Fp<~O;TNd}(U`0VP1>$ZbOjpyV*qZ-h3eSd|N-Fbprw*YT9{~{P8<>>ln$wb7$g{&ZkXwwntB&YPjkHfMDKtZZ-+t
zcA@At*L+(!oS$?PF`FnxYOVu3=dbrD3jjr)$F6^hWT+#O6Pch2j7@3F5^+b-EQ^7Z
zQEqT4t8S6Q$EV`GOIeku6p-{G5hYNBIx-GG2@D1~2de!PQPneQBk=OVjO%u
zVgNsPeLEL`Mz6MVmH){LMzq2AH350S_$o_?2^63Bv)Hd13ZZoR2Cv1I6Bf~}?mx-*
zZ(jw*L=^nzA|2xC$5{JV@A3m%CnzwpAg4r8=-&(X)zYCFuY&9@2ofF%bIiSt(
z#Z>rVqg3k!;d-0pR-#SyyPzG9H~9njjxWf?cmu_R{(^#?Ha@^NbhNkwrFtS#w%0YX
zOzuNDkMRdkqGsLHzfedhd{*WI>apuxmbF~cdAiqkfaw!Qsw!oJa`z`}u{}$%-cN;5
zDK7lldqV&SQoQKU0ryZckBnxkMoO6weA=#Qc)rz%kjNj;_^l4f38MX~
zXJLBwf3pBh>Box3%+=^_@J6A1vjA`{{NQKVYw#=3-V7mVr#;^JZ?T|T|Go&`@iSIUPdGHuDD?e3*lz>k;-Mc(zWP|&
z;!d?}S^C#}^zDsjh12hB8M)FD=Il{U2{#tXA9VL*9WBBS=9h9Wud{_5yg*f=B;QY$
z&jG~SWWl#$v*!%Da>y#s7Y?cc+3Y#;XpuplirBbB%D#w%9N)qkZv-yR+>8d---(B;
zoM^{FXe-c3hRQ44c_e#qNz7?-T>FOixVg{A
zAEW_}
zP?+dz>Ty=m%;P=ldkUY4Xb=fr(mdZO_pB7|
zsd)%<$p3QK?~nio;vxLKd16r!EuPZR$Pnk_VCANh0`B~ty)n}l!qJc2Ni}LyF3xR}
ziKtM#c%XRM`}F7}6}k9#VlP`XWFg`>V1-qBp*0BHQ)&|^IQHH2gZm8w)HZi*kAX&M
z%fm%ha>OPD-c3(qWTrTzpUOKDtX}8R69c*Jvgki{cF|X=jWhLb@H;(apsElNjRHww
zyFYr`O=I6E*~2_s??0x$86
ze;Rx@9yT~^IL`Q;J8m}YUl%eLYjbGX-u`g@peu7l`IY8@ThqbNsb3L72@W+LYqd=2
z;c@WyGwL2eRLdZz$)a78FmnDqU5;PlZC3=TC&4znnk=4zsPhUA9%NFsLVN`lO3xsY
zBm)&`l@>tOB;m%JzJYRi0S?wmFi#2;VYz8*ivKIZ=kuvgflQLTQb2M^wn+gd;mBTN
zl#iL_M>V}XUQ|DtZQ5!t{v)_S_4v}{rM|YNzf|(#I9kRCQ~F|l~ylX267w8&e+}B(X%}h-&3{K
zE551Z4NPDJWfZmg?5Mbz*O0^ATCT&v=yw)y>o-{yP1pM~gkDwTMLc~l1EXJ={O}#-
zX9qX@=tOCpx>~Ng`Z>XwUSitO7c-~+phwp2{MBM}mnSwnnHnP}ZQ`(=jIIC1=%?sw
zP$Git>EYX+uQ{zc+(tD|eMf@kNanFu=neYN(2RSWWl$LD`g=8PDUi#EA1Ujdn&=FUP50N{?tx?cOk9SF}{
zt9O*=MElwBj#x>Xe@`OuWveq0O}x#i2z6_`y8*UH}|=9Of9bbh7#fKLqd+ga-2r$NU9IN0uZvC9+@Og2_-8dWEl
zVK*4(a2%#n_2Q!aH~f#3{yXM~AYYZVrgK%J4^GiNN(QOzAVJf6gAfkkRVnza{KGZ`
z-%uH^=pBsXp=B2Cuf(aLoMq4j{Fhutb!&!debeAY8<{l-dfg`IMAnjtv4s17In?+K
zv}Kz8C0_Rate^U28^wGG5WGk};eWdIfay_T65vX`a|F6qC_$Jx0Bk;RS}C`JT!GV8
zmPdDT0wk0zcGuxQ2?HB^cr?W3A||`>FJkt?fdW7$-$Sq&T3tYn|t3y+rD2Csqu%W
zIAJ;%0IqEzqJ7)H=vzv8MLLysq>@Nqk^o2lxoM6V^23aH#H~^F5s(5L0pd7kmoUh7
z^;anDL=4De%spFKm>Og&T9rdm#mGByDj&AS;Iv^$iF)%tTaZhLg(b6`w;*`Y#sJ8G
z0rHGtt$-lZ`^vMgFn;r|V>wd&Z^F(|2+&~h1lh!ug*emRO`gEk?@tZ3XdP&&i*LEyn
zK_S5nE%xOQ@h=FP=Yyes^7f}cm%eQOkVG!^t$n?N@$-miL_5N`zRLeu1Z|y)RUZ$v
znYGaWUmmcW{H40`FV@q5F`7V%*X)1{Eirz>-SFr8EjyKp6^}GF6{y8jqTo2&@ntr1
zJl8%pdyMHDYJNJMHJ^}00YZOe?VsG~uX6Ls!n3B*@BJOnt)uO=Mci|!ZRj4s-apzM
zOKqr!OV
z`wZ(hHVO~K)7C5X6*)#Z%q4TrWL}ntEW4{|+n@NGmeu;ZO?A)0(%U%A$+tGaZH3K4
z2YPv$9|aBIS&&YK(Mj73UfB<;uR(QPXREVS+eryP%De$y9}w}Inl@Nrc!G0#E+)zt
zvt?j8t`9q1lyhtS24Y9ZC05`j<24T2UhnL92_jpdQx3GT1CUX5z*GP74CDcjmDT@J1%vHlqL_jxqk4R}LfoAwW=iRg6OOdw!djr~l3S?7c`BTutio
zu00y(&f#>;kEu5yRB$k3Lz8fA!&TW!ajV==d!cCDCf=iMpV#r=Fxw9~C}kx4l(FOI
z_5_w1gVUaJ^I@eku+PsLv~nnj&Pq4@KJ=*F(Q*1bk``qg>gtho=N+%u#+*D-6CUQr
zHCku*E>cBd$PjtJE1uNoPjFsPULZjcXa5-S%-x3O)w7Ma@L3*{bh2=i3Mx_iZ`=Nl~{Qed)a=|124dV
zg6snzic~tApV^9Dl7f?2L10Ah*iUlA{WhOl%TfB}qsDzhuKKif0;9=wWjR%J9gEJ6
zeK$~N%LxU(qQiCtslpx_UH**k*yDPoruwTC6bO0TKs&(x5j2-HFQaK&z8U%~W7V%t
z3X@^D{*&xgC*oXgS#cWrr(?sg+qO^BtK8mMB-Bfvzl}nA@sXxFG<48ItGv4+11-66U_Ua%#N*
z;x0(g0W8B}rO32cTT`tyti0|Z!dbrZW$6xl^8JtmitsbaFuT8rl)uQc$2ZGs%U$~A
z1*o-YN`C6RP29cMns>EH-{GsEfqR!by+b~+=j58iHPI!j7<*{PjWau)6gD!g7&jkN
z+Yqc;Hx&`@_MSyS$66kzIV3Ks=k=65ILz@{lon^e+_Dm=
z@leU$DEx7t-gdbg$$Z}$SK8m||0g^GG2|X5w`KzN6Uoz^ehd?GhKUvG)&=j%P8vxDUl3I#-pNk
zr}1zhLAM$nu(g>%6Tg58P5v$Ani6qE)aF-{#bNWMUkp@B6>Vp}&7O%8X`{SXil}w?AK9qzc9wZXJ~nT(lcV=^3;}Z{xDHGW
zXAY-1KHDsBIbB{f!nprB^i3{&WC3wUK!t(v~a
zX7a#x!|~E}_0ok|)wrDT?92J3Pjg?q=!vLnPkcuxZF!h~>&KUw!dd4jbLsxg$tSaF
z*~t=P_B9M)43p#nK~_P#z5RGyC8N
z!Pzy>i@qBd=N1Nwfb`I2txah;mrP84C@M;1m?`N2Q%J?p{7{a~-;j;}
zgP|d|*RN)@7}a4Rp|^hc0!qND)WOe|HeM?cOTe;~J5$L~V3&?iQRnPX7-0}p*U%;m
zNob9@`D8={ZWTmn4ZI6uDidZ6UJt+@oVRsB-1)8Ca(
zyKZ|C3=`j;Jx`1qy&1c08?@;jgnb(Dd1^!V
z0dBDMhCcoLj-O47?*6=?saXzF5y9gLza;XhbWC>Ica(zsJ1&sza+20I@v=5awJ}$Y
z3+(+6(}mcv`GMQDh7??h%*?Uva>LN!qs$QM)o1>gF9)A0Ia$Lk>qF}4F)wLpfzfkL
z80d)e(;#mx`>->`ppzI)eO~@gcH^kI
zricKJvczZuLmI}OX+Bm6&TCcvB2xPU8TrS(x-&>)hBnGP)~PlFe@o>dR8`Z7dbNj-
zcX)hU`3-%GD=c(}-&)3t>2Nlb7ChNp0*nPQ{;V60+v^v5tkEZnsu^)icF9692kOge
z_*!dlEs&?XJ=dSU_14zj_5%}G@EC7|IlM8NGFkKD$U~SY1+T@2(S$P&?e4R(_WM+!
z9gTD{MMz55pOW_k=jys$ptV_?f^-Xa(mqHJJTtL|PM7;O{G@ErSW|x252mXX{oCaw
zCi<|!SFWnOT{^ZaLn5x_f=h(ew~5LfCDu*e9xay9m|;lE1>P~A(IvgN
zjJUl&l`V;zm@FYP%JA$$3>~t{heyNENjh8wnKA~yAlUKrMUchsC(>AZSaj7L;eDDi
zU)mp}TP+ye9KxfA>KtXDAmbA9Zx*=MC(_{26^Y~rY`R0D1_Vy#hPd--G!R=6OAd*X
z5j)T=wph2H2bJc;Mz^2;QX`cS4Xl`KcD&PyPqe54cU1#=_fMabFsHb3Sj2%!isEGE
zTJ@*#3^$z^pF0|}-r&8?*2j};*5VwU(?gmW{<5g@p(HaGl=C5+76cyi7!7GN~#rX6EzqNA}<_F&xhc@Ee>6QUdh$#Sae
z^uKSToxC`6abpUO*gSL#D|vTjz{2Lg|Iu+q)XdA+@8`vj*bPYr(WMPw#Be(k|9b4n
z7-Cwft<^;-XyM1@^K=!3nP}roOsq%$bk0>Zyjgs$Y~PGP=_Jn|dp4k;bU=~nvD7+jqleMU&_<8Gz1HpYx#_7)zT0Q8+P
zOh=f^HnPUAA}i#x8GH9=*SgA>5zLIcXUMmjhb$#@sPf36Xdfg44ZWFwSHD)Q&*_tx
zJ{}jxZSMm$p
z4>Z7?HE-{9Y^t#0Dx3wnzL@9pRo_?V%Vuaf1V}!6MYDrEt{F^0N9{(ctCV6LY*kOc
zKAXIv6)Q4*J8#dhFl)5(Ss^?%1xB~d86#pZ_qzUVqm@ysVUiBwq54H*vUTozk}hp^
z#L>M-=(FnO=)(68NJkcD4(80Wr)>&@b1plUa|ivDb|1fAwEW<~F+?~Iczyx)bA*7e
zl+=lsM1E7P=R#SDN+S7Q4nZi-I`WV4b35@KK^r7-kbg+(zh9(!^^3?}_xw$KlWgoG
zgzD;9=RoQ4p|ty(TdzBKB$>6@$+qH$EIbGQKKG55==f+&q~MxYr-oD{S!J5i@?p$(
z>eI^&{ZN<9tT0e1lD-{L;)%K8-c2L5|+sV<~RhqoB
z)JEcaz?4)f!$k-7=vPSX80_J1v4-Z2&jAP4;%!pJG;lE%i#3?CA^Q608;1
z>@giZ>MkQ|hbnTb2j9_y-%?<}@bcFnZ7+9!aD2e1FIvXmE7n;>jGeqTI;x^>b;XSL
z>--zi>Ye#dvaWRkNIyNnoV7p8+uBYU922)(e)S(>KNwezh-2A-{ysm0Ka
zJSmn{CT9w+mfkK{_lM`Z4g>ncFgY3AE~OF8;hAHIF=xZ27U@0Z@=Pr|f?@b5u~
z1xKzlF;w6r$LA6JB|(7hNKl~4PNHtys~Yfhy{Dm%8-+(y3Nf!h
z$%S5<4ie~k+QAGexT-t3FMKOhsH`)vVa_*&e%YEVtWLkz+w8OM$LZD1szZsv!D1R0
zoJ!mwNvOOzqCIkPrn@+`Ewj3b3s{Ab0=#$fw_RQQy)rW-Cu?_`1Ulj1u?%f4HX*Wd
zJvUV?VL$&dbegN}{^hFT|L@;T8tr*yU!jj%uIdQayUtkdz_T%D!X#UkfL4hK)ZHJNE<1^nP|@`WzC&Kadf
zX*gyP=2B+UaYM)J9f+o>`_JqbQ*Y1Z-8fV)Cl}rO1}Px+n{}yy|2jr>purGlf8|Fm
zHP%gke;vfHYL6S2_aBcCiVrloYg{Yx&J?IF!VcqpEpd0Yv8V6^R&mJjjO4dGeHNb~
zIpe>2C>kbt_Gk63pkV)C;B+K#YwSU^lEgyu>g1~xtrKT3o?GQTvlqC{6{R0XkIyFl
z5eva=_u@&#gAXi)hV+)ESeP%5w7l3Jc)SE_!1@JS69*s!>}IX@zfMDO8e#U_Gs<39
zx1g^ACay~jj6g}a1Jf6CMDtx&`5?GUdiL}~EUbKt*NE;oa}Dfz5A|j!O+~R#{t_X}
zxc88$0kT2gd{*pk+Wg`XdO`Q4oWiBKm4Yp=FJkj1T%#i{qjt{Q^f2F_Bmx1<53o{h
zutj3xeVVlF(|hoRS&H*cMH)uT#@ShStQ{NCZOvu#MTC<&+@^0FNO%gB&H{9^$+8>t
z!HG8vZckeA5Q(#Sh{%vWg>-xw%G&0+w$uL1tQb0`c43jil#lM@Tx~g=iU=zCnYvYS
zo}tn@uc1#Y6SBj}7J|D+m8+N6o%x+-T-cKC8l4c6lt$T3_u=0woEp}IA7Oifb9
zKl~3eaT7{jebjZjumD=o$irjRi*gB6zsWH(2a8cpQl}MfqZijQXs$^$;kdZ1SEr3|QqNGQdq#^5AARiq)Om195df#GTmMv1-3~36#56SW`-l
z7jL86+zo@LeJk^oUjA@!>YrHR*gbdDNqi=tZl@53+$tA?J#$3B
zSz4TLpS@6v{^jt=!Ub>~%2p_DJO=kK;To&vOyn15u%;thszTNc!Hh{b`50n8ebo&|
z^K5DKLsOY?#L>)6ptLvFqh2^&(<{)|tr*
zCY{Yxj_%~0hD2*kI|v{Zs%E1=1{ns}NH?WfWJFwX!RJ=+{i0CUj!zFS9Wd0*F3q3m
z|MzOcRS`;4{@*P-bKsU8U>VN>SCZfEr4|0xSJF0UjQHJg!C8=e>wb=cz#&iLGm@d)
zx8C=0x_~~ol#ELqd>=`%vzt}FFjQtSJYS_Rrp}2jr?Ti_%y77`T|QQ6revgb8Y_R8KPJ1bo4ib#mE_qx_a
zcCxP(vI>`L?-17|u5s<~dtJRh-`_v!ulszS{W#-!UYJ0A-$1py@SFa!s5GNcsPG9`%8EFn`68e(Sg*ez*}xsq|V-akpOar3QafbT{9kj
zrFkE3N?m!cDAE7Q-{;u}H-JcxIsDcQ;rb
zp?QltnWwvc?hS$KoQL{cu9{$BoGf`=iYl%l=4<0{uq-?rNX8Zd!~8firTs;*-J2Pv`zP3~7!#?|i%#*!N}mRjG--n_md;t8dgRQ$2>Oi3%0}
zn+34@>8W9tYX8{wr?E}AzZq5Ykd|J$eE`*;c#Z|GN2R%mRO!4fMM<8!DS8&nME@kpwGGWH7P&aWcvmSRJRcKjMeHYxs|zM@KegFz!i_?KfrXk`$!m&ZriC5
z1jDAIy;%{aDY0uFUd2i&n~?*-y$4AFA3s4VvENh-;xR_;T7?;Qq@jpRy(b}C@ZQluEpZN>l
zkH(jcA$&AMUEBNDBOy780I-9N$_{KY9Fxb2M1;OplIae&knOaMFKl^gawS8i9J)Jw
zZ}&&pO~nV}50@#@0ad=kK4|u>O?p=hj~4yw+`7t5D&#Ce@ZA}~rViEkW-QaS&le2NHItcHSt-!a;JhBYm^S712l>cgmO7giFXJVp(-&t@t*
z%_iL1-}${Ms@uCT84cUH8fp8=z%&2!jM5fv(l}?OfZ%*cwh432qwY2rfO!8{V}B{64Ww
z+}{dV8?7G4JN4l;R-(jK8asU;O(lzAkop7+N6Bv39X>!8HXFhajf2a=bEJ^+9a;HB
zGlogOi;>5#K$p`{c&8q#@yk;MAMC<_U?&PXLgTR#nMCp$2^0NkM9qt}^9Y1<`@~vc
zyj7-I#(L(|nhx@v-`?wq@yBazixL3Qz~jEcD>^{By&hk-${Xf|Oonoz&aOUx1a?*+
z_96wgUO8wM+UM3$tylEDvo_VM2(Jp)rTyB%8p>y)`#B{tH;IRQIy%gbn!lFvTcPU-
zCC~cZaE;9G6nwPZJD%t>=~uVWyU#zE_j~a^Rd(hu#7YRCnO)iDo^Y8xB6bT{reTYW
z)Jgqs9z*Hy$s8caUdYnn23b%n;tQ{mzte3l_j?s2`p;%QN`$CB8I$0(kfQX+W4cq6
zMhzB+OD484S>{c>4|^&v{H=JnD6ACNZ(*|_cau)+y-B@u2Y9Bkr=&o2o$Mp1&#B8a
zg$T-fA(`@HerW4Qg=noL-Sk{tPFH~HC^a)QAL8pXRaCF>@pY1g#&Os0fZ-UX$D>L0
z4BNDPzrje_(?@q)O5v`$V2_kyyF{w`IjSl@b<7)`ZDXD7dl@Gxr=Ek<%Iiy>3S|>Y
zTOWR1YheVbOe^lu*h3{&Ym6X@fb>5h0XlISR`w2>_RHjkBc1Bu)z5;B>B@yj1
z%T_Z^eWm$g+-2gTFN646y6sr1-~X_FOUMKKnwi2I3>A`~r-cB{EUM4z@Z5QJ;%BAq
zNRh~GSXI<9m^2Wlrw^I58H`L@0}VO9awtfPlJ0USuW~yQJGjNrlU!R`WqrC2ET3_i
zv%2%G$?o^{J6#iH{;J(blN9OzHvyDOsTIomi)msSz1dPRT|6H}=oChdpsJz&nRA0%
zu5Nwy-8ssF7e$G$HijjC3}eC)tjQB?anyFnAHC|@o}GO*^W)LxL0
zinIPdE*%L?Jms9!ZmzSXLJYYgeD&;=TF}UkThnB$rjMT4JQ%)JASMcpDl@91^l_bg
zH&fAa?Z)ar?V(!}7z<5|Gq-ZZjf2A;U|ytqpWDX>qHOm_(zXhR8b?lYa~3}eeFA^
zkUFD>t0zUyW=Z{0GtaWr3_YxEDW!S^@WKO96UNyg-F$OR%Udz?_120%-J;U|4`KPQ
zPE$O=d!q!4OJP#PWqe^{1WUW3Y+0&@)RP+m6sLBXtQkK+*qu+9o+vg
zhfH8(MZ`_CBQm#2w>|uB?v}y+f>h)IxXi>CyFMIMk`r+6A#Uv~IMVIuJ-U=p)74^V
z=z#6QeD4^)lt1qN0Z_y}=4SR|Vj8#+=Eye_Zf={IAss0&sN*%`8(MBHw2cf1h`QK6
z!@fZ;!bH^m%TM8tkFLkxeyUUsv_bg@pJ)S6TFnIRz;zcqtbH7oOfdYgo~~(M#Qi~e
zu`^`C?om@+PG_q^$kf_M&@FBQ;Mr>ZuT>`zD|3r{!1=~%AY15d^JZ3|DRICtZrUW#)EPlR;k#KK{*etfz+dtI~8b1*dn)k#;H(el9#>Kz&
z|F4dlrk09N4dAZV@J`oJ9p+qe@7<`j3{nX9Vyik#`-h29x*4xc@{b$d2@$a3N{9%;
zb0u#?-!os3Ccyah-&wymTUC4bDa57m#}mIQ%1ypNr%;H_^bAN^+}3YMi~!2kbRH@r
z2!3eDY+)fRXy$t8U3}A8JU?(?(M!X==Md6+x!o{*J5A(qAFhI@NHprS<*5MlNUE>U#wXd0V3cxPEk|bO>`1
z(y~wI#_O5d40j;*8@Bqsn6nyi{j*K^?wwOnt>mTvvzf@Uo?xDk@OS?lo2FhhpXaIq
zqn-CnUf3wzpn<_pwHCF`UAz}ww&^UWmGt2q|JEA6l&9}~dp`3>w2&t5-mQ`Or*{T;Et@4jWh%tTw3R*UW^L5Zm%;=RKb>(MYB;f9&Yrxksep`tX_e{PQumEy^~qL8
z0$>xy7#)gbXj9yPUr)G^)2qBB*>*N*B2o(;&VT#>?9JB7c|k+LEHfgR+_6turNG
zXYt1Phe0|5(6^=CvC_QQY{#vL4X(6RImx-mJ&tR1f%RQRXuaQ!*K1XVpP8KrQ3fvJ
z6J>0<>gna1419{!JKD)K3lKHhMdHo*yNxRk%
zFe(Mt6;*V7#60)+-u);$iXoN!+=n|uD7Z*B`&XvyY)R-%pmWy~1&qx;&JcaMmpCOwW)*YX8NBRo#a0k9=`uZ7(
z<>t?U1;V!BUph|tj5lr!9Szi$>Ytx$wyuPC8;@@1hynH3O8|Y6x`n(7`1Ss$0M<$&
z5ChiSz3+$o5d3Ma{6g$6f|pC@rQEajE!g(y-8l+>^HX3fcum(1&RsCnV>MSK{FCZ&
z$3TYYQZlf>3g5}?#9YaOxw(A0l4WY9)dsk7_nSLFAw<>8zHnyq`58RpLs$UcdQnZ6
zM@K-0bIJ7`0m$&XtGuQU+FKVX@ai{cj-a(oZF)sw1>>Rio;NQPC;buX-rzANIC#VQ
z)3lmCx6?PpMI?Y4$y=~l*!!+81W5j`#xqKMSuPxH*Sr*5l;!)EpstQ~m$4U9Hl2RK
zkBC#8>$DK{s`@j%WW~ekA_$WNY-o1jmR0rrq<5D&V<$q>nm78>ui*gVowe2w!)j+v
z*ZF1=Kr267&N~^0*CaPPM((9v5hQIuT<9wegg~*k>b5}X
zP$QvAdV*M`6qoUu0$>MO6)VEyXB2N`TIP74SD1dNAx&E=RLIZG+qZ#!b=+5({pv?i
z=VlrMylNk((;!wmm|c5(f)QW_J2js9p{ffWwbPM~kqM5t5ZIn-KUM{gsR@MbvdwU!
z?iBR2y)0YZ{`4tk@mo~_USwg&OzO17#Y4fyj%K~ahU^+KkVYCa)gw;%#*W?$E
z=W~mY-kW#UiEN!7EP?-g8DmO3)qYXve?}#A?{LJ!ll1+i;`}O_!#?dM;Zw(oKYT6b^2c$1#6BTA5egRR4&Wr$-3QkYqt9lh~
z3%)(_%>efEUE2i0Ze7r^B;_}~>P_{`udeQ*J*~Za=HyV&P~QI9#4xbGa*_
z==B!r-iz{d4!+r0+rmbtLLME{A3FzvgGHkXPH$cakNQhD?49=%eKo;L1Md_PZe%~i
ztC+xL_VtbU(|gLhg%F>K_=!xjxGjE8+IU#OQ{$Js+a`XM_)eRET<1ae1NIm77(pD<~7_pj=;0`j)_-(tZ&ScF?obadeA
z|IeUCsO>Ia)2T?C`hec6xj}h6^tO$9Ugdx3>4;mzu1rbUc|D-A8{tIX^0Sg5{Uw|qZJ_w0A8^-K&r%ce!@#H;KfYw#m$_KH}
z{}ddtO8J{RFMs@iWd9Mv{CcaF(HH8tUK=b)*JGH}TPB+Hv)_)H&9C_>ekO&}kpo@D
zwUUlz8h2O{AAL#7=a%A{p@%18LV^BWsDihDt7UdO^K~YL|Euc7a=wot!6&^W04UhF
zLR$$;hpgVMVkDt{bc_CUmy`rOuN@m
zy;)b27CLnVq)-dpcX;mh-f#BL?;Cqd=QI6ce3fh=@5WDPgUI=ezx+B3+;MShnaoqT
zYnS<7y`r~2_+R!Kd71F6KGawJZPz>o+EP|e{K8t$+4^%gSPJ__$;Y6Yho&V%4Z@fq
z+5j};?1@qo6spiecm9Y&2ti*w`j*rRHT`p?2ec%pdWj~I>ki{I1V+rF#02T)y$LtN
zpSCC^*Y)ehaHY0wc*63nt;M_#XaTp=Gc1UHebVt<=th`sj05La^{QQuIlI)R^B-M)
z;|9l1HY>{4otmCI1sHMezeQ$?VlSY03%1k7uX4UrcY)1c337Oy9|XM5QxG#yOubH$
zrLrit$*Rq^U&Xj->blhzyA}8r*rPksG@*zF5-?fdNyD#(t?GCT_h=CpbIa4Wwo47;
z{W#n~9(|<1my#i#eHie%@4mDreW(54;#yj@m_J5^1!hvDL)_K5A`6{IIw;)d=X&pqRJ`u
zq5c31c`?Ey3*hYukc8Nt)%bsyks>5=S!1I-f7$--_~JNa;k@o_t{!-?dC6KEwhs1S
z;D2mM?ZJUWzgU8VfkDOV$^#)Lh+5xiluf5Ez~rFE@+^JR#?&90Rmb%t(m|$^Juuk>&D5_?>d4kNX;&P0uqC
zuSt4#|Lo=iTeN;SY>4;I+*^JjRhSjI;xEqPKmL}_#xE|DuUt2vDCzOJ&#hk*GQf0F
z5!X1*vipCIyr2Fu3AFionP{YmJQI*|?BV{M%wDD@;RLpz5rUV%8|qmyxy7@h=3Uqj
zxl^M3^C80yBg*VA9SdBmwq3A#J5GeyV<#Fhshp?oAQ0Cp3D7JYM*NFelH0tJ<<%k
z#kIJHs|;{J4~9FDh5l38r@cbKn&$wc)wlp(5d&%fwn1EHBH6|5;+og`@-Xkcs&ZG}
z)XK3T$|kaOVrc3XpI3Q_ibCt86G|vCo+-dRYn?eo%1op8xdp0PUAqMOH#Rcf&qD)X
zwQ1=yUk&B_i9Bk{G*Z)CGfJo;CbW;o^6?Z37D%(EE0$@K7c9(h`6o+wQAje}%_@mIUS>!FgM8o#5rB5DJ`p2avEFlIgP8LQHu-f~P5SavN
zrd>52D=J4uIl;L3_u5=YB`lY(KHdA9oqAV(Pobpx2o)k~VX~af1ly3@GA$fR}*=Y`=HXlxr
zjU2vuiKVBzN%W^vo}i%{+Kqgv9}Ychuu(1Dkf?7NJZszx`uk`1>mXmHgNx^gSYV|R
z=?|ZSBK1-Rl=Exz^4umu)Tej9=J?uH*ZD@=$$+bYdP6{TpdnrvmnKk7^;3*H`E+q}
z9WS&KCi|e}cT@=Bj(Q}$Q}dCx>-hA`wYcEU+KeKv1(M8n4opmqlBiBO=_v$T
zT-!Ff;``@l(t6BT)|{a}fNpi)>9<5#ar7SJb*|{;SvDf9UysTB?%X?Op`2w}Jc-xH
zuSkG$%;qmiJYnIug6JDn@)&APX4}J;*VZ-KpKJ#7br+)d}6jx6>)c>qHj7ue4pjd
zFvQ#>_t`FW7|<`stBo>dY^_+S^(rqjxcKv?nJ%%?)!C-C&(_}mx2TFo&OC=3u}^iI
zj7N-xmcFHVTOigeHJnK9%evU0Vpw?C{3&+fZy~YE1Oc9oHTC9rVh~3bwhDGzFSL49&`
z;$bQB(fMY~oe$|A6chhpW}e9=7j^d3HH-h|PAe|=rA10^A6+EUx;!eqFpqX-c(F-1
zu27H{H4rJnZ8AMMi&`B|7OAVNsnr|q)<4^uK94GotgEXx_!R7VfP68WU6beL(MQuz
zubLL@+qq*)KUP7ump)X_c>SGV^zz^K?V+L5i%QWmH%(FTJeGgv0fOMIW7%Sg7bNTS
z)&2$FlLG(W+rN#bnN8&9wn+p_sCBUlKHiAokwP!>BEiSra8**SU@lUjXR%~Ix#V(c
zqtwe?oT((M-scGJf4TdXCz7}1#f|j6YnVoYKk{o)y~)2HB?mhCQe<0(c;fq9yRBV
z-(AA?iVd$9|C$IpANeG4`TJno)w6%yphTE)vYhy~At9|tOTU<7Af5r64srY3b@
z)+D&UJ(PFsyDK-qvqB&4Qaq-cL__Ji9CSe`7E4v7}3zX?bG*AJ(;2o
zxg5!Y|4iKUB9D51FNG9;z?Tnzoom(k%m7R#{vN-PDXtJewVx=TnKi$CEzT9!&AVe4
z+7_ErMFSQp@ON?B5BU>~Tf_A^X0^%PcHm}IQaruqXHFF_q&80OFn-?K;3o;&u+ZoJ
z$&1@1f9cfrAS3mx<6mwn*ME!EOOghj(zylvtWT$dMSJ3JAZt#z1`0wQ!6aER
zuV%bJn_3X?T;OP|vUqOUcapbv?;|4$sNxRxy2tveNk6}(-%@acVb)h`hf5V}i{hBIDu2bb9KiG*JCwz_6fJd~^V4gQkbDEh=xZ3c8r9nG(U4+<
z2Euz>nU8;xFo+k>m3PZx3|{bzb8LO&1nK7N31id=<&WQ{5kgkCjW2W3%YpaR$%
zqx+Hck=6PBsP5=%i&>irVE{8T_3sv
zvh_>Zyb3bBn}q_8pJ&Zd%zqKKGQ&*|+98HJ?+F#T2jE_Pm~W7VHccqRl;~d7duAXJ
zG*3y`?$_fk&5J4YY2F|3nW-Sg(-OpC?m_^n=|7y6kJp&0AP6!Gu9N&qfz}iy{!vvP
z*7=b6h|xzBp|YXiMk_TP#haEaBU%>aS|SKfdommMdnk$QV_927zR5}K&%pa9e>O<3
z1}MtC9yyv^8*uYqrlA79)AHZVN7iJCL5Yj%bvHnk+0|zZ%RF0E%sRWV4u&Jnq9@+#
z<{7A#TCd^G5aO!+VFIFCK*jkaJP=^OP#cnc+BkvI!R-xB+rRBb98@
zu0!DF0K#!e%7<-Q+3y0j%#v2DaLa9M5*pz$1VgHS1XbH-@@0dl&e3wwn)p^hKd!)G(g1nm!gcQnvvbqRBKCJsAx1Xd0%o7KQ$p-P8#9
zyxT)Z)!zsKwh(nSg=h&GbuJ
zI4JNxeXq>{04=O?jHu4R*WTy(i4~fjqR{yr8s;M8iD`?cW>J0G|xFS*;A
zQjADp%21rSPVwL#uf0EQ2V`=*Hfvq$HlZrOFNy2#GT0BWr>M%~b7*<>Umxk6=QAsp
z=BLGlH$R;>NH3PN!cB>wtH?iIx72y!K@K9iw5&@*54g*L$#?9pu@@M4RiBxB4Yv
zkgJuSu7J{){I~St?OZ0VZpKXXAO7-wL5TD{CE}r^Eo$e0x=deRDB)-
zSTnBSJLgrduAuB_)#xYi);0vx{@zO>1yY
z$iGNtjO9v_%`my=qIXsAUC!LVHi(DhootfIbD9j3!S2=Z?(XsN>DBS^^X#`PH~c0p
z`Dgj-wct$<2Vn9o@l<%KVr;zg*|U@F6$hmcM%^Xm;^;HR!Oep9FE-a2YzH7YGP>_%
z$Hr*5;=uc?9PeZ^;-y!V>Xi`Ou^NHvgZ_Sew=Suv+=-_KLdSwUZ&!xW^3iKDvTa3sRXJ!bf4tP!>;_2d1GX_m^&}U-b+|S|SNa)V{n9$3z`YN%3T`_PZ`twuoqYO91&Go!jHtZsi^Jz*x)@ic^^(4$=f~lJP>f
zaEG>D{yqo+;EusBOT$N<+6cR`s
zFb@KLJumXAWN=d37(gqIEArKIw{%70rmw6r(U3E15hDgQ!W&-&H`k&$xWYG|JLFwmx{{qpi<-CK}^aillX&3YqGFnW4!&o
z?1(%XYczVw&^G|5rLN(i)41ye@2T9hq0^H2s@man)$8V0sHORtzrWL8G5I1t=lD+|
z-svf~b0$KELx3Odx6bmcs6en163^P4Arz
z%mVRa=zGmpSjc)y=Hd>@zu!p?ddviE$y-dv)9qb}B7Oio=gxX{M>1GKW?_xJ
zoN#rOxha1{>ZeAmIr)%}G=zmH_kjkh)BaU8tLAhD>!TKC}KWUmK1otgAiFmP6>UBR|
zkr`JkJco)`f1`p311Zi=87;J`dJe>uN4Kz;A7@Hq-XiWxejeR<|%3w{BlpfeTzy5_MeDHt-q$(5~&@so2~EtWWaQ_-!wS=`AGKqiy>j
zv0qJrm91=5&KVCjzc_nX$*%SKN1XH{@p@In>4D^y5k_hFk`ck*N>xBXYOQEQe5*ZR
z6umD80r>3WG=gAP+zz-6_i0ZYv@Is`9D6cn1@@{jd(2`GT|BwrAF0_#&mg=gKKHb!
zu?5uPPI_1antL+c67QJ+Z}Wf?U;K^subX}$h(E;g$u{X-5Mu(iks%(Z3PeFv)voxX
zTWeLOl3=h3R!0>3L~-YV71Y6}X+o(oFu7F&`alPKsQsixkWM65BAwD%vxPo8%uHp2
zr_%B9lbD$Jz4u4glVPWFw>fzoZ$ZRoM#j;lf*zx2mH^%8)~#M~zZnDUR(izxr9#ie
z7<>eQir*mV;%ck_5;;mn9p?n|QfB3#9a|cZg766qHwh(d2*^x;(3g~Gy`<1bjUc9*
zb21;9@hEF0s;9oZQ>v+^n+d@rORl~!uM$Kr*+KI5HjnbjXSfL+rl~$)AGY^6@e*R(
z2Q@z;1SzffZ~bHq==26~OycGr)KV!nY}!tR_AY<+lW;dO5v1L*RD=;NT8
zMW=8dqnwE{)5TH>(lNb@X{U?Lgz%1%^%&RR>`v@FF%{}Cp)f}mkL9Gh(oTu=$wj6G
z5oCK=I!%B366gGQmF3RB5=2c%pJ)N~^s2ok(aqFt#r8sY2J2Zd{K9X;U`slo6we}%
ztOaIE(ghTx*NQ&3R?e;m(v-xe
zN-@~lTA{V5pcoxDt*mTm-SgROJKOoPa`#48!qweT{(f@9Y2A$-Wc-Q~8SNmFS($6MM-Oq9T?6Efnz2#dzgxOL{5C<;^rV{&%x^
zR*VFYCE6WZm=foGE%Net^p-s)u6CFb9$o>f?oD(`?v`rt*EWE@(h_5IDq!an03SuK
z$=_y?VH*zr={UK{LZ2cU!M8i-kok>C>u-M6&Dk%N=QaZ1mtEQSFfsnaSd}UgDpHLu
znEl-l`m;u*H|OjSSoj{!Zd_VZx`w`|M^mZkDfn5;nc=nex%hKglm(Cq9O3$TMq2PO
zPnKbQK+*#wJ97;44~AFcW$Z1ux*Fx5C%J^Sb5$d|{?Qv=FH_D*1s8=ev3eI4QO=jj
zS;ZG#g>Wv+8L51My?(ltoAFRO+%DX?#}iz>GxKKi-59!2cAn%W6o-B!EUURDwQ$^E
zd3ZcH6w%m3!N4i5={6ZJwBoORn{Xq3??umWw#vyCuK$mAaQvmYo0W-Td#`|8(EeL(
zu{dRbeX>R0J@#lf@_PmcW>ae<{ily=7{SZ^Y|puQ9u_K^fcG@_TRl}`u6^(mrmIm6
zl^Ca}fH_T$-a)L*=t$j>0&
z*w!9T@H++xk9l^?TP3J7)UHnZ_4P|>rmSsBdIKyvf}JueBk_6$(Y^iCcZrx1qo6r=
zXThw78GQX|^&@tD{jjyq`=#9nHtIXDSp@ya#ue-2c0yL
z->yN=j?Fk^k#m0ZVEzn>zShn*66=wA#q=4vPQ}{o=C06}BCKa=@EGNj1AsHftKpZ>
z7h>$TQ1!0{%N!4@18y>T+d)#&^RAs|CBwa$xU~G0-mbAH9#47b#l>jh=#qTLt|ruS
zt=LWoijRUJw+^GIM8LM|}4?sBDwv-NCE8o%H=*{NrCLpDWI5_C8
z!ORR42`>c07Uh&L)KL~H(9|smo*!$jX93~lAcsh7V;dWW08klF#zQ+b(TbR@&nritDR-h#2`NvD1Y3*>2-mb5eL}Lx=08F{*mG_y{sE3&-{a+%
zB7f+eLJy-c>52+i=_+({t2&dCe~x+_fBp+
zc<221Q={K9Y%My>lcGo;Id(HcP$`DUaAz(nZ60i@MxoOjPX5EQc-t|6-ZHtM2Gok&
z{#(p7>&W|HUUsUyuZ$9(*t=sJ`SE$c%|LgyDX}|Aa~QSyaM0W*w5Fb?QwG-A
zL5!t&hNPvcTgos{at>X)_)z4&!r;vzd6UieYgXCGxSsfPD3IHHn$yM~W%*=>^a>~^
z7~6PJ3BP!WKg?Lp*?Z|dBX|eGEeG|@!VP{eQr2niX+p6|j9fAKVK^i8#=+Wwo<67c
zS99*hteBVoa)Tp~_^R#BM__y0a*@nhJAl5t{9
zkN0EH(7@F(d8$3!*5(b=1{z-3=_?l%RO_|AVZTX-RKhKBpR+dSHrOkaYy^P+tD0+k_A*dz;P)52FA(0sq+}1Jf?Gfh#zE(5sIO|n_bv)@?xsp
zPu?6RrrYuUPuv@+V+eb|TWo3^PBDHf6P6ax?ahxTZ0P67FZw$mt!oRO;jHB<537L8
z2UildxwW&f*t$kXS1{?-nC8*}3VTiD#1G7|jHWx-{
zc#beFy6$zy#PgyuvxJeI1;T_!8W5c_LeChercbuLQ7kSz-Zcq#hDn?9`niukTvij4
ze<}}><$i+3f%78sX`sc3-J#QIH7qa#jFdnR;mjbZ_|W>uTr
z#GeUil5SHZ1pNk3QMNKP3&`$r7HR}){j24mon936c4}DH7VZ{(rK9RK-Jd&KxLKVR
z_N?1&&TQ|zA=)}lY1qunIY)Xh4_F9^u=IRs<-2a1*=-iKETFH9tp_~s$9QQD43+Ys
z8nVB__+Nz$F$k2Su7cu$A|#jN0A6>HyFTy?YwTa@-f1&e14Q|g7DN|G7j#vknb)(1+MyIDwI`F`_m6g@Pg~&Ga*CJi<6cpw-Q_x*JLs1mQprok^&4$mg
z%*lWSO{)IssbRazBamz>I`9Qb6DS{ou0`-GEhvXYs;9ybqPbNP60i36R+~_gG&zdG
z)Sp!$pYu->8=nErY0_N3Hg04=lpodq@Ff-wyMZTJ_*w(pzotBAL%KjNa;%dkS
z+dLgQ@s%x}O3s?(YB=OxLACO1l62
zcT{!)juQyi-*SF3z}d62Hy%Zjk7*kqtdAzOwCpETW6Z_>8u6$+>>zf2$pu0sZG=BeMdqUvNgl?<#gRlLi5@V<3@qt2sTefYa
z#~;dZul^(G$*(uaGf8CwybXK-I*Pg5+{yL#KIT$PC?gG-TXsmrn@|*mzM^JD866N#
zs7_*~JXreWpe(qlZ1(!>CfDo>^91yaK5#tnt*z=A+Ei-JLa*a-F{G5>gjmF)pG~WG
zAXH^v8DA_g84;{jt^0^aC_(z}NPu9V5~QqLgm*Cxx;IcO_miK+&~et*Xh5T{d5*x>
z8Vh|jua9gJt-V;q%DpLYS0Epn#5EK>~pg53dKOT{+2CFAY@><0CJ
zqQg}E7MI2#95efGux7j7FR~KC0~-E115n{U1oigiRQF=a*C+>%{V1aFaWq=3&L_40r}hfG5<>
zd-$KTjeT#T1iG))iZ*A#yazlFsEcTk{I1{zRS3=@-OM5L(-SZ!9k%L8ODp?yvAL91
zj0G#Y+!z+U|NA3jS)#`7WN>i`$HP8JhfGQjJg~I0&`LE&@6}Jj;B1?sl=~(>Cn^LsPktt
ztMQpSDW;XaGF5HanH+z&pT#W5%`NuJl6zLU)l;@&F_Lg)F>b)B5ktC}k}B7;>Wmb8
zI{0h$i=g-ob}6jYM|=oNh;K#eV)3UsFH_wGT}uRdqe>F^3YV-?q$U^^OLH<&
zs>|Qd&kAw2h5NFUwLWEE$7IL{%?*re@|1E1DNn_C_+_o^R7>=IK|Nij+-z(baB2c}
zfw?Y)e#Dk+MN$6zNDszT$DeDV%m7_R|I;SR?bm!HAcEe*Sx)6kPoxDKWei}Sjbs~r
z>|J1=c^gQ3Qa{bjekoy8B0EF~Ue(yrt#o8FTo4ys$-(W-KvX9y7+Y6BQtp<^q2mkp%NJ>9iCkS(CYmOU%{#&?=u?r9@N3NaPzU|#f{eBvst^=1AUs_nSI}S4}uxzJw)S%
zxKPE{ryhG8bxG9eqEjyP(%_3#UpbP#H;3RQhY-Hc2=9{#0Ba$qFCmcZ#V;5j&`;P#
zVwT7FEPhD5SPuH9H~lwbOK~*rofXu}Bv^UM)4PbcHMV(j%thr#B7qC>V67&KOeC7BmtV@bI7X#xtmRvyqhgx9TaTr`G0II9
zp^joM%fL@zBm3|BEag^pd=jJ8LKpYa
zo*q7#5lvFIFgkxS`^KA3#ed<$4w~1;!F77|d$bZA+r{d4r{|&*h(UrPgEs56AY0|P
zjF{#4Ks+%2F9Lvr{MA7B8C%iOs>b*pWzMOMPeFK0qNCzcLmG9|y;$@sb+vuif!E5-
zQU4}YaLoDn`pG7h*oGtRhCmF==8f1x#d4o?>gxl7hynHebf*u5YhjwfSGn+6M>xyb
zCgAlDa~^oJgm7<(0$vZGj8xeIp8)1a3NIwVXt@>T>%RMn^u&rk>=}vFkP%W0hhjDN
zqRs6|`)OcxMrNxK!QST@dk2K8g-&-f^Eaj0F#+*g>991jub03oXsbPd9dz^df~O1{
zCJHYoT$tgqUxXF3Vh~3g;We#`UERVZUP-8+Q702De8X;|*px_}+M}qxA%yIoH6a~P
z4|!PVY_NYzx;ZjfQbm(ER12i6-d&?N&6Is&R^t4bb9~#a{O*u-Dv~
z4;#e6b1A$Pdyo~S?`6%jZ>PFdTt~$jOhf)?t60)Yi|>=kERcjg-Ai<`LvM)RJ<@tT
zD1lzfA!cncLD{=J`0Dt-SpY!Yv;QM!aQU19bnQL1(Le>!17NnGdE3k-GZm7NPE;rG
z4M+s$JMFR0$(YBrb;l5N>IryL=%&c>&9z~)HY!8h!-DC!&sg8Vl?&X&#_mqhE{^!d
zsochl(N`u{NA~Y>R`ks8}}vsL$vqDYul(BrEeI>>D5{
z&lm1GbJLuTe$aVy&7G3duhxhCH%9CFzL>?Gg^gUFXfi<^vh(|k^lRUqnb5T~Z~5x@
z*i*+$JnTohQOh@35_?yycP7;WGYDe-9M!`*$AW1B+_O{iWz$^i(U#^FOAw%Wrphsw
z4rJle3(r^Qrf;6^b+~&EZsBlM)rA3kT8gm6yAtCGVVv^|F?lF@w5gomQ4k#KXZOw-
z8qZ=7J2dNZe$}IJ;&}J$-P|e*dX3y77U%y@7i<3M;`r+fQV_v6z-cgJTJXAfGa5*0
z0nD2wsZ*J-v37N&#hxKPF^IZ^Be1H>>XDC|<04c$NmzM?SRK~GzQ;dE`h)ek{PN$i
z0`Q%s;KpKwLRFpoCO#4+=CS5pmu8H%RWcr~Ld?slio(O(K)Y
zA;z3n0`6#GIK||zU*xOXo#IT^ouDxYRjcM5XWVGa%xo5&`);0-_op*qJ?W*4=%N`U
zgCJgr597l+_XyJt;5b)*27F~9$Yr+es%-Wi_>h`4paU=#(6a}E>;0pWwO-%}FOTPA
z%IvkYC8diWaIX8aW8LAES+7oJbq$B#OF;W_h87>s9LMjPKiS|{^3RrcFw5cL|fU?%he*l_kcJSZnZmee3fE|HQ
ze{5U|w{YKaO^sW)!mIl=S3F?aP5MWBaOS0U1g4CwWB<|f6&F#rgQGm-;vyx(`L8uO
zQh`+tsaffg^|w>mf6s~!ei(IzrhL$8U;%jn{Z0-H+nqu@W;F};Hvz3#1G7m9ka?g*
zbc?TypqE)ttunw_T6L=L%W;1pf!7El5t*jbO*cT$7O={yKM|wMown-1^SlFtGxNC6
zuM9I%a(*tVI<_Kd8q|{IzD37_;cCNViJ?yb-htMx&MsV)WdPXuHV$WiSKpj_i$T1t
z^5R8MgX#7Ndy%;;S1zU=%R(J^&B&6wv-P+620lNyNa&^+=Y~@h*6n6*=V?Ea-_if0
z>P^6*`u@l9TauFHQ_^NFB-x8(8I;1SK)TuY+seqSp>=UoB0%zI6JUf=p+LLzO
zchSEYWu6Lxw@Ue_zmAJl5XhB{fv&`A`3sI0DzT|WlH<~
z6~{2MA$VydUx~vW`}_Cltj%*-JcLf8bR4$C;*BD?Kd3RV_=yQbn&`I^;ldZ>ra|
ztQl{H(AJzz6AXGc$|#$5H`1hu)BiAyA42F#+o9GMJ}n5o2Q(c)C43k25W>Fw-4pP7
zR;zdDTHMLhqMQ_>F8>c-?ybr-4hnuw`Reo|)hpvD0^JF{UF_|h&DoRK@+Te>if5yV
z22ZMIrY42rAR_alUDMJz!Mjg??m<6B64kP?{I2M`cR==wQo*O=Z7qB)(p?e^dZ1+n
zP=WU;#t9-{1Uq|;SAsn}=t(j~58?48ruo_QgU%>t&am7VyEUo;&e`aVWhqvMc)d#I
zq#^$4_>llv|DZE4@72_d4sk&1z$Io?Cv?CVXDV>b5R*RnA>A`4J?;b-|MZD3(i=T;
z3o4{4+o$6Y!CX{pCj^h7(M#f784rWMBB)4RK`y~Nf$lwfyxbQ=F6lX#mi<)s67&BI
zjfNkUo?l;%=B{|!Z`Zz>tgL4#9~kQnSvXseHg3*n`B?)kIJ~U}hw{HixVfNp(6pc=
zPHBN-5a>1XP?t(9htfBDTr+#Y3s#-}1mkpP$v0h*%gd=9an#GlOq&%t4CCFTAu|0T
zoUaN=5Keja(ER;#9IG=>tC~*>QIq6B18@BPfm?h((M}bTw^(_s`z)zZw-`|CD;MVM
z$pQx!!_PM1UC7@jif!d}yGZPB{U5GOHAC3+n>^=5K5t
zUj$!_=LGNc^*hpTVOw!_Mf8F&k@EgyVBYZMi}G<}P{;%ZHzY*S{J(TXOx>0uL_Ij{
zo)?Kqhr=FaFNsS!YDa$7{O=S8%SG0hGz+g7?Mt8Rnmu`tU)W+mxAz(rNpjI3H~=qb
zkQRk2AFezGL0HiI&5B$XpaC-!-ec-Sc5X@ez|lNVj=gH^9l+kQ2O8fnKvoM~mb?OGC4Bl|1H}W!hQ0o#Xb5wzVAI^>S=h7>IZTm;epV~*e
zUmS-5JnxT8RA$*316LqDFP%=Ip&b-(Ar9_3xVI}~m?13iS-P|3L}`g3h&c8Xzav61
z005+m!ViN$=2}?^c#Jy8Za7l}hX1hvVTuxR{TFbRlWER~L=@-{Osrpvuh1lcZ@2pM
zU-@5y+aEz#S^95A7+vD_wfFT{|B~4$?&N6XD?<6Q`T16zrvx-OpggG6o
zBAPvIjvo1T9Z~o(Ehi_j_qLAEZS*5#aI^ULobVgM;1&XpK^dL03nm}*TEXMv10R%$
zvErORKZV-sflw&TDAeR&d~Hj4QMz->q35`kjus+y%ztZP?OFLPr+F}g>07AN2q8sI)
z04B=45gOQ&s79+Q!KI{VPqSrxr4b;UnCC|na7GCzNXl%iqjxApFAGPrK7
z>dyip8dnG2@W*|G^%WSzU*Fd}5Y(~cW3NFNr1Qp}sk4?xNugT8tJ%yJT&H^pKgny*
z`Y*ibZ=beO&XjQj}Shsa>1!sKx2>88lJFx2=;Le#fcnHS*)hJp=;H@`awK@ulG
z%ceg!$dw!O6B}U-2L`oZ`R!|NpNBUDTR!x~{303(hF5N{+bkV&=UCAIJV{2tSbE~q
zGAQt1@ZX%Ui*KgUvoQ_U|ZHKjgRYxf?8|
zSfDl?YmT1(CV)Uxr@hUoa_9n1GigRiGK|eY`1ObK+^@^slk)lkfSDND0Mo+HRpUo=
z|9vhKu26FtJ^uyQOl<+c%4MT7EH~r_K2_b#xd1>t3yzN{2QMJJs`2iB8P+-^?$N#L
z!3ZKgbvqv5B>f%0NeaM;0}Uq|Pl%K-<;rK+TN432mSoUir-MZQqdafIc&GN@&X;7J1asqOB~%^Rbo-EPuYSL6
zBNF226i|k&ediZ5O~yU%x1JL!t)SnrSOwTt7xkz^HR8kK-T{Y
z;8p=YTv>xhqIZ)+EPCYC^*FiGT#aXG_YXB|u0O`>Y7(%%x1BrTa5nJ`tPF#JO}R#T
z{tpx0I`7TeQUoK5Dm9D=0hKb`7@w8CsV=(ANM}v@FJOq{SZ^oKYw=iMn)e?H*
z_bCgCr=vQ-kTmy0{5!TEwiY$#fK;E%V5ARHw_0t1t$pjf}w7FQD&JNK*?*czyCFW{VCv9Q!_s(B^p>5Zg!V
zCktdT`zJrs?+hj3ukC|S)re8rF44^$+)mC&O@~;<`x-7U+>qO|3)ouW>^D|4ES-Z-
z9HGib>(hpWDf+O@2g83za_q94kF{2$)=X#o!fnx9XM3A4ej>AT529+$w4#0$>uc)~
z%5VbmSFF)e1YO$y+O`ro1OBAb$kS6;Nyy{@)J$*5X%DxoQi`Om1MMl@{|v0(^>IIV
zYN-vdjEyS0yS+4XlBcaRlB**-w_Gn$!6DD{?fjzaD@$R@63|Q=PN2pNnblT@K#3LJ
zU>a>~**1iV5$`8By9SeEnpo_2W&y)3zcJQaUmW|=VM%+`1gw#~FmM|&Jd}5URk|ro
z{1uX0J@ryd;d1Wj7rnJ+)G(YgFu|uvEI>QReU_b5d;P_LZvTka{)duJi#^|L5$n`~
zuC7wYNK%vH>4-|m$Fw*6p2>O4^4Lz-`J=?XEwt@uUmEOz@!3&n@k^X?aMbcm^
zkbEW&q0+ORjzdM7yq0?KzWjY9$J8S&i*#km)KEWc+4@Rjzfq5DRsb_Q?Q|U6QLvDA
z5+ds;Ie@Nt3r?dD+N3HJxh9H*>qPsy>UAZb-|ypPE51@^JydXtmt-Y9I)NC;(j@pU
zO(4iXAe6$S;Orqh{F9%*;Ig(pJV~~2}zME|rFVX%gDHI?Pi1O
zLp|06#D_w=$>Q=ySIr&loFcm(1mRhM+hieMEg>^M2dYnr957?9t_i_f6dpyj+esG*
zQzIvxxDm+)2Gyx``N!{%4y2gH?u2%=Y^pmfDRrzzZ?HS&^okY7<%UunaN9LB(geZ2
zOcO{S`r|eKnU+@P@Fd9}JX^ya+cir15>jS^CvFz`uH4R1Sk@Lr_@)~rti>O_`TLkz
zRUu9+0d`s|{s%M^eDsO{A|)G~(SIvFI25LoUiiYt>8+NOmr*~_ad9u{k3l{
zD+XTc^^?aZwo_-$0CwktjocYf#XC*e_-p>5kG9^!#d6r6;ty=7zj~?~*Ja}>b`0cJ
zM;|ze{V>hQMag^zHsy!sVSp3o9?w0HKLKbXAomIXbZ}j~(2`a6dXIZ?
z`E-Uo(Ykp)>T9rN4xQ4%n^SRRTIRwn;5*Ifc2}xBfj(x<`5?A3$hi!>GWbjc`3w+G
zqA|(+uU8C#cYk)7&M0lzaz*U~Uh?81eeH4Qx62^3yGhBpX>Evan9h`w$NMgCxaRGr
zs0qZGn_6t9&0GbWWQU#QNMKz}NZ^RYF7XKZBjoR)-IU*BEm;>T#Y->?ZQ}OZE`HU=
z(><-;QQ3gUAxIMk*zV=J0V%4(4c+_4o4I4^6_ImoUnu6%1-@6OE5w}+kkkalI_X=g
zZ#2(mbm{n6Wl^;fK4;*oOA82(Vqq{KSZ}`tnA$c*?hO2O4xmA2$C<Kj
z_Z_-VBZJ;29iFM0zuxEfO{uGoGPg=9nyvQ=p4*rP%>M!gt0s{T)<7^^emK;Bs}b+q
zT`CeY`6E1|w4_udxx(obXvzPrt(ELMQ%$wwr#HibICO7Q_{1U!SU+boQ;UHDSb;tX
zgxLsK>ma>jL+?gN3M^c7y&%|alrAW{r!Y>m>f`r}}xFmF%a
z{IaC0d5V%(Z6WMFTw-AsVT&{doCVss0AufG=K`)CeGpG9x*RV980+KndD@9vy)%M6
zq@lX%wlA6HN15i@z78F~KPQma_O)EC$gLzh^5n1p1qaX+3mc%CL~t_6U(6MtsXCPU
z&ssuMHno5i5v(zT?(muVlU=!!JFhQww}6T~wnS5Ni48WFcD5c1zO?{z$ob9sB~+i~vEa6-oY|P)Z#5YV4Ph
z`I7-PlAJB&H-!X;T)-=2Ip5thHMOX$h1CL649!79{imSz|2U1nPv^-cX9sb${<&|w
z5<|oShwMWCb%5skATqA00wo?89$-Tf<FaW7!oJe4~$hjz#&f$(6jzm
zegan?+8_P@Q!@UlP1&)8xi)t*lYx&GjiWeAiE4?`yEM}60rKW=5!nZ3(S{r5s~Q#8
zB)I(gICoppAyp^O6kvCidMZE&N%Iqb6NZ2qp$+v*igI{|?d>ZTex0|uqE8gE<9GUj
znK|B54x*&pyV1mdDm=ugJNI^Zqz;*f@WSIy&HZ|DamrR))j4qIOKE_gBXBF2(?7KY
z)d3F>HCJmV?dMAji^L8B3nVD-eFbce8E~6*OChj%wBbJyID3lpCf-jE#wgc7X|_S+
zRvZB1keml_rS~5OvfQ(D;h!Z)lpal~g@aMT?4Q$IJ^d@ZTc)_7-dW&lNHoB7is$%m
z<%hq4+f=M1nHkBI(6No+o2l%mjsa#qD-Jx{IwT+XStcWxT)qbu`sQ*0aTEZ@y9-hfCkT)*UTmU1A^
zKn2fD3}ONHpc44pyFe&=Ma6J-FB@~UElgS_hW<HNKLUrkbl5+5PHXX4gBLL
zvRI2;rFmZEdPcl_v9Znq=avlETToGw2p}U1tdfU>|D(+;bv1#gD{~8b?FDNfyX;IN
ze%Rgs2_*9+BpB2o*K17_et5%4;*VYdz2`_$5NGh`(wcnmS44LslO;zC$lt{5E3
zf}ogD%N5qWQaXmlkN;w(XiqqH-i0H_pAa7tU*j;r_|{?JXK
zuiOSlxZCpWW;*rO_fm54JB2FXtW|3yoD?ez0%vS?2a(cqeS@m8`Z9=H%YtWX2ZS1E
zqjdYdpdAp7EA5D+|FB`9QX7;jcPVK)R{_6;37k%`;-!?z--5G<@abl`X;r|}Tl@!r
zZlbMiT^FB!m`J66ff^TJkWx4r+qLBZ_Lx_218^%*%p?COr0o4Kme_@c8rf)+Sixi2
znprsg^M_K%7)VUUyp`R_#4=U(d*mb?_FV@&{VLD?)m*uWB!r2QrC$JxsYhOkb;tfi3fg
zkAsrwE1Q`hE};AWFRp;B=SA|Ioo_xKX>8e9#wwM-#&VG6(One#kNNkv$1j9hYOdnvSGpsVii#}`Ouvi
zBAajOvOs-bRtIh)WB=JpNMnT=sU!`$U1&Z^qbh?ORMbMt8q>DvG|z}+1@)W;cn9y^
z0)gtAWc+6&Ag4t~WH30<5e<8Tv}49aEzAFO8q{|`7{7sS!G^B7MCBHK|
z*K3iJCHjr|_<%&o>AlASPg~b0A3Jcc?%iEB(t*sUx5UaTLOhYakxi*GNA$&)KMO=&
zK4^X9!2h)JnZL64kDQSy_sTAHx>&8mZ<;+7UQ{tW*xMbZb_XLZzZBuvM5>xx+Dc=j
zmxJ&vakN4qypfahj^|GN384Uv#6PwLoLhF|+=+RO*U`;;tPgOi75pIqpAm#;hyRq|
zbww=+ZIWETPxyIfFBe3zsRWh5=Pws&&YFMdIv)Q*{)HxZ84U6$84BUfyT}Dk1w&%w
z64K%7C*^z!FOW|)V8+t|o*O@gHUSLxX}B-X8kOzYX|{c)Y=TBv~hRpa2%vRe9iKbd55Kple5zr+`U&#Np@RZbfGgY)&*51*=dMEPn4<8!uVpBxl8
z@Ce*HCZ;)czm3LLHLhEY0B!yly+pd2hBzmHDbD%>yCC!BpF7HQ>puJlE&#LjnAim_
z$p6jdz!VxWC76PrKi(t93e~(^2tEjw?gTo+^>9=2H5$)ZlhZWOkpL0?18RU<`Mih#
zNw>b<(e|Qk`}xmEfZ{JGKqY6G84n+zr+bF`lf27JkVK0hWe*H?Ie2j~qiZ!%ofrHf4dF{*Z#KO<=(9!hkEsyG5ze
zARCbqdq=%TTl^Jm@g%VLVqhIJl?ECAPga^B?1Ok$X;>Ms{zpQ8#YTSY5DfF|?WYH!
z=b1|^T_1s-*&X|(+!jc0)wEv#;;;Y}WBmtcEYMlgb8?sQe76$7gZu|z;jQ(G0DreW
zvjrv)403mIlJ&?kZ9}m3V;X)2kg2>ArAC98_mdS6Tr3bxq0J|Iz~o|hveLvZ4b>&C
zlPqXc>1b0u{?py+jd@o;DTl&D_ze@G_J54~8Tk#PK>e6Dc!hkCRu=$wg>1oidPIYl
zcEwsFs%F|}u`cL)v-;Nfbc*4}^eI@?^vVI954#2+zSPc;i;xzS%rkNMl
zQcvXgn@Hy|4@F3sRSP`0^(|1(5b4#faS35~&5!*GQ)VRza8pw3Z2;k291JHsC=01T
z;%V1CY1idj0M|F*XT4EbG_B!3y*U8>P~N>-(F6XLc#=9u!&9!i+PM>t;%HdB0wM22GzcvJ?+|sieN~}GZh0j>
zSU%1rUnG60%(7)#VQ4Dw7izn5<3gO0yIf?=oZLq*pZZWvHP7zTaY~V+4Q`GLi-2qm
zDxc~!WfUD?mRtJ6ast8uo2r2O1@xn`BKf>O#M}Oms62-j$yc6R2yC``MDRov$^|3K
z7QTcE<$ZsjUv}ybz1!r;
zUteM?AM|UX>{rQ;4g}zwOe4}$@bpDAFEn;C0%V%U!eQxIJCiS#q{T3@-}!fds8CX3
z>0Q(K*#ZkAuhYXGmGv4v_tb8EdFPc9k?VZkwOSWMg!imbdnd)do+$s3&xz_KM`C)-RT)OIR<
z;4@W}J^%Yrk9n@ir;{<5HtF?7jPRJ(sp1NBp;6u=9pQNFtx$>fX`o&Y2jk~5ZGb@!
z5qxCGNTV${rEwfK(ChX3bGmhWi|3>^G9ujdt-+IF3(fph-+^|%u+Hf}+mWtwiY24o7Ga}k_*4Oe3iA(~YR%A1UJtR4m5b;K|BtUv9BDBF}c`Pj*b~
zsTV$=86?C#P27^;mH_LJ@76%LamQgrA@Nah@F?4q>5E0qTwGGXluls<9S!|!9JcKoB^e3+YC``+E_9^AXtiKb2n&
zqOvyX{%<=TDUlHIyQNLOR!^5;dv`8zxdPyk#JO$#=$K
zWnrw*OPWd7>Dk!a;%VLZ834X@ZFrd;jiX=Brk^8ydMxZA=VfV{g
zEjpnU^YsA>c7mJlf`2{UOyO92J|9D|cdeNyW+E@k*Gc7TE+DGvZ!EA#o5e6uslSRP
zA@!^0PMi>@z>x<;cdIN?PC&NRxRH^%M@J>VIZfHiF)#l7#_i91gZFf(6plHblxVge
zVi#=tOLVy9lb!O2$;T76DlAQjpYMY{DT$0Id>dHb@gnT%DvDfZg1$x59LSJ88pV#H
zNnzi@-M8@Yx(F-O^2DhR
zufXe8no*!^&yu3RP|z20h`L8ts&#Ec$vSbb1>Mmv#Ng?z&Dp&QYk-q`vOZ5)Bqqq|
zss+rVj#0Vl)-(Ie3f|8a5SN^A9fsIdZ1s^tsO58YnB(LK+c*LPrHCH=dBe%$(z;ty
zx=q!g@g=i$QibqxM7Bn_rbv_i4YyZk<76!&MaopYDwm$1+h@FlB>Vz2ni@g5(~=Ps
z%BK2GL)udGW@)&)qC+bevw+Va#A7P~}egQ5&vEx%#z@Mfj+ck6m&B&A$1G9zgg
zPf-Wqd7Nlwpb!dj6=X!w9(S4l0gmRQsaSyAC)1ybBq;M_TvqZ(9-8FZgczyckCNv$
zI*g^TE7R}tl0!eT@C>APcjb}XbrEUUiqhC15W8|nJY#{x#^LP1L*-XAU#mtL$N7BD
z$8m&%UcZ=mGlco!&rgdhifJv{|I=B`bI7u4n%+ySvC4RG(axdodoOw^Zcbn1SZ97M
zL$U3s8F4=Y!kjmXcj+vN^IXGvxcd+0{ZrHbjC|%={DmHS2h-rj0c^^6$
zppA~SV9=83pc^e|&a=Mi!npOOepJqT^JNKf{k5gf%3R;aiRdnljR
zoqdok{r=}KLS~P)egFwB77TKz@6t9~``m6u+%)aIRAC14!>qyh;8!p^uvfY7^KS?0
z5u85?-{l8HsaE3Z5F4WRAoa^$MC{qtoMx4Zv#p)e3S1jy<^^NafgOdPHX)Y-#E=P_
zUEdegiPbiQH@hMSRkyFf%UMfkkOc4ZUr=bBKf*j3?yp|o0tm8oK5
zBZsw%!456C_U)2;Ac<55ajFXqPs}i$q(Ho^fs6zhD8OMIn!Wqhq4blp`_SEE-m7j0
z4SMK+wjW+YTai1!|B5_6?;{8<$UbXtdC`?;mNee7sm<&ms9g_SQ40l};(3ZZ?BuHk
z9YjGVuAMt^F65{r@PUEFx^2IgxLQl6oyc0U>V4<^U6>*}`~uPezV;foGGmnIh}~e5
zkLDckfCF*Vx`b_0?mXkmi2l%c)8Vx41cQu4{T50>$Wzxc3pJM6_6Y6iqF>R1MehCC
zLbBozWcnE1(Lp#ibsgW068SE4m`@rgJ{rRGu3r%g`HX1UXxH<)8a~>rJ}vz)Zbp5_
zWH`-Au@@i1CyAYj*RYVuyDTs%CL%(j7Eat>H+83`_0Qs*`m+#jH|0yKvO2{T(+$Np
zRq`K+2y}yV9R&DKeLWtew){hH1216zVaEMg{KR{5a4lnZH
zlD);zy*(=vB
zuSJi9?w?V7Kj1r>on8BtkvgQn9sD&=NyX-CLXu|gqbG{%6!GlTawNmbZ_@K(@ds;4
z-0ce~YFdCr$4YaFt+X7Xgu-w5p+IFY@N56&&`>HjIbHZMChp!yJ9wQT>^R1^oN{EP
zKCLub4M60Ln@kludFx{m%_Hv04l41G!0mU^JXujl!kng3>(g%r;lZ9fL6iVBj-rQ6
zt^0rFG9RVH@|*}uyP0|Xtt#sG{1vCcB1>__9ejzSiH+P5hyZ=szh4cW_`g=z+U
zaI@i5EX+PCk+#EM_bRUdOr+vsKm-pG1yceD?;+bSY~(K9YK@(J>zP6`hqV#~kCC5f
zCj!-pVhJ5-jL@O}?v#^&qGqe%Tn(U_L_o(W6H9E`mhg0qSX12|Vu+f{+g9y#x
z(h{j@wqftK&6JHM1hP(04?1Ccp`LrmhHqZA|26XKUr+F
zg4?yDm$a%N*0iEDS1{eVoW^(e3yIkY?TSociGP_s=969W%)&4+@?8WaN2aBFGN?s=
zu&m;)tmIm5qKAy@gUDWeXBq4cQ==FMfM&_^m$e_x6
zG<(V1O=SD|@JkBfd9?*|kpJloPf$(}g7;+(ryH#Qrl_Ca4N0Y_5m?tV<9=YoKMhT*
z2{K%IBkwkrnD+g0KPvFu>wc1oX6*7(wT#da(C4<3Hh8%BIw$*v`-seCq;EoMte9xq
zT*9==q?o3gRjOH&*bRqX0Xa!Z!dQO)&HoMM{pw;qpKW#C@2=n1i*(S#AYE{R7;ztt
zPrc*YdGy5S78ycC>E
zQ-F1^b)F2(&a12D8qY_xd$BH~`qui;qGj7%-z_Ax&)iT`+QEczoArGti`$;g$zqva
z>@J^P-ic<+Via&HW*EIF-5hXzu+zMH@#}&$PTZ@rfb9+W#ipsF`0DAzU!8NpmV^J
zA-KpMhg?qs6-WjNvvVP1GBm5!@HBKbINpJ?{)V|`p+=)>bkK#nIk(kV#U6B685K1k
zTkL1(`n=C&^_?}hQ7v~+tCpoO
zLzC+{v4&k`x2`+orEU^HMy*}?*)|`%(e%mOxknJMhbk>A1@U5oxceOBK8NJ=4CJ;N
z2T@v@E?UKF;zrBd8Ho)pl&@=bCoAG-gpBZH5$T}v>o4y47*w=iZ(;0qbY7%yM^4ob
zq($YOu`vaOuw~`RRu+i2NfKzqEsos;rhi9)NM^RzkU7!x;^ccfDcyooW{%j67H0HA
zr&!84vtrTrZ3VIh$1E(9mBd{nQ64aJ_BEdGG`gf)Z0DmM!FJ=ySO#N%Nmdc%dbm_h
zxCot>Hpr%Z6QqbCtKlk##AO(v!`Eoc8KU%F!Tc(Mqr(wn*gdd#sa;aX!9e?3!j@rN
zP-nfiTIg8wK@?KX&OV?y+APs&BPA_G9ptd`)PLT*&X}G>lS+k!vum{*HwOxCq%yaB
z<3Zd7+RmEn3)HG_DJT~F{__I7$w!>_(3`Y}`rkF_ns4-Ka+6an*uca#9l~k`v2@*x
z4U#-pAG*ETdvA-JuUcnNExr1YD;qd%ZBh5$|E!99=WMQ*oVNpSql|9fC;V@JoUI6xv_D@vJc|yF>%^-CT
z>)Z97g|g31Ip;;hB)L+9pC2>dSF59`rT%cgt%}ng&
zR2##OnG$A`?`%04W>e19-ot1d6^l=CUEq`sBpN()^d9wCESPhnGbedNQl(C+w(wZKxt1Wkzt7Seko=AX
zu3v-BQSxR-9*ER-djX)>Zc+_A^n|r3(`j2$t`morTEi=W{*6L=^PX^e
z0zdeS_O)S5SsN-a@S(!9*GF{>@UAg2=W`?Zy?-BLzs8dNaalV2QWgGJNjFpaKB#-m
z1-S&rpVaZsbtRDXm)EeYC>d(cQp4Bx{#8Yq%&^w)s`9)nvt@zsz;3XP8Ch*)=o8c
zIAhN&e_jY>)ppBrs!clJ41y@;<>yDL)gO>ITfi-K01=t`Iw&ApQn?_v*6#p>^olLB
zc*Aj}2Xg12F&q!_LUjTYl*j5?h#q;ZcZg
zA1~*xb9ykyvZ|8=T;?yRrvui1ImQPZ4A?UhyA)#I?5(w7x23O^?qj6Q-Yx9BkiXCW
z$}JAY{U#(jsDKH?$F1FebWnP~CsAahvWzqB1gQ%cb0
zCdP4-&0HTRTEsfuxmj{4gkqYeV<$`$uWyANUDnlaB4^`~J7=0$vU$-rpE>p4BvA`A
zVvL(`PIBj=yKh`H(b;e=%^8G{%2w^WG+bB7iAQ5fi7}zml?B4dm@4r?%JNW`sH`y(cM$RxL%F(AAv%M(*w@L7W5WGv=4<
zXBut$3U0rpBtjuVJ3@q+C+pCP`ZPU?s_Ynk|tbDQ8m85QhuDACO<3+
za%O!4_>>nb4)rC*#oOcKeMPgjy_Ynn>0IMjL34vH$Uy^j3~JNB$D>Z}`a95FotXu`
z7%9=>LpSPv1y!xT*uS+r-t{hCrvF3V#L!*~+%eH}AjG8$7TB5`WX}@e@bN-|&`8d{
zs5!w
zR&l63*#7PoG6)1o>*3-V#KA$C
zkC1Cz@Q~XN?*z=BweB8;eGn5|Yu*RyyMhnq%|`(FLkgc)MwV$t4yx*IcsjOK3O^B&
z?G7cBDQ<^_^6In6X|VC_g)J>MYO`;{+Hdh@koyQ)8Q3db8dT&#|S3UsB8Mb2Ed#VHC<
zrqhLKpWEyD97OL#M`!2fg1nmzqShd%y3TbF&DRqf;1~
z+?w7@O`qnzku86B)%{3r_p(a2WKidpVjMa)T}?H++nvBoCJ1*fQWXNyyAO)$e)jkf
zKS?z~%sI`-MG9yZh?qVkxIaP@t>O+I;VJzP6kMEcJV9F2*qWB{O$zM;UOvXpRllBN
z(ZOuZYVKUOMR!C@Q0S!>4x@w_rJ%-%=P`$~&n=Nx6S(sh*ez{Nf-Ig6w^ACSqJ+}9
zoLz)oE3|jakd9zb_I*?5R5!y-H(7#zrWxVn+os14KFb04{{^r|*GYTe95QGFI!Ycq
zE!4`UWEr8jnxfP&&9!}WdB{d`aAPY>t}V(6NV~-iLp;MQmyMjN+1669uKl=?m$-3)
zbA$kPwblk@YZyv7hrO0^xHCZ^iC9tUu=HHotoZlII0d&3keCuXR_IhWN|)PFrKWHF
zt>6dK8i+z>Z&@9Jp1Z(p1z=prD^IcjXKb`8Qv%&d6}F
zD+d)indg^b2^c9mb+jI7@Z`&V5E-uVQ>Ea-Ef~>Wzgw$rvy-LO?yNUF5kwWZ)d*ea
zc6f6copUzpP4fycy_XKPh<8NY;O@LMJ~y|dUg?Yu*rs%K%wghnEE9BX>UBGM7T7#~
zrW#Mh@vJ`u*{oC34j$HX&Q8MwWL{;ZmV8N-z1(?!PHTA`HMd!QB2NS6nCJ(z4?xG8
z_Gs{>4kg&%dyw@P9dpV*Jbx&<428rSxbwr@@L1oFl;w2W_&8ZHj}~cxP)u9xn{4X!
zh^qA=$;EQ(XL~^ktTBJoP}Z}uIbjt&xYo?t=*9_3ROCNxDt#3W6_;FYrFek4SlZY9
z?QVPS?ord1I>w{n7EiW&bId5`R)OQiCM!t!xi_d2`a9}-bbSfI3-89-XeMt~YJ2?0
z)inksUbno(cvJL@pl=MKl>zOOhycYMH^p~|*3MyW^1+P|!F#jC4CrC4E~r|kEJ(UW
zcB8V|0+T2>K_-HK*US6bFT49{=0DO}$~|!2w1U-3E8Za9>t$W)^+Ot3_3GJ3n@Y3F
z4|S-(_e%+LxgF062Qco>Y)#M4Zy4T?HEOr}(I#*xw=>73LT!0;C~Y#Bq0`JWGx?ca
zV}Z?LT~KV$A>Jp+3uSlc=G@~0&mfP-U&MY^>BI!HW(P1pOsudyZI|6O+zpi~((+@M
zb@XLS_2O5Hy{)ckJC&%iV}NrN`+&_S#;e3?+DlbS?c2#xs~gGF6YQ};p>Fk4qw6yy
z&pO7h!28m1O5M{LjE&`2@8Kjp6&0{cYbICDXZ_}eH*d+2!He7Lsi8dY^(-!qd!Ol#=$d&+jyd!ifRo*y
zcP>>~m-GRtxYZvwo@R4mVFagIthUZ^toSZ)bA{d~ssCh>jD}bsdaPc7G}Rls~2bB
zR27eYJnKCVj~>+1qNU>|=yrj+_0dDWpD9Ld44dUfvn|cps?~>9Elqws8h$^*Q8)k0
zvvz=`w1_ri&9H6c!(VcRm8J<*<)-zkE^W`H#qFEEdKAn&Ixog(ec*!LdqGAG^b7p3
z?U+3jGPyV>Yzmz)*>?KAA3!m7xIR>>LHRdObf`9V7xL1dpM7Q9YxTwNCe!nQL#8(M
zE5?KZ{FEFJeq9Yvd-0QNcU<2PkI7&^UmNAf;kSh
z-eL8@_Mo2Z)LR6;V&Y>dsLQGCa*S8kw(PPlbr6s(-UJA#<_$u_Q}vre#?38;Oz2z%X$``
zj-f&Mn?&y?mvXU4kWIfB!R8uP<|OQ#c6si?6;ihVw#Q^I)W8OMU0R*~s`c-(zOD(J
z^`W*NfthNfL9;vFaUgbK5^UniE-9~8j+9Gl1*PHh^JeQ)i1715->b1L0u&it8OkG-
zdoD%Z#b=Xsw~~#9*XB>KKicpeAX?@%3fE^(?K0Qj~T|EvG%p{H*3~ni+6KjH*X8$#-ywiFK`VJL@@I7H)j^VZNm_xJ%aH
z5KPY2Z)Lu#@1t$EjGdXM-&E&x8xNTa>Eit6K(bf$ZEkBu8+(k~iY#G@5X+AYvdPXV
zHUu>yN^8}rnGe3&dBg&hw6Cf6MgVK3?I67eim~;ZyZA3-VAc_gGcqhA26R}Pf
zO)>Cw2JWoM%?}sPCS<}tZ!G=7XMH9a1dwg&Cd|vla%i$YXgNp|<>;O+Ue4|qY93}D
zL8Rq?Sy{GfZ8Gvte~Es$EVd(0j-6Ya#HzG)Oz*JXJldr0=Lt9dJL(u3P2POfUF
zexuSauA17=zBR4bf-JM_X0@olY_z(8nsSQgKAB_LLO~~H>l7*=bVn#2SDV6Ixw0o^
z5k@Wgxzo2IM81KJDN6HC%CfJ=S@Kqyh^A4udrnnvkePci36mh<^NcN1GcYag!=fo3EzGmkrgwOQD|@o?wv&cXf!qoa)IrwZHg?17X(?1;pcabD
zk%B>7UE7F?BAe;6PPYp6)mZ0bxR|}qF+|ua#eKxf0!2P#2l5VO%&^&gOY0PDU=Iq5
z$oFsj!~HFGeQ6@hwWICp;9-jk>8&8cje+&}cFJ4T)#^**xbkP96=74f1q3ErV=lcH
zu|sv9c=7EL%W9%uWm;fUmF_*uJmZu`VX3Ujs~7DOvY&Mii)3OFmcKri>jVz53d73%
zmS+2z9s;tW)Fphh=XqGIwqyUSNVB%!$^5HGD;z2qX5~w>)$E`@jnKL&*l9E!I<|{toNUa<0qRct;0p7}xOi@_hvO9bK
zH+l0G!2-wq2!Ep*Q_>4EZ$IMo6RmdoFS8#j8yz3MFO}RCaS!;(xhXGL?hnVu^_9;U
z8oCT+bWNOXUkKrY-GzP+8Jo+vy|BaH31UT8wknQ&{w%4xKFeBT{(D6k=BS$^Qo@dg
zQ9+^YMusnzZ?vDjFt$RU>TL+>KGf9Jn-d=1Rlpee`6K~H>dMUJ6P<8=*{Z67gnIYx
z+`0Me$~%FL!e8%$AdW!I8p$l}Ey-CaF_P}+ocfYqyWYtcYe@9SW;DOl1oD#-(goM0
zxFek=x69Tb5u{ZlDhx*3Sy%%k!CjkR^d@!4>I5iW?c7MQcPy4BeAyD1zHYZ6?etg|
zWVL}0^|B&QxZQTL%+GuKlh52w)w*B3R$me2CEAle=BJ&ED=_zJMi(;hMOp%>wlSy)
zDeUbP0m7(K@YJIUzHg!9*Fc-yx8sPU#|>B3YB4uE2-?q_%x#67Zi1cq(!T=tF0lW<#fdHeR_S{B@J)%$>Xo3>HoL+A5cCkC{|BtHg4r?-d
z!bM$l#losI3!nnhK}1@p7DRgQO+k872)$a+1(DvnlprObl!T6`fPfGn^bmp|B?Jg1
zArc7O6WQN=?#;72yZhJoeRJl_yz|a`=IGy=1w=cwy>J4_?N?@f6I~VT)gM>9bE4W?
z(@a
zJ(+-Sb}Y}o<E
zBS>fbx7k>wt#S(*v82mw%DD~hVHZ^}Ln
zoE6>tMvza9iUXz$Xk+@?Wc<%GPh5_2-YH2zHl%}mplv2)yMvC396{UcK`i|RKPvIi
z*IIo@pj;=BM^HH$29*oAUip%LHuIL4vc?!FF{~`}->{`FX986=#{J7YNp=>J}y3-J8(IEAX5iy_O!P>jcqRBYNA_!^9dwIqB7QSA|d&94;
zuCBDW&RDxo+tu0K$T}3RGdjBbyL+w-4lh2<72$!Y&WR1}o0pv}yqyomAEb~ffM3QF
z=vn>i|B4VUMxCqzlPElgoR_b!88WUnE^dy15*#j)u;HwH2Wn3PAC$;ImlujiM@J=b
zGNqrSkZA;)<_c9~G%aYWc;{2y3tnK&c?(*dee~r$xO|~VS)8aWZ1#ozC1YvV0ej9a
zeGxXp+n0=k>#gA)a92+keM7^fZ<9zjbMXEu00%5lWp%mD`#mdg>
zZ~qRIc>)4@ckVpb(9pOI^ZwzIHzynGjxiD8G8JJn1|PtCUSIaSNpNtJ1!i)1bh2z=
zl&!87A#~}C@cCGQEANCZy%V?s{=>zT_mXkFV#QNlg&6e!O)lH_1w!$K*C$M#{}MEq
zvV@tn^MV3S*yN@O=myPBdrwU3myJ`->{uetZa^M>83Bkw6cof;w?OW`ng$TX_h3L-
zB|=~S(d{r)t7Z7y*M^`$jf!*(HbbEG#TH*$iVF{-4yJkKktb4gcYa`mZu=^TbB9rW
zJ{a4}eO(C9uPU62IvfDDae8dhIqv#r$+>1&*h7)6xgW$Ve?3VdbW`0+2lLIK7VwV{
zY1c4lt@66!Cq2Lr=`Q`OSL@x588npda}t5aC_suoY^0xw`0lW?
zVSJw9w3xDI6TMQ2uVr#-!~b15Fz#9&)Yg>B!S&-6Qx#h_A-3ga2dLbB!3b7R_kz12_5Qx&*Sr3ajz
zVnbdwa)#VC2E}<*iaut5BdSZWEv*l?i@s2Z_67E{_5{lBU$;OB7q4*$#^N8z7Wd!G
zl{5>yZ6fvc@8|m!-sU?25TxjLkSme4j>O)HU7_on~attfKfgLS%$GLndX`nJu6f*6S??Hd}*B0Ec?>I9zkte
zw1Cds{{fAu-Pz}P2eHbUnx1O#{2>rG?dR*bz%QcCogJb-52&Fn
zc#ex(K>KWDk-UHT9-CIV=_5POgNcc->if*C3fdI0z?`r)mqeXfn4cF}EVe{XbdIff
zekz`Rf(BUS@OA!6JKKWLOIm7ABOm@46m9}K&nLqkX=yz@?MK#TB0CzlH2ma}intHz
z^x=;wxZj@|Ar)#i?oymQJODM5`el-f$(M@v>(?^UvNVxubE&!I7YlWj71a**<0dQ+
zB?kKPw7l<`UDHBc8oGCwMJ;MS3O%BG$91}QIR3XVyUCNFf%^2FaUddQ7j!TB@(i6p
zdeh<}j4a~XTNe{+eZ!5yty8#*t9cdIAHIwop6@bPBi19d3N?o)iNEE=WGglcrYyD(
z%--5Ed!$z|D{n(+0V77Mm3=Ermk?D}aQo@>LAQmAFdzZo05Mnvg82`;lw^kv7y>#0
zxI`ipGtUR(;q6f%@d0i~3Y
z>QnM{JBg1!~13m4OCXgw6s>2i*SjUkMh*Tv#8yvTbIb=@jAbSHMFZa!l8
zlg76~@%gUdQ0K>`ov}KrIPI#gL2#e-_b8?SQ;(=t>KAkBp0cAG_WfWr=T@oxez&V|
zTMzWK%&tGEBd?DA>NMS8h_?Yf9`FiFg$BF8=x4eTMm0%$
z#Pn5RY}m)5LFj3FfNAfjZ9NjCTyHD(Fa8ZQbw06f7OKG-s0>#r-wtZ$W(IWyT|@5q
zso#T8Wy|bp8-e~M6TDjxX?*&hBcJ~Porj3qBZmgZR?n-_Zk6AeNV-9p$0*T_{$fRJ
zperqy%uOtdcL-yU5>_B-`Pi_0Kjz}%Pf9uHjVqq=YAd+yV96FE{!Re8KbV{?%(*?v
zj<*zcTte&i4Nkr+tl74$d)RFi*?SabU!THgcA$WEhrE6!jC@TV?_IO)X{r4_
zWLbG-=Zsit5wlf@UgY!&reIdZKB0AY7K%L>wt_3^<<@lsUWW~!mvcb;)21Km@@BNX
zcI>;q(qRE#q*I2}ro6o?Y8*S<0h)Ip!o)PuqF1u-h9A5ugl??dMN3q7zSO)l!qpua
zEkSFgJS~hJX$n7o;4zlmL%ck(d8#UJGCwe>#%n
zI?NZ%)_0ThE1ZcJOF!rHiwW$oomf+FDjpo`{qVh1lC#}-^BEJZ@oluRMY6S95lS9Y
z#XKe31C6QpRC=R;e+-ckn;?~mS!p)w2?cO+I>cq;W1g+mKV!QKoLY|y5-eMh2HfFx
zmHVxs*|R!+q0{QI9V|gXp-%wx{(12JM1%r3UUwC@p-M+$Ge`R$K3F-9=jh3{|Eerb
z{oWNi@OCfNGdoYwaEaA{i#8T4Jpa@9jyh+#NeB>afWVWJhImCr8UvHltlMt|zMhb5
zqwVpOiNwOB2X1n@iwvjb<`i>RWWyQ}N72t76v1aLI!<+F#Qrp~=WD^x<1AxH>FKMu
z6#CIWI%0X}9h)9IBjo0P|A`aMq}|0IxElTV0X5Fw*g2$O44PcA@q5|C1DnRl=Zx4{
zv%O@DTUl%Si01!YyZ)l!nsQaOY}w_0rHt42?_G!rCN;fFB6agGF4x(w1w{3J3UTE+
zU_(nxty}<$K6vWLXP5P;^D3>E!AVZ~&rnCX&gT8Gi{BHJGcoQS)9ezQJacqy$Y=8~
zw8S;0f1ANO{+SCv>UZmfs*Viw-bI2YHT9?cL|wSAw2NyE`R$*m-$b#JA39qNAIuWJ@Z7X`TH~d{Aj^vNC8&EKNocDg{RpWC23QDUaDf9*n;2;8d*t
zMl+-mxxTPaFQb%7?ea3h+5NIb2Kn={3sZK5W2}^ugq&r-SIbk-$^zOM`PFA(Rq(6@E|f|^D;E}W$JQ(e;a1Xr0V})vs&xYv+PJ@5
zuC4Y=lAcNa0cm{`%S+$l2YD^KXXDD1&`M!>f|uSs7!g`ybw3TWhe%7OUpk-ksX
zeL3+-QeW%yc*L$F+AqmHvG2yjN|vn3-Jte=G$I&a7f(xLJL@0!CK^Am&J3GYesYn$
z+ax0cCx}D&?j-W{W&5CLcJPTaxDSmq+3#cx1RF7~*
z;6S*cuXIFB%ET&+C!pUVukxjsI(KvPT_-V-Jpqc|z|dG#)nIVv&CE$=Z#g`sjp8R!
z|Bua7?hp-iHa%8fFD>t!F|UI6a|p*ra%yD9s#5r4-3BEe)KL#-vFRuoShj4j8m^IK
zESkIDNpvdWEtp>%jI_DRm#E|jLYyosBa|UbruQ(h^qW+&q0cES3jTSEBbrnsWn`&-
z;^&K19+p~C9rLg={$w#D=8Yw7V?)WqQ!6X>rv|RA&=N>}x~5H28KE04Ji2bO{w5{M
z_8k`;@@hn}`+G*A^X~(fIRvJBA}_o;ikSA<^b8G~Fd4beOv74vkID(XO}+SV;S{%Z
z1N0n^2E!u`mVqO`u~!a*zN}>m2upvVCWeyrE&WG9A}zB!Li>He*TOqw|I}1_1Zjja
z<~$L_f?^((j7P_1VcJr2b`FC@K5
zyPRCpqFCL65P^qVelqv6881ulbm2WexXGvaHnUf4nXd&6qT$o)OiK)Vp8xT**>DSR
z1|whyofVDl#v2v$rS8wYOoGz*SeZ_28S-Y0{4<19wkn_J*H_@~*IirFck=3oo;KaZ
zx3ny;QPx81o&BO>GoCqjQC!fCQZ+*Q>$J9UgUaw$|L4+(z;G;)v5rQic2v1e7x9Rn
z`S@$a$C#~Hzfnc0&KrN-E3fnj!<-6m8ZYb6pX#Ya@rTtEcq!0wTQ90p;+j+9{U=_@
zTQxE))TgCi$#aiTpqs-ooHlI?$4yV=``q}*DUNC7FT^Pgc|l$id?|}0ba1dXuu^&I
z6|-gpZ%f_Z*hOZ~oTBhx=iH#gX=S52sLq?#ke_a4Vtp~oo5cwRqVjQKq@!{=L$^TK
z`0OH(e{5Zn*ai;LFfb_On+dN?@~jB{^O1F6>FlOGDR=Vzk3Rp}6S>v+C!zldQ3Pbd$ypSv-6W1WiaAc4gj9$&!nafq2;F|HuJ
zdp%{pyjz=J`LvMWp^j9PF;)(8h24_#k~wObI2~w^q!czvU^>ycy<1OO*E$e!uoVF)v^JIp5je`7*5ER13H0UB&KhWBDK&W%b)mXW%J%WE4X
z;Bf7W9v(X7aN&}t51AN6Q_?ITo_6cBc9R{FJOau1ji@3rwE=X_k<E%$=G}hEv`NiN{KQLa!sSy+G^aB3*B7dv;f!fhKz}e
zj_fRo4JtBEr7b>*hmL@#;Q4!tM?5gN`7ef;BSbxh-xo{Zbij4iu{X8&I&^LV0ewYF
zp5$a1IQ3{1#>+^0{MWIeFBy+TvoErFS@YjWsw1!B{6Qv{qbSSg`-{ZkU&&3cXb0>D
zO3=0wlp>EI`ZLYbyL7u$%y4FsYL>GOj1#R%!(9f{l|+wBYsF8#zfj5)1x3<0j|MMO
z8&?bJ8*hvDkSM(?V0d%>5z>#aspH}o&vAV(jAiEKQ}dRhN;c9^$+9G)Y$?y;r@%0oLN
zR{y4HwmFQiMt-vu>*Q~`{FcHE-`;;Zja66rnq>;GakScgny1UU3}=G`h>WlR=NO{7*f-Nl^1Ae{hPByv>A1oM>r!vdPH*
z3OXq}M&RnkR*m8>yDd0hom>67nabBfNybvgGvryBeo_7|RN0bDPUj$*UF
zV5){0o(9w%QqZtK#5rsa@l5$hWwR%BNRtjlQX+*~Md&1oJKe{Ic37SASp
z-z0L&Y>$T3Od{7fl?Xdo24Y|rRKJ>IYoXh`@!KX$*`J
z`UMeZKchg7p(mEloIMp>>Nbj)&lPnQFJq7X-X=Ds6z(+7cq2%?ZGl_&BU?xJw7D8q
z8%n9T4bs#6vmRHE56HF6OgJU_XffJ(#N|M&$
zVa3<#$Pv#xhYq6B*ZSfERo|`DbLPaQn~q(C1lz-&EoC0T;*%C#m75|1#}t
z^tO>*{DU{512{-oYSd(nV5h`y_q&iz9-6qo5Cqqxw4iQOc6TDF)zFXdwS;JJGmg*^
zH`>jg{UHPG#1h)ZWh#pA17%c%3z!o=yQmO6LA}u>Zz3*0WU#ICaBhovY6dA&#yAHGZ+Thqk!71I?Wm}wK;clz6sxtLH
zywZ{jT|1eNcdn#NuGQlIUXS3O8Z6u|@^8$?F0eCi_iTU0Di2IZuMuuY9tkD?3=Hz~
zci_4pr+Yhlq^}pToNd0qUn3&x+RD~%`v~%S%nAYQd7N%fUSQ7<{PHQ?YTlH?Q5~NZ
zXGOhYNN0{0p%>Ihc%(5NWt&@p@hTfrtNbwVtmbRA$jfWiWrF?RJ+yxG$`3UXN&&hL
z@lexz5Z9V~lhgjodF$1=MjMD5zC7;7$lKtat?cjSWtx)Iu~R^w^V$Zjzil2k!OHZP
zfbTDTy&+Y)#nqe37}m?<|14{SePI5}r`K1`twn4vB#eDi46-mAvo(017Y?)WrxBiD
z1GH26mBb33#=BCT|B|~Kd6GIxY*HAct@t68X0i*G1KyQH-!K;#!c-}AeOQD9-qqvM$oz8o%ODVnLy3iT
zjR%(v&16DZ?q)kjoUEs098qi&b$}e_g@=n4r}@=WoD$ZE#?p$2Jvqz}k~Olkm$FULc!BB$o_
zYO&g6h;){*SlVT@bno@iBLvt%yf6BVG22fL#ZLZ&YI2LRZ&vJc+SK-=JpA8t(lOem32`AnVeFL8gr-VQT(T*pWsq$((>zPU!HXl>g{7k
zdb4aKI6H*J;%hrVM7sGL%v20BJ{+kPF_`htt2$?~jHD92KT6@WkfEi9J7P(yHRcYd
z?8l}OMnox1;e8%e-Sb7ZiYs68-g*cRvT~CZ`zI7@%{Wn+H>RCu!*1kJO!4C1B<_Z<
zncP~9{gR8DYVuT>_yiAlY*kjJ)}R$+l-5Gq5v2B(`!ec0iFHsP%NzYb&~caMbok-w
zb^|{qUwt`^M2TpVK&gp8Z_a92$KSJZZ)U;nAC^M{GRKu8KT6^}tju3x>*3
z{6UAGP}dk+_t$^Gq)FB9YZKR+di8kRdbU+hV?6>W~vMJwNqV5aR-zI
zS)Nw=aOf0311g`MZU4j2=K5ddvI|A9Qy%SsS2!ST3t>0JlYDoz$<*(xtPnqw-!qe~
z!jUgir-O8UKu_0e^{2LygDGs3z1g)Az?^X;-Pi3pCw>85I#ym9xVb#_vihk>o-JZz
zq{By@>G;c_F`RXYO2nob*FZn>=d=LEBQvIkhr;USZ_}1K92Pf5rY)!Xw$A@zoLbt)
zaPL@hifTt_6R?O22A5tt{fZC!Sx7nUA
z*P}`ByLE32Ugs04%yhOmpnMsFTD?3qR>j@<11|~1N3sJ<#YkWB^K?`;@}HcfUboo+
ziT``|O0y?*Oi8a$lfB6aOIqHHP>v6UW_p7>^411j;p)HF{J^bahuyjV#{^*FusdLb
z+X+5mXq}7oH)4nnKOBX_(Cqx-Ld!qevyq+(+|Sx}>xz&>3Cwe)#Oi;GSxfGd!*P~}
z!F~?}duulIu=*YJ-~&=dd6|)6|9iohK3(Ffelx!lc)@N_`zbVy$3M^VdHxOV;LN)T
z2I>adfhzp{!h$BXFD&)ON~$WxD;lel@dAPDfB!|QEUz+Fmvx6kXBj`Va0g{1%VnYg
zu#LhYe5=klA3_@
z11}KV|LXy^KEilwjrbL8Pp7)yfa{GbV&ACgo+4Vxx710Nzp;I|l)!$$0x4JwMf~PJ
zX4NQLmQ@KCqlWzq!_n-K30)$c;%P~1!Hz0pqH!6q-ex@Ta3zT6c**7_Xt7R3AB8aB-XG(P;Fj}0
zrvje#*};9H`q!%KQakcv8`5$`JwTuSQ^A>67-I5*9YyIS%+u`L
zSU>c+&9xa{ba+z?s?yDt!Wv7zIu_RtXQ#wW(LV1@)d&E{h>v^#K`g2r?&Qp+cio>
zbZkUS?KHAfKRAA4fjN#`>K_rSFVhrk-KMk$i$0kXZzwQf
zqP+FT&la}GC^{&J^bQR=g{h#Lw?#|6n((ro2J{JIEEnkP&o^!`b%$Y{ms{%jWmYej
zTb%75RDed3eJG|ezTf%@?zPFpb^=j7
z5%c2C*>Z-+)Sh&mh>##xLxU3Txrzdxz^~AE$WwtP_a2gs@6`D@Y+ZIe+VjO63*DC%
ztsqEpcBDVKk>BQ7IzqI~te7@h|CqK~Ze9AQ(VA7XO~?Q;CPbeq5*bqk7
zMWe=a2FY#7t`)CJfX^{?P`R_ttUm-EQLCswjTGzkGukUYlC?
z|I`%ko&bbfv+<1eZFzUdiyLVrq!iYwoyvgL7M?Pq5*Sm`=JS4S!b+xpcIPUFNl4IfSniP)%tOH`P-xfS$c&X&J93(XgB9DQSC&Zg%d-VbH@6(u=#hr2B?zIX?H
zH^{+hRIiPY4TYQ<=s~JQ=%)B7GQ4Ynr8Yo`m%U6M(;RLJ2{LM@%pb?nE~*D1
z0l}!JMgK(o(*OBF$;+b2KJ20*%Z8mM3NdKk^o2%AN8h$+0hmj^z~C
zPAgd3hB(!w=IRNRe^(=Ww=>nDc3&Gfbg}w(ovlGegslMyzCPNVA>WM7DqPN`&^?>~
zqdWTKjaT4Uw5jfEs+vr;SZh7-Oc6|3^+!tdVnXz#5ph{{
zNj7oA5mE!wU-uG=sLT1&Ato8ELv^kXlq!#S2Vjie8(FB
z&uu@qc20fqQtUAX)qB@YM&SNBY_-gU9Sa3wFoss|sg;kZdEcVlZ3gAz(VFrGp!C&OrPe
zH#!$E&p%8qh8crR&F+z>GdP)H&_C@zG#7aTxQv9p%83~nu&Mx{B(S^}obvOZ+d1Mb
zM`V#;kompDnj$26H%&bHtDF54d!Nu02PHE2?V^4h3+n4&`i(wC6G>FPN}U>aRpR*g
z4Xqy;SB7*CN_B|l`Zl$n))1^FT|dGN#)g?SHc?vxYlv_Ad6hR)jsbK8l3<(QG`^H>
zcm>fUovc`f-#t@;*Fq2M>!MSrB?0peZZd%t5lZqEL+3S(KSf+Bdzop@J+y~^%&A;*
zzl6)WpeF8}z%9k4PnOhtj$
z1bF2yguA)Ya^d!6$^egk^2$s0{q5#$MQM4F<{OW&YY`j1m
z8HqM5eADs+u@KV=)qGKRsQR}HLw-HD
zAYn%4++olRxL44Ig8ub6EjEXBG)~#PT%GmGBviOJ@yj($ardo$$Woz%f6vU)20^@3
z)^3cn0ob;woi)*1H6b^nwwWh=vY`#Gj^Y9j0h%g)TS%Sq9bv@m$9JHcd>3NG)Q3o=
zXp-*1`bo~FM~~YnZg=V2)cSx8Q>9vtDv*
zc1rY23E#b=$=y(JcTpsI3E0Nf)N&!d_lk0ZDLolK9I)>25#}%oq}?{w%77=Dsp?Z&
zHdk&bHb|82<|!7rLBy}W&#qL4Z$wlXCz~$aBhn(cLN}k$cGl!my01`cpoO5-SKbt)
zMwJFJyOrKc!QHeyclZgufIDaSJqel>`&&Foq~*$56Iz`qa|O3R&)unt=J*a
zw*BJF%&g5;qFpfjlW8gGU&=N5OV8j8X$-%IM%Z(qWkr9^q%uTYOqJ?HwyOz!yHeY5
zPsWRLp+;tNJh;u?e0#dr{Hu-UQu+4ZwrRctQk1as92V_;K|J8P*WG>Yapij78N{*O
z)|({q=dir9^GfTGU4(pX_ve9a3MP-Q8&T`;v%9+Z+2eS{v2wY4nCd61EiGOZWBZ+y
z*V}C4M8b9};j||u{|98fl>?7(ZVR*YMOvhtRRG22!FSrO6Wdf7-KFjb@6
zO}lGivDN7~bgL}3+0#d-FQPSU!;umGRk@@{@**~nXiHkRcia5#KhXInKLapJBljIkL*BxCN;R>%uX~kDVHd6noIdV
zA%7EA_rN8|)jm=*`o&fGucFqGkOLHc^np@j(kf&!NFVX_?INE8t5BZ8y-!pZrq`NU
zU2@;R{-?Gtd#-w-794`X+0KBCN**>8pWqcHJlrejt&ZGJURoGAueRoysm(1GO?$Vy
zmRV;lK__IV3G?>^TKsd(7IQw
z6O?;X~YsoV$1Pgm_cdsF!nen9OVTE+Ac!g%@XhQNy$j&^dJHei!{kYi>Mh5NkS9zH
zQS;tRe;tLPKdXAnxzJLJ)@<_zaJiTDg8g-V<`*+tSyWQ2jVkp9BHNf5I*Zy`%tf=L
zotsB`Lr$vM(_M6)jAj*y;^<5C>O!4~+ie83O?bG4Jr}z9eRaWIQ>%~+G04GDa80fS
zJk&1-1RbX8s+SHmh|JlOtDc$y8My<)$3PLK5J%79rT?A#@_!=f!l+;ZRoS2S9%}4U
zSNs^JLg&_+7e9Ydg}4#A{K-r0XHJIx%o&0BE&M*E%#aPQf}6vuGKF(3+w<+}42_fm
zVH(12F;4_u+dHMk>^2f*OV!DrjJVKOgw97fPXub#tuz-;q9+T^h$~c`5m&N}w+p(J
zVrY+v$edGm@Cgi@N}0FkVVHSBhp6;hk3bPC&M#_}8#jkUcq8L(a_ZQ?
zAK|hr27#(|qivgwkYMyO=l5T`*A`<`!A*G)%?BDM8BT1jmDbT+Em}-&pvsJK5pSml
z(nYDZAhr#d5s)fNLa{7-{yVvruT@^*b<%{v4lHV+?HUU?#ge`yL_CXBp+aO
zFV{oB8skmKoI5*$8!J@LbcGy0t>NGf$EFV-BU}jj75OUY_>J1i6(xC#Thsx649Q>9
zj`{{^R3`F;C^}=(0&f~IDFW!d$Y`Ey$XcFP2~v1FWzncz!i26U`)yuTemzl8uV5qU
z{`E{5r^dSlIo8;K6M#z
zv_6RIrx&DqXto6w>4N`VS|F79F5FE$#V`d!7VCRt+3JOjie0n;G1GkYNy?b6sSBC+
zqAl**k)e!FSe!8U{#V^Cj2eblkhBe((8U8<<3LmQH~Flcxf2nKf1(swt@Us4_?b|I
z!?OTIW@@9nwwg);FB-uW9{ACD9}H9>^S_mO-5{7daz@#CEDI%sE}1qdjdsp=-aURZ
ztVOhG7_pd*qZ>|F^h?pGZMpVH0;Jqo=W*OEM-QWl`P^|KT)G!q+5dhN>}UHLA(5+YF!VZq_o1b?8VQ-W-pwujfYm;viBe$;1z=3
zyhxo`q(uG3*}_Mey>{(C`E~vF`wuZaeMNsT#|g{Silec4zJ#F_Mb0Z~+nE3hONrkg
zeWo5!-1j!;r8vT~=A`pLYD$aqXqW90Avf%LyI-{H=
z5o>(qYlIQqHN1Y$WAMRK2P+Y|)5*h5m1RQ!(Zc2!#>9-7*M%K!u4(7~UKjbZU?*HM+@TFY)8
z2AG8nc6#CFPz8pjGFX1>X?~ZDR#~~Y6Qr}gB2ePJlda}*lBo&4$ERn?
z*MMo}9BsAF6}y*xdvsn$M02prqGK7XvS0MkJ7;aRhx785lvgPHfJ8wpdKe1K`L*+gz~oKVL;RU2~Q-*^wDD-L)>2a1lXBGMd}N8^$LUeGia9bEZ8IUq6qw6ag9vL
z?ih2-Z;QF9k?f_}Xdbf@(loZWm-Be+9Bo`9#
z;?k0{F`<)Ot){QQtXe?dX@OsFM;6YjK3r7B?bxTCFZ~(LcBgk#Ij6}QEgaXZ)QBEO
zz^nFW*l0g<-)MIR$W2dVOJ4+``VWr_*ll1IQ+ekd53SEL8f!Zjv95w83$YcgyCt49
zlx+~80D7UT)#;8hPsck%*UZPND&$L$%)+1t1ke~^-{}JNi+s71KU17){y)bdn33uY
z^NH>6x>uj;nSE*$1TSdn;-GyFy@N8$N~HE0g075hxJ98(`jq9j`#TA}^Q0==ZiWf&
zARRA209ZD{?q`(~L)aGuFv6B0rcbYKGDq`C!Na3H0!Yd~y(&GU#8DES61RXz3-7)Cx!5hP_^XG`RV5eJ!LK2YppA
zK9z2w=4IlWqOcti^>EwI1*J(y?sWu>JeHi{d^4<(YB}KvqwKxnaiG;)$n#yoYk#eB
zYt66JJqYMO+prq)IyF`a`*drpZl3%At^Zo#AENsj{eGN7?}|Dk^0bmoOS&ECP@iRs4G@LDT`TgRBuVDx2jej^4je9&*`o#P1uzb`3
zCr^W|Tt!&n3i0e8j+UNilWzUN|Bq5Vm{apEmPdy$xwtcqyX#O1HOJ_GkT9L7N=r6$
zWXb)DaF5US;x|S{7AwE>+^_ZDT|^w+aS~3`cB8szIxxzf>!>yLgOPWPIfGgpet%j$
zMWB)z94uLV%{TT&wr_=QjKRSj37A9^x;nOlUJ~SiNCcMWDFbG7ytDDFPvknssiocE
zXTcgWRT^O2z%aZ#?Hg&-r`L$JFwsV&e2i)zvKt?uyZxR0=*^>=#m058d%taNc@VbS
z$oQ^sy#5XOJ*(VEu~mg|KmX!Z+PM4b#HJcr|LnF=b4^1xkP-;opmz(34o~F(~Y~FVz@+jZk{-zdz^m8P?9Klj?!9mcSi(n}#tU#484vU{vlvCUu
zTDK2xDWi7;#YU!c&|chlG?8mne&ts@P{1|rgiu&f+|xFN+?6?{TGHjMoRo}MpO2OR
zU`5!?R+#(?
z^|>~9lq^iBr1re3^G82F`}@vyhw?(1lK$3gNU-BSvEj`+JrG}~t`bH6+y
z$nlYdNuxc#cwidE+^WUvUaD|O4@?G9r>R@YZ$GJp%N2SA4^39f7xLSx3n||1+KIO(
z>;le}4MiLu&&Nn>rHGccZRk5(;Dqt4iVOa^1t));?ll*H6~S*)%#O_Zq{&U@MxCF%
zLCvMRjoW+am9phpgXe|tJKl?vQMzZJW(CAGMQbn|N6jr?{9fwgb*H(IU&ibTH?>(t
z{&yg1U{Q|G;Enig-TPOs8mBNCS##<6x)Zxv4ypv1%Y@kU)XjiKGxFt2?t6CxuT--z
znK8XN-Zq-`y|hlUB(=X{8|pYRDHkB`SNmjmC<7}q;#50jrhw$bHa^ZY@v6X4>Zakb
zmaZYb%{6lLBX=y9{{#jHIt|F6=Zxrt+zf+?V8njBRx|i;`IgT1tq&Hnu^6%d6
zb7NHLYiUW4pcALaI?tx2X9K^fc5J!#4}~jB8OFI+1c966vmH<#e**!k>Nk
zpG+}8_kN4&gf2=&2dOwvZo3aR?bQ((@$K#L1q7w)1ahpxCadk!uIHD({Xg%}vCvo;
zwm1iV5sdqKtbeb{)1tA@xMQo;NRO^x%XL$FYUW5pG&x{mgK|An!Fm3F7#gUODuY*?2@Sv$Y{@*cOfi?0ZW~VhHftl>HG#-}~u@RZkANq#6
zzv78xS+9^?kBxpuHDl6|Ly|rzlgF0c5V+ZeIB_aJbw2l4yMWCJ>Qm`8ErKS}Zz(wZ
z>{1z@L<_As-L>af=VpC-p*Y_NK7a6Q$1pa}P{_WV_ggnxL=uV5J#_QUYLKT}50qsr
zV7EZAap9F?N%p>s5aE(AxrN`+?W)fb0eY)dy)?G(xB=&=5D0mH0OwxOVcYO(o;xOW
zzS`46T0{Nm;8Ur8E-6n9_dW`_>h6HEVGkUP0+I@kZE}X^gue6@XUM94y
z6$B`0IQ*Wkn@rM1Vkdg|>XN!$&?%pD5iWD%IKpc#fNYnuwrB25ihBYUw><
zHB9?uf03*YKjmdPH2rLMblOd}o0+&WSSWsj+>JC@E(+v>&B=agAskO82h!?W_=ThJ
ze??rF0?MMbP{+?e>Ha}j6A#-$x|pN{>%4GX6&?f&JQCYK^wp-a?b*BP?*8k=mr{y~
zF!VddlK!}L(0}w&QgMa*2`XvYLv
zfe6?S;YbQ{djK{d8T?DPc_r8Gqx#m3GfSO(7^4f?S+TcVbyv&&?5EID9`TI98VBEV
z=ihZN2RPLPPwpMbXUL}XpJiZr14=>w?ql5DSaQbCO1zi)DXP9LAdh-8;q|#+z)6mB
zvln1nXD7D@2RjKC+GXpD(P5xD?dDS$94#JsYyA1y`~i!mYU+Mo6FErJMBY+zd2R7m
z%7(0m1yaek|E%iWwfci0b4_L3O>K&2<>it2nyC8Ym$*frmPuIBBTV|jl)oQCyqc+P
zK%#u?Z#v+9S{yNycviV!q}J3%mk@d|SjIi2SDr!Mm*>4t*|`cCcs}b4yl<`KB1*|7
zwJ4}%TkYD}=b5xJDjOS#C?#nB=a%`O^
zmk6H1aN7RW%T0R)6YgYrNLJRYISqaAE#+ZDAxDCEMg=^0RR4Qo(YB`=t1APl=UHV>
zeM)2vb&(H4?oZ0J0wQ4yLY=x2daBb1u$Q^;*vq&u%jTL4b|!{awL2#xY_9~iU!y;T
zqa;7)Hs|AEgp?EM9S(HT^^Jg@)5uADL*su-*7n8w
zl#Gk6#5}Vqo$$F!4oNwI8Y%4R>c~IGkJ>K*r1Jt4S-_4j1V3TruJ4WR25YMc)Xyy@
zJ9m`sa~LaIJR7}pf=R5aYT{guQi~?8`IoUN3##e-wb0#96V%Skh6`f3ng*!Uk-
zrsZ=veQO-RiB(lV@@V__@L=*I($s)}mnA|3lPF?&uA$~1+L!HQNRUsNAjL1PqXcJB
z+GVTpL0Mhx18*JWiByZ2Gvs)Pn3HBOqw)66Vh{TB5@z#o9H=lQ#-VDPeJT(ivfl5rZfGD(ivWQA;S2F9K7lI0lG-~
zaLF0ue1J`1yfT13i#jvUN?qe_0@9sVevkqE`-;aJLOV8S%4_buLMck5
zqSS}um#Y$ik*8lwhK0_qaAsP8(H`^v+Kd}kVsf)!@Qpnk2|U&h=`No&=Aolk!`mhL
z{Vc-`I$y-D0IuTzsm~QmjEi^?bMi8)!*u$;?SE5_F^XE6a<-{?$ycf#>7C$bcPGXyvtNd}
z-t$qtgTU2{Je$LKz4e#g`oh4l`#%4#&*D?cyYwIzVIS$f=s)!CNf%c*OY+Mj_!?7F
z!aW=qg4I#KEx~sC`L&JQscSjE0CDH)-uuhpNuc>RgMrIrpTUUz*QKoL;Dg6}Nkw4*
zE0@<*-ERwe96jn@rT;!Gr2F@cVu&=mGhq%v&nizZ(E;=q9$zSv6+r>tbt
zc>ll53J#5FfUR|I4VYlPf=4=&8|Gtisq`Feee4-yZ|cg?sn?I!KAvyzf3;g{5#C~*
zX>@Ktt?I*oOgP2?5-qWc-4|QgQ4b&bKU}>DJXBr$KR%@=PbtzuVJHe^OWDWvlv3Hs
zzAGxqGGxZSwa5q~WM77a?E5+xl_kWGeH&TF&e-?)pNqcV@9%$K&-CiK-Fxome9rr`
zp3gal-C=aIIn4j4dh_(hEKJ!p+FY)JrWx<)cZn@$rE_F;qG3e;EWN~%tdpHu=^Sv$
zS5&<9M%*s%1XzAjabQB@6hD4K;eku{M*$K7Zvyt;Js75a>_>dxnMi%o#`s}wR>`z%
zq~622KT-@{gOLo8ygYHGG^POI@i=IECG6YWVyB>^O2oqNf7eLwsH&QhfB~{4PT|Sg
z63A;x*H~LZ5b3C{WEbmM3`>1W{DTHc7s9fvNQI~%-cU^ssRAoC=f;IbIW_m2rKW*^tPs;+mX=osMeAKqx16(`
zs86nlr*G>)8oW)BIWpFK>;CAghU4S-U
zEg^FuGHI&UCp+kgg&#&VDhbxnNc-bT1&xqMqXqv41!a`HLaSV=fdJXjs^$Y0@d0r%?Cukg~9Y%M6Re$3_
z!)JYtH|2dH8fqn_hu11A+J#!F_723guD+G3cbuu`C5^As@*zvk7f^uR8A|>Xi5&)Y`g%L#
zL$cN{Sonj*i_Amo%Lo&b&y6n(#pNe?Fl4-DrypPb(|KQiP&46vYXMmEljfVO^(a{D
z`eQzep5rq+=TBG+MoqX+#&4>>rMj$9Bk0q_zre5l^S2h@f;uSPlySe(+h*`NW;U3)
z*>0+*tQYm}?EoW4y+OOF$6()_h7ta3K#AR5+l4nHKMIr8o<3T9vi1aCY3tT9##4~B
zaXznawYpPH&Z_yz+*_}_2COTxW@#;4d!qLlikl-tnx%y&JL7k_4H{{5=@h8O%3?8c
zaA^l6uwZ@+D!iUHR+)-yx;kqCmeIU>>-6lMYdKGP3~h5wH;J)hl|D|bmM15KW
zC3mB9K$Qy|1d1tZt1s1j@;%jd_)iyU8Vq5dUB`YYY}*+iN0gAPJ%d1aAenOicLiiB
zS@%pO$%z(P)8gM|I{=*apxqft23~eIw0EE-=_YgG&aHd0uINJ2
z#tPFjBTeeHV|tsLE23agcIqTAcIh|vlZ|mlLamtMx!mjidM6W(om8|74pU`Eesn34
zu-Omw*<)bWkCSvYkHWD2AX5h1Uo3Ectr>nfd0#eXZb6nu4R2V$MMb|%hn1!%5ello
z;%aH%;f?FN+X@8PW!&spqLHa~g`-P_KHllqhS816N2$$S%73+rz@Ao_FQE-!qOh{i@qe8dDNSte-F{YpnO$5U;l+~tbE&MA;z
zYkR~-25Wgbbv$}fHESb@HznFLj*_X(0os<~es^`_FS^8bx$pju(%Ac^-|2&x)}YEk
z`_K-k#oQbVSSfpX|JO~kAipGj)5$hurU-l_=i28(J6$IWrN%5sbL=yYmYb-?or+|$
z$NtYnol@3bGtTXTtyQK5Jc=j5WE&JOmK=jpGefbCPe7Nvp8RmI2prpd&vGj;V(Sm*
zQjQAQNBi?^MeOo_Nwtyuga^0wHZhRf(2RZVVsZIZZl;9jRCn`Sny$PYSQDZeahtOJ
z7!)eC6R25@U`56cD_~qN49y{T@SVKTsP?6Y>c3|pY((#2BLf^81M_m%b!GEDrP+%*
zA`rpYDL_pz2Bm*lFeCDrRnOh52Sf4sb3gB&11t1H&{EHjBJCN(KIW}t7o)G$EnDd<
zs?$pSgYul-vp|kuMil|2I>ezB1489Xf+s+)e)7o0+_P;_DOmM*@-=$<5B{;TW4%ZC
z$@Bd2w1CvYg~xdC_yEr
z=~f97%r{zk>-E??LRG3oTh_t090#mC>1hp&&Ui0yO{(G(uBGQo=>^FZJ>#>8z8X)o
z`FGNUq>*_i-?>lY-+4lbA@p-UW`OUz3EbnfT$#k$)eNx7Ku332>ztEzD(Z>a-AHZL
zb_O})loy5H-ptiy_Tuf!Rt|N_IPwXhaXjipE=PIex3uPq2tSM9Xil||FRoA$q?pod
z!VT62|0;r96J$4wYbvSeisd^#_?)Y=a2(v9ue}@jPQak^zb@7}%iy!u7Foct5k~eN
z%Hrio>Ot3e%+Km)v_nObO*oH<=olkHOg3GtYz3I8R9E
z9p$yWd7G<>M;|3y^3bxcDC3QGo-pHo2)zP#m4nR%z^cvXxV;n;nU@%h7^X+Oay5h0eevr1!1hgCFNwpPlTY8h(uBXeqGnaqviK2~5-z
z;TTw0CH09q-TMCU)N}yS|EBW2nyc~I(s*T@hihm9XN>X?)0Im~04}b6?|kBxTW)^r
z>npAFd?J$=Bj7$(A(|$b;^ZL#T!xC0#F8@?KbqvTl;1QOS_$(9wFO_goCnBib%nEF_5u{r-8C&Sx@@jdOvD3Wy_5|qSY`oqD4qbG!1N^p#JPa?9ZxiEPdxAXP<|SWirkoCgj(Wc8#DA
zAQGEPILNjYFYW^k6%T+`CH(#aNig-C*{3(!yL1zvvTScHkd$cDnl+7aYxmu6zni#q
zXwMyUC7%ldYN&lLu$;#@iaADrxfvU1=Moc8O$X>CvKThH@>@DKKI(AoE2--T@zw{QDQu@g^i1ZADRt2+SYx
z9tA_10I&e-VCbWr$=P7&%Q3)#2Uod3{PtOu2F@_qm7;4#&Z>IGMYK*v8K06)_FH{B
zF~2Mgstr%X>HK3dIk3vyQNGnD7S6MskevnkNg|n-;xWr>gCV#4-jZ``Vst$OUYY=#XA39)CIKV^OrA^
z*OI3C)?y>dtJRM>TLZRvPtF}@G;y|MJvZ_8_;Pt9uMA_zn7Ml0
z*N$i@Sk>JWdD_MA;Fw96b?T|yEO=G^_lBE;jdL`lIl;A)71g7=p@KuZQ_=VlW)L0Q
zly>%s*k0*<@kSD9Q(DC5fJEZ1tm9l;Tacs^#iZqp@CReB>oj~|-4ol-kM5JmVxDE&
zq}TP!)G}6neu}@E!E<_b{k8Zkrg?QTFn-detc)+Kx95VnAg_>k6oS5>tBE1ZmKdHP
zb?!$U^#_)UTkYmcb*#-&Oh0)
zjd3WND75FGo9>N}84}rH$*x#%?PLs(lP;&EWvzR94yUbC=KC*1mx;JPR4bmF|Ik&@
zTd~AiuZ2L2yib?XsQVhtgTp<5zvfQ!4>z3|C4)QAAj;#xCUMR~#TJ12gyZ2QhlX59
zIRd*A=Giv*9gl?2@})jU1)Y>=4Y3ahlTKq0V`|5f8y0c{?}TM~OowqxoMT)|qCeCk
zcy>bG7#!LNi=WNZ9TZ%vmhveVQjHF5Xa3_FaL{nv?slBH2Y;(omfvKpVGB<<5J
zY5Je2)Q6b8v5*ci@&qNK}z6?-}mjN!|+GG$nAzE$~PRIyOKih_xQhS#RKhd>LhO7_YHl;
zGxxE~=+B7(q)3nN%g#1WJ5tX}?o!%?U#=w6!&+>5C+g06DJ{+en^T$-=K@^O*{HhX
zmTXsWa@)u6wsb9i*pTV5%+}D|UjJRczTrh@oWESIB&2H}_tTWziE*UAb>s*_JnFLmd0dQx$^^zq$JdBu*ofOUmP?Mz7?H^7J9>(r|`?$
zA3_Gg-I`c3N>EF`&ZJ+!n4pv$Hh$@8y{69`PZ=!ZtK997Nj1xn*D=3jLny5{zWn3(
zvf)<<(d|2bhZ26Z<#mzcnvrAo3h)jsN*WSS-zv_(o0ig#UdsP6F1Ddl|Ws5
zR~Fce3|*?zj{T9n%eLeilZ_sB^R_WBomUidwJrQC@1tE%m~x6h5n8S7z)NW;UgE5r
zY;H>BYVY_#?50W!>Dz9su7x+y2y{%)6wrb5Kwz+TB__)$A05~AV0G7%|J*oP@P}}l
z$@{CaD+8;3hbSH~(luBrUR2OJx^!2QSD~DO72|6ORQ`gMKcoDKzV7KpOGJQL5RfHeO)RWBk^YI63PrtV6g~is|Tj-Cr$(&;VNIj}fRh>eV;$_+!18x1b~_
zF8+uRb{^eOp0jQ|_i3q(s@?2Uv`{gaBS2a`*{5FjGYLP}A1rmt$h~LTS}yYc~Z|#<}jkpa_%-V%=z}&OsT@J
zh?ATYw+3PzLl)!e8u&MM@9t}^gj!9ba8i<`6
zmZ6#=4e==z$)626#0z^CXUXr=?X0SH$+I@=-F2Le*HX>+QP()OWudG?TG>{8E(;>Uh%5BFpXjbGs{5yXO_v%9V5HOLNJ)^9b92ZqBq2+znXXUUh0w2*Mn~k!S1~*Gm4mXA&k*;TwehBM%a3Az^^fd?FYiVF#DN8~`L)ZM<#WJI4Wb;(>gz8L?1RVnlZXKEWYNc-Lt0a0%k=IP4YhB55vVW
z<~??b)_3tmDcDvAo02q8(tq1=>O2}{-LD#n;M)Ju8+8ork6bjW)-?+{j2
z-nXi$OT^XcZ_(mO*xz8kjrZ?}GGcL3hfj9CX)N|E(PZaMp+EGI`2n=yqs8s?EIVfQ
z?t;bQajEcbgNoHi7oHdnRbt-HFjfv?-kq&@6EXi?HnH-!xm(+th_za@D?&rDXCZ5#
zt;a!}OIg*NlEkADU!33IbhTD>04H@flhl3)wx|I7#Q#Jgw?^zef8*56|H^9xnj!U+
z)S-e9Hwx?6cKj*0ThHlt>l@2l3;pWc1ZHqM*FD$FuUM^X1aFKN?VZKd_{7Ee=iaAo
z^)$$Pn2W_~H7|Mgf_62qA7>7GW9US<8!KUTL#v!juoA)vcnBKY
z2s6rO*yv{;Ngo{F9yT6tEPq}<_$pJJ;jDIX_2#cZ%Sf~1g>?d+akqSm_2Z5D%LsfP
z8*tap>G@48f4C=s!zkx5ThuN*HMiu$57_@6+aE1;D|0Qhfrd1A#DbI1ame{G*u>te
zmbW_Cw2(0`FcfT
zsWZ!SyZjg6DqA~8XmUOwM1Yg&s+W=3Xkxf6XzfA9Wy7}xf2o9Z0bhtC=lisFdHb8m
z)kf;cFg9VFSv_Wbu`8NdW^4CAHY{3|$aJEsOLfPD(*&QXb)uR|K^u(FQo(*Y!eTMS
zyKh&cW#wcg;5%2!mPOTdJ|SS=(P)
z!0*RQ~r3ZEn!ZiJwbKnA$#htWS)2_?);yoi+Hqo-X5$
zR#Do>o$tQDL)0Fw^r=->>^WuZ;O^+wp#;GA$T6ANXP_PXVaSX_4W6itoB}IfzCa4}
zG?=&=y?g07cd8{%LU{B;BBz1o=5z1wzn*T~&}c8L%hDEe9pg9HdFQ76wY2lb5P56n
z`;10Db3~&gRVD)GMsRBGohSY(eQq4t6z4QP?hUY#v)-5c*l)QPsg;m#AL{vIyY#w#
zfE;z(VtaDXznU(oQ4ML+XNW=WY#EFQWcRTM5fbpnjt%`j?v0_Y@8HcA46l4peN9eAS)p7#O8PBwL#YQ?^Lfw
ze#XIy)Rc`#eciA-Zo>(=CG!cn>%$>ugoO(?O`7i3=C6kk1FCUuHkT_m$7Cos2l0GR
zn4|lpFg5)YVUx>sgw}IbIY#1UtdweF6#h{1z=;5@ks+?*%MN0wFaO8wzZeLeI}ZXW
z-p0I+!TV7)QL7tqu7Y?8QpFzy(XI4sunn!wuh8E>0`4bA?R4tA*cDOAdZa5nUGr=y
ze~iG~*ngz8Fm)%4uTtI9-a>kJQV55oZh6M~0nJgFyjb2jC@aHAT{cP?@!TGJsI1e^
zp`wp3cC1G3c9XhGJNnZ2Hn7gxW3kX)T6!v?6M|zA$CVqBh
zg}LI#VVJyMgK4RhL}T7YUc`8W-XV{%`Hc@(Hs4@>9&xGup~yYrGicB4u}BCXo($1I
zBj!g@Oay9f!n!y?=L1j(g#Yw~N|X6KRuot7I+|~VRGYiYFAL~ux4?)^blB%$tr$eG_(
zG_V1F98f2aA2;d?ViUh1pgUn+0cOvSZF_sWHL1_(IZ%i*mtDHXw*`iFw$IRzl{
zd6`0FF6ZUU>#41LsL_v{dPzODOqbZPZh~XO%I*HTr>vYb;J3{nD|^<&)j-XyCUchR
zo>I88HQxuPNqXS65m{?(lEYX&wqlT&c(SfgHJp#~GsulvY;CTGz6Pw0^j{rq#JYQr
zCWjx29<7}8isD7GW9f-uGpCHVhHHo>uS9lEs|k`EwoO~5sZnFA*RvxRvLvZ)dAG!<
zj)phJWIYFf;DyInp4*BSl34q-aa^eq*EsK8`Tf2*8eNPGLWo7yKx}g(3zeUr-$@@D
z9dlMtC}g4Zaa4YkI;!Akeu=aLRKmFBA|k!LLl5J*-Mb1rtPloq&(M=m=F8RQpQU=#
zsRlRL895-l&qH|E?PCD;DRO`YZtD7_7lxVpkp;ap)xi51NMIP_QC(2Og
z)?`E=$3o=))kgEZODQZ~Nq04%5N(Cm(52Fi^h07fEPy9!JIXHCfmdUz%hCnOx
z)YM#-O5qc&d`zIb9e*WRuHyXsZp#Mm$wF1TGtXUmy$p<2+6PlYZ>@fBEAolT+X?eZ9fCaPCIWG%c6NLKBJ)YBU
zCMk6~t}Kfnp5Jy`ZKbRa1R7$vgp^aTdDn28cuGXp)7Fm2Y;YK?vg$Ltr;nwuF;O3~
zns3eYwKBRopsGpm*j!gvMbtV|R-aCP*;Nn9mSY`pC9bh4ZxHFy6y`LEp4|{z;vq&`IW(D~@xR}(wnz&gdpN^xJJ&cIt7vi^W
zdl_i7xjnOy|Gnmvcd75fKV7@Kvne_Wx0ORsY6L@b&c?-
za(Pstf6KeoX=+rHjUxs-b=>dR%s?w6a(60|GHa55#n>)!e$2&f$+D>0H$QYe*45yp
z$=Lge2@KFm#pGpYg=$be{Ljh0o|aZ9E8~8Um2pl2E`aIfJzp`dGzky(&McjlME;6%
z+zsjp^o|-~v3D07TfDMabDNp!IN4hu%+rE%^0?-)#>G7R`p21cw>wPU8K;A^K7UkE
zyp)^>{(O3qgS`986CR4Ox^~>YPRP+p6Z~USW*-M*qqTu8rPNQY$!)Q&LWYtSUB)C6
z)-?E0m|8!aw8P9MLWryCf4@qHO&zGc*qHYZ)$yUdl>?oiB6&V)pp1>n;j7kdQapuWvI|zUs@L
z$NMy&YsC8;cMTb9a=pojmp`I5PR?oE%W5|=>Xu8rFSBwHb6%v~B7Zd8l;D)$7oHvY
zCL3;!tN6LS!mK(Z6m=`G$5J5XR$z%CIKTOZU&1CTePR%gZ%^ZK5VZnve-Re@#HICSkmf|{Y1TkzzSEqb_H*0+<
zbHHvI9i3>dVGbBCBruD>f5y9NSoM}miXlm-W%516kUcCiqJb-5SF(xetgN{rg5(5s
zlQdvAWp$-;ee@+#wMVxMK}Y#9*jw2~_9Tsq%Z(b*sp8~7rb0Rhl;YonRAvlF=)t_$
z3_PmJjeRs2_&!Yp-O)7X!RBX3QJo8;?ubTjglL(wdlsxeJQ3p|%w1P!W@9h|>h=Gv1#o-y%9QfdHN^V9!!vc>r=by%>x6Cf9St)^HPMOUNh}r{nde?)
zXrfywbZvw=Y(caxTeH^@jeP0*sxqHzID9adheV0HX)Rg5Z3KMOuGv{-c;cnIwKunL
z#kqTlYT3AhkgMb#2)SxfAqV0jnDRw$MG;lPnFX7jgnGE#ZSwHfmvSE>C~#4rPNO&k
zajYV^*cmJ@KfAF>M5fr{8~2uc%-3InrLj!{M5Ct9EcROj9rMaKp{o3^cbW8>%{4=^f`;;l8=8n?mPxcv02k0);hO<5!Zl!!r9!`>;m2
z?&Rj~N;4g+!OELO^Zn=g9Dcb~p!8PgznG2D9^XBEZH&&{9W2IZt?o9Knr~lQc
zXpKV?*l^`>ay%B(bA^;HddIQ)*Am^@$2h(pWOkEf^KZhi#`?U?PfOmn6s-nxxr*ky
z0abHRS9{DGS7s5+Zk0Lj26Op}Yz7%)W0`sKv-|ok5Ox!{hGPlnWa|e#Ads@Q>u6q$
zkqyKY4dP|z-(w5+FFt>#gm}TZXN>$<}=%
zyCDO@1EpMPaKz`{Qm$*Uedcn_Zn5XeSeL?66EkJJ*U5wZ0MI@-+y@>tWsr<`t6AGz
z+nq{#Fx3L{16iJOTV@`xjL<6UUsag_BTVVxt>2R4A7&!KLU0|G#r{8iqwhPe$QGslIa6^D9n
zCrB|Gb@=KI+;Z{$ikkiKpo{d+*k&B~Yx;(pZjpMIW6xTOWgmuJ^u4pxFM4O~_b|d>m+zz`OzCN>q!G4x@|D$x
z#Bd3lC#{vpM?&XTm
zh?wpJNW`2#*b1|9TU|c-ctp>jRaOS^O*Y?ZyC&GZFDrf6pmMnAt7egcIXTI1HDD@^
z7)`J+7m#q@eVi)2pa48u{ylRi1(`dTS0_5xB2f4FgEfU}wQ`xy4<|52uB)|i?mBg%
zTS$y$HbFS6Vy?Diyo`0EcN*!Ro>gjdn`s7kW#u%gu`uXh{;unx4byAoS3Z-pMp+8)u{^9aPwYUIGcruuY1(~L-w2qf2Ds4HB
znn*APdTe~V0v2bLS~}>vzbLI-OSAl(n7HAZ!4Q+KK>g9M1R~W@Qaj_zfkbIq3nP#e
zQ^URkRto5-$OJmF*~Iq^iN(=`D?~IJUDvUdjT7i%R?9KTr@o))DNni-DZ4%y^i`Af
z)k}T(XERp*aV{4R-0_?nz%$|@g4qgiRV^l`qzrqXA=c9Ign81Lcg49cotd`3vbD=<
zgN?Rveqq&9Hv1t<@Z%vxXukC=eXM7JVWURc@f;in32H_-pWw4p@qXep#ULDkC*
zGBGw_iQHVP;qyT$4nGyOLkTu8VHY0&Cq@Mpm-A9}Q)UR!*F%tEi}G=s42k_h2R3
z#$C_Qbs(S>3{&XTuf^GdY~Oqz)Bnv5*}j0-b`yaqLb`(l&wmw|4ZHd@YTUeCE^C*nwh!T
zay!kzB#&1IID5t!9F_?6;F1&{*=%~@Z7zEKTaV&#;hv@7f08z>g?sEZ6i{FMBk69}
z$+84#fvoGqU#!%*+>p=eckhCSE*OAl0R}s!i75Idv>_{=YCPE=Dy7{gNnv)}_s{4+
z;Wqnv56D>R!p}^|lcd=gJ%s=hz_pl?D8*!Om)%!@EAW?`SVx5%_j8{1y5fGOkZ1-4
z?S;;r&?pJluN@6b|27uWSn=-aoc|du_8UQDerqNfHlXmWSHr*Ls{@}cUg$HSY>
zP8pcM%?t=P(qa+6-}lSE$ATo|JAD&gkmmzIp;rflNeyL40AVm~^`FV6OWi}=(hd?1
zp}W$Y$Axpp#)OMz(@m}VbZXYabna+RsKWEFJPWNqFT3k|5GGaiLbILD`x*?UTfy&A
z8}}hDH^p=28nRY%WgIJo30-V+FE8CJkp^~`XLp|&1tGJ#RjpmMY*HdTDWMXIr5hKmQEdNO*ECOqsf<0g5YjcgysZ|k`}9g
zwmMYR8wnK61d?mG5cC6F@;A|%cTM|R$Y$UNhzF=QeOfmS{mfprp?%woN`X4i&y)_#
zaYIzShm6OBA2=Zmyn2!Rm-F*}p63B(su!?bbw8WC>e`c8H53g(61X_-!xK800oQmS
zk!b(}C+)(&XL?{3SE6eJYe|&E+_hy_Gr+U+JsX?ndnlU`Go_N~0;Ps)A;NCkXa0%|
zA5^X}F}bfGdV?sIB@n{^
zbvhJ+9qPvZhr9nRp14|rS}PRJTUrq=A6WsgJs0#@Iom%rpjCrGWTz~=
z6%;4HroklfqJ_l4SAUizA2sXhkqa;~r-~%wv#~?5NdJU^!P9^OOa1o=W*h-O(^T-J
zYcc*9HHhfVFD54cTzrk6FEiuiEJ|tKGYzv(t@>i^o~#wuPGGbBGFk>&EMwPy8kj9^
zx4t(v3)r;;R^A>$s4O=S5|`_oa}Pib7r1)s!-5n|8-H>=n(V*u179gAIOA-uY+aT+
z*A@A{LSFC>=&ugLzKp|IKIgx>1SFFm`qdVb*qI#&l6M^{W%Ir#m&JHa{H#Drs=;L-
zy&ekm`ZP2|Q+p{y01gJRKv||}MGn8IKc0aJMvgTtbK-SRiA_3gm3s<(KHcnl*#ro7
zyf&eUuN8}Zd+?D59y-*mwP`zZ&0V6lxcu6C@Xhy*m6!6cO_ox`316ZDdhympC1
z%=!pWYhM{4l8Fbh=v?SLV{65ZVB0$CDfiy7LKu3TTa19x%7#lV1|3Z?$p0(E4>^DW
z$bQfHnS~La`WE7myfIo+(TrRgSlevR5kSc-R&*X*tDRWwQc!r(Gs0(PZo2GE8^yY~
z2*ted9#Y`XdqXX`-z1zKQ=>VDucYQft-u(KG=yqb>2Q!Pxm#$jsJzmDw(!oTcZ%#;
zGauWkm~2cE{b70ci1H(gGiM-|9bA4Z{v5uRYP($}lRpD%v5Pz)Z$Ok2
z2d4crw?XF?kffIYmhFL8`d>?1rW$BLpz!i5<58>W5ZZn|Be}CHL6{e?OLkFGj+2X$
z(%zd5`zi!jWDY>J_X$J&uH~L?@pal{-bWzPxN}cJ;vMcW^IUqF+@Zz-zN(Y?9
zK=l!Hp~2Wc#We|5J)QcpOCA7&a-o=uh4VF4XMpmfKSLup_2>f*7tF4>g4R4QNn
zqeb};?V#YOqrn&G`iTsiy$>w)fXTtw8kXL=G<>DYDxiy0DP;Vrsgqa4e0G48Z1|5?
zG9=(@w)+sO+C)1#RP)*NGMZ4Q(ub!8WCF_DeKG6lca33QC`kLl548SQTxK+41RFkw
z?J74_o9XWDz$ldiXa1|$a5d};1m~=neI`8gbak})knP@4>9o>>NKC;UC6*L_I~EAH5+4Ms>}4*V_r-^(PB#E_H{=*MGQIR--jGH=U8dA7Ro;@
z%f#r}@1+YXIQ5T|e09RUQuG=xeW|17w(~80xXj%$>MkKglU-u)t1_(MDD>1`WDbUA
zdDqzq$<%`Mi)0r-!rpzolLE)KcgVlY&>-%A0_;1+N(bRJ_4h
zK=fdH0qO^4{nozsC4a*Q8f!^FTKdx9zOw)e1_L(=V$H|s%>%mr_s&r+Q;~h{U-Yf}
zpI5;s|Kc28J78dxpdSXBnA&f4?c0IGB_n#fObVo~$g6^3)1D9ddpq9^A&-S_r2-gU
zVDt<=;FsneY0iK&%cZ!#4+9vCVgPB@m48P-6L66YP@Dm=`x@si?>@)kuU=!MKu)Jf
zAb5P%gYN)ZSK}t9g|MKGLw*T-vvcmR3Q7h}qI@%S>+7C0fC|?AVY3Yc%$2tXh|Kym
z|7G70iNqX3dBuQ_8b&H|evSej1h`rrG5~eI|D?Q$XYOf6&yNRfT<75$j)cG?2u3S(
ztKy(H?>967a6vVZ*Er~xVX5N(Li^G#6eUDKBjyc|(1BSWI51G}*EOLr#(`eB&%E8E
zXO^rB5bOkXcJDTOAf_IC4P0JjH{9tzY5*3YBaCWyiVq}Y3Z!H9?yhX%4&)XM)b`J-
zfV@o^M#jW_4;zN2)Ku;cLv7u={hB^U6<~*-)8hb>@q(mq0QpJ4v#Ak=1Eh3XOL59Z
z0EX<{j?X4IadXZcm=@h|LX3MhgI5gbY&#M7^bm!x48O6yL$6d{(?68M{V&~ouVgtv
z_UH)g1z`Nt7obvnF(wc8O;iad$JD_X>VuwbZtfiLlW$QDK=PstFdA?$T~5n69CW}m
z(bD2Dh}m;pd>
zj*$?xKcKdHp!AXh1P1YF@Q*Abgai3A?3`a-VFn83uvaHA2Nqs{drOQI&3$33`XC6D
zGN{^>w*=4;X;wRUD`Ub4Fg73XyhR_NJz&ZApg+%Km>3CRfC-r?H$igB0S#3B*q_%s
zI*Qd@Uz+!v<6r4_tL35w-ZR3OgkRIQ=n@XJL(b3awH0Q6xuOeOHIPI3pYonmC1p8&iCUcCG?7$y-?9oKh;F^D4{JLdsU<)Wc?RKPor
zL5mL*w)^%ue6cRh4}-f8bsR9*0=srFx{|BSfCmpD4p%mVZY}-+wrvvFEo1I3d`OQNi7mqGtcE-+?4hy}|AVX#;6
zY>Y^NhBy`Y5wCzBN2KKKcTfj!pONeCG6A!L;B`M>Bz%D!DRK@E?Gqf|v;(RAIDqYL
zC&2ZlHKBb7dx@>qVAdgN?T*;H|5)J!U#uB#j)1K^8nlNVn?dZ++cP{IO8da<
zZIPRw76J+%d@=km{9-_$!aMw9=+$@+k4zv7NWcdxD}dP}fR?r=9NbW=U&DnIs(~~d
zs;UL7yGLf&SHoUnwt}3M0JajLQvbqOP0T^BoB;y3M(O)Fgm`c&y+ivJZi7uem@BP7Ms$DoE$tn>RTaFjnQO
zoTTT2_OK~1$R8oSQi@s6-{;w58fRB=7
zA4OB4TyFnc7Iwgi_QV0U%tC0B+O^&vp_cFTiq&#JA8V`A9*TEI0}`tIZ`U1FWMJ?1
zG*c+&Ml(SSvJg(flmH(E7_E!20&!poGr?krJ?-qpbQ8`v*w$s@#*ID&>%{?-Fueji
z>V|l9_kVaKFl+*07m|hzPLe%mGICU}7PLDkms>Qjnd!pIoaEWsc
zKvNb6#&5$6d=|a)KtU5|4RCpJr`@gY11RtTSh|P{0!YBU8r
zG7ssK?Hk}Ly&ee8R=5}`tp}*8h?A6Ldz(bTVAjGKX!NF}Vb_6Inv=T?IYZ#e
zVJDu%)>2*vVKDrhE^Wz&ylS8T_VEhfIhzdNIjHg$-iL~=pKt0*X_o>v9@W4mndMTD
z43W8d^N_p%01Ycq=uWi-kU*$O{gh^G4UJE8bq`$#9mkx?Sz4GjD5&dx4EPtW)TOjr0mSHts37@jl{*=|0i{#2E&;at)_qobCW%f-5Hm1RZr6
zM1~s8q_X}tPyK5QC&UqFV1`(L%ag#bh`3WNr@F5zUaF{SB|3d!^TFawQuk6+Facnd
zbN&NB%>UmmPqQ(7xDf7!9L!C)P`XxfL0v@Eq2DinEjArL&V8O`UCOP$oGlmm-Ix=
zVYu1I4>AiI9V`n2s12C!;u^lS&#ckLc9bZ)jEgMv;}()b%aZLuQm*yx_+hUV;J;eg
z0tE!PV6boIM(g~>e4YMK@`asj+%kn`t>xKZU!${tz~Ls4@rppR#cki
zNIm(zX?(%>ur#OXWlmX5u*3F49mrSze{dwfCFT0$My2hy(QDLcN1hdjidMbH=C&6G+a;i8A&Dkd{%Gjv`@pav2w^7r|803PC@NA67MKn
z-FIbse|QI_u74lOw;Nuba8W}`bIMlC$-`P61ECQ64TRzY2Dz`|y#fRpIk7P;SRom`
z53Q63GO8PZ)sKxvreQ57!fa_RZu($P#sNJ*<>MUYQ#Xfn|KpJh7jRg`xT|%4O8H3B
z<=RY)^XCC6I@xCq%O`@M)Iv>;jS;6@xIs>WoE{hV)uVnRkRFP69Z{@oAHl5tK+Ek^h;!}=?sN8c
zx@Nx9a48*Sp^a>6n$|nf2oJ=liEnbk9;!k80U8Gc4t@K9!^O-cE)B|`5%ZDi$=pj{
zAE<#`9PGZrf11yY7Aru>%WW}jTCcm4AP4VNi$GZ|dE^qhr!)6BUVyl*m{9YTD`w6DoF(V7fv|B{ZWy0r()j
zO%UR&6x&xrEF+_nxxDOG>slsIY5(39&Uf2-ng(qc2K4+WQSFWbScwA>F=hGGO=@?w
z-rjD#6zG>1b1t)@yNapO*JEw~sZE9Q8zO@Pjstdz3epE*(X>uep2Y6=du$x%173!R
zOPSQ76v{I+*`36I0W3KUF!(b8NINYcXz&8#;KzMw(3wLyb3!`8m|sm{amwv3&^ZfK
zXs~tCpvWkA!yB_chjBs=?nS+s(ac
zH;ht(L>aiKAO;8r3nPa?BBumE=h40z;YXKAGpgave`xi6FvT1G3JEBV-D|lAoTP`r
z%m-kYxlCR6HSaHrA@^p>0L5xGU=d*}kB>RRJ_FB*iE%Xr(li!_MnXa*wr9MZ78ZH}
z9>ysuY(D^_%@0Q5s}JOsTAYOBRtm^%C&tNW3apm_&X$O*9$2GrqHf6CXZZVs=9EPG
zij~542$fLb%8<7#J%OOM8RhxQ6j+NC`Q~0)6dgB;&Jkl3hi7`=WW=@8
z!B(roA5Xp$#j{?!^zPN8nPhc3CEG)(4_+GNxqbWIRg@c)OKAu%5*S2X&?}a-pKME+
zCoh-Iav+ts0`C6yPj-#7SM`+DG8$07AC;{ssui`dvLubDXnHbv3f9e#WlQ^~)#FNi
zba21!9)D^9|*+aY*<7S(5R6{PaF
znpnZX1VQ3gBtu6pB;AIde%|ANj6lZq$N3CxKcW6~qOU4{br|l&)1H>z#j~L~2}Our
zdMKAn+?JY6N`56Gy{iD%$bl-G#qq%p!Dwrs783xmPJgrpotGo;@A~}~fEvz!ED|;P
ztqoB+(yc!yR~Qnz`xW)uW79U6`aGprQirMzTd;swm%6PU%yDnA?Dr+;t+tnVxrQB{
zVtcn|JU?35V#Vb~H13nyCyN}Fd|*}oz4AuD)Kax{x_F#<>+>HJL$4@@gsu$qd%i;O
zS?)NOCGS`@-Y2z87U4nv{={DZ+!4wwb8!yN4%_1nueC_r==uYpHC%tQHd0rL96t~_
zx`h~6tp^0yUOf+*k5v>o!=I6|ARj(N_b`Uu(pI}e1x-arL_qLuryT6^^WG4@!$~l|P9!<6(CKcpFe%6j$0~tl`&{+5fQc!DgK~BO*n0
z{yI)VEjW;8qgA!o-2gzJ7ebSve=(2q?O<`HJ?=U^csnFfhp1qas|X2*eKHyIqD5(u
z@4g4V&6~)c;FUga1K8u|65vFg%9kA-qW3G~MiKkyU3z9|
z9x>vYxS{H)DP_)bGNfF*ex7^7Hl@#jjRPk55$qk{-j$Y)R9Tb{HveP;xdzV-kdB`m
zQo_N1O?y0E>ACE8fA{ALdsvAC=n1_-dR8T0y-^YZJnYqT^E}qxv=HZD&SM$auIJghQP=B}Syc`hP1Fl#PS6oq>hJW6cyAD^E=^)Z~C
zJLFYrE>HWXs&HzmIJmqJ1vy#Q;o9PkZN`&hPm6KiYz?K%d;LTD!=8%}lG?20G)rh<
z^r3u8v@l!VZPVaz?hVSGc96fo+V`UXQ4ym%n^cUr7JJkB?tR&yag`+lsR0MPEdz{A
zUp1b__CA1D!)2V>qRu{x!)sMN5BQZy%0V?3T)48K8`ZjP6l=5fbch{x5%5g#|7-8c
zznaRj^|gIUx2V)B?V?Z=tGo~ufs{cZGQ<(RfQc5Z6f#;WhyybMGFm*PN*Uw^851bm
zfvS?BfD#Nti1Gxk7-&HSgb>gWWG;h32SW1p3Egk4_tyId-dgRi-gC}Adw=`;_TD!n
zw~l#w7RdVWHZvZQE5jS(eRNv&JkMj??_~60ux~kcD>y(Z8Ls5$Pb|V(QSOuAgeh*X
ze%tr3MAX~WYao}MwSZ;k$F2S2GIx_{ccMB}cKm=E7r0X7r|2NTG0!>^YRFLwGmdn2
zdIQaMjwyKEa#5Nm_Zy}ugTS;pSmF*#tU0jc8X%cdsN9buzioWALx=f%eDK9tmQ9Vr
z6reJOF8(-%D1P)xG=MOhyAejRUQy28d1LTW=5!y0#h
z%`xzqkC7Jtdne6^{4811GISf!t?l{F<>h@mEe`10U=c%nCeDSNiKreQM+Yqm25EV7
zJUo0qnP#GVq!o&wZ;~6iMMdNCeN|Z<=jM|gxa~xTuN^hlo-8+d7uHjU78?8P((%~>
zas34^a8%gcb%*18yiy#1*+z%J<)))G1}Q0WKQ|{upXF_365yd8@DTI^@PGE2;_B+1
zR0x@sh0-S>>Z{LFXB?*DcETD?GORhI$hQp4jepp2Ve&JG>@x5M{U{jeN!pOLceE7s
z>=#ghLV$zUsNaQipTKXM6yZ@3xzA&M?zo`0YzDr7_%YeHj>IoD2(zmfE9jz`OEzwV*!m~XxUn1*)_7lh@+RR
zmNJ7_u|~ss-XiZU2UVcIJRbh>J0M*T&uTQbGvDr7QBbABt!0SwrT|FdBs9-{^lW$>zm*(vZXwk3qPPIeiPRJSLD<`fvBD)ZL}~J?S`{Mp+swuMM
z>WNLJX**Bbf1ct*6MttRdv->h0yo4sNX(vrn6;2GOzNf<$=R&8@A3P2iA6;-73GzA
zh@{$!{(ipIqb<%A(Eo%G=E`0_-VE`3cDa~8(6@Oi?wFO1L7Jo`F5jLD
z&Owxp=|6=tdVw{jxG`q`D3j>!OK%77jP5KiEtV3JR-Dn}A5KN~P9S6MofUwV#E%@)D<&KD}(SbQL71hk<$T6>JT}x+0A!I-VFdX+Z
z%#qB^Ak9LHkGi@R3cj6))@IDFn#$;gupLX?BwgZ>#(;}SC8y)pTqQDrcP1yodJ1(R
ztyiA}&rg7GJ;jX(#a?Z+9$G_vy>qR2t(>1C`Jl6Os?h(2yz{A*aTKSpX9DC7%U%YT
zTX_W(C0%Am#MNrEdZ?83xnKBggBDk-ixp6|v2#z)<3?;oZhck9g$Q(*^Exmx$>Dy9
zIY(hbsJ(`fwzgiN8~TNx{Jq&n_;PI~J2$)zH*#j=YJv-Uyexn~=r56e?*zC$!2>N2
zTz73-bEv#pFxUKGEYGIF+3|o_$j2u+Q}>i}J0;T&K;8*C0I2@M;6x6te5)0SByprI
z5mCWB(bwH2ZiG-@SH^X*L(YK~y<%6@9R)4&F+s)jZ;+fo!cHOK$h?H8?K!xlSRSSv
zY20wmJu%r#K6jd-&5;b}lU24+X%1rBf5~fU6r5mGmK;64Y
zx+OumnLW={xvV_i0G4a$K{8
zVp(XHnE`jlM&E#ws@EolRV|n6oH3?qI%@re(2VFH16QJO@$MdVWpQPC+Nv>wzJ^m?
z*}Ytjayc-nL6yLFTp(_6{I8%#qFcVZbP_@#GiQtiX4Ie-Pb=Fef_M}1oK^C*Hi^z-
zgF55;NOvTD;K19+zA>P0(JEMUos8N1k8~c(;;Y|1^AR$ekF{MMa*{YSBCu>RVV^5|is(W#P+?zW
zItZ-%1Tm)JR=9}Ae?S$yhm>wcS@bMl^2i#HEm1rW@7__VV-QszbG$bl_;MYT|JcJY
zbdPkn#|U1)RwQfh5w?b7(%rS*ep_bgg%#~R;p^rylwXs1?X~{um*|uXNV|mCzd{(~$yH(n?-q$v`I%Zky7k&;?ff;azA8o;=F)lbaU#4+XNVV0AIsZNG
z*7I6C+xLyIa{KQWm0@$|Ta)Dx+Dli1a`_YhTOA?-w3jeUR?7^A1IA80sL6j&yn9E)
z(%^?NBe5nR`BqSqokTau_5!l9#z4-4NsR>+s#^%Gqkkes8Qv{;v&5}u{pq{0fjjvw
z2Fv;81&g?NL2J%)l@Q_b*&o3`!y8~=o-CFa(Yip{T_@i^>^)b0er0Lf)1Q+AF?#sG!-kA@?
z{32NMX`VVduY(Tr4?D!E-XJ2LQGwGZtg{~qm<4wvD}^vGI4
z&@#AS-N4N@Y9icfVujp-qj|lSAyic_uS)eRjE%lT3uv28tUCQ-GLt>1TFzDZgGxzX
zLU)iU2K;#;{Cx^C&%vWOWDB~R$o6y3D182$cdq(@)xCI03b-kYQ62IHg*S-bb~BZN
z5A5E2{`9y(z&ZAievnsRPTY^OZ3cawUB(7$v5L)-@@GCmEv
z?a?|vK3Asg_(hg$Qca+|Id$^fjgR9eURCLI52rc$m1$-nYK!kDL)
znJ7w$JJxf`%Od_-YtWL^J)y@a%WSJbQWa`9_fM(9A`Jm#&JdURgQPpx!wp?~x*>8K
zC7=F1-L$K-YH9a~L5p7cxMh8#fJqhe1ETK((_*%p(Yl;to_02r4p}QiR(gC-;oZGV
zMn-9%Ud02(v##TDUFS`ryn#FCVIArqF`gA#hq}Q`S-i8N2T@1AhY3-+-k>F~4Fom0
zsZp`_tev*8(E|zbLg^1qT~@$7smX&lag19_6Q5D1
zgGW(oh)v%F#QLIM-;OFKgf-}fQztC*PlZOqV);I0<1{_buJhL^Yg3|+4_)$I=s7k4
zk}w@8*)Ybb$qOH<@Tda=@P%u>&hhkCko~nb4ZfCufI`-_pLw*PEmRE>BIqL;P{Ich
zD2PkJTzBXjC_SyY)z0M+OXjA70=EV_Oi3O+3|rGNxlgM`|1Dra6l8?3RrLej=3h4#MbgD7$E;||JI`T~-ipM72jV$O
zs)&Wc)+2);17$^JF~R?$LY7B#?U9!1Zlc*3z-udpZiE9#|uWndP<~$tud4M(Vo$zTI-yFb-+~a-;H0x=k>Kn9}`GSCY%)4*y?_ZM^=H_OBtBZFg
zUD|sxFbEx$`D&1@U>!2*o~v{0C}GZLHc0fI{i^-0ob3lw=l3GAWw
zlNr*ohriW&{dV@+Rzv1&Rmbw-15Q(A0+fg!A(a-|d;JqO
zV7!q!CgfG$W{VR8&CfUbmxO5q?Pf{MesC`97;-%L42z!bI}qcZ^;u=KCrevM;5__VMB{yF0Kp%MV~=kl6K03t-q}uct?{kl3s#spvutV
zPW`ORi0jA10*F{CM^Q?u^xlha>Yw{xB8zcgFoE%0fUPs2CLTo-v82b8t$O5R>DGmq
z%RWmrjEyCw90gQk3}2qC61OrI{BsVsFoNnQz;j9M%ZH`Mz=UkwyeQQV3JVK!vx2S1
zpR76#VH?2%ofIuZ$rc_%jHYq`n;#Hoh&n*Fu>AJExp%B|nI6}0GY{&0A0rezUFgqExwTA6!-W=_
ziHRPq#RZHsqo?&kh`;By}vUV^PmJVDlkOw3R#F0U>FGWs(Sw~Yc=Ty>U)
zvfK$Z4s%BIBCA*%*9-)0oqN#MIV&ph`o91!EQdlO3yx;U#=OX6C^WENgWl9
zc$;a4;v?=v*z;t2k=7mt1*1QKq!e9-Dyag}PV*Zm*t3M2yt!D#8~~%qxS{`B*aY6)
zblx?1;mwt?oD}PHJ~T)QWGA5_0XduRUo;OtZ!0o{4hhS02B$hHGV%JGve)I?vBNLu
zlpP^_|5I9$l*T%`ZMpda$dxo)Ie{M~U1@?Zs6FJ+SghB(e
z?^=0EWtbl{*!BA~PzL^EdtlF!gQ4&P$9&lph*|#zN!EcCm(pfu`v8R}D0;SWbf<_$
zu?u^qL*a7PbO_UrFj$8|qSQngK?th=x3-?NsjgtvKw1sTU&pI}2}~c!u``Sd>a3|!
zT2v?qvUOGpZw^=TfgvR133x`NMptx!Zc~@&%avV#0>e7&BFq|_^1qCa+{ywDv)$YU
zgoAnf0l{MnVDQ8&3x4pO_{zIo}pD}m{-gE*8(WtF@D|Mf%I!hLq
z^A?LbIyoU*DM^&-!Kfa{Qkrfha#9ki&$D&mS$m3OtQ6x`t6LZKzu)P77cehSkSW!U6|>d7K#{y>48Wm*Fb
zH=)OVg2!@kR<6vO7Ik{SFyT`NLWmwk1QEFUJjfWf38r)KrlPp|_(8>6B5pgC0tQZZ
z_^xNAvQ)uRkiuVm*1~h57ckAhaHu;%xvDHeU4=`JSnKr17`CmdKM?oy=qNmc=_64L
z%7pj7?xfXSW{&#tVXxvDU-%2;qKXeB-V
znBqSt(^Am;~?S(2MmAYbueeF;{tOp$5b5rGqR6!9m3ZCC3vMAhm$|z8f$8_<+DX|
zV}Hr_F-*IR0_HP;4xK&%ksuT!csz|_9aKCk-!F2p&S^@0Gb1mfHCHX1dKisr`Y{0P
zRh-3>8No}0$IPJ5`OT~9cgGcIcS|^c)WYLS?a==|sdDvS8Xj2K@TA8%ghQ4ZGc%j?
zWIcBuBjd8|&>f%&`dEtx9t1ibDc??K2ye(TVaBF7y;%F_NOSPE3!^X5@;+$HD50*w
zr7o3!yw^x0RZTcFPbGkLw$Oh$mia1RIDQUJ`MbdF*m_cB>9(|tUnp-AN2q+HlzS*
zbbTCP^I6==B+4as_x%3-iTyuIGUYp`Ik+Gi>RDIR8DQA@24pmCx+GTPnkTlidq@_c7$St^
zojOQsmmPmX8=E5=`fmUzt8nFI%fwl4C&e|qZOfV`Mb>=TE8K{qP~uYOc2AGv`Kyaz
z{szB+fby(=;K+P5xAqHahNd(n^4DtWBfm-Es@zCD^lCA}geibC+lj
zOL4RMvE|~qJ)|Els6G6~mYE}SA?&k!H`LQ8n9>uMmWH779wK_zzM2~(Qt_xbQr~vu
z?LhiGGrB;3T3zi2Z|e_^-3{JJc@n9{0t+h9pMAZ+v7HD#8^fU3qy%ZkEjHRI+a2xX
z>j?07X58`4lI8ec{dlFWwDeGjxNqp(j5_yR2QRWdVDjy39V>;<~mp^`+>^(eb)8eqCE#UE6#etCLfncgoJM@%Lh$LBoMLg^?B&=(K
Date: Sun, 2 Apr 2023 01:18:02 +0530
Subject: [PATCH 078/272] Added v1.27 Release blog article

---
 content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
index da60ef0330d..f1de059db9b 100644
--- a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
+++ b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
@@ -3,8 +3,9 @@ layout: blog
 title: "Kubernetes v1.27: Chill Vibes"
 date: 2023-04-11
 slug: kubernetes-v1-27-release
+---
 
-**Authors**: [Kubernetes 1.26 Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.27/release-team.md)
+**Authors**: [Kubernetes v1.27 Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.27/release-team.md)
 
 Announcing the release of Kubernetes v1.27, the first release of 2023!
 

From fc071f236b2f4c29a7bf554d1d34975581c697a6 Mon Sep 17 00:00:00 2001
From: harshitasao 
Date: Sun, 2 Apr 2023 01:21:46 +0530
Subject: [PATCH 079/272] made some corrections

---
 content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
index f1de059db9b..5a8874f9dea 100644
--- a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
+++ b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
@@ -28,7 +28,7 @@ Special thinks to [Britnee Laverack](https://www.instagram.com/artsyfie/) for cr
 
 # What's New (Major Themes)
 
-### Freeze `k8s.gcr.io` image registry
+## Freeze `k8s.gcr.io` image registry
 
 Replacing the old image registry, [k8s.gcr.io](https://cloud.google.com/container-registry/) with [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io) which has been generally available for several months. The Kubernetes project created and runs the `registry.k8s.io` image registry, which is fully controlled by the community.
 This mean that all subsequent image releases would not be available on the old registry. Freezing  the `k8s.gcr.io` image registry by not pushing any new digests or tags after this release.
@@ -155,13 +155,10 @@ This release saw several removals:
 * [Removal of `IdentifyPodOS` feature gate](https://github.com/kubernetes/kubernetes/pull/111229)
 * [Removal of `DaemonSetUpdateSurge` feature gate](https://github.com/kubernetes/kubernetes/pull/111194)
 
-
-
 ## Release notes
 
 The complete details of the Kubernetes v1.27 release are available in our [release notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md).
 
-
 ## Availability
 
 Kubernetes v1.27 is available for download on [GitHub](https://github.com/kubernetes/kubernetes/releases/tag/v1.27.0). To get started with Kubernetes, you can run local Kubernetes clusters using [minikube](https://minikube.sigs.k8s.io/docs/), [kind](https://kind.sigs.k8s.io/), etc. You can also easily install v1.27 using [kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/).

From 1378908574282f8d5ba8812165864ef725c6cd54 Mon Sep 17 00:00:00 2001
From: Alex Wang 
Date: Wed, 15 Mar 2023 10:51:59 +0800
Subject: [PATCH 080/272] =?UTF-8?q?doc:=20forbid=20to=20set=20matchLabelKe?=
 =?UTF-8?q?ys=20when=20labelSelector=20isn=E2=80=99t=20set=20in=20topology?=
 =?UTF-8?q?SpreadConstraints?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Alex Wang 
---
 .../topology-spread-constraints.md            | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md b/content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md
index 6e47447100c..a7691706462 100644
--- a/content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md
+++ b/content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md
@@ -129,17 +129,30 @@ your cluster. Those fields are:
   for more details.
 
 - **matchLabelKeys** is a list of pod label keys to select the pods over which
-  spreading will be calculated. The keys are used to lookup values from the pod labels, those key-value labels are ANDed with `labelSelector` to select the group of existing pods over which spreading will be calculated for the incoming pod. Keys that don't exist in the pod labels will be ignored. A null or empty list means only match against the `labelSelector`.
+  spreading will be calculated. The keys are used to lookup values from the pod labels,
+  those key-value labels are ANDed with `labelSelector` to select the group of existing
+  pods over which spreading will be calculated for the incoming pod. The same key is
+  forbidden to exist in both `matchLabelKeys` and `labelSelector`. `matchLabelKeys` cannot
+  be set when `labelSelector` isn't set. Keys that don't exist in the pod labels will be
+  ignored. A null or empty list means only match against the `labelSelector`.
 
-  With `matchLabelKeys`, users don't need to update the `pod.spec` between different revisions. The controller/operator just needs to set different values to the same `label` key for different revisions. The scheduler will assume the values automatically based on `matchLabelKeys`. For example, if users use Deployment, they can use the label keyed with `pod-template-hash`, which is added automatically by the Deployment controller, to distinguish between different revisions in a single Deployment.
+  With `matchLabelKeys`, you don't need to update the `pod.spec` between different revisions.
+  The controller/operator just needs to set different values to the same label key for different
+  revisions. The scheduler will assume the values automatically based on `matchLabelKeys`. For
+  example, if you are configuring a Deployment, you can use the label keyed with
+  [pod-template-hash](/docs/concepts/workloads/controllers/deployment/#pod-template-hash-label), which
+  is added automatically by the Deployment controller, to distinguish between different revisions
+  in a single Deployment.
 
   ```yaml
       topologySpreadConstraints:
           - maxSkew: 1
             topologyKey: kubernetes.io/hostname
             whenUnsatisfiable: DoNotSchedule
+            labelSelector:
+              matchLabels:
+                app: foo
             matchLabelKeys:
-              - app
               - pod-template-hash
   ```
 

From 7b39e9a9ec5bbb6aa89fb50c25aec3f394366393 Mon Sep 17 00:00:00 2001
From: Philippe Martin 
Date: Mon, 3 Apr 2023 08:22:54 +0200
Subject: [PATCH 081/272] API Ref multi-pages v1.27

---
 api-ref-assets/api/swagger.json               | 7514 ++++++++++++-----
 api-ref-assets/config/fields.yaml             |    5 +
 api-ref-assets/config/toc.yaml                |   19 +-
 .../certificate-signing-request-v1.md         |   10 +
 .../cluster-trust-bundle-v1alpha1.md          |  506 ++
 .../self-subject-review-v1beta1.md            |  142 +
 .../service-account-v1.md                     |   15 +
 .../cluster-role-binding-v1.md                |   10 +
 .../cluster-role-v1.md                        |   10 +
 .../role-binding-v1.md                        |   15 +
 .../authorization-resources/role-v1.md        |   15 +
 .../self-subject-review-v1alpha1.md           |    2 +-
 .../cluster-resources/api-service-v1.md       |   10 +
 .../cluster-cidr-v1alpha1.md                  |   22 +-
 .../cluster-resources/component-status-v1.md  |    5 +
 .../cluster-resources/event-v1.md             |   15 +
 .../cluster-resources/flow-schema-v1beta3.md  |   10 +
 .../cluster-resources/lease-v1.md             |   21 +-
 .../cluster-resources/namespace-v1.md         |    7 +-
 .../cluster-resources/node-v1.md              |   16 +-
 .../priority-level-configuration-v1beta3.md   |   10 +
 .../cluster-resources/runtime-class-v1.md     |   24 +-
 .../node-selector-requirement.md              |    4 +-
 .../common-definitions/object-meta.md         |   14 +-
 .../common-definitions/status.md              |    2 +-
 .../common-parameters/common-parameters.md    |   24 +-
 .../config-map-v1.md                          |   15 +
 .../csi-driver-v1.md                          |   40 +-
 .../csi-node-v1.md                            |   16 +-
 .../csi-storage-capacity-v1.md                |   27 +-
 .../persistent-volume-claim-v1.md             |   25 +-
 .../persistent-volume-v1.md                   |   41 +-
 .../config-and-storage-resources/secret-v1.md |   15 +
 .../storage-class-v1.md                       |   26 +-
 .../volume-attachment-v1.md                   |   40 +-
 .../config-and-storage-resources/volume.md    |   21 +-
 .../custom-resource-definition-v1.md          |   18 +-
 .../mutating-webhook-configuration-v1.md      |   48 +
 .../validating-admission-policy-v1alpha1.md   |  376 +-
 .../validating-webhook-configuration-v1.md    |   48 +
 .../policy-resources/ip-address-v1alpha1.md   |  509 ++
 .../policy-resources/limit-range-v1.md        |   15 +
 .../policy-resources/network-policy-v1.md     |   81 +-
 .../pod-disruption-budget-v1.md               |   17 +-
 .../policy-resources/resource-quota-v1.md     |   19 +-
 .../service-resources/endpoint-slice-v1.md    |   36 +-
 .../service-resources/endpoints-v1.md         |   30 +-
 .../service-resources/ingress-class-v1.md     |   28 +-
 .../service-resources/ingress-v1.md           |   77 +-
 .../service-resources/service-v1.md           |   25 +-
 .../controller-revision-v1.md                 |   15 +
 .../workload-resources/cron-job-v1.md         |   21 +-
 .../workload-resources/daemon-set-v1.md       |   19 +-
 .../workload-resources/deployment-v1.md       |   19 +-
 .../horizontal-pod-autoscaler-v1.md           |   41 +-
 .../horizontal-pod-autoscaler-v2.md           |   55 +-
 .../workload-resources/job-v1.md              |   43 +-
 ....md => pod-scheduling-context-v1alpha2.md} |  159 +-
 .../workload-resources/pod-template-v1.md     |   15 +
 .../workload-resources/pod-v1.md              |  667 +-
 .../workload-resources/priority-class-v1.md   |   14 +-
 .../workload-resources/replica-set-v1.md      |   15 +
 .../replication-controller-v1.md              |   17 +-
 ...md => resource-claim-template-v1alpha2.md} |   79 +-
 ...v1alpha1.md => resource-claim-v1alpha2.md} |  126 +-
 ...v1alpha1.md => resource-class-v1alpha2.md} |   66 +-
 .../workload-resources/stateful-set-v1.md     |   23 +-
 67 files changed, 8340 insertions(+), 3094 deletions(-)
 create mode 100644 content/en/docs/reference/kubernetes-api/authentication-resources/cluster-trust-bundle-v1alpha1.md
 create mode 100644 content/en/docs/reference/kubernetes-api/authentication-resources/self-subject-review-v1beta1.md
 create mode 100644 content/en/docs/reference/kubernetes-api/policy-resources/ip-address-v1alpha1.md
 rename content/en/docs/reference/kubernetes-api/workload-resources/{pod-scheduling-v1alpha1.md => pod-scheduling-context-v1alpha2.md} (69%)
 rename content/en/docs/reference/kubernetes-api/workload-resources/{resource-claim-template-v1alpha1.md => resource-claim-template-v1alpha2.md} (84%)
 rename content/en/docs/reference/kubernetes-api/workload-resources/{resource-claim-v1alpha1.md => resource-claim-v1alpha2.md} (80%)
 rename content/en/docs/reference/kubernetes-api/workload-resources/{resource-class-v1alpha1.md => resource-class-v1alpha2.md} (87%)

diff --git a/api-ref-assets/api/swagger.json b/api-ref-assets/api/swagger.json
index 410add77696..12903fd69f2 100644
--- a/api-ref-assets/api/swagger.json
+++ b/api-ref-assets/api/swagger.json
@@ -1,5 +1,23 @@
 {
   "definitions": {
+    "io.k8s.api.admissionregistration.v1.MatchCondition": {
+      "description": "MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.",
+      "properties": {
+        "expression": {
+          "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.",
+          "type": "string"
+        },
+        "name": {
+          "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "name",
+        "expression"
+      ],
+      "type": "object"
+    },
     "io.k8s.api.admissionregistration.v1.MutatingWebhook": {
       "description": "MutatingWebhook describes an admission webhook and the resources and operations it applies to.",
       "properties": {
@@ -18,6 +36,19 @@
           "description": "FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.",
           "type": "string"
         },
+        "matchConditions": {
+          "description": "MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the webhook is called.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the error is ignored and the webhook is skipped\n\nThis is an alpha feature and managed by the AdmissionWebhookMatchConditions feature gate.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.admissionregistration.v1.MatchCondition"
+          },
+          "type": "array",
+          "x-kubernetes-list-map-keys": [
+            "name"
+          ],
+          "x-kubernetes-list-type": "map",
+          "x-kubernetes-patch-merge-key": "name",
+          "x-kubernetes-patch-strategy": "merge"
+        },
         "matchPolicy": {
           "description": "matchPolicy defines how the \"rules\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.\n\nDefaults to \"Equivalent\"",
           "type": "string"
@@ -219,6 +250,19 @@
           "description": "FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.",
           "type": "string"
         },
+        "matchConditions": {
+          "description": "MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the webhook is called.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the error is ignored and the webhook is skipped\n\nThis is an alpha feature and managed by the AdmissionWebhookMatchConditions feature gate.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.admissionregistration.v1.MatchCondition"
+          },
+          "type": "array",
+          "x-kubernetes-list-map-keys": [
+            "name"
+          ],
+          "x-kubernetes-list-type": "map",
+          "x-kubernetes-patch-merge-key": "name",
+          "x-kubernetes-patch-strategy": "merge"
+        },
         "matchPolicy": {
           "description": "matchPolicy defines how the \"rules\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.\n\nDefaults to \"Equivalent\"",
           "type": "string"
@@ -348,6 +392,59 @@
       },
       "type": "object"
     },
+    "io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation": {
+      "description": "AuditAnnotation describes how to produce an audit annotation for an API request.",
+      "properties": {
+        "key": {
+          "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.",
+          "type": "string"
+        },
+        "valueExpression": {
+          "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "key",
+        "valueExpression"
+      ],
+      "type": "object"
+    },
+    "io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning": {
+      "description": "ExpressionWarning is a warning information that targets a specific expression.",
+      "properties": {
+        "fieldRef": {
+          "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"",
+          "type": "string"
+        },
+        "warning": {
+          "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "fieldRef",
+        "warning"
+      ],
+      "type": "object"
+    },
+    "io.k8s.api.admissionregistration.v1alpha1.MatchCondition": {
+      "properties": {
+        "expression": {
+          "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.",
+          "type": "string"
+        },
+        "name": {
+          "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "name",
+        "expression"
+      ],
+      "type": "object"
+    },
     "io.k8s.api.admissionregistration.v1alpha1.MatchResources": {
       "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)",
       "properties": {
@@ -464,6 +561,20 @@
       "type": "object",
       "x-kubernetes-map-type": "atomic"
     },
+    "io.k8s.api.admissionregistration.v1alpha1.TypeChecking": {
+      "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy",
+      "properties": {
+        "expressionWarnings": {
+          "description": "The type checking warnings for each expression.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
+        }
+      },
+      "type": "object"
+    },
     "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy": {
       "description": "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.",
       "properties": {
@@ -482,6 +593,10 @@
         "spec": {
           "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec",
           "description": "Specification of the desired behavior of the ValidatingAdmissionPolicy."
+        },
+        "status": {
+          "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus",
+          "description": "The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only."
         }
       },
       "type": "object",
@@ -568,6 +683,14 @@
         "policyName": {
           "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.",
           "type": "string"
+        },
+        "validationActions": {
+          "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.",
+          "items": {
+            "type": "string"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "set"
         }
       },
       "type": "object"
@@ -607,10 +730,31 @@
     "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec": {
       "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.",
       "properties": {
+        "auditAnnotations": {
+          "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
+        },
         "failurePolicy": {
-          "description": "FailurePolicy defines how to handle failures for the admission policy. Failures can occur from invalid or mis-configured policy definitions or bindings. A policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource. Allowed values are Ignore or Fail. Defaults to Fail.",
+          "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.",
           "type": "string"
         },
+        "matchConditions": {
+          "description": "MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n  3. If any matchCondition evaluates to an error (but none are FALSE):\n     - If failurePolicy=Fail, reject the request\n     - If failurePolicy=Ignore, the policy is skipped",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition"
+          },
+          "type": "array",
+          "x-kubernetes-list-map-keys": [
+            "name"
+          ],
+          "x-kubernetes-list-type": "map",
+          "x-kubernetes-patch-merge-key": "name",
+          "x-kubernetes-patch-strategy": "merge"
+        },
         "matchConstraints": {
           "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources",
           "description": "MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required."
@@ -620,7 +764,7 @@
           "description": "ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null."
         },
         "validations": {
-          "description": "Validations contain CEL expressions which is used to apply the validation. A minimum of one validation is required for a policy definition. Required.",
+          "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Validation"
           },
@@ -628,22 +772,49 @@
           "x-kubernetes-list-type": "atomic"
         }
       },
-      "required": [
-        "validations"
-      ],
+      "type": "object"
+    },
+    "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus": {
+      "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.",
+      "properties": {
+        "conditions": {
+          "description": "The conditions represent the latest available observations of a policy's current state.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
+          },
+          "type": "array",
+          "x-kubernetes-list-map-keys": [
+            "type"
+          ],
+          "x-kubernetes-list-type": "map"
+        },
+        "observedGeneration": {
+          "description": "The generation observed by the controller.",
+          "format": "int64",
+          "type": "integer"
+        },
+        "typeChecking": {
+          "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.TypeChecking",
+          "description": "The results of type checking for each expression. Presence of this field indicates the completion of the type checking."
+        }
+      },
       "type": "object"
     },
     "io.k8s.api.admissionregistration.v1alpha1.Validation": {
       "description": "Validation specifies the CEL expression which is used to apply the validation.",
       "properties": {
         "expression": {
-          "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the Admission request/response, organized into CEL variables as well as some other useful variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.",
+          "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.",
           "type": "string"
         },
         "message": {
           "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".",
           "type": "string"
         },
+        "messageExpression": {
+          "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"",
+          "type": "string"
+        },
         "reason": {
           "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.",
           "type": "string"
@@ -1009,7 +1180,7 @@
         },
         "template": {
           "$ref": "#/definitions/io.k8s.api.core.v1.PodTemplateSpec",
-          "description": "An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template"
+          "description": "An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). The only allowed template.spec.restartPolicy value is \"Always\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template"
         },
         "updateStrategy": {
           "$ref": "#/definitions/io.k8s.api.apps.v1.DaemonSetUpdateStrategy",
@@ -1096,7 +1267,7 @@
           "description": "Rolling update config params. Present only if type = \"RollingUpdate\"."
         },
         "type": {
-          "description": "Type of daemon set update. Can be \"RollingUpdate\" or \"OnDelete\". Default is RollingUpdate.\n\n",
+          "description": "Type of daemon set update. Can be \"RollingUpdate\" or \"OnDelete\". Default is RollingUpdate.",
           "type": "string"
         }
       },
@@ -1242,7 +1413,7 @@
         },
         "template": {
           "$ref": "#/definitions/io.k8s.api.core.v1.PodTemplateSpec",
-          "description": "Template describes the pods that will be created."
+          "description": "Template describes the pods that will be created. The only allowed template.spec.restartPolicy value is \"Always\"."
         }
       },
       "required": [
@@ -1309,7 +1480,7 @@
           "description": "Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate."
         },
         "type": {
-          "description": "Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate.\n\n",
+          "description": "Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate.",
           "type": "string"
         }
       },
@@ -1659,14 +1830,14 @@
         },
         "ordinals": {
           "$ref": "#/definitions/io.k8s.api.apps.v1.StatefulSetOrdinals",
-          "description": "ordinals controls the numbering of replica indices in a StatefulSet. The default ordinals behavior assigns a \"0\" index to the first replica and increments the index by one for each additional replica requested. Using the ordinals field requires the StatefulSetStartOrdinal feature gate to be enabled, which is alpha."
+          "description": "ordinals controls the numbering of replica indices in a StatefulSet. The default ordinals behavior assigns a \"0\" index to the first replica and increments the index by one for each additional replica requested. Using the ordinals field requires the StatefulSetStartOrdinal feature gate to be enabled, which is beta."
         },
         "persistentVolumeClaimRetentionPolicy": {
           "$ref": "#/definitions/io.k8s.api.apps.v1.StatefulSetPersistentVolumeClaimRetentionPolicy",
           "description": "persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent volume claims created from volumeClaimTemplates. By default, all persistent volume claims are created as needed and retained until manually deleted. This policy allows the lifecycle to be altered, for example by deleting persistent volume claims when their stateful set is deleted, or when their pod is scaled down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled, which is alpha.  +optional"
         },
         "podManagementPolicy": {
-          "description": "podManagementPolicy controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default policy is `OrderedReady`, where pods are created in increasing order (pod-0, then pod-1, etc) and the controller will wait until each pod is ready before continuing. When scaling down, the pods are removed in the opposite order. The alternative policy is `Parallel` which will create pods in parallel to match the desired scale without waiting, and on scale down will delete all pods at once.\n\n",
+          "description": "podManagementPolicy controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default policy is `OrderedReady`, where pods are created in increasing order (pod-0, then pod-1, etc) and the controller will wait until each pod is ready before continuing. When scaling down, the pods are removed in the opposite order. The alternative policy is `Parallel` which will create pods in parallel to match the desired scale without waiting, and on scale down will delete all pods at once.",
           "type": "string"
         },
         "replicas": {
@@ -1689,7 +1860,7 @@
         },
         "template": {
           "$ref": "#/definitions/io.k8s.api.core.v1.PodTemplateSpec",
-          "description": "template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet. Each pod will be named with the format -. For example, a pod in a StatefulSet named \"web\" with index number \"3\" would be named \"web-3\"."
+          "description": "template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet. Each pod will be named with the format -. For example, a pod in a StatefulSet named \"web\" with index number \"3\" would be named \"web-3\". The only allowed template.spec.restartPolicy value is \"Always\"."
         },
         "updateStrategy": {
           "$ref": "#/definitions/io.k8s.api.apps.v1.StatefulSetUpdateStrategy",
@@ -1779,7 +1950,7 @@
           "description": "RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType."
         },
         "type": {
-          "description": "Type indicates the type of the StatefulSetUpdateStrategy. Default is RollingUpdate.\n\n",
+          "description": "Type indicates the type of the StatefulSetUpdateStrategy. Default is RollingUpdate.",
           "type": "string"
         }
       },
@@ -1996,7 +2167,7 @@
       "type": "object"
     },
     "io.k8s.api.authentication.v1alpha1.SelfSubjectReview": {
-      "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated.",
+      "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.",
       "properties": {
         "apiVersion": {
           "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
@@ -2034,6 +2205,45 @@
       },
       "type": "object"
     },
+    "io.k8s.api.authentication.v1beta1.SelfSubjectReview": {
+      "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
+          "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
+        },
+        "status": {
+          "$ref": "#/definitions/io.k8s.api.authentication.v1beta1.SelfSubjectReviewStatus",
+          "description": "Status is filled in by the server with the user attributes."
+        }
+      },
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "authentication.k8s.io",
+          "kind": "SelfSubjectReview",
+          "version": "v1beta1"
+        }
+      ]
+    },
+    "io.k8s.api.authentication.v1beta1.SelfSubjectReviewStatus": {
+      "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.",
+      "properties": {
+        "userInfo": {
+          "$ref": "#/definitions/io.k8s.api.authentication.v1.UserInfo",
+          "description": "User attributes of the user making this request."
+        }
+      },
+      "type": "object"
+    },
     "io.k8s.api.authorization.v1.LocalSubjectAccessReview": {
       "description": "LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.",
       "properties": {
@@ -2411,15 +2621,15 @@
       "description": "CrossVersionObjectReference contains enough information to let you identify the referred resource.",
       "properties": {
         "apiVersion": {
-          "description": "API version of the referent",
+          "description": "apiVersion is the API version of the referent",
           "type": "string"
         },
         "kind": {
-          "description": "Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "description": "kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
           "type": "string"
         },
         "name": {
-          "description": "Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names",
+          "description": "name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
           "type": "string"
         }
       },
@@ -2447,11 +2657,11 @@
         },
         "spec": {
           "$ref": "#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerSpec",
-          "description": "behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status."
+          "description": "spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status."
         },
         "status": {
           "$ref": "#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerStatus",
-          "description": "current information about the autoscaler."
+          "description": "status is the current information about the autoscaler."
         }
       },
       "type": "object",
@@ -2471,7 +2681,7 @@
           "type": "string"
         },
         "items": {
-          "description": "list of horizontal pod autoscaler objects.",
+          "description": "items is the list of horizontal pod autoscaler objects.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"
           },
@@ -2502,7 +2712,7 @@
       "description": "specification of a horizontal pod autoscaler.",
       "properties": {
         "maxReplicas": {
-          "description": "upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.",
+          "description": "maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.",
           "format": "int32",
           "type": "integer"
         },
@@ -2516,7 +2726,7 @@
           "description": "reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption and will set the desired number of pods by using its Scale subresource."
         },
         "targetCPUUtilizationPercentage": {
-          "description": "target average CPU utilization (represented as a percentage of requested CPU) over all the pods; if not specified the default autoscaling policy will be used.",
+          "description": "targetCPUUtilizationPercentage is the target average CPU utilization (represented as a percentage of requested CPU) over all the pods; if not specified the default autoscaling policy will be used.",
           "format": "int32",
           "type": "integer"
         }
@@ -2531,26 +2741,26 @@
       "description": "current status of a horizontal pod autoscaler",
       "properties": {
         "currentCPUUtilizationPercentage": {
-          "description": "current average CPU utilization over all pods, represented as a percentage of requested CPU, e.g. 70 means that an average pod is using now 70% of its requested CPU.",
+          "description": "currentCPUUtilizationPercentage is the current average CPU utilization over all pods, represented as a percentage of requested CPU, e.g. 70 means that an average pod is using now 70% of its requested CPU.",
           "format": "int32",
           "type": "integer"
         },
         "currentReplicas": {
-          "description": "current number of replicas of pods managed by this autoscaler.",
+          "description": "currentReplicas is the current number of replicas of pods managed by this autoscaler.",
           "format": "int32",
           "type": "integer"
         },
         "desiredReplicas": {
-          "description": "desired number of replicas of pods managed by this autoscaler.",
+          "description": "desiredReplicas is the  desired number of replicas of pods managed by this autoscaler.",
           "format": "int32",
           "type": "integer"
         },
         "lastScaleTime": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time",
-          "description": "last time the HorizontalPodAutoscaler scaled the number of pods; used by the autoscaler to control how often the number of pods is changed."
+          "description": "lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods; used by the autoscaler to control how often the number of pods is changed."
         },
         "observedGeneration": {
-          "description": "most recent generation observed by this autoscaler.",
+          "description": "observedGeneration is the most recent generation observed by this autoscaler.",
           "format": "int64",
           "type": "integer"
         }
@@ -2578,11 +2788,11 @@
         },
         "spec": {
           "$ref": "#/definitions/io.k8s.api.autoscaling.v1.ScaleSpec",
-          "description": "defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status."
+          "description": "spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status."
         },
         "status": {
           "$ref": "#/definitions/io.k8s.api.autoscaling.v1.ScaleStatus",
-          "description": "current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only."
+          "description": "status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only."
         }
       },
       "type": "object",
@@ -2598,7 +2808,7 @@
       "description": "ScaleSpec describes the attributes of a scale subresource.",
       "properties": {
         "replicas": {
-          "description": "desired number of instances for the scaled object.",
+          "description": "replicas is the desired number of instances for the scaled object.",
           "format": "int32",
           "type": "integer"
         }
@@ -2609,12 +2819,12 @@
       "description": "ScaleStatus represents the current status of a scale subresource.",
       "properties": {
         "replicas": {
-          "description": "actual number of observed instances of the scaled object.",
+          "description": "replicas is the actual number of observed instances of the scaled object.",
           "format": "int32",
           "type": "integer"
         },
         "selector": {
-          "description": "label query over pods that should match the replicas count. This is same as the label selector but in the string format to avoid introspection by clients. The string will be in the same format as the query-param syntax. More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors",
+          "description": "selector is the label query over pods that should match the replicas count. This is same as the label selector but in the string format to avoid introspection by clients. The string will be in the same format as the query-param syntax. More info about label selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/",
           "type": "string"
         }
       },
@@ -2650,7 +2860,7 @@
       "description": "ContainerResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing a single container in each pod in the current scale target (e.g. CPU or memory).  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
       "properties": {
         "container": {
-          "description": "Container is the name of the container in the pods of the scaling target",
+          "description": "container is the name of the container in the pods of the scaling target",
           "type": "string"
         },
         "current": {
@@ -2658,7 +2868,7 @@
           "description": "current contains the current value for the given metric"
         },
         "name": {
-          "description": "Name is the name of the resource in question.",
+          "description": "name is the name of the resource in question.",
           "type": "string"
         }
       },
@@ -2673,15 +2883,15 @@
       "description": "CrossVersionObjectReference contains enough information to let you identify the referred resource.",
       "properties": {
         "apiVersion": {
-          "description": "API version of the referent",
+          "description": "apiVersion is the API version of the referent",
           "type": "string"
         },
         "kind": {
-          "description": "Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "description": "kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
           "type": "string"
         },
         "name": {
-          "description": "Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names",
+          "description": "name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
           "type": "string"
         }
       },
@@ -2731,16 +2941,16 @@
       "description": "HPAScalingPolicy is a single policy which must hold true for a specified past interval.",
       "properties": {
         "periodSeconds": {
-          "description": "PeriodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).",
+          "description": "periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).",
           "format": "int32",
           "type": "integer"
         },
         "type": {
-          "description": "Type is used to specify the scaling policy.",
+          "description": "type is used to specify the scaling policy.",
           "type": "string"
         },
         "value": {
-          "description": "Value contains the amount of change which is permitted by the policy. It must be greater than zero",
+          "description": "value contains the amount of change which is permitted by the policy. It must be greater than zero",
           "format": "int32",
           "type": "integer"
         }
@@ -2768,7 +2978,7 @@
           "type": "string"
         },
         "stabilizationWindowSeconds": {
-          "description": "StabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).",
+          "description": "stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).",
           "format": "int32",
           "type": "integer"
         }
@@ -3208,7 +3418,7 @@
           "description": "current contains the current value for the given metric"
         },
         "name": {
-          "description": "Name is the name of the resource in question.",
+          "description": "name is the name of the resource in question.",
           "type": "string"
         }
       },
@@ -3290,7 +3500,7 @@
       "description": "CronJobSpec describes how the job execution will look like and when it will actually run.",
       "properties": {
         "concurrencyPolicy": {
-          "description": "Specifies how to treat concurrent executions of a Job. Valid values are: - \"Allow\" (default): allows CronJobs to run concurrently; - \"Forbid\": forbids concurrent runs, skipping next run if previous run hasn't finished yet; - \"Replace\": cancels currently running job and replaces it with a new one\n\n",
+          "description": "Specifies how to treat concurrent executions of a Job. Valid values are:\n\n- \"Allow\" (default): allows CronJobs to run concurrently; - \"Forbid\": forbids concurrent runs, skipping next run if previous run hasn't finished yet; - \"Replace\": cancels currently running job and replaces it with a new one",
           "type": "string"
         },
         "failedJobsHistoryLimit": {
@@ -3321,7 +3531,7 @@
           "type": "boolean"
         },
         "timeZone": {
-          "description": "The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this will default to the time zone of the kube-controller-manager process. The set of valid time zone names and the time zone offset is loaded from the system-wide time zone database by the API server during CronJob validation and the controller manager during execution. If no system-wide time zone database can be found a bundled version of the database is used instead. If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host configuration, the controller will stop creating new new Jobs and will create a system event with the reason UnknownTimeZone. More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones This is beta field and must be enabled via the `CronJobTimeZone` feature gate.",
+          "description": "The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this will default to the time zone of the kube-controller-manager process. The set of valid time zone names and the time zone offset is loaded from the system-wide time zone database by the API server during CronJob validation and the controller manager during execution. If no system-wide time zone database can be found a bundled version of the database is used instead. If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host configuration, the controller will stop creating new new Jobs and will create a system event with the reason UnknownTimeZone. More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones",
           "type": "string"
         }
       },
@@ -3469,11 +3679,11 @@
           "type": "integer"
         },
         "completionMode": {
-          "description": "CompletionMode specifies how Pod completions are tracked. It can be `NonIndexed` (default) or `Indexed`.\n\n`NonIndexed` means that the Job is considered complete when there have been .spec.completions successfully completed Pods. Each Pod completion is homologous to each other.\n\n`Indexed` means that the Pods of a Job get an associated completion index from 0 to (.spec.completions - 1), available in the annotation batch.kubernetes.io/job-completion-index. The Job is considered complete when there is one successfully completed Pod for each index. When value is `Indexed`, .spec.completions must be specified and `.spec.parallelism` must be less than or equal to 10^5. In addition, The Pod name takes the form `$(job-name)-$(index)-$(random-string)`, the Pod hostname takes the form `$(job-name)-$(index)`.\n\nMore completion modes can be added in the future. If the Job controller observes a mode that it doesn't recognize, which is possible during upgrades due to version skew, the controller skips updates for the Job.",
+          "description": "completionMode specifies how Pod completions are tracked. It can be `NonIndexed` (default) or `Indexed`.\n\n`NonIndexed` means that the Job is considered complete when there have been .spec.completions successfully completed Pods. Each Pod completion is homologous to each other.\n\n`Indexed` means that the Pods of a Job get an associated completion index from 0 to (.spec.completions - 1), available in the annotation batch.kubernetes.io/job-completion-index. The Job is considered complete when there is one successfully completed Pod for each index. When value is `Indexed`, .spec.completions must be specified and `.spec.parallelism` must be less than or equal to 10^5. In addition, The Pod name takes the form `$(job-name)-$(index)-$(random-string)`, the Pod hostname takes the form `$(job-name)-$(index)`.\n\nMore completion modes can be added in the future. If the Job controller observes a mode that it doesn't recognize, which is possible during upgrades due to version skew, the controller skips updates for the Job.",
           "type": "string"
         },
         "completions": {
-          "description": "Specifies the desired number of successfully finished pods the job should be run with.  Setting to nil means that the success of any pod signals the success of all pods, and allows parallelism to have any positive value.  Setting to 1 means that parallelism is limited to 1 and the success of that pod signals the success of the job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",
+          "description": "Specifies the desired number of successfully finished pods the job should be run with.  Setting to null means that the success of any pod signals the success of all pods, and allows parallelism to have any positive value.  Setting to 1 means that parallelism is limited to 1 and the success of that pod signals the success of the job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",
           "format": "int32",
           "type": "integer"
         },
@@ -3495,12 +3705,12 @@
           "description": "A label query over pods that should match the pod count. Normally, the system sets this field for you. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors"
         },
         "suspend": {
-          "description": "Suspend specifies whether the Job controller should create Pods or not. If a Job is created with suspend set to true, no Pods are created by the Job controller. If a Job is suspended after creation (i.e. the flag goes from false to true), the Job controller will delete all active Pods associated with this Job. Users must design their workload to gracefully handle this. Suspending a Job will reset the StartTime field of the Job, effectively resetting the ActiveDeadlineSeconds timer too. Defaults to false.",
+          "description": "suspend specifies whether the Job controller should create Pods or not. If a Job is created with suspend set to true, no Pods are created by the Job controller. If a Job is suspended after creation (i.e. the flag goes from false to true), the Job controller will delete all active Pods associated with this Job. Users must design their workload to gracefully handle this. Suspending a Job will reset the StartTime field of the Job, effectively resetting the ActiveDeadlineSeconds timer too. Defaults to false.",
           "type": "boolean"
         },
         "template": {
           "$ref": "#/definitions/io.k8s.api.core.v1.PodTemplateSpec",
-          "description": "Describes the pod that will be created when executing a job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/"
+          "description": "Describes the pod that will be created when executing a job. The only allowed template.spec.restartPolicy values are \"Never\" or \"OnFailure\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/"
         },
         "ttlSecondsAfterFinished": {
           "description": "ttlSecondsAfterFinished limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted. When the Job is being deleted, its lifecycle guarantees (e.g. finalizers) will be honored. If this field is unset, the Job won't be automatically deleted. If this field is set to zero, the Job becomes eligible to be deleted immediately after it finishes.",
@@ -3522,7 +3732,7 @@
           "type": "integer"
         },
         "completedIndexes": {
-          "description": "CompletedIndexes holds the completed indexes when .spec.completionMode = \"Indexed\" in a text format. The indexes are represented as decimal integers separated by commas. The numbers are listed in increasing order. Three or more consecutive numbers are compressed and represented by the first and last element of the series, separated by a hyphen. For example, if the completed indexes are 1, 3, 4, 5 and 7, they are represented as \"1,3-5,7\".",
+          "description": "completedIndexes holds the completed indexes when .spec.completionMode = \"Indexed\" in a text format. The indexes are represented as decimal integers separated by commas. The numbers are listed in increasing order. Three or more consecutive numbers are compressed and represented by the first and last element of the series, separated by a hyphen. For example, if the completed indexes are 1, 3, 4, 5 and 7, they are represented as \"1,3-5,7\".",
           "type": "string"
         },
         "completionTime": {
@@ -3560,7 +3770,7 @@
         },
         "uncountedTerminatedPods": {
           "$ref": "#/definitions/io.k8s.api.batch.v1.UncountedTerminatedPods",
-          "description": "UncountedTerminatedPods holds the UIDs of Pods that have terminated but the job controller hasn't yet accounted for in the status counters.\n\nThe job controller creates pods with a finalizer. When a pod terminates (succeeded or failed), the controller does three steps to account for it in the job status: (1) Add the pod UID to the arrays in this field. (2) Remove the pod finalizer. (3) Remove the pod UID from the arrays while increasing the corresponding\n    counter.\n\nOld jobs might not be tracked using this field, in which case the field remains null."
+          "description": "uncountedTerminatedPods holds the UIDs of Pods that have terminated but the job controller hasn't yet accounted for in the status counters.\n\nThe job controller creates pods with a finalizer. When a pod terminates (succeeded or failed), the controller does three steps to account for it in the job status:\n\n1. Add the pod UID to the arrays in this field. 2. Remove the pod finalizer. 3. Remove the pod UID from the arrays while increasing the corresponding\n    counter.\n\nOld jobs might not be tracked using this field, in which case the field remains null."
         }
       },
       "type": "object"
@@ -3604,7 +3814,7 @@
           "type": "string"
         },
         "operator": {
-          "description": "Represents the relationship between the container exit code(s) and the specified values. Containers completed with success (exit code 0) are excluded from the requirement check. Possible values are: - In: the requirement is satisfied if at least one container exit code\n  (might be multiple if there are multiple containers not restricted\n  by the 'containerName' field) is in the set of specified values.\n- NotIn: the requirement is satisfied if at least one container exit code\n  (might be multiple if there are multiple containers not restricted\n  by the 'containerName' field) is not in the set of specified values.\nAdditional values are considered to be added in the future. Clients should react to an unknown operator by assuming the requirement is not satisfied.\n\n",
+          "description": "Represents the relationship between the container exit code(s) and the specified values. Containers completed with success (exit code 0) are excluded from the requirement check. Possible values are:\n\n- In: the requirement is satisfied if at least one container exit code\n  (might be multiple if there are multiple containers not restricted\n  by the 'containerName' field) is in the set of specified values.\n- NotIn: the requirement is satisfied if at least one container exit code\n  (might be multiple if there are multiple containers not restricted\n  by the 'containerName' field) is not in the set of specified values.\nAdditional values are considered to be added in the future. Clients should react to an unknown operator by assuming the requirement is not satisfied.",
           "type": "string"
         },
         "values": {
@@ -3642,10 +3852,10 @@
       "type": "object"
     },
     "io.k8s.api.batch.v1.PodFailurePolicyRule": {
-      "description": "PodFailurePolicyRule describes how a pod failure is handled when the requirements are met. One of OnExitCodes and onPodConditions, but not both, can be used in each rule.",
+      "description": "PodFailurePolicyRule describes how a pod failure is handled when the requirements are met. One of onExitCodes and onPodConditions, but not both, can be used in each rule.",
       "properties": {
         "action": {
-          "description": "Specifies the action taken on a pod failure when the requirements are satisfied. Possible values are: - FailJob: indicates that the pod's job is marked as Failed and all\n  running pods are terminated.\n- Ignore: indicates that the counter towards the .backoffLimit is not\n  incremented and a replacement pod is created.\n- Count: indicates that the pod is handled in the default way - the\n  counter towards the .backoffLimit is incremented.\nAdditional values are considered to be added in the future. Clients should react to an unknown action by skipping the rule.\n\n",
+          "description": "Specifies the action taken on a pod failure when the requirements are satisfied. Possible values are:\n\n- FailJob: indicates that the pod's job is marked as Failed and all\n  running pods are terminated.\n- Ignore: indicates that the counter towards the .backoffLimit is not\n  incremented and a replacement pod is created.\n- Count: indicates that the pod is handled in the default way - the\n  counter towards the .backoffLimit is incremented.\nAdditional values are considered to be added in the future. Clients should react to an unknown action by skipping the rule.",
           "type": "string"
         },
         "onExitCodes": {
@@ -3671,7 +3881,7 @@
       "description": "UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't been accounted in Job status counters.",
       "properties": {
         "failed": {
-          "description": "Failed holds UIDs of failed Pods.",
+          "description": "failed holds UIDs of failed Pods.",
           "items": {
             "type": "string"
           },
@@ -3679,7 +3889,7 @@
           "x-kubernetes-list-type": "set"
         },
         "succeeded": {
-          "description": "Succeeded holds UIDs of succeeded Pods.",
+          "description": "succeeded holds UIDs of succeeded Pods.",
           "items": {
             "type": "string"
           },
@@ -3874,6 +4084,90 @@
       },
       "type": "object"
     },
+    "io.k8s.api.certificates.v1alpha1.ClusterTrustBundle": {
+      "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection.  All service accounts have read access to ClusterTrustBundles by default.  Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
+          "description": "metadata contains the object metadata."
+        },
+        "spec": {
+          "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec",
+          "description": "spec contains the signer (if any) and trust anchors."
+        }
+      },
+      "required": [
+        "spec"
+      ],
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1alpha1"
+        }
+      ]
+    },
+    "io.k8s.api.certificates.v1alpha1.ClusterTrustBundleList": {
+      "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "items": {
+          "description": "items is a collection of ClusterTrustBundle objects",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"
+          },
+          "type": "array"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta",
+          "description": "metadata contains the list metadata."
+        }
+      },
+      "required": [
+        "items"
+      ],
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundleList",
+          "version": "v1alpha1"
+        }
+      ]
+    },
+    "io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec": {
+      "description": "ClusterTrustBundleSpec contains the signer and trust anchors.",
+      "properties": {
+        "signerName": {
+          "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName= verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.",
+          "type": "string"
+        },
+        "trustBundle": {
+          "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates.  Each certificate must include a basic constraints extension with the CA bit set.  The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "trustBundle"
+      ],
+      "type": "object"
+    },
     "io.k8s.api.coordination.v1.Lease": {
       "description": "Lease defines a lease concept.",
       "properties": {
@@ -3891,7 +4185,7 @@
         },
         "spec": {
           "$ref": "#/definitions/io.k8s.api.coordination.v1.LeaseSpec",
-          "description": "Specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+          "description": "spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
         }
       },
       "type": "object",
@@ -3911,7 +4205,7 @@
           "type": "string"
         },
         "items": {
-          "description": "Items is a list of schema objects.",
+          "description": "items is a list of schema objects.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.coordination.v1.Lease"
           },
@@ -3950,7 +4244,7 @@
           "type": "string"
         },
         "leaseDurationSeconds": {
-          "description": "leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measure against time of last observed RenewTime.",
+          "description": "leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measure against time of last observed renewTime.",
           "format": "int32",
           "type": "integer"
         },
@@ -4147,7 +4441,7 @@
       "properties": {
         "controllerExpandSecretRef": {
           "$ref": "#/definitions/io.k8s.api.core.v1.SecretReference",
-          "description": "controllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. This is an beta field and requires enabling ExpandCSIVolumes feature gate. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed."
+          "description": "controllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed."
         },
         "controllerPublishSecretRef": {
           "$ref": "#/definitions/io.k8s.api.core.v1.SecretReference",
@@ -4163,7 +4457,7 @@
         },
         "nodeExpandSecretRef": {
           "$ref": "#/definitions/io.k8s.api.core.v1.SecretReference",
-          "description": "nodeExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeExpandVolume call. This is an alpha field and requires enabling CSINodeExpandSecret feature gate. This field is optional, may be omitted if no secret is required. If the secret object contains more than one secret, all secrets are passed."
+          "description": "nodeExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeExpandVolume call. This is a beta field which is enabled default by CSINodeExpandSecret feature gate. This field is optional, may be omitted if no secret is required. If the secret object contains more than one secret, all secrets are passed."
         },
         "nodePublishSecretRef": {
           "$ref": "#/definitions/io.k8s.api.core.v1.SecretReference",
@@ -4720,7 +5014,7 @@
           "type": "string"
         },
         "imagePullPolicy": {
-          "description": "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images\n\n",
+          "description": "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images",
           "type": "string"
         },
         "lifecycle": {
@@ -4753,6 +5047,14 @@
           "$ref": "#/definitions/io.k8s.api.core.v1.Probe",
           "description": "Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes"
         },
+        "resizePolicy": {
+          "description": "Resources resize policy for the container.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.core.v1.ContainerResizePolicy"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
+        },
         "resources": {
           "$ref": "#/definitions/io.k8s.api.core.v1.ResourceRequirements",
           "description": "Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
@@ -4778,7 +5080,7 @@
           "type": "string"
         },
         "terminationMessagePolicy": {
-          "description": "Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.\n\n",
+          "description": "Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.",
           "type": "string"
         },
         "tty": {
@@ -4853,7 +5155,7 @@
           "type": "string"
         },
         "protocol": {
-          "description": "Protocol for port. Must be UDP, TCP, or SCTP. Defaults to \"TCP\".\n\n",
+          "description": "Protocol for port. Must be UDP, TCP, or SCTP. Defaults to \"TCP\".",
           "type": "string"
         }
       },
@@ -4862,6 +5164,24 @@
       ],
       "type": "object"
     },
+    "io.k8s.api.core.v1.ContainerResizePolicy": {
+      "description": "ContainerResizePolicy represents resource resize policy for the container.",
+      "properties": {
+        "resourceName": {
+          "description": "Name of the resource to which this resource resize policy applies. Supported values: cpu, memory.",
+          "type": "string"
+        },
+        "restartPolicy": {
+          "description": "Restart policy to apply when specified resource is resized. If not specified, it defaults to NotRequired.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "resourceName",
+        "restartPolicy"
+      ],
+      "type": "object"
+    },
     "io.k8s.api.core.v1.ContainerState": {
       "description": "ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.",
       "properties": {
@@ -4946,42 +5266,53 @@
     "io.k8s.api.core.v1.ContainerStatus": {
       "description": "ContainerStatus contains details for the current status of this container.",
       "properties": {
+        "allocatedResources": {
+          "additionalProperties": {
+            "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"
+          },
+          "description": "AllocatedResources represents the compute resources allocated for this container by the node. Kubelet sets this value to Container.Resources.Requests upon successful pod admission and after successfully admitting desired pod resize.",
+          "type": "object"
+        },
         "containerID": {
-          "description": "Container's ID in the format '://'.",
+          "description": "ContainerID is the ID of the container in the format '://'. Where type is a container runtime identifier, returned from Version call of CRI API (for example \"containerd\").",
           "type": "string"
         },
         "image": {
-          "description": "The image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images.",
+          "description": "Image is the name of container image that the container is running. The container image may not match the image used in the PodSpec, as it may have been resolved by the runtime. More info: https://kubernetes.io/docs/concepts/containers/images.",
           "type": "string"
         },
         "imageID": {
-          "description": "ImageID of the container's image.",
+          "description": "ImageID is the image ID of the container's image. The image ID may not match the image ID of the image used in the PodSpec, as it may have been resolved by the runtime.",
           "type": "string"
         },
         "lastState": {
           "$ref": "#/definitions/io.k8s.api.core.v1.ContainerState",
-          "description": "Details about the container's last termination condition."
+          "description": "LastTerminationState holds the last termination state of the container to help debug container crashes and restarts. This field is not populated if the container is still running and RestartCount is 0."
         },
         "name": {
-          "description": "This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.",
+          "description": "Name is a DNS_LABEL representing the unique name of the container. Each container in a pod must have a unique name across all container types. Cannot be updated.",
           "type": "string"
         },
         "ready": {
-          "description": "Specifies whether the container has passed its readiness probe.",
+          "description": "Ready specifies whether the container is currently passing its readiness check. The value will change as readiness probes keep executing. If no readiness probes are specified, this field defaults to true once the container is fully started (see Started field).\n\nThe value is typically used to determine whether a container is ready to accept traffic.",
           "type": "boolean"
         },
+        "resources": {
+          "$ref": "#/definitions/io.k8s.api.core.v1.ResourceRequirements",
+          "description": "Resources represents the compute resource requests and limits that have been successfully enacted on the running container after it has been started or has been successfully resized."
+        },
         "restartCount": {
-          "description": "The number of times the container has been restarted.",
+          "description": "RestartCount holds the number of times the container has been restarted. Kubelet makes an effort to always increment the value, but there are cases when the state may be lost due to node restarts and then the value may be reset to 0. The value is never negative.",
           "format": "int32",
           "type": "integer"
         },
         "started": {
-          "description": "Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined.",
+          "description": "Started indicates whether the container has finished its postStart lifecycle hook and passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. In both cases, startup probes will run again. Is always true when no startupProbe is defined and container is running and has passed the postStart lifecycle hook. The null value must be treated the same as false.",
           "type": "boolean"
         },
         "state": {
           "$ref": "#/definitions/io.k8s.api.core.v1.ContainerState",
-          "description": "Details about the container's current condition."
+          "description": "State holds details about the container's current condition."
         }
       },
       "required": [
@@ -5073,7 +5404,7 @@
         },
         "sizeLimit": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity",
-          "description": "sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir"
+          "description": "sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir"
         }
       },
       "type": "object"
@@ -5086,7 +5417,7 @@
           "type": "string"
         },
         "ip": {
-          "description": "The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24). IPv6 is also accepted but not fully supported on all platforms. Also, certain kubernetes components, like kube-proxy, are not IPv6 ready.",
+          "description": "The IP of this endpoint. May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10), or link-local multicast (224.0.0.0/24 or ff02::/16).",
           "type": "string"
         },
         "nodeName": {
@@ -5108,7 +5439,7 @@
       "description": "EndpointPort is a tuple that describes a single port.",
       "properties": {
         "appProtocol": {
-          "description": "The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.",
+          "description": "The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand. This field follows standard Kubernetes label syntax. Valid values are either:\n\n* Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names).\n\n* Kubernetes-defined prefixed names:\n  * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540\n\n* Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol.",
           "type": "string"
         },
         "name": {
@@ -5121,7 +5452,7 @@
           "type": "integer"
         },
         "protocol": {
-          "description": "The IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.\n\n",
+          "description": "The IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.",
           "type": "string"
         }
       },
@@ -5324,7 +5655,7 @@
           "type": "string"
         },
         "imagePullPolicy": {
-          "description": "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images\n\n",
+          "description": "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images",
           "type": "string"
         },
         "lifecycle": {
@@ -5357,6 +5688,14 @@
           "$ref": "#/definitions/io.k8s.api.core.v1.Probe",
           "description": "Probes are not allowed for ephemeral containers."
         },
+        "resizePolicy": {
+          "description": "Resources resize policy for the container.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.core.v1.ContainerResizePolicy"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
+        },
         "resources": {
           "$ref": "#/definitions/io.k8s.api.core.v1.ResourceRequirements",
           "description": "Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod."
@@ -5386,7 +5725,7 @@
           "type": "string"
         },
         "terminationMessagePolicy": {
-          "description": "Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.\n\n",
+          "description": "Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.",
           "type": "string"
         },
         "tty": {
@@ -5840,7 +6179,7 @@
           "description": "Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME."
         },
         "scheme": {
-          "description": "Scheme to use for connecting to the host. Defaults to HTTP.\n\n",
+          "description": "Scheme to use for connecting to the host. Defaults to HTTP.",
           "type": "string"
         }
       },
@@ -6408,7 +6747,7 @@
           "x-kubernetes-patch-strategy": "merge"
         },
         "phase": {
-          "description": "Phase is the current lifecycle phase of the namespace. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/\n\n",
+          "description": "Phase is the current lifecycle phase of the namespace. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/",
           "type": "string"
         }
       },
@@ -6618,7 +6957,7 @@
           "type": "string"
         },
         "operator": {
-          "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n\n",
+          "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.",
           "type": "string"
         },
         "values": {
@@ -6701,7 +7040,7 @@
       "description": "NodeStatus is information about the current status of a node.",
       "properties": {
         "addresses": {
-          "description": "List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses Note: This field is declared as mergeable, but the merge key is not sufficiently unique, which can cause data corruption when it is merged. Callers should instead use a full-replacement patch. See https://pr.k8s.io/79391 for an example.",
+          "description": "List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses Note: This field is declared as mergeable, but the merge key is not sufficiently unique, which can cause data corruption when it is merged. Callers should instead use a full-replacement patch. See https://pr.k8s.io/79391 for an example. Consumers should assume that addresses can change during the lifetime of a Node. However, there are some exceptions where this may not be possible, such as Pods that inherit a Node's address in its own status or consumers of the downward API (status.hostIP).",
           "items": {
             "$ref": "#/definitions/io.k8s.api.core.v1.NodeAddress"
           },
@@ -6752,7 +7091,7 @@
           "description": "Set of ids/uuids to uniquely identify the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#info"
         },
         "phase": {
-          "description": "NodePhase is the recently observed lifecycle phase of the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.\n\n",
+          "description": "NodePhase is the recently observed lifecycle phase of the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.",
           "type": "string"
         },
         "volumesAttached": {
@@ -6950,7 +7289,7 @@
       ]
     },
     "io.k8s.api.core.v1.PersistentVolumeClaimCondition": {
-      "description": "PersistentVolumeClaimCondition contails details about state of pvc",
+      "description": "PersistentVolumeClaimCondition contains details about state of pvc",
       "properties": {
         "lastProbeTime": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time",
@@ -7091,7 +7430,7 @@
           "x-kubernetes-patch-strategy": "merge"
         },
         "phase": {
-          "description": "phase represents the current phase of PersistentVolumeClaim.\n\n",
+          "description": "phase represents the current phase of PersistentVolumeClaim.",
           "type": "string"
         },
         "resizeStatus": {
@@ -7264,7 +7603,7 @@
           "description": "nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume."
         },
         "persistentVolumeReclaimPolicy": {
-          "description": "persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. Valid options are Retain (default for manually created PersistentVolumes), Delete (default for dynamically provisioned PersistentVolumes), and Recycle (deprecated). Recycle must be supported by the volume plugin underlying this PersistentVolume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming\n\n",
+          "description": "persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. Valid options are Retain (default for manually created PersistentVolumes), Delete (default for dynamically provisioned PersistentVolumes), and Recycle (deprecated). Recycle must be supported by the volume plugin underlying this PersistentVolume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming",
           "type": "string"
         },
         "photonPersistentDisk": {
@@ -7314,7 +7653,7 @@
           "type": "string"
         },
         "phase": {
-          "description": "phase indicates if a volume is available, bound to a claim, or released by a claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase\n\n",
+          "description": "phase indicates if a volume is available, bound to a claim, or released by a claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase",
           "type": "string"
         },
         "reason": {
@@ -7703,7 +8042,7 @@
           "description": "Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy."
         },
         "dnsPolicy": {
-          "description": "Set DNS policy for the pod. Defaults to \"ClusterFirst\". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.\n\n",
+          "description": "Set DNS policy for the pod. Defaults to \"ClusterFirst\". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.",
           "type": "string"
         },
         "enableServiceLinks": {
@@ -7823,7 +8162,7 @@
           "x-kubernetes-patch-strategy": "merge,retainKeys"
         },
         "restartPolicy": {
-          "description": "Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy\n\n",
+          "description": "Restart policy for all containers within the pod. One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy",
           "type": "string"
         },
         "runtimeClassName": {
@@ -7835,7 +8174,7 @@
           "type": "string"
         },
         "schedulingGates": {
-          "description": "SchedulingGates is an opaque list of values that if specified will block scheduling the pod. More info:  https://git.k8s.io/enhancements/keps/sig-scheduling/3521-pod-scheduling-readiness.\n\nThis is an alpha-level feature enabled by PodSchedulingReadiness feature gate.",
+          "description": "SchedulingGates is an opaque list of values that if specified will block scheduling the pod. If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the scheduler will not attempt to schedule the pod.\n\nSchedulingGates can only be set at pod creation time, and be removed only afterwards.\n\nThis is a beta feature enabled by the PodSchedulingReadiness feature gate.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.core.v1.PodSchedulingGate"
           },
@@ -7958,7 +8297,7 @@
           "type": "string"
         },
         "phase": {
-          "description": "The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:\n\nPending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase\n\n",
+          "description": "The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:\n\nPending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase",
           "type": "string"
         },
         "podIP": {
@@ -7975,13 +8314,17 @@
           "x-kubernetes-patch-strategy": "merge"
         },
         "qosClass": {
-          "description": "The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md\n\n",
+          "description": "The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classes",
           "type": "string"
         },
         "reason": {
           "description": "A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted'",
           "type": "string"
         },
+        "resize": {
+          "description": "Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\"",
+          "type": "string"
+        },
         "startTime": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time",
           "description": "RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod."
@@ -8079,7 +8422,7 @@
           "type": "integer"
         },
         "protocol": {
-          "description": "Protocol is the protocol of the service port of which status is recorded here The supported values are: \"TCP\", \"UDP\", \"SCTP\"\n\n",
+          "description": "Protocol is the protocol of the service port of which status is recorded here The supported values are: \"TCP\", \"UDP\", \"SCTP\"",
           "type": "string"
         }
       },
@@ -8143,7 +8486,7 @@
         },
         "grpc": {
           "$ref": "#/definitions/io.k8s.api.core.v1.GRPCAction",
-          "description": "GRPC specifies an action involving a GRPC port. This is a beta field and requires enabling GRPCContainerProbe feature gate."
+          "description": "GRPC specifies an action involving a GRPC port."
         },
         "httpGet": {
           "$ref": "#/definitions/io.k8s.api.core.v1.HTTPGetAction",
@@ -8444,7 +8787,7 @@
         },
         "template": {
           "$ref": "#/definitions/io.k8s.api.core.v1.PodTemplateSpec",
-          "description": "Template is the object that describes the pod that will be created if insufficient replicas are detected. This takes precedence over a TemplateRef. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template"
+          "description": "Template is the object that describes the pod that will be created if insufficient replicas are detected. This takes precedence over a TemplateRef. The only allowed template.spec.restartPolicy value is \"Always\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template"
         }
       },
       "type": "object"
@@ -8643,12 +8986,15 @@
       "description": "ResourceRequirements describes the compute resource requirements.",
       "properties": {
         "claims": {
-          "description": "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.\n\nThis is an alpha field and requires enabling the DynamicResourceAllocation feature gate.\n\nThis field is immutable.",
+          "description": "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.\n\nThis is an alpha field and requires enabling the DynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.core.v1.ResourceClaim"
           },
           "type": "array",
-          "x-kubernetes-list-type": "set"
+          "x-kubernetes-list-map-keys": [
+            "name"
+          ],
+          "x-kubernetes-list-type": "map"
         },
         "limits": {
           "additionalProperties": {
@@ -8661,7 +9007,7 @@
           "additionalProperties": {
             "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"
           },
-          "description": "Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
+          "description": "Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
           "type": "object"
         }
       },
@@ -8809,11 +9155,11 @@
       "description": "A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.",
       "properties": {
         "operator": {
-          "description": "Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.\n\n",
+          "description": "Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.",
           "type": "string"
         },
         "scopeName": {
-          "description": "The name of the scope that the selector applies to.\n\n",
+          "description": "The name of the scope that the selector applies to.",
           "type": "string"
         },
         "values": {
@@ -8838,7 +9184,7 @@
           "type": "string"
         },
         "type": {
-          "description": "type indicates which kind of seccomp profile will be applied. Valid options are:\n\nLocalhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.\n\n",
+          "description": "type indicates which kind of seccomp profile will be applied. Valid options are:\n\nLocalhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.",
           "type": "string"
         }
       },
@@ -9280,7 +9626,7 @@
           "type": "integer"
         },
         "protocol": {
-          "description": "The IP protocol for this port. Supports \"TCP\", \"UDP\", and \"SCTP\". Default is TCP.\n\n",
+          "description": "The IP protocol for this port. Supports \"TCP\", \"UDP\", and \"SCTP\". Default is TCP.",
           "type": "string"
         },
         "targetPort": {
@@ -9324,7 +9670,7 @@
           "type": "string"
         },
         "externalTrafficPolicy": {
-          "description": "externalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service's \"externally-facing\" addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). If set to \"Local\", the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, \"Cluster\", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get \"Cluster\" semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node.\n\n",
+          "description": "externalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service's \"externally-facing\" addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). If set to \"Local\", the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, \"Cluster\", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get \"Cluster\" semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node.",
           "type": "string"
         },
         "healthCheckNodePort": {
@@ -9390,7 +9736,7 @@
           "x-kubernetes-map-type": "atomic"
         },
         "sessionAffinity": {
-          "description": "Supports \"ClientIP\" and \"None\". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies\n\n",
+          "description": "Supports \"ClientIP\" and \"None\". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies",
           "type": "string"
         },
         "sessionAffinityConfig": {
@@ -9398,7 +9744,7 @@
           "description": "sessionAffinityConfig contains the configurations of session affinity."
         },
         "type": {
-          "description": "type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. \"ClusterIP\" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object or EndpointSlice objects. If clusterIP is \"None\", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a virtual IP. \"NodePort\" builds on ClusterIP and allocates a port on every node which routes to the same endpoints as the clusterIP. \"LoadBalancer\" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. \"ExternalName\" aliases this service to the specified externalName. Several other fields do not apply to ExternalName services. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types\n\n",
+          "description": "type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. \"ClusterIP\" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object or EndpointSlice objects. If clusterIP is \"None\", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a virtual IP. \"NodePort\" builds on ClusterIP and allocates a port on every node which routes to the same endpoints as the clusterIP. \"LoadBalancer\" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. \"ExternalName\" aliases this service to the specified externalName. Several other fields do not apply to ExternalName services. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types",
           "type": "string"
         }
       },
@@ -9528,7 +9874,7 @@
       "description": "The node this Taint is attached to has the \"effect\" on any pod that does not tolerate the Taint.",
       "properties": {
         "effect": {
-          "description": "Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.\n\n",
+          "description": "Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.",
           "type": "string"
         },
         "key": {
@@ -9554,7 +9900,7 @@
       "description": "The pod this Toleration is attached to tolerates any taint that matches the triple  using the matching operator .",
       "properties": {
         "effect": {
-          "description": "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.\n\n",
+          "description": "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.",
           "type": "string"
         },
         "key": {
@@ -9562,7 +9908,7 @@
           "type": "string"
         },
         "operator": {
-          "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.\n\n",
+          "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.",
           "type": "string"
         },
         "tolerationSeconds": {
@@ -9620,7 +9966,7 @@
           "description": "LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain."
         },
         "matchLabelKeys": {
-          "description": "MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector.",
+          "description": "MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. MatchLabelKeys cannot be set when LabelSelector isn't set. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector.\n\nThis is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).",
           "items": {
             "type": "string"
           },
@@ -9650,7 +9996,7 @@
           "type": "string"
         },
         "whenUnsatisfiable": {
-          "description": "WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location,\n  but giving higher precedence to topologies that would help reduce the\n  skew.\nA constraint is considered \"Unsatisfiable\" for an incoming pod if and only if every possible node assignment for that pod would violate \"MaxSkew\" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P |   P   |   P   | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it *more* imbalanced. It's a required field.\n\n",
+          "description": "WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location,\n  but giving higher precedence to topologies that would help reduce the\n  skew.\nA constraint is considered \"Unsatisfiable\" for an incoming pod if and only if every possible node assignment for that pod would violate \"MaxSkew\" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P |   P   |   P   | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it *more* imbalanced. It's a required field.",
           "type": "string"
         }
       },
@@ -10040,7 +10386,7 @@
       "description": "EndpointConditions represents the current condition of an endpoint.",
       "properties": {
         "ready": {
-          "description": "ready indicates that this endpoint is prepared to receive traffic, according to whatever system is managing the endpoint. A nil value indicates an unknown state. In most cases consumers should interpret this unknown state as ready. For compatibility reasons, ready should never be \"true\" for terminating endpoints.",
+          "description": "ready indicates that this endpoint is prepared to receive traffic, according to whatever system is managing the endpoint. A nil value indicates an unknown state. In most cases consumers should interpret this unknown state as ready. For compatibility reasons, ready should never be \"true\" for terminating endpoints, except when the normal readiness behavior is being explicitly overridden, for example when the associated Service has set the publishNotReadyAddresses flag.",
           "type": "boolean"
         },
         "serving": {
@@ -10072,20 +10418,20 @@
       "description": "EndpointPort represents a Port used by an EndpointSlice",
       "properties": {
         "appProtocol": {
-          "description": "The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.",
+          "description": "The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand. This field follows standard Kubernetes label syntax. Valid values are either:\n\n* Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names).\n\n* Kubernetes-defined prefixed names:\n  * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540\n\n* Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol.",
           "type": "string"
         },
         "name": {
-          "description": "The name of this port. All ports in an EndpointSlice must have a unique name. If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name. Name must either be an empty string or pass DNS_LABEL validation: * must be no more than 63 characters long. * must consist of lower case alphanumeric characters or '-'. * must start and end with an alphanumeric character. Default is empty string.",
+          "description": "name represents the name of this port. All ports in an EndpointSlice must have a unique name. If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name. Name must either be an empty string or pass DNS_LABEL validation: * must be no more than 63 characters long. * must consist of lower case alphanumeric characters or '-'. * must start and end with an alphanumeric character. Default is empty string.",
           "type": "string"
         },
         "port": {
-          "description": "The port number of the endpoint. If this is not specified, ports are not restricted and must be interpreted in the context of the specific consumer.",
+          "description": "port represents the port number of the endpoint. If this is not specified, ports are not restricted and must be interpreted in the context of the specific consumer.",
           "format": "int32",
           "type": "integer"
         },
         "protocol": {
-          "description": "The IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.",
+          "description": "protocol represents the IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.",
           "type": "string"
         }
       },
@@ -10096,7 +10442,7 @@
       "description": "EndpointSlice represents a subset of the endpoints that implement a service. For a given service there may be multiple EndpointSlice objects, selected by labels, which must be joined to produce the full set of endpoints.",
       "properties": {
         "addressType": {
-          "description": "addressType specifies the type of address carried by this EndpointSlice. All addresses in this slice must be the same type. This field is immutable after creation. The following address types are currently supported: * IPv4: Represents an IPv4 Address. * IPv6: Represents an IPv6 Address. * FQDN: Represents a Fully Qualified Domain Name.\n\n",
+          "description": "addressType specifies the type of address carried by this EndpointSlice. All addresses in this slice must be the same type. This field is immutable after creation. The following address types are currently supported: * IPv4: Represents an IPv4 Address. * IPv6: Represents an IPv6 Address. * FQDN: Represents a Fully Qualified Domain Name.",
           "type": "string"
         },
         "apiVersion": {
@@ -10149,7 +10495,7 @@
           "type": "string"
         },
         "items": {
-          "description": "List of endpoint slices",
+          "description": "items is the list of endpoint slices",
           "items": {
             "$ref": "#/definitions/io.k8s.api.discovery.v1.EndpointSlice"
           },
@@ -11455,14 +11801,14 @@
       "properties": {
         "backend": {
           "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend",
-          "description": "Backend defines the referenced service endpoint to which the traffic will be forwarded to."
+          "description": "backend defines the referenced service endpoint to which the traffic will be forwarded to."
         },
         "path": {
-          "description": "Path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value \"Exact\" or \"Prefix\".",
+          "description": "path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value \"Exact\" or \"Prefix\".",
           "type": "string"
         },
         "pathType": {
-          "description": "PathType determines the interpretation of the Path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is\n  done on a path element by element basis. A path element refers is the\n  list of labels in the path split by the '/' separator. A request is a\n  match for path p if every p is an element-wise prefix of p of the\n  request path. Note that if the last element of the path is a substring\n  of the last element in request path, it is not a match (e.g. /foo/bar\n  matches /foo/bar/baz, but does not match /foo/barbaz).\n* ImplementationSpecific: Interpretation of the Path matching is up to\n  the IngressClass. Implementations can treat this as a separate PathType\n  or treat it identically to Prefix or Exact path types.\nImplementations are required to support all path types.",
+          "description": "pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is\n  done on a path element by element basis. A path element refers is the\n  list of labels in the path split by the '/' separator. A request is a\n  match for path p if every p is an element-wise prefix of p of the\n  request path. Note that if the last element of the path is a substring\n  of the last element in request path, it is not a match (e.g. /foo/bar\n  matches /foo/bar/baz, but does not match /foo/barbaz).\n* ImplementationSpecific: Interpretation of the Path matching is up to\n  the IngressClass. Implementations can treat this as a separate PathType\n  or treat it identically to Prefix or Exact path types.\nImplementations are required to support all path types.",
           "type": "string"
         }
       },
@@ -11476,7 +11822,7 @@
       "description": "HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http:///? -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.",
       "properties": {
         "paths": {
-          "description": "A collection of paths that map requests to backends.",
+          "description": "paths is a collection of paths that map requests to backends.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressPath"
           },
@@ -11493,11 +11839,11 @@
       "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.",
       "properties": {
         "cidr": {
-          "description": "CIDR is a string representing the IP Block Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"",
+          "description": "cidr is a string representing the IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"",
           "type": "string"
         },
         "except": {
-          "description": "Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the CIDR range",
+          "description": "except is a slice of CIDRs that should not be included within an IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the cidr range",
           "items": {
             "type": "string"
           },
@@ -11526,11 +11872,11 @@
         },
         "spec": {
           "$ref": "#/definitions/io.k8s.api.networking.v1.IngressSpec",
-          "description": "Spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+          "description": "spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
         },
         "status": {
           "$ref": "#/definitions/io.k8s.api.networking.v1.IngressStatus",
-          "description": "Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+          "description": "status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
         }
       },
       "type": "object",
@@ -11547,11 +11893,11 @@
       "properties": {
         "resource": {
           "$ref": "#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference",
-          "description": "Resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with \"Service\"."
+          "description": "resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with \"Service\"."
         },
         "service": {
           "$ref": "#/definitions/io.k8s.api.networking.v1.IngressServiceBackend",
-          "description": "Service references a Service as a Backend. This is a mutually exclusive setting with \"Resource\"."
+          "description": "service references a service as a backend. This is a mutually exclusive setting with \"Resource\"."
         }
       },
       "type": "object"
@@ -11573,7 +11919,7 @@
         },
         "spec": {
           "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassSpec",
-          "description": "Spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+          "description": "spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
         }
       },
       "type": "object",
@@ -11593,7 +11939,7 @@
           "type": "string"
         },
         "items": {
-          "description": "Items is the list of IngressClasses.",
+          "description": "items is the list of IngressClasses.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClass"
           },
@@ -11624,23 +11970,23 @@
       "description": "IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.",
       "properties": {
         "apiGroup": {
-          "description": "APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.",
+          "description": "apiGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.",
           "type": "string"
         },
         "kind": {
-          "description": "Kind is the type of resource being referenced.",
+          "description": "kind is the type of resource being referenced.",
           "type": "string"
         },
         "name": {
-          "description": "Name is the name of resource being referenced.",
+          "description": "name is the name of resource being referenced.",
           "type": "string"
         },
         "namespace": {
-          "description": "Namespace is the namespace of the resource being referenced. This field is required when scope is set to \"Namespace\" and must be unset when scope is set to \"Cluster\".",
+          "description": "namespace is the namespace of the resource being referenced. This field is required when scope is set to \"Namespace\" and must be unset when scope is set to \"Cluster\".",
           "type": "string"
         },
         "scope": {
-          "description": "Scope represents if this refers to a cluster or namespace scoped resource. This may be set to \"Cluster\" (default) or \"Namespace\".",
+          "description": "scope represents if this refers to a cluster or namespace scoped resource. This may be set to \"Cluster\" (default) or \"Namespace\".",
           "type": "string"
         }
       },
@@ -11654,12 +12000,12 @@
       "description": "IngressClassSpec provides information about the class of an Ingress.",
       "properties": {
         "controller": {
-          "description": "Controller refers to the name of the controller that should handle this class. This allows for different \"flavors\" that are controlled by the same controller. For example, you may have different Parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. \"acme.io/ingress-controller\". This field is immutable.",
+          "description": "controller refers to the name of the controller that should handle this class. This allows for different \"flavors\" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. \"acme.io/ingress-controller\". This field is immutable.",
           "type": "string"
         },
         "parameters": {
           "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference",
-          "description": "Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters."
+          "description": "parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters."
         }
       },
       "type": "object"
@@ -11672,7 +12018,7 @@
           "type": "string"
         },
         "items": {
-          "description": "Items is the list of Ingress.",
+          "description": "items is the list of Ingress.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.Ingress"
           },
@@ -11703,15 +12049,15 @@
       "description": "IngressLoadBalancerIngress represents the status of a load-balancer ingress point.",
       "properties": {
         "hostname": {
-          "description": "Hostname is set for load-balancer ingress points that are DNS based.",
+          "description": "hostname is set for load-balancer ingress points that are DNS based.",
           "type": "string"
         },
         "ip": {
-          "description": "IP is set for load-balancer ingress points that are IP based.",
+          "description": "ip is set for load-balancer ingress points that are IP based.",
           "type": "string"
         },
         "ports": {
-          "description": "Ports provides information about the ports exposed by this LoadBalancer.",
+          "description": "ports provides information about the ports exposed by this LoadBalancer.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.IngressPortStatus"
           },
@@ -11725,7 +12071,7 @@
       "description": "IngressLoadBalancerStatus represents the status of a load-balancer.",
       "properties": {
         "ingress": {
-          "description": "Ingress is a list containing ingress points for the load-balancer.",
+          "description": "ingress is a list containing ingress points for the load-balancer.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerIngress"
           },
@@ -11738,16 +12084,16 @@
       "description": "IngressPortStatus represents the error condition of a service port",
       "properties": {
         "error": {
-          "description": "Error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n  CamelCase names\n- cloud provider specific error values must have names that comply with the\n  format foo.example.com/CamelCase.",
+          "description": "error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n  CamelCase names\n- cloud provider specific error values must have names that comply with the\n  format foo.example.com/CamelCase.",
           "type": "string"
         },
         "port": {
-          "description": "Port is the port number of the ingress port.",
+          "description": "port is the port number of the ingress port.",
           "format": "int32",
           "type": "integer"
         },
         "protocol": {
-          "description": "Protocol is the protocol of the ingress port. The supported values are: \"TCP\", \"UDP\", \"SCTP\"\n\n",
+          "description": "protocol is the protocol of the ingress port. The supported values are: \"TCP\", \"UDP\", \"SCTP\"",
           "type": "string"
         }
       },
@@ -11761,7 +12107,7 @@
       "description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.",
       "properties": {
         "host": {
-          "description": "Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n   the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t  Currently the port of an Ingress is implicitly :80 for http and\n\t  :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nHost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.",
+          "description": "host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n   the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t  Currently the port of an Ingress is implicitly :80 for http and\n\t  :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nhost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If host is precise, the request matches this rule if the http host header is equal to Host. 2. If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.",
           "type": "string"
         },
         "http": {
@@ -11774,12 +12120,12 @@
       "description": "IngressServiceBackend references a Kubernetes Service as a Backend.",
       "properties": {
         "name": {
-          "description": "Name is the referenced service. The service must exist in the same namespace as the Ingress object.",
+          "description": "name is the referenced service. The service must exist in the same namespace as the Ingress object.",
           "type": "string"
         },
         "port": {
           "$ref": "#/definitions/io.k8s.api.networking.v1.ServiceBackendPort",
-          "description": "Port of the referenced service. A port name or port number is required for a IngressServiceBackend."
+          "description": "port of the referenced service. A port name or port number is required for a IngressServiceBackend."
         }
       },
       "required": [
@@ -11792,14 +12138,14 @@
       "properties": {
         "defaultBackend": {
           "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend",
-          "description": "DefaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller."
+          "description": "defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller."
         },
         "ingressClassName": {
-          "description": "IngressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.",
+          "description": "ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.",
           "type": "string"
         },
         "rules": {
-          "description": "A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.",
+          "description": "rules is a list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.IngressRule"
           },
@@ -11807,7 +12153,7 @@
           "x-kubernetes-list-type": "atomic"
         },
         "tls": {
-          "description": "TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.",
+          "description": "tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.IngressTLS"
           },
@@ -11822,16 +12168,16 @@
       "properties": {
         "loadBalancer": {
           "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerStatus",
-          "description": "LoadBalancer contains the current status of the load-balancer."
+          "description": "loadBalancer contains the current status of the load-balancer."
         }
       },
       "type": "object"
     },
     "io.k8s.api.networking.v1.IngressTLS": {
-      "description": "IngressTLS describes the transport layer security associated with an Ingress.",
+      "description": "IngressTLS describes the transport layer security associated with an ingress.",
       "properties": {
         "hosts": {
-          "description": "Hosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.",
+          "description": "hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.",
           "items": {
             "type": "string"
           },
@@ -11839,7 +12185,7 @@
           "x-kubernetes-list-type": "atomic"
         },
         "secretName": {
-          "description": "SecretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.",
+          "description": "secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the \"Host\" header is used for routing.",
           "type": "string"
         }
       },
@@ -11862,11 +12208,11 @@
         },
         "spec": {
           "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec",
-          "description": "Specification of the desired behavior for this NetworkPolicy."
+          "description": "spec represents the specification of the desired behavior for this NetworkPolicy."
         },
         "status": {
           "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyStatus",
-          "description": "Status is the current state of the NetworkPolicy. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+          "description": "status represents the current state of the NetworkPolicy. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
         }
       },
       "type": "object",
@@ -11882,14 +12228,14 @@
       "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8",
       "properties": {
         "ports": {
-          "description": "List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
+          "description": "ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort"
           },
           "type": "array"
         },
         "to": {
-          "description": "List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.",
+          "description": "to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer"
           },
@@ -11902,14 +12248,14 @@
       "description": "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.",
       "properties": {
         "from": {
-          "description": "List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.",
+          "description": "from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer"
           },
           "type": "array"
         },
         "ports": {
-          "description": "List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
+          "description": "ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort"
           },
@@ -11926,7 +12272,7 @@
           "type": "string"
         },
         "items": {
-          "description": "Items is a list of schema objects.",
+          "description": "items is a list of schema objects.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicy"
           },
@@ -11958,15 +12304,15 @@
       "properties": {
         "ipBlock": {
           "$ref": "#/definitions/io.k8s.api.networking.v1.IPBlock",
-          "description": "IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be."
+          "description": "ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be."
         },
         "namespaceSelector": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector",
-          "description": "Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector."
+          "description": "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector."
         },
         "podSelector": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector",
-          "description": "This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace."
+          "description": "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace."
         }
       },
       "type": "object"
@@ -11975,16 +12321,16 @@
       "description": "NetworkPolicyPort describes a port to allow traffic on",
       "properties": {
         "endPort": {
-          "description": "If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.",
+          "description": "endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.",
           "format": "int32",
           "type": "integer"
         },
         "port": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString",
-          "description": "The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched."
+          "description": "port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched."
         },
         "protocol": {
-          "description": "The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.",
+          "description": "protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.",
           "type": "string"
         }
       },
@@ -11994,14 +12340,14 @@
       "description": "NetworkPolicySpec provides the specification of a NetworkPolicy",
       "properties": {
         "egress": {
-          "description": "List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8",
+          "description": "egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule"
           },
           "type": "array"
         },
         "ingress": {
-          "description": "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)",
+          "description": "ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule"
           },
@@ -12009,10 +12355,10 @@
         },
         "podSelector": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector",
-          "description": "Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace."
+          "description": "podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace."
         },
         "policyTypes": {
-          "description": "List of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an Egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8",
+          "description": "policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8",
           "items": {
             "type": "string"
           },
@@ -12025,10 +12371,10 @@
       "type": "object"
     },
     "io.k8s.api.networking.v1.NetworkPolicyStatus": {
-      "description": "NetworkPolicyStatus describe the current state of the NetworkPolicy.",
+      "description": "NetworkPolicyStatus describes the current state of the NetworkPolicy.",
       "properties": {
         "conditions": {
-          "description": "Conditions holds an array of metav1.Condition that describe the state of the NetworkPolicy. Current service state",
+          "description": "conditions holds an array of metav1.Condition that describe the state of the NetworkPolicy. Current service state",
           "items": {
             "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
           },
@@ -12047,11 +12393,11 @@
       "description": "ServiceBackendPort is the service port being referenced.",
       "properties": {
         "name": {
-          "description": "Name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".",
+          "description": "name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".",
           "type": "string"
         },
         "number": {
-          "description": "Number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".",
+          "description": "number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".",
           "format": "int32",
           "type": "integer"
         }
@@ -12075,7 +12421,7 @@
         },
         "spec": {
           "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.ClusterCIDRSpec",
-          "description": "Spec is the desired state of the ClusterCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+          "description": "spec is the desired state of the ClusterCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
         }
       },
       "type": "object",
@@ -12095,7 +12441,7 @@
           "type": "string"
         },
         "items": {
-          "description": "Items is the list of ClusterCIDRs.",
+          "description": "items is the list of ClusterCIDRs.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.ClusterCIDR"
           },
@@ -12126,19 +12472,19 @@
       "description": "ClusterCIDRSpec defines the desired state of ClusterCIDR.",
       "properties": {
         "ipv4": {
-          "description": "IPv4 defines an IPv4 IP block in CIDR notation(e.g. \"10.0.0.0/8\"). At least one of IPv4 and IPv6 must be specified. This field is immutable.",
+          "description": "ipv4 defines an IPv4 IP block in CIDR notation(e.g. \"10.0.0.0/8\"). At least one of ipv4 and ipv6 must be specified. This field is immutable.",
           "type": "string"
         },
         "ipv6": {
-          "description": "IPv6 defines an IPv6 IP block in CIDR notation(e.g. \"2001:db8::/64\"). At least one of IPv4 and IPv6 must be specified. This field is immutable.",
+          "description": "ipv6 defines an IPv6 IP block in CIDR notation(e.g. \"2001:db8::/64\"). At least one of ipv4 and ipv6 must be specified. This field is immutable.",
           "type": "string"
         },
         "nodeSelector": {
           "$ref": "#/definitions/io.k8s.api.core.v1.NodeSelector",
-          "description": "NodeSelector defines which nodes the config is applicable to. An empty or nil NodeSelector selects all nodes. This field is immutable."
+          "description": "nodeSelector defines which nodes the config is applicable to. An empty or nil nodeSelector selects all nodes. This field is immutable."
         },
         "perNodeHostBits": {
-          "description": "PerNodeHostBits defines the number of host bits to be configured per node. A subnet mask determines how much of the address is used for network bits and host bits. For example an IPv4 address of 192.168.0.0/24, splits the address into 24 bits for the network portion and 8 bits for the host portion. To allocate 256 IPs, set this field to 8 (a /24 mask for IPv4 or a /120 for IPv6). Minimum value is 4 (16 IPs). This field is immutable.",
+          "description": "perNodeHostBits defines the number of host bits to be configured per node. A subnet mask determines how much of the address is used for network bits and host bits. For example an IPv4 address of 192.168.0.0/24, splits the address into 24 bits for the network portion and 8 bits for the host portion. To allocate 256 IPs, set this field to 8 (a /24 mask for IPv4 or a /120 for IPv6). Minimum value is 4 (16 IPs). This field is immutable.",
           "format": "int32",
           "type": "integer"
         }
@@ -12148,6 +12494,106 @@
       ],
       "type": "object"
     },
+    "io.k8s.api.networking.v1alpha1.IPAddress": {
+      "description": "IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of the object is the IP address in canonical format, four decimal digits separated by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
+          "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
+        },
+        "spec": {
+          "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddressSpec",
+          "description": "spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+        }
+      },
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "networking.k8s.io",
+          "kind": "IPAddress",
+          "version": "v1alpha1"
+        }
+      ]
+    },
+    "io.k8s.api.networking.v1alpha1.IPAddressList": {
+      "description": "IPAddressList contains a list of IPAddress.",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "items": {
+          "description": "items is the list of IPAddresses.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddress"
+          },
+          "type": "array"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta",
+          "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
+        }
+      },
+      "required": [
+        "items"
+      ],
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "networking.k8s.io",
+          "kind": "IPAddressList",
+          "version": "v1alpha1"
+        }
+      ]
+    },
+    "io.k8s.api.networking.v1alpha1.IPAddressSpec": {
+      "description": "IPAddressSpec describe the attributes in an IP Address.",
+      "properties": {
+        "parentRef": {
+          "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.ParentReference",
+          "description": "ParentRef references the resource that an IPAddress is attached to. An IPAddress must reference a parent object."
+        }
+      },
+      "type": "object"
+    },
+    "io.k8s.api.networking.v1alpha1.ParentReference": {
+      "description": "ParentReference describes a reference to a parent object.",
+      "properties": {
+        "group": {
+          "description": "Group is the group of the object being referenced.",
+          "type": "string"
+        },
+        "name": {
+          "description": "Name is the name of the object being referenced.",
+          "type": "string"
+        },
+        "namespace": {
+          "description": "Namespace is the namespace of the object being referenced.",
+          "type": "string"
+        },
+        "resource": {
+          "description": "Resource is the resource of the object being referenced.",
+          "type": "string"
+        },
+        "uid": {
+          "description": "UID is the uid of the object being referenced.",
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
     "io.k8s.api.node.v1.Overhead": {
       "description": "Overhead structure represents the resource overhead associated with running a pod.",
       "properties": {
@@ -12155,7 +12601,7 @@
           "additionalProperties": {
             "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"
           },
-          "description": "PodFixed represents the fixed resource overhead associated with running a pod.",
+          "description": "podFixed represents the fixed resource overhead associated with running a pod.",
           "type": "object"
         }
       },
@@ -12169,7 +12615,7 @@
           "type": "string"
         },
         "handler": {
-          "description": "Handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration.  It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called \"runc\" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.",
+          "description": "handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration.  It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called \"runc\" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.",
           "type": "string"
         },
         "kind": {
@@ -12182,11 +12628,11 @@
         },
         "overhead": {
           "$ref": "#/definitions/io.k8s.api.node.v1.Overhead",
-          "description": "Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/"
+          "description": "overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/"
         },
         "scheduling": {
           "$ref": "#/definitions/io.k8s.api.node.v1.Scheduling",
-          "description": "Scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes."
+          "description": "scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes."
         }
       },
       "required": [
@@ -12209,7 +12655,7 @@
           "type": "string"
         },
         "items": {
-          "description": "Items is a list of schema objects.",
+          "description": "items is a list of schema objects.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.node.v1.RuntimeClass"
           },
@@ -12372,7 +12818,7 @@
           "x-kubernetes-patch-strategy": "replace"
         },
         "unhealthyPodEvictionPolicy": {
-          "description": "UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=\"Ready\",status=\"True\".\n\nValid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.\n\nIfHealthyBudget policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.\n\nAlwaysAllow policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n\nAdditional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.\n\nThis field is alpha-level. The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (disabled by default).",
+          "description": "UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=\"Ready\",status=\"True\".\n\nValid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.\n\nIfHealthyBudget policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.\n\nAlwaysAllow policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n\nAdditional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.\n\nThis field is beta-level. The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).",
           "type": "string"
         }
       },
@@ -12829,16 +13275,20 @@
       "type": "object",
       "x-kubernetes-map-type": "atomic"
     },
-    "io.k8s.api.resource.v1alpha1.AllocationResult": {
-      "description": "AllocationResult contains attributed of an allocated resource.",
+    "io.k8s.api.resource.v1alpha2.AllocationResult": {
+      "description": "AllocationResult contains attributes of an allocated resource.",
       "properties": {
         "availableOnNodes": {
           "$ref": "#/definitions/io.k8s.api.core.v1.NodeSelector",
-          "description": "This field will get set by the resource driver after it has allocated the resource driver to inform the scheduler where it can schedule Pods using the ResourceClaim.\n\nSetting this field is optional. If null, the resource is available everywhere."
+          "description": "This field will get set by the resource driver after it has allocated the resource to inform the scheduler where it can schedule Pods using the ResourceClaim.\n\nSetting this field is optional. If null, the resource is available everywhere."
         },
-        "resourceHandle": {
-          "description": "ResourceHandle contains arbitrary data returned by the driver after a successful allocation. This is opaque for Kubernetes. Driver documentation may explain to users how to interpret this data if needed.\n\nThe maximum size of this field is 16KiB. This may get increased in the future, but not reduced.",
-          "type": "string"
+        "resourceHandles": {
+          "description": "ResourceHandles contain the state associated with an allocation that should be maintained throughout the lifetime of a claim. Each ResourceHandle contains data that should be passed to a specific kubelet plugin once it lands on a node. This data is returned by the driver after a successful allocation and is opaque to Kubernetes. Driver documentation may explain to users how to interpret this data if needed.\n\nSetting this field is optional. It has a maximum size of 32 entries. If null (or empty), it is assumed this allocation will be processed by a single kubelet plugin with no ResourceHandle data attached. The name of the kubelet plugin invoked will match the DriverName set in the ResourceClaimStatus this AllocationResult is embedded in.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceHandle"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
         },
         "shareable": {
           "description": "Shareable determines whether the resource supports more than one consumer at a time.",
@@ -12847,8 +13297,8 @@
       },
       "type": "object"
     },
-    "io.k8s.api.resource.v1alpha1.PodScheduling": {
-      "description": "PodScheduling objects hold information that is needed to schedule a Pod with ResourceClaims that use \"WaitForFirstConsumer\" allocation mode.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.",
+    "io.k8s.api.resource.v1alpha2.PodSchedulingContext": {
+      "description": "PodSchedulingContext objects hold information that is needed to schedule a Pod with ResourceClaims that use \"WaitForFirstConsumer\" allocation mode.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.",
       "properties": {
         "apiVersion": {
           "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
@@ -12863,11 +13313,11 @@
           "description": "Standard object metadata"
         },
         "spec": {
-          "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodSchedulingSpec",
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContextSpec",
           "description": "Spec describes where resources for the Pod are needed."
         },
         "status": {
-          "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodSchedulingStatus",
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContextStatus",
           "description": "Status describes where resources for the Pod can be allocated."
         }
       },
@@ -12878,22 +13328,22 @@
       "x-kubernetes-group-version-kind": [
         {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       ]
     },
-    "io.k8s.api.resource.v1alpha1.PodSchedulingList": {
-      "description": "PodSchedulingList is a collection of Pod scheduling objects.",
+    "io.k8s.api.resource.v1alpha2.PodSchedulingContextList": {
+      "description": "PodSchedulingContextList is a collection of Pod scheduling objects.",
       "properties": {
         "apiVersion": {
           "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
           "type": "string"
         },
         "items": {
-          "description": "Items is the list of PodScheduling objects.",
+          "description": "Items is the list of PodSchedulingContext objects.",
           "items": {
-            "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
           },
           "type": "array"
         },
@@ -12913,13 +13363,13 @@
       "x-kubernetes-group-version-kind": [
         {
           "group": "resource.k8s.io",
-          "kind": "PodSchedulingList",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContextList",
+          "version": "v1alpha2"
         }
       ]
     },
-    "io.k8s.api.resource.v1alpha1.PodSchedulingSpec": {
-      "description": "PodSchedulingSpec describes where resources for the Pod are needed.",
+    "io.k8s.api.resource.v1alpha2.PodSchedulingContextSpec": {
+      "description": "PodSchedulingContextSpec describes where resources for the Pod are needed.",
       "properties": {
         "potentialNodes": {
           "description": "PotentialNodes lists nodes where the Pod might be able to run.\n\nThe size of this field is limited to 128. This is large enough for many clusters. Larger clusters may need more attempts to find a node that suits all pending resources. This may get increased in the future, but not reduced.",
@@ -12936,13 +13386,13 @@
       },
       "type": "object"
     },
-    "io.k8s.api.resource.v1alpha1.PodSchedulingStatus": {
-      "description": "PodSchedulingStatus describes where resources for the Pod can be allocated.",
+    "io.k8s.api.resource.v1alpha2.PodSchedulingContextStatus": {
+      "description": "PodSchedulingContextStatus describes where resources for the Pod can be allocated.",
       "properties": {
         "resourceClaims": {
           "description": "ResourceClaims describes resource availability for each pod.spec.resourceClaim entry where the corresponding ResourceClaim uses \"WaitForFirstConsumer\" allocation mode.",
           "items": {
-            "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimSchedulingStatus"
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimSchedulingStatus"
           },
           "type": "array",
           "x-kubernetes-list-map-keys": [
@@ -12953,7 +13403,7 @@
       },
       "type": "object"
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClaim": {
+    "io.k8s.api.resource.v1alpha2.ResourceClaim": {
       "description": "ResourceClaim describes which resources are needed by a resource consumer. Its status tracks whether the resource has been allocated and what the resulting attributes are.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.",
       "properties": {
         "apiVersion": {
@@ -12969,11 +13419,11 @@
           "description": "Standard object metadata"
         },
         "spec": {
-          "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimSpec",
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimSpec",
           "description": "Spec describes the desired attributes of a resource that then needs to be allocated. It can only be set once when creating the ResourceClaim."
         },
         "status": {
-          "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimStatus",
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimStatus",
           "description": "Status describes whether the resource is available and with which attributes."
         }
       },
@@ -12985,11 +13435,11 @@
         {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       ]
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClaimConsumerReference": {
+    "io.k8s.api.resource.v1alpha2.ResourceClaimConsumerReference": {
       "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.",
       "properties": {
         "apiGroup": {
@@ -13016,7 +13466,7 @@
       ],
       "type": "object"
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClaimList": {
+    "io.k8s.api.resource.v1alpha2.ResourceClaimList": {
       "description": "ResourceClaimList is a collection of claims.",
       "properties": {
         "apiVersion": {
@@ -13026,7 +13476,7 @@
         "items": {
           "description": "Items is the list of resource claims.",
           "items": {
-            "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
           },
           "type": "array"
         },
@@ -13047,11 +13497,11 @@
         {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimList",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       ]
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClaimParametersReference": {
+    "io.k8s.api.resource.v1alpha2.ResourceClaimParametersReference": {
       "description": "ResourceClaimParametersReference contains enough information to let you locate the parameters for a ResourceClaim. The object must be in the same namespace as the ResourceClaim.",
       "properties": {
         "apiGroup": {
@@ -13073,7 +13523,7 @@
       ],
       "type": "object"
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClaimSchedulingStatus": {
+    "io.k8s.api.resource.v1alpha2.ResourceClaimSchedulingStatus": {
       "description": "ResourceClaimSchedulingStatus contains information about one particular ResourceClaim with \"WaitForFirstConsumer\" allocation mode.",
       "properties": {
         "name": {
@@ -13091,7 +13541,7 @@
       },
       "type": "object"
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClaimSpec": {
+    "io.k8s.api.resource.v1alpha2.ResourceClaimSpec": {
       "description": "ResourceClaimSpec defines how a resource is to be allocated.",
       "properties": {
         "allocationMode": {
@@ -13099,7 +13549,7 @@
           "type": "string"
         },
         "parametersRef": {
-          "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimParametersReference",
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimParametersReference",
           "description": "ParametersRef references a separate object with arbitrary parameters that will be used by the driver when allocating a resource for the claim.\n\nThe object must be in the same namespace as the ResourceClaim."
         },
         "resourceClassName": {
@@ -13112,12 +13562,12 @@
       ],
       "type": "object"
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClaimStatus": {
+    "io.k8s.api.resource.v1alpha2.ResourceClaimStatus": {
       "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the resulting attributes are.",
       "properties": {
         "allocation": {
-          "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.AllocationResult",
-          "description": "Allocation is set by the resource driver once a resource has been allocated successfully. If this is not specified, the resource is not yet allocated."
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.AllocationResult",
+          "description": "Allocation is set by the resource driver once a resource or set of resources has been allocated successfully. If this is not specified, the resources have not been allocated yet."
         },
         "deallocationRequested": {
           "description": "DeallocationRequested indicates that a ResourceClaim is to be deallocated.\n\nThe driver then must deallocate this claim and reset the field together with clearing the Allocation field.\n\nWhile DeallocationRequested is set, no new consumers may be added to ReservedFor.",
@@ -13130,15 +13580,18 @@
         "reservedFor": {
           "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started.\n\nThere can be at most 32 such reservations. This may get increased in the future, but not reduced.",
           "items": {
-            "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimConsumerReference"
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimConsumerReference"
           },
           "type": "array",
-          "x-kubernetes-list-type": "set"
+          "x-kubernetes-list-map-keys": [
+            "uid"
+          ],
+          "x-kubernetes-list-type": "map"
         }
       },
       "type": "object"
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClaimTemplate": {
+    "io.k8s.api.resource.v1alpha2.ResourceClaimTemplate": {
       "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.",
       "properties": {
         "apiVersion": {
@@ -13154,7 +13607,7 @@
           "description": "Standard object metadata"
         },
         "spec": {
-          "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplateSpec",
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplateSpec",
           "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore."
         }
       },
@@ -13166,11 +13619,11 @@
         {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplate",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       ]
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClaimTemplateList": {
+    "io.k8s.api.resource.v1alpha2.ResourceClaimTemplateList": {
       "description": "ResourceClaimTemplateList is a collection of claim templates.",
       "properties": {
         "apiVersion": {
@@ -13180,7 +13633,7 @@
         "items": {
           "description": "Items is the list of resource claim templates.",
           "items": {
-            "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
           },
           "type": "array"
         },
@@ -13201,11 +13654,11 @@
         {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplateList",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       ]
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClaimTemplateSpec": {
+    "io.k8s.api.resource.v1alpha2.ResourceClaimTemplateSpec": {
       "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.",
       "properties": {
         "metadata": {
@@ -13213,7 +13666,7 @@
           "description": "ObjectMeta may contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation."
         },
         "spec": {
-          "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimSpec",
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimSpec",
           "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here."
         }
       },
@@ -13222,7 +13675,7 @@
       ],
       "type": "object"
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClass": {
+    "io.k8s.api.resource.v1alpha2.ResourceClass": {
       "description": "ResourceClass is used by administrators to influence how resources are allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.",
       "properties": {
         "apiVersion": {
@@ -13242,7 +13695,7 @@
           "description": "Standard object metadata"
         },
         "parametersRef": {
-          "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClassParametersReference",
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClassParametersReference",
           "description": "ParametersRef references an arbitrary separate object that may hold parameters that will be used by the driver when allocating a resource that uses this class. A dynamic resource driver can distinguish between parameters stored here and and those stored in ResourceClaimSpec."
         },
         "suitableNodes": {
@@ -13258,11 +13711,11 @@
         {
           "group": "resource.k8s.io",
           "kind": "ResourceClass",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       ]
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClassList": {
+    "io.k8s.api.resource.v1alpha2.ResourceClassList": {
       "description": "ResourceClassList is a collection of classes.",
       "properties": {
         "apiVersion": {
@@ -13272,7 +13725,7 @@
         "items": {
           "description": "Items is the list of resource classes.",
           "items": {
-            "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
           },
           "type": "array"
         },
@@ -13293,11 +13746,11 @@
         {
           "group": "resource.k8s.io",
           "kind": "ResourceClassList",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       ]
     },
-    "io.k8s.api.resource.v1alpha1.ResourceClassParametersReference": {
+    "io.k8s.api.resource.v1alpha2.ResourceClassParametersReference": {
       "description": "ResourceClassParametersReference contains enough information to let you locate the parameters for a ResourceClass.",
       "properties": {
         "apiGroup": {
@@ -13323,6 +13776,20 @@
       ],
       "type": "object"
     },
+    "io.k8s.api.resource.v1alpha2.ResourceHandle": {
+      "description": "ResourceHandle holds opaque resource data for processing by a specific kubelet plugin.",
+      "properties": {
+        "data": {
+          "description": "Data contains the opaque data associated with this ResourceHandle. It is set by the controller component of the resource driver whose name matches the DriverName set in the ResourceClaimStatus this ResourceHandle is embedded in. It is set at allocation time and is intended for processing by the kubelet plugin whose name matches the DriverName set in this ResourceHandle.\n\nThe maximum size of this field is 16KiB. This may get increased in the future, but not reduced.",
+          "type": "string"
+        },
+        "driverName": {
+          "description": "DriverName specifies the name of the resource driver whose kubelet plugin should be invoked to process this ResourceHandle's data once it lands on a node. This may differ from the DriverName set in ResourceClaimStatus this ResourceHandle is embedded in.",
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
     "io.k8s.api.scheduling.v1.PriorityClass": {
       "description": "PriorityClass defines mapping from a priority class name to the priority integer value. The value can be any valid integer.",
       "properties": {
@@ -13347,11 +13814,11 @@
           "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
         },
         "preemptionPolicy": {
-          "description": "PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.",
+          "description": "preemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.",
           "type": "string"
         },
         "value": {
-          "description": "The value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.",
+          "description": "value represents the integer value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.",
           "format": "int32",
           "type": "integer"
         }
@@ -13420,7 +13887,7 @@
         },
         "spec": {
           "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriverSpec",
-          "description": "Specification of the CSI Driver."
+          "description": "spec represents the specification of the CSI Driver."
         }
       },
       "required": [
@@ -13478,27 +13945,27 @@
           "type": "boolean"
         },
         "fsGroupPolicy": {
-          "description": "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details.\n\nThis field is immutable.\n\nDefaults to ReadWriteOnceWithFSType, which will examine each volume to determine if Kubernetes should modify ownership and permissions of the volume. With the default policy the defined fsGroup will only be applied if a fstype is defined and the volume's access mode contains ReadWriteOnce.",
+          "description": "fsGroupPolicy defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details.\n\nThis field is immutable.\n\nDefaults to ReadWriteOnceWithFSType, which will examine each volume to determine if Kubernetes should modify ownership and permissions of the volume. With the default policy the defined fsGroup will only be applied if a fstype is defined and the volume's access mode contains ReadWriteOnce.",
           "type": "string"
         },
         "podInfoOnMount": {
-          "description": "If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" if the volume is an ephemeral inline volume\n                                defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.\n\nThis field is immutable.",
+          "description": "podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations, if set to true. If set to false, pod information will not be passed on mount. Default is false.\n\nThe CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext.\n\nThe following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" if the volume is an ephemeral inline volume\n                                defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.\n\nThis field is immutable.",
           "type": "boolean"
         },
         "requiresRepublish": {
-          "description": "RequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.",
+          "description": "requiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.",
           "type": "boolean"
         },
         "seLinuxMount": {
-          "description": "SELinuxMount specifies if the CSI driver supports \"-o context\" mount option.\n\nWhen \"true\", the CSI driver must ensure that all volumes provided by this CSI driver can be mounted separately with different `-o context` options. This is typical for storage backends that provide volumes as filesystems on block devices or as independent shared volumes. Kubernetes will call NodeStage / NodePublish with \"-o context=xyz\" mount option when mounting a ReadWriteOncePod volume used in Pod that has explicitly set SELinux context. In the future, it may be expanded to other volume AccessModes. In any case, Kubernetes will ensure that the volume is mounted only with a single SELinux context.\n\nWhen \"false\", Kubernetes won't pass any special SELinux mount options to the driver. This is typical for volumes that represent subdirectories of a bigger shared filesystem.\n\nDefault is \"false\".",
+          "description": "seLinuxMount specifies if the CSI driver supports \"-o context\" mount option.\n\nWhen \"true\", the CSI driver must ensure that all volumes provided by this CSI driver can be mounted separately with different `-o context` options. This is typical for storage backends that provide volumes as filesystems on block devices or as independent shared volumes. Kubernetes will call NodeStage / NodePublish with \"-o context=xyz\" mount option when mounting a ReadWriteOncePod volume used in Pod that has explicitly set SELinux context. In the future, it may be expanded to other volume AccessModes. In any case, Kubernetes will ensure that the volume is mounted only with a single SELinux context.\n\nWhen \"false\", Kubernetes won't pass any special SELinux mount options to the driver. This is typical for volumes that represent subdirectories of a bigger shared filesystem.\n\nDefault is \"false\".",
           "type": "boolean"
         },
         "storageCapacity": {
-          "description": "If set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis field was immutable in Kubernetes <= 1.22 and now is mutable.",
+          "description": "storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information, if set to true.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis field was immutable in Kubernetes <= 1.22 and now is mutable.",
           "type": "boolean"
         },
         "tokenRequests": {
-          "description": "TokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: \"csi.storage.k8s.io/serviceAccount.tokens\": {\n  \"\": {\n    \"token\": ,\n    \"expirationTimestamp\": ,\n  },\n  ...\n}\n\nNote: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.",
+          "description": "tokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: \"csi.storage.k8s.io/serviceAccount.tokens\": {\n  \"\": {\n    \"token\": ,\n    \"expirationTimestamp\": ,\n  },\n  ...\n}\n\nNote: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.storage.v1.TokenRequest"
           },
@@ -13506,7 +13973,7 @@
           "x-kubernetes-list-type": "atomic"
         },
         "volumeLifecycleModes": {
-          "description": "volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is \"Persistent\", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is \"Ephemeral\". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future. This field is beta.\n\nThis field is immutable.",
+          "description": "volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is \"Persistent\", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism.\n\nThe other mode is \"Ephemeral\". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume.\n\nFor more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future.\n\nThis field is beta. This field is immutable.",
           "items": {
             "type": "string"
           },
@@ -13529,7 +13996,7 @@
         },
         "metadata": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
-          "description": "metadata.name must be the Kubernetes node name."
+          "description": "Standard object's metadata. metadata.name must be the Kubernetes node name."
         },
         "spec": {
           "$ref": "#/definitions/io.k8s.api.storage.v1.CSINodeSpec",
@@ -13556,7 +14023,7 @@
           "description": "allocatable represents the volume resources of a node that are available for scheduling. This field is beta."
         },
         "name": {
-          "description": "This is the name of the CSI driver that this object refers to. This MUST be the same name returned by the CSI GetPluginName() call for that driver.",
+          "description": "name represents the name of the CSI driver that this object refers to. This MUST be the same name returned by the CSI GetPluginName() call for that driver.",
           "type": "string"
         },
         "nodeID": {
@@ -13639,7 +14106,7 @@
         },
         "capacity": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity",
-          "description": "Capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThe semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. If not set, that information is currently unavailable."
+          "description": "capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThe semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. If not set, that information is currently unavailable."
         },
         "kind": {
           "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -13647,18 +14114,18 @@
         },
         "maximumVolumeSize": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity",
-          "description": "MaximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThis is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim."
+          "description": "maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThis is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim."
         },
         "metadata": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
-          "description": "Standard object's metadata. The name has no particular meaning. It must be be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-, a generated name, or a reverse-domain name which ends with the unique CSI driver name.\n\nObjects are namespaced.\n\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
+          "description": "Standard object's metadata. The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-, a generated name, or a reverse-domain name which ends with the unique CSI driver name.\n\nObjects are namespaced.\n\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
         },
         "nodeTopology": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector",
-          "description": "NodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable."
+          "description": "nodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable."
         },
         "storageClassName": {
-          "description": "The name of the StorageClass that the reported capacity applies to. It must meet the same requirements as the name of a StorageClass object (non-empty, DNS subdomain). If that object no longer exists, the CSIStorageCapacity object is obsolete and should be removed by its creator. This field is immutable.",
+          "description": "storageClassName represents the name of the StorageClass that the reported capacity applies to. It must meet the same requirements as the name of a StorageClass object (non-empty, DNS subdomain). If that object no longer exists, the CSIStorageCapacity object is obsolete and should be removed by its creator. This field is immutable.",
           "type": "string"
         }
       },
@@ -13682,7 +14149,7 @@
           "type": "string"
         },
         "items": {
-          "description": "Items is the list of CSIStorageCapacity objects.",
+          "description": "items is the list of CSIStorageCapacity objects.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
           },
@@ -13717,11 +14184,11 @@
       "description": "StorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned.\n\nStorageClasses are non-namespaced; the name of the storage class according to etcd is in ObjectMeta.Name.",
       "properties": {
         "allowVolumeExpansion": {
-          "description": "AllowVolumeExpansion shows whether the storage class allow volume expand",
+          "description": "allowVolumeExpansion shows whether the storage class allow volume expand.",
           "type": "boolean"
         },
         "allowedTopologies": {
-          "description": "Restrict the node topologies where volumes can be dynamically provisioned. Each volume plugin defines its own supported topology specifications. An empty TopologySelectorTerm list means there is no topology restriction. This field is only honored by servers that enable the VolumeScheduling feature.",
+          "description": "allowedTopologies restrict the node topologies where volumes can be dynamically provisioned. Each volume plugin defines its own supported topology specifications. An empty TopologySelectorTerm list means there is no topology restriction. This field is only honored by servers that enable the VolumeScheduling feature.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.core.v1.TopologySelectorTerm"
           },
@@ -13741,7 +14208,7 @@
           "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
         },
         "mountOptions": {
-          "description": "Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. [\"ro\", \"soft\"]. Not validated - mount of the PVs will simply fail if one is invalid.",
+          "description": "mountOptions controls the mountOptions for dynamically provisioned PersistentVolumes of this storage class. e.g. [\"ro\", \"soft\"]. Not validated - mount of the PVs will simply fail if one is invalid.",
           "items": {
             "type": "string"
           },
@@ -13751,19 +14218,19 @@
           "additionalProperties": {
             "type": "string"
           },
-          "description": "Parameters holds the parameters for the provisioner that should create volumes of this storage class.",
+          "description": "parameters holds the parameters for the provisioner that should create volumes of this storage class.",
           "type": "object"
         },
         "provisioner": {
-          "description": "Provisioner indicates the type of the provisioner.",
+          "description": "provisioner indicates the type of the provisioner.",
           "type": "string"
         },
         "reclaimPolicy": {
-          "description": "Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.",
+          "description": "reclaimPolicy controls the reclaimPolicy for dynamically provisioned PersistentVolumes of this storage class. Defaults to Delete.",
           "type": "string"
         },
         "volumeBindingMode": {
-          "description": "VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound.  When unset, VolumeBindingImmediate is used. This field is only honored by servers that enable the VolumeScheduling feature.",
+          "description": "volumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound.  When unset, VolumeBindingImmediate is used. This field is only honored by servers that enable the VolumeScheduling feature.",
           "type": "string"
         }
       },
@@ -13787,7 +14254,7 @@
           "type": "string"
         },
         "items": {
-          "description": "Items is the list of StorageClasses",
+          "description": "items is the list of StorageClasses",
           "items": {
             "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
           },
@@ -13818,11 +14285,11 @@
       "description": "TokenRequest contains parameters of a service account token.",
       "properties": {
         "audience": {
-          "description": "Audience is the intended audience of the token in \"TokenRequestSpec\". It will default to the audiences of kube apiserver.",
+          "description": "audience is the intended audience of the token in \"TokenRequestSpec\". It will default to the audiences of kube apiserver.",
           "type": "string"
         },
         "expirationSeconds": {
-          "description": "ExpirationSeconds is the duration of validity of the token in \"TokenRequestSpec\". It has the same default value of \"ExpirationSeconds\" in \"TokenRequestSpec\".",
+          "description": "expirationSeconds is the duration of validity of the token in \"TokenRequestSpec\". It has the same default value of \"ExpirationSeconds\" in \"TokenRequestSpec\".",
           "format": "int64",
           "type": "integer"
         }
@@ -13849,11 +14316,11 @@
         },
         "spec": {
           "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachmentSpec",
-          "description": "Specification of the desired attach/detach volume behavior. Populated by the Kubernetes system."
+          "description": "spec represents specification of the desired attach/detach volume behavior. Populated by the Kubernetes system."
         },
         "status": {
           "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachmentStatus",
-          "description": "Status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher."
+          "description": "status represents status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher."
         }
       },
       "required": [
@@ -13876,7 +14343,7 @@
           "type": "string"
         },
         "items": {
-          "description": "Items is the list of VolumeAttachments",
+          "description": "items is the list of VolumeAttachments",
           "items": {
             "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
           },
@@ -13911,7 +14378,7 @@
           "description": "inlineVolumeSpec contains all the information necessary to attach a persistent volume defined by a pod's inline VolumeSource. This field is populated only for the CSIMigration feature. It contains translated fields from a pod's inline VolumeSource to a PersistentVolumeSpec. This field is beta-level and is only honored by servers that enabled the CSIMigration feature."
         },
         "persistentVolumeName": {
-          "description": "Name of the persistent volume to attach.",
+          "description": "persistentVolumeName represents the name of the persistent volume to attach.",
           "type": "string"
         }
       },
@@ -13921,16 +14388,16 @@
       "description": "VolumeAttachmentSpec is the specification of a VolumeAttachment request.",
       "properties": {
         "attacher": {
-          "description": "Attacher indicates the name of the volume driver that MUST handle this request. This is the name returned by GetPluginName().",
+          "description": "attacher indicates the name of the volume driver that MUST handle this request. This is the name returned by GetPluginName().",
           "type": "string"
         },
         "nodeName": {
-          "description": "The node that the volume should be attached to.",
+          "description": "nodeName represents the node that the volume should be attached to.",
           "type": "string"
         },
         "source": {
           "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachmentSource",
-          "description": "Source represents the volume that should be attached."
+          "description": "source represents the volume that should be attached."
         }
       },
       "required": [
@@ -13945,22 +14412,22 @@
       "properties": {
         "attachError": {
           "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeError",
-          "description": "The last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher."
+          "description": "attachError represents the last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher."
         },
         "attached": {
-          "description": "Indicates the volume is successfully attached. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.",
+          "description": "attached indicates the volume is successfully attached. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.",
           "type": "boolean"
         },
         "attachmentMetadata": {
           "additionalProperties": {
             "type": "string"
           },
-          "description": "Upon successful attach, this field is populated with any information returned by the attach operation that must be passed into subsequent WaitForAttach or Mount calls. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.",
+          "description": "attachmentMetadata is populated with any information returned by the attach operation, upon successful attach, that must be passed into subsequent WaitForAttach or Mount calls. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.",
           "type": "object"
         },
         "detachError": {
           "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeError",
-          "description": "The last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher."
+          "description": "detachError represents the last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher."
         }
       },
       "required": [
@@ -13972,12 +14439,12 @@
       "description": "VolumeError captures an error encountered during a volume operation.",
       "properties": {
         "message": {
-          "description": "String detailing the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.",
+          "description": "message represents the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.",
           "type": "string"
         },
         "time": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time",
-          "description": "Time the error was encountered."
+          "description": "time represents the time the error was encountered."
         }
       },
       "type": "object"
@@ -13986,96 +14453,13 @@
       "description": "VolumeNodeResources is a set of resource limits for scheduling of volumes.",
       "properties": {
         "count": {
-          "description": "Maximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. If this field is not specified, then the supported number of volumes on this node is unbounded.",
+          "description": "count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. If this field is not specified, then the supported number of volumes on this node is unbounded.",
           "format": "int32",
           "type": "integer"
         }
       },
       "type": "object"
     },
-    "io.k8s.api.storage.v1beta1.CSIStorageCapacity": {
-      "description": "CSIStorageCapacity stores the result of one CSI GetCapacity call. For a given StorageClass, this describes the available capacity in a particular topology segment.  This can be used when considering where to instantiate new PersistentVolumes.\n\nFor example this can express things like: - StorageClass \"standard\" has \"1234 GiB\" available in \"topology.kubernetes.io/zone=us-east1\" - StorageClass \"localssd\" has \"10 GiB\" available in \"kubernetes.io/hostname=knode-abc123\"\n\nThe following three cases all imply that no capacity is available for a certain combination: - no object exists with suitable topology and storage class name - such an object exists, but the capacity is unset - such an object exists, but the capacity is zero\n\nThe producer of these objects can decide which approach is more suitable.\n\nThey are consumed by the kube-scheduler when a CSI driver opts into capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler compares the MaximumVolumeSize against the requested size of pending volumes to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back to a comparison against the less precise Capacity. If that is also unset, the scheduler assumes that capacity is insufficient and tries some other node.",
-      "properties": {
-        "apiVersion": {
-          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-          "type": "string"
-        },
-        "capacity": {
-          "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity",
-          "description": "Capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThe semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. If not set, that information is currently unavailable."
-        },
-        "kind": {
-          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-          "type": "string"
-        },
-        "maximumVolumeSize": {
-          "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity",
-          "description": "MaximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThis is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim."
-        },
-        "metadata": {
-          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
-          "description": "Standard object's metadata. The name has no particular meaning. It must be be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-, a generated name, or a reverse-domain name which ends with the unique CSI driver name.\n\nObjects are namespaced.\n\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
-        },
-        "nodeTopology": {
-          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector",
-          "description": "NodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable."
-        },
-        "storageClassName": {
-          "description": "The name of the StorageClass that the reported capacity applies to. It must meet the same requirements as the name of a StorageClass object (non-empty, DNS subdomain). If that object no longer exists, the CSIStorageCapacity object is obsolete and should be removed by its creator. This field is immutable.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "storageClassName"
-      ],
-      "type": "object",
-      "x-kubernetes-group-version-kind": [
-        {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1beta1"
-        }
-      ]
-    },
-    "io.k8s.api.storage.v1beta1.CSIStorageCapacityList": {
-      "description": "CSIStorageCapacityList is a collection of CSIStorageCapacity objects.",
-      "properties": {
-        "apiVersion": {
-          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-          "type": "string"
-        },
-        "items": {
-          "description": "Items is the list of CSIStorageCapacity objects.",
-          "items": {
-            "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity"
-          },
-          "type": "array",
-          "x-kubernetes-list-map-keys": [
-            "name"
-          ],
-          "x-kubernetes-list-type": "map"
-        },
-        "kind": {
-          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-          "type": "string"
-        },
-        "metadata": {
-          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta",
-          "description": "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
-        }
-      },
-      "required": [
-        "items"
-      ],
-      "type": "object",
-      "x-kubernetes-group-version-kind": [
-        {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacityList",
-          "version": "v1beta1"
-        }
-      ]
-    },
     "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceColumnDefinition": {
       "description": "CustomResourceColumnDefinition specifies a column for server side printing.",
       "properties": {
@@ -14116,12 +14500,12 @@
       "description": "CustomResourceConversion describes how to convert different versions of a CR.",
       "properties": {
         "strategy": {
-          "description": "strategy specifies how custom resources are converted between versions. Allowed values are: - `None`: The converter only change the apiVersion and would not touch any other field in the custom resource. - `Webhook`: API Server will call to an external webhook to do the conversion. Additional information\n  is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.",
+          "description": "strategy specifies how custom resources are converted between versions. Allowed values are: - `\"None\"`: The converter only change the apiVersion and would not touch any other field in the custom resource. - `\"Webhook\"`: API Server will call to an external webhook to do the conversion. Additional information\n  is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.",
           "type": "string"
         },
         "webhook": {
           "$ref": "#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookConversion",
-          "description": "webhook describes how to call the conversion webhook. Required when `strategy` is set to `Webhook`."
+          "description": "webhook describes how to call the conversion webhook. Required when `strategy` is set to `\"Webhook\"`."
         }
       },
       "required": [
@@ -14686,6 +15070,10 @@
           "description": "Message represents the message displayed when validation fails. The message is required if the Rule contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\"",
           "type": "string"
         },
+        "messageExpression": {
+          "description": "MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a rule, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the rule; the only difference is the return type. Example: \"x must be less than max (\"+string(self.max)+\")\"",
+          "type": "string"
+        },
         "rule": {
           "description": "Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the x-kubernetes-validations extension in the schema. The `self` variable in the CEL expression is bound to the scoped value. Example: - Rule scoped to the root of a resource with a status subresource: {\"rule\": \"self.status.actual <= self.spec.maxDesired\"}\n\nIf the Rule is scoped to an object with properties, the accessible properties of the object are field selectable via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as absent fields in CEL expressions. If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map are accessible via CEL macros and functions such as `self.all(...)`. If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and functions. If the Rule is scoped to a scalar, `self` is bound to the scalar value. Examples: - Rule scoped to a map of objects: {\"rule\": \"self.components['Widget'].priority < 10\"} - Rule scoped to a list of integers: {\"rule\": \"self.values.all(value, value >= 0 && value < 100)\"} - Rule scoped to a string value: {\"rule\": \"self.startsWith('kube')\"}\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.\n\nUnknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL expressions. This includes: - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields. - Object properties where the property schema is of an \"unknown type\". An \"unknown type\" is recursively defined as:\n  - A schema with no type and x-kubernetes-preserve-unknown-fields set to true\n  - An array where the items schema is of an \"unknown type\"\n  - An object where the additionalProperties schema is of an \"unknown type\"\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Rule accessing a property named \"namespace\": {\"rule\": \"self.__namespace__ > 0\"}\n  - Rule accessing a property named \"x-prop\": {\"rule\": \"self.x__dash__prop > 0\"}\n  - Rule accessing a property named \"redact__d\": {\"rule\": \"self.redact__underscores__d > 0\"}\n\nEquality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.",
           "type": "string"
@@ -15155,6 +15543,11 @@
           "kind": "DeleteOptions",
           "version": "v1"
         },
+        {
+          "group": "certificates.k8s.io",
+          "kind": "DeleteOptions",
+          "version": "v1alpha1"
+        },
         {
           "group": "certificates.k8s.io",
           "kind": "DeleteOptions",
@@ -15283,7 +15676,7 @@
         {
           "group": "resource.k8s.io",
           "kind": "DeleteOptions",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         },
         {
           "group": "scheduling.k8s.io",
@@ -15456,7 +15849,7 @@
           "additionalProperties": {
             "type": "string"
           },
-          "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations",
+          "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations",
           "type": "object"
         },
         "creationTimestamp": {
@@ -15493,7 +15886,7 @@
           "additionalProperties": {
             "type": "string"
           },
-          "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels",
+          "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels",
           "type": "object"
         },
         "managedFields": {
@@ -15504,11 +15897,11 @@
           "type": "array"
         },
         "name": {
-          "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names",
+          "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names",
           "type": "string"
         },
         "namespace": {
-          "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces",
+          "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces",
           "type": "string"
         },
         "ownerReferences": {
@@ -15529,7 +15922,7 @@
           "type": "string"
         },
         "uid": {
-          "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids",
+          "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
           "type": "string"
         }
       },
@@ -15555,11 +15948,11 @@
           "type": "string"
         },
         "name": {
-          "description": "Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names",
+          "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names",
           "type": "string"
         },
         "uid": {
-          "description": "UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids",
+          "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
           "type": "string"
         }
       },
@@ -15655,7 +16048,7 @@
         {
           "group": "resource.k8s.io",
           "kind": "Status",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       ]
     },
@@ -15705,7 +16098,7 @@
           "type": "integer"
         },
         "uid": {
-          "description": "UID of the resource. (when there is a single resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids",
+          "description": "UID of the resource. (when there is a single resource which can be described). More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
           "type": "string"
         }
       },
@@ -15858,6 +16251,11 @@
           "kind": "WatchEvent",
           "version": "v1"
         },
+        {
+          "group": "certificates.k8s.io",
+          "kind": "WatchEvent",
+          "version": "v1alpha1"
+        },
         {
           "group": "certificates.k8s.io",
           "kind": "WatchEvent",
@@ -15986,7 +16384,7 @@
         {
           "group": "resource.k8s.io",
           "kind": "WatchEvent",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         },
         {
           "group": "scheduling.k8s.io",
@@ -16444,6 +16842,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -16609,6 +17014,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -16720,6 +17132,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -16831,6 +17250,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -16942,6 +17368,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -17015,6 +17448,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -17100,7 +17540,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -17166,7 +17606,7 @@
           "uniqueItems": true
         },
         {
-          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
           "in": "query",
           "name": "fieldValidation",
           "type": "string",
@@ -17331,6 +17771,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -17424,6 +17871,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -17517,7 +17971,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -17738,7 +18192,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -17817,7 +18271,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -17945,6 +18399,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -18038,6 +18499,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -18131,7 +18599,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -18352,7 +18820,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -18431,7 +18899,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -18559,6 +19027,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -18652,6 +19127,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -18745,7 +19227,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -18966,7 +19448,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -19045,7 +19527,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -19173,6 +19655,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -19266,6 +19755,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -19359,7 +19855,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -19580,7 +20076,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -19659,7 +20155,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -19787,6 +20283,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -19880,6 +20383,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -19973,7 +20483,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -20194,7 +20704,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -20273,7 +20783,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -20410,7 +20920,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -20489,7 +20999,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -20617,6 +21127,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -20710,6 +21227,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -20803,7 +21327,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -21024,7 +21548,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -21103,7 +21627,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -21284,7 +21808,7 @@
           "uniqueItems": true
         },
         {
-          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
           "in": "query",
           "name": "fieldValidation",
           "type": "string",
@@ -21466,7 +21990,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -21545,7 +22069,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -21605,7 +22129,7 @@
           "uniqueItems": true
         },
         {
-          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
           "in": "query",
           "name": "fieldValidation",
           "type": "string",
@@ -22651,7 +23175,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -22730,7 +23254,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -22858,6 +23382,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -22951,6 +23482,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -23044,7 +23582,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -23265,7 +23803,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -23344,7 +23882,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -23472,6 +24010,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -23565,6 +24110,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -23658,7 +24210,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -23879,7 +24431,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -23958,7 +24510,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -24095,7 +24647,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -24174,7 +24726,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -24311,7 +24863,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -24390,7 +24942,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -24518,6 +25070,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -24611,6 +25170,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -24704,7 +25270,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -24925,7 +25491,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -25004,7 +25570,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -25141,7 +25707,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -25220,7 +25786,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -25348,6 +25914,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -25441,6 +26014,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -25534,7 +26114,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -25755,7 +26335,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -25834,7 +26414,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -25962,6 +26542,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -26055,6 +26642,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -26148,7 +26742,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -26369,7 +26963,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -26448,7 +27042,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -26508,7 +27102,7 @@
           "uniqueItems": true
         },
         {
-          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
           "in": "query",
           "name": "fieldValidation",
           "type": "string",
@@ -26681,6 +27275,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -26774,6 +27375,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -26867,7 +27475,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -27088,7 +27696,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -27167,7 +27775,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -27828,7 +28436,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -27907,7 +28515,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -28114,7 +28722,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -28193,7 +28801,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -28253,7 +28861,7 @@
           "uniqueItems": true
         },
         {
-          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
           "in": "query",
           "name": "fieldValidation",
           "type": "string",
@@ -28413,7 +29021,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -28492,7 +29100,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -28620,6 +29228,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -28713,6 +29328,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -28798,7 +29420,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -29011,7 +29633,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -29090,7 +29712,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -29727,7 +30349,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -29806,7 +30428,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -29944,6 +30566,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -30045,6 +30674,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -30138,6 +30774,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -30223,7 +30866,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -30436,7 +31079,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -30515,7 +31158,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -30644,7 +31287,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -30723,7 +31366,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -30861,6 +31504,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -30972,6 +31622,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -31083,6 +31740,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -31194,6 +31858,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -31305,6 +31976,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -31416,6 +32094,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -31527,6 +32212,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -31638,6 +32330,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -31749,6 +32448,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -31860,6 +32566,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -31971,6 +32684,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -32082,6 +32802,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -32201,6 +32928,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -32328,6 +33062,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -32447,6 +33188,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -32574,6 +33322,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -32693,6 +33448,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -32820,6 +33582,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -32939,6 +33708,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -33066,6 +33842,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -33185,6 +33968,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -33312,6 +34102,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -33431,6 +34228,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -33558,6 +34362,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -33677,6 +34488,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -33804,6 +34622,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -33923,6 +34748,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -34050,6 +34882,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -34169,6 +35008,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -34296,6 +35142,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -34415,6 +35268,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -34542,6 +35402,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -34661,6 +35528,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -34788,6 +35662,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -34907,6 +35788,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -35034,6 +35922,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -35153,6 +36048,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -35264,6 +36166,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -35383,6 +36292,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -35494,6 +36410,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -35605,6 +36528,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -35724,6 +36654,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -35835,6 +36772,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -35946,6 +36890,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -36057,6 +37008,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -36168,6 +37126,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -36279,6 +37244,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -36390,6 +37362,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -36501,6 +37480,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -36701,6 +37687,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -36794,6 +37787,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -36879,7 +37879,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -37092,7 +38092,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -37171,7 +38171,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -37299,6 +38299,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -37392,6 +38399,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -37477,7 +38491,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -37690,7 +38704,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -37769,7 +38783,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -37907,6 +38921,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -38026,6 +39047,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -38137,6 +39165,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -38256,6 +39291,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -38390,6 +39432,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -38483,6 +39532,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -38568,7 +39624,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -38781,7 +39837,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -38860,7 +39916,215 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "admissionregistration_v1alpha1"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "admissionregistration.k8s.io",
+          "kind": "ValidatingAdmissionPolicy",
+          "version": "v1alpha1"
+        }
+      }
+    },
+    "/apis/admissionregistration.k8s.io/v1alpha1/validatingadmissionpolicies/{name}/status": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "read status of the specified ValidatingAdmissionPolicy",
+        "operationId": "readAdmissionregistrationV1alpha1ValidatingAdmissionPolicyStatus",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "admissionregistration_v1alpha1"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "admissionregistration.k8s.io",
+          "kind": "ValidatingAdmissionPolicy",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the ValidatingAdmissionPolicy",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "If 'true', then the output is pretty printed.",
+          "in": "query",
+          "name": "pretty",
+          "type": "string",
+          "uniqueItems": true
+        }
+      ],
+      "patch": {
+        "consumes": [
+          "application/json-patch+json",
+          "application/merge-patch+json",
+          "application/strategic-merge-patch+json",
+          "application/apply-patch+yaml"
+        ],
+        "description": "partially update status of the specified ValidatingAdmissionPolicy",
+        "operationId": "patchAdmissionregistrationV1alpha1ValidatingAdmissionPolicyStatus",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
+            "in": "query",
+            "name": "fieldManager",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
+            "in": "query",
+            "name": "force",
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "admissionregistration_v1alpha1"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "admissionregistration.k8s.io",
+          "kind": "ValidatingAdmissionPolicy",
+          "version": "v1alpha1"
+        }
+      },
+      "put": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "replace status of the specified ValidatingAdmissionPolicy",
+        "operationId": "replaceAdmissionregistrationV1alpha1ValidatingAdmissionPolicyStatus",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -38988,6 +40252,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -39081,6 +40352,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -39166,7 +40444,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -39379,7 +40657,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -39458,7 +40736,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -39596,6 +40874,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -39715,6 +41000,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -39826,6 +41118,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -39945,6 +41244,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -40112,6 +41418,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -40205,6 +41518,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -40290,7 +41610,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -40503,7 +41823,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -40582,7 +41902,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -40711,7 +42031,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -40790,7 +42110,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -40928,6 +42248,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -41047,6 +42374,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -41214,6 +42548,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -41307,6 +42648,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -41392,7 +42740,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -41605,7 +42953,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -41684,7 +43032,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -41813,7 +43161,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -41892,7 +43240,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -42030,6 +43378,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -42149,6 +43504,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -42326,6 +43688,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -42437,6 +43806,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -42548,6 +43924,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -42649,6 +44032,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -42742,6 +44132,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -42835,7 +44232,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -43056,7 +44453,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -43135,7 +44532,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -43263,6 +44660,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -43356,6 +44760,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -43449,7 +44860,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -43670,7 +45081,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -43749,7 +45160,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -43886,7 +45297,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -43965,7 +45376,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -44093,6 +45504,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -44186,6 +45604,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -44279,7 +45704,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -44500,7 +45925,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -44579,7 +46004,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -44716,7 +46141,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -44795,7 +46220,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -44932,7 +46357,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -45011,7 +46436,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -45139,6 +46564,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -45232,6 +46664,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -45325,7 +46764,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -45546,7 +46985,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -45625,7 +47064,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -45762,7 +47201,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -45841,7 +47280,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -45978,7 +47417,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -46057,7 +47496,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -46185,6 +47624,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -46278,6 +47724,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -46371,7 +47824,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -46592,7 +48045,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -46671,7 +48124,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -46808,7 +48261,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -46887,7 +48340,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -47024,7 +48477,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -47103,7 +48556,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -47241,6 +48694,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -47352,6 +48812,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -47463,6 +48930,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -47574,6 +49048,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -47685,6 +49166,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -47804,6 +49292,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -47931,6 +49426,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -48050,6 +49552,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -48177,6 +49686,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -48296,6 +49812,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -48423,6 +49946,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -48542,6 +50072,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -48669,6 +50206,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -48788,6 +50332,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -48915,6 +50466,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -49026,6 +50584,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -49137,6 +50702,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -49236,7 +50808,7 @@
           "uniqueItems": true
         },
         {
-          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
           "in": "query",
           "name": "fieldValidation",
           "type": "string",
@@ -49358,7 +50930,7 @@
           "uniqueItems": true
         },
         {
-          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
           "in": "query",
           "name": "fieldValidation",
           "type": "string",
@@ -49430,6 +51002,128 @@
         }
       }
     },
+    "/apis/authentication.k8s.io/v1beta1/": {
+      "get": {
+        "consumes": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "description": "get available resources",
+        "operationId": "getAuthenticationV1beta1APIResources",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "authentication_v1beta1"
+        ]
+      }
+    },
+    "/apis/authentication.k8s.io/v1beta1/selfsubjectreviews": {
+      "parameters": [
+        {
+          "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+          "in": "query",
+          "name": "dryRun",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+          "in": "query",
+          "name": "fieldManager",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+          "in": "query",
+          "name": "fieldValidation",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "If 'true', then the output is pretty printed.",
+          "in": "query",
+          "name": "pretty",
+          "type": "string",
+          "uniqueItems": true
+        }
+      ],
+      "post": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "create a SelfSubjectReview",
+        "operationId": "createAuthenticationV1beta1SelfSubjectReview",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.authentication.v1beta1.SelfSubjectReview"
+            }
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.authentication.v1beta1.SelfSubjectReview"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.authentication.v1beta1.SelfSubjectReview"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.authentication.v1beta1.SelfSubjectReview"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "authentication_v1beta1"
+        ],
+        "x-kubernetes-action": "post",
+        "x-kubernetes-group-version-kind": {
+          "group": "authentication.k8s.io",
+          "kind": "SelfSubjectReview",
+          "version": "v1beta1"
+        }
+      }
+    },
     "/apis/authorization.k8s.io/": {
       "get": {
         "consumes": [
@@ -49513,7 +51207,7 @@
           "uniqueItems": true
         },
         {
-          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
           "in": "query",
           "name": "fieldValidation",
           "type": "string",
@@ -49610,7 +51304,7 @@
           "uniqueItems": true
         },
         {
-          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
           "in": "query",
           "name": "fieldValidation",
           "type": "string",
@@ -49699,7 +51393,7 @@
           "uniqueItems": true
         },
         {
-          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
           "in": "query",
           "name": "fieldValidation",
           "type": "string",
@@ -49788,7 +51482,7 @@
           "uniqueItems": true
         },
         {
-          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+          "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
           "in": "query",
           "name": "fieldValidation",
           "type": "string",
@@ -50021,6 +51715,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -50122,6 +51823,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -50215,6 +51923,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -50308,7 +52023,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -50529,7 +52244,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -50608,7 +52323,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -50745,7 +52460,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -50824,7 +52539,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -50962,6 +52677,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -51081,6 +52803,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -51208,6 +52937,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -51352,6 +53088,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -51453,6 +53196,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -51546,6 +53296,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -51639,7 +53396,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -51860,7 +53617,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -51939,7 +53696,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -52076,7 +53833,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -52155,7 +53912,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -52293,6 +54050,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -52412,6 +54176,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -52539,6 +54310,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -52716,6 +54494,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -52827,6 +54612,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -52928,6 +54720,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -53021,6 +54820,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -53114,7 +54920,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -53335,7 +55141,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -53414,7 +55220,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -53551,7 +55357,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -53630,7 +55436,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -53758,6 +55564,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -53851,6 +55664,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -53944,7 +55764,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -54165,7 +55985,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -54244,7 +56064,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -54381,7 +56201,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -54460,7 +56280,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -54598,6 +56418,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -54709,6 +56536,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -54828,6 +56662,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -54955,6 +56796,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -55074,6 +56922,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -55201,6 +57056,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -55368,6 +57230,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -55461,6 +57330,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -55546,7 +57422,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -55759,7 +57635,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -55838,7 +57714,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -55967,7 +57843,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -56046,7 +57922,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -56175,7 +58051,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -56254,7 +58130,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -56392,6 +58268,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -56511,6 +58394,902 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "type": "integer",
+          "uniqueItems": true
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "type": "boolean",
+          "uniqueItems": true
+        }
+      ]
+    },
+    "/apis/certificates.k8s.io/v1alpha1/": {
+      "get": {
+        "consumes": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "description": "get available resources",
+        "operationId": "getCertificatesV1alpha1APIResources",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1alpha1"
+        ]
+      }
+    },
+    "/apis/certificates.k8s.io/v1alpha1/clustertrustbundles": {
+      "delete": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "delete collection of ClusterTrustBundle",
+        "operationId": "deleteCertificatesV1alpha1CollectionClusterTrustBundle",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+            }
+          },
+          {
+            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+            "in": "query",
+            "name": "continue",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+            "in": "query",
+            "name": "fieldSelector",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "in": "query",
+            "name": "gracePeriodSeconds",
+            "type": "integer",
+            "uniqueItems": true
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+            "in": "query",
+            "name": "labelSelector",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+            "in": "query",
+            "name": "limit",
+            "type": "integer",
+            "uniqueItems": true
+          },
+          {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "in": "query",
+            "name": "orphanDependents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
+          {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "in": "query",
+            "name": "propagationPolicy",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersion",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersionMatch",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
+          {
+            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+            "in": "query",
+            "name": "timeoutSeconds",
+            "type": "integer",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1alpha1"
+        ],
+        "x-kubernetes-action": "deletecollection",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1alpha1"
+        }
+      },
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "list or watch objects of kind ClusterTrustBundle",
+        "operationId": "listCertificatesV1alpha1ClusterTrustBundle",
+        "parameters": [
+          {
+            "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+            "in": "query",
+            "name": "allowWatchBookmarks",
+            "type": "boolean",
+            "uniqueItems": true
+          },
+          {
+            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+            "in": "query",
+            "name": "continue",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+            "in": "query",
+            "name": "fieldSelector",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+            "in": "query",
+            "name": "labelSelector",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+            "in": "query",
+            "name": "limit",
+            "type": "integer",
+            "uniqueItems": true
+          },
+          {
+            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersion",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersionMatch",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
+          {
+            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+            "in": "query",
+            "name": "timeoutSeconds",
+            "type": "integer",
+            "uniqueItems": true
+          },
+          {
+            "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+            "in": "query",
+            "name": "watch",
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleList"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1alpha1"
+        ],
+        "x-kubernetes-action": "list",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "If 'true', then the output is pretty printed.",
+          "in": "query",
+          "name": "pretty",
+          "type": "string",
+          "uniqueItems": true
+        }
+      ],
+      "post": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "create a ClusterTrustBundle",
+        "operationId": "createCertificatesV1alpha1ClusterTrustBundle",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1alpha1"
+        ],
+        "x-kubernetes-action": "post",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1alpha1"
+        }
+      }
+    },
+    "/apis/certificates.k8s.io/v1alpha1/clustertrustbundles/{name}": {
+      "delete": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "delete a ClusterTrustBundle",
+        "operationId": "deleteCertificatesV1alpha1ClusterTrustBundle",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "in": "query",
+            "name": "gracePeriodSeconds",
+            "type": "integer",
+            "uniqueItems": true
+          },
+          {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "in": "query",
+            "name": "orphanDependents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
+          {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "in": "query",
+            "name": "propagationPolicy",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1alpha1"
+        ],
+        "x-kubernetes-action": "delete",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1alpha1"
+        }
+      },
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "read the specified ClusterTrustBundle",
+        "operationId": "readCertificatesV1alpha1ClusterTrustBundle",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1alpha1"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the ClusterTrustBundle",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "If 'true', then the output is pretty printed.",
+          "in": "query",
+          "name": "pretty",
+          "type": "string",
+          "uniqueItems": true
+        }
+      ],
+      "patch": {
+        "consumes": [
+          "application/json-patch+json",
+          "application/merge-patch+json",
+          "application/strategic-merge-patch+json",
+          "application/apply-patch+yaml"
+        ],
+        "description": "partially update the specified ClusterTrustBundle",
+        "operationId": "patchCertificatesV1alpha1ClusterTrustBundle",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
+            "in": "query",
+            "name": "fieldManager",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
+            "in": "query",
+            "name": "force",
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1alpha1"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1alpha1"
+        }
+      },
+      "put": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "replace the specified ClusterTrustBundle",
+        "operationId": "replaceCertificatesV1alpha1ClusterTrustBundle",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1alpha1"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1alpha1"
+        }
+      }
+    },
+    "/apis/certificates.k8s.io/v1alpha1/watch/clustertrustbundles": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "watch individual changes to a list of ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchCertificatesV1alpha1ClusterTrustBundleList",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1alpha1"
+        ],
+        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "type": "boolean",
+          "uniqueItems": true
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "type": "integer",
+          "uniqueItems": true
+        },
+        {
+          "description": "If 'true', then the output is pretty printed.",
+          "in": "query",
+          "name": "pretty",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "type": "integer",
+          "uniqueItems": true
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "type": "boolean",
+          "uniqueItems": true
+        }
+      ]
+    },
+    "/apis/certificates.k8s.io/v1alpha1/watch/clustertrustbundles/{name}": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "watch changes to an object of kind ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchCertificatesV1alpha1ClusterTrustBundle",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1alpha1"
+        ],
+        "x-kubernetes-action": "watch",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "type": "boolean",
+          "uniqueItems": true
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "type": "integer",
+          "uniqueItems": true
+        },
+        {
+          "description": "name of the ClusterTrustBundle",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "If 'true', then the output is pretty printed.",
+          "in": "query",
+          "name": "pretty",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -56688,6 +59467,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -56789,6 +59575,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -56882,6 +59675,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -56975,7 +59775,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -57196,7 +59996,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -57275,7 +60075,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -57413,6 +60213,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -57532,6 +60339,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -57659,6 +60473,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -57836,6 +60657,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -57937,6 +60765,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -58030,6 +60865,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -58123,7 +60965,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -58344,7 +61186,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -58423,7 +61265,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -58561,6 +61403,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -58680,6 +61529,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -58807,6 +61663,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -58984,6 +61847,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -59085,6 +61955,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -59178,6 +62055,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -59271,7 +62155,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -59492,7 +62376,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -59571,7 +62455,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -59709,6 +62593,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -59828,6 +62719,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -59955,6 +62853,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -60122,6 +63027,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -60215,6 +63127,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -60300,7 +63219,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -60513,7 +63432,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -60592,7 +63511,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -60721,7 +63640,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -60800,7 +63719,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -60928,6 +63847,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -61021,6 +63947,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -61106,7 +64039,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -61319,7 +64252,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -61398,7 +64331,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -61527,7 +64460,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -61606,7 +64539,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -61744,6 +64677,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -61863,6 +64803,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -61974,6 +64921,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -62093,6 +65047,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -62227,6 +65188,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -62320,6 +65288,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -62405,7 +65380,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -62618,7 +65593,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -62697,7 +65672,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -62826,7 +65801,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -62905,7 +65880,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -63033,6 +66008,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -63126,6 +66108,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -63211,7 +66200,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -63424,7 +66413,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -63503,7 +66492,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -63632,7 +66621,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -63711,7 +66700,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -63849,6 +66838,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -63968,6 +66964,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -64079,6 +67082,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -64198,6 +67208,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -64365,6 +67382,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -64458,6 +67482,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -64543,7 +67574,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -64756,7 +67787,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -64835,7 +67866,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -64964,7 +67995,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -65043,7 +68074,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -65181,6 +68212,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -65300,6 +68338,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -65467,6 +68512,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -65560,6 +68612,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -65645,7 +68704,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -65858,7 +68917,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -65937,7 +68996,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -66075,6 +69134,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -66176,6 +69242,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -66269,6 +69342,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -66362,7 +69442,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -66583,7 +69663,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -66662,7 +69742,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -66799,7 +69879,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -66878,7 +69958,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -67006,6 +70086,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -67099,6 +70186,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -67192,7 +70286,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -67413,7 +70507,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -67492,7 +70586,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -67629,7 +70723,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -67708,7 +70802,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -67846,6 +70940,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -67957,6 +71058,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -68076,6 +71184,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -68187,6 +71302,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -68306,6 +71428,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -68433,6 +71562,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -68552,6 +71688,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -68679,6 +71822,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -68790,6 +71940,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -68924,6 +72081,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -69017,6 +72181,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -69102,7 +72273,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -69315,7 +72486,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -69394,7 +72565,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -69437,6 +72608,618 @@
         }
       }
     },
+    "/apis/networking.k8s.io/v1alpha1/ipaddresses": {
+      "delete": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "delete collection of IPAddress",
+        "operationId": "deleteNetworkingV1alpha1CollectionIPAddress",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+            }
+          },
+          {
+            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+            "in": "query",
+            "name": "continue",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+            "in": "query",
+            "name": "fieldSelector",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "in": "query",
+            "name": "gracePeriodSeconds",
+            "type": "integer",
+            "uniqueItems": true
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+            "in": "query",
+            "name": "labelSelector",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+            "in": "query",
+            "name": "limit",
+            "type": "integer",
+            "uniqueItems": true
+          },
+          {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "in": "query",
+            "name": "orphanDependents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
+          {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "in": "query",
+            "name": "propagationPolicy",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersion",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersionMatch",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
+          {
+            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+            "in": "query",
+            "name": "timeoutSeconds",
+            "type": "integer",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "networking_v1alpha1"
+        ],
+        "x-kubernetes-action": "deletecollection",
+        "x-kubernetes-group-version-kind": {
+          "group": "networking.k8s.io",
+          "kind": "IPAddress",
+          "version": "v1alpha1"
+        }
+      },
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "list or watch objects of kind IPAddress",
+        "operationId": "listNetworkingV1alpha1IPAddress",
+        "parameters": [
+          {
+            "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+            "in": "query",
+            "name": "allowWatchBookmarks",
+            "type": "boolean",
+            "uniqueItems": true
+          },
+          {
+            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+            "in": "query",
+            "name": "continue",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+            "in": "query",
+            "name": "fieldSelector",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+            "in": "query",
+            "name": "labelSelector",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+            "in": "query",
+            "name": "limit",
+            "type": "integer",
+            "uniqueItems": true
+          },
+          {
+            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersion",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersionMatch",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
+          {
+            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+            "in": "query",
+            "name": "timeoutSeconds",
+            "type": "integer",
+            "uniqueItems": true
+          },
+          {
+            "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+            "in": "query",
+            "name": "watch",
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddressList"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "networking_v1alpha1"
+        ],
+        "x-kubernetes-action": "list",
+        "x-kubernetes-group-version-kind": {
+          "group": "networking.k8s.io",
+          "kind": "IPAddress",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "If 'true', then the output is pretty printed.",
+          "in": "query",
+          "name": "pretty",
+          "type": "string",
+          "uniqueItems": true
+        }
+      ],
+      "post": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "create an IPAddress",
+        "operationId": "createNetworkingV1alpha1IPAddress",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddress"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddress"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddress"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddress"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "networking_v1alpha1"
+        ],
+        "x-kubernetes-action": "post",
+        "x-kubernetes-group-version-kind": {
+          "group": "networking.k8s.io",
+          "kind": "IPAddress",
+          "version": "v1alpha1"
+        }
+      }
+    },
+    "/apis/networking.k8s.io/v1alpha1/ipaddresses/{name}": {
+      "delete": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "delete an IPAddress",
+        "operationId": "deleteNetworkingV1alpha1IPAddress",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "in": "query",
+            "name": "gracePeriodSeconds",
+            "type": "integer",
+            "uniqueItems": true
+          },
+          {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "in": "query",
+            "name": "orphanDependents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
+          {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "in": "query",
+            "name": "propagationPolicy",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "networking_v1alpha1"
+        ],
+        "x-kubernetes-action": "delete",
+        "x-kubernetes-group-version-kind": {
+          "group": "networking.k8s.io",
+          "kind": "IPAddress",
+          "version": "v1alpha1"
+        }
+      },
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "read the specified IPAddress",
+        "operationId": "readNetworkingV1alpha1IPAddress",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddress"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "networking_v1alpha1"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "networking.k8s.io",
+          "kind": "IPAddress",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the IPAddress",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "If 'true', then the output is pretty printed.",
+          "in": "query",
+          "name": "pretty",
+          "type": "string",
+          "uniqueItems": true
+        }
+      ],
+      "patch": {
+        "consumes": [
+          "application/json-patch+json",
+          "application/merge-patch+json",
+          "application/strategic-merge-patch+json",
+          "application/apply-patch+yaml"
+        ],
+        "description": "partially update the specified IPAddress",
+        "operationId": "patchNetworkingV1alpha1IPAddress",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
+            "in": "query",
+            "name": "fieldManager",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
+            "in": "query",
+            "name": "force",
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddress"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddress"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "networking_v1alpha1"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "networking.k8s.io",
+          "kind": "IPAddress",
+          "version": "v1alpha1"
+        }
+      },
+      "put": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "replace the specified IPAddress",
+        "operationId": "replaceNetworkingV1alpha1IPAddress",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddress"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddress"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.networking.v1alpha1.IPAddress"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "networking_v1alpha1"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "networking.k8s.io",
+          "kind": "IPAddress",
+          "version": "v1alpha1"
+        }
+      }
+    },
     "/apis/networking.k8s.io/v1alpha1/watch/clustercidrs": {
       "get": {
         "consumes": [
@@ -69532,6 +73315,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -69651,6 +73441,257 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "type": "integer",
+          "uniqueItems": true
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "type": "boolean",
+          "uniqueItems": true
+        }
+      ]
+    },
+    "/apis/networking.k8s.io/v1alpha1/watch/ipaddresses": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "watch individual changes to a list of IPAddress. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchNetworkingV1alpha1IPAddressList",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "networking_v1alpha1"
+        ],
+        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-group-version-kind": {
+          "group": "networking.k8s.io",
+          "kind": "IPAddress",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "type": "boolean",
+          "uniqueItems": true
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "type": "integer",
+          "uniqueItems": true
+        },
+        {
+          "description": "If 'true', then the output is pretty printed.",
+          "in": "query",
+          "name": "pretty",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "type": "integer",
+          "uniqueItems": true
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "type": "boolean",
+          "uniqueItems": true
+        }
+      ]
+    },
+    "/apis/networking.k8s.io/v1alpha1/watch/ipaddresses/{name}": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "watch changes to an object of kind IPAddress. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchNetworkingV1alpha1IPAddress",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "networking_v1alpha1"
+        ],
+        "x-kubernetes-action": "watch",
+        "x-kubernetes-group-version-kind": {
+          "group": "networking.k8s.io",
+          "kind": "IPAddress",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "type": "boolean",
+          "uniqueItems": true
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "type": "integer",
+          "uniqueItems": true
+        },
+        {
+          "description": "name of the IPAddress",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "If 'true', then the output is pretty printed.",
+          "in": "query",
+          "name": "pretty",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -69818,6 +73859,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -69911,6 +73959,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -69996,7 +74051,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -70209,7 +74264,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -70288,7 +74343,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -70426,6 +74481,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -70545,6 +74607,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -70712,6 +74781,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -70805,6 +74881,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -70898,7 +74981,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -71119,7 +75202,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -71198,7 +75281,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -71335,7 +75418,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -71414,7 +75497,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -71552,6 +75635,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -71671,6 +75761,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -71798,6 +75895,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -71909,6 +76013,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -72076,6 +76187,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -72169,6 +76287,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -72254,7 +76379,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -72467,7 +76592,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -72546,7 +76671,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -72674,6 +76799,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -72767,6 +76899,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -72852,7 +76991,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -73065,7 +77204,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -73144,7 +77283,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -73272,6 +77411,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -73365,6 +77511,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -73458,7 +77611,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -73679,7 +77832,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -73758,7 +77911,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -73886,6 +78039,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -73979,6 +78139,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -74072,7 +78239,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -74293,7 +78460,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -74372,7 +78539,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -74510,6 +78677,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -74621,6 +78795,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -74732,6 +78913,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -74851,6 +79039,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -74962,6 +79157,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -75081,6 +79283,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -75200,6 +79409,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -75327,6 +79543,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -75446,6 +79669,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -75573,6 +79803,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -75684,6 +79921,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -75795,6 +80039,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -75844,7 +80095,7 @@
         ]
       }
     },
-    "/apis/resource.k8s.io/v1alpha1/": {
+    "/apis/resource.k8s.io/v1alpha2/": {
       "get": {
         "consumes": [
           "application/json",
@@ -75852,7 +80103,7 @@
           "application/vnd.kubernetes.protobuf"
         ],
         "description": "get available resources",
-        "operationId": "getResourceV1alpha1APIResources",
+        "operationId": "getResourceV1alpha2APIResources",
         "produces": [
           "application/json",
           "application/yaml",
@@ -75873,17 +80124,17 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ]
       }
     },
-    "/apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings": {
+    "/apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete collection of PodScheduling",
-        "operationId": "deleteResourceV1alpha1CollectionNamespacedPodScheduling",
+        "description": "delete collection of PodSchedulingContext",
+        "operationId": "deleteResourceV1alpha2CollectionNamespacedPodSchedulingContext",
         "parameters": [
           {
             "in": "body",
@@ -75962,6 +80213,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -75990,21 +80248,21 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       },
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "list or watch objects of kind PodScheduling",
-        "operationId": "listResourceV1alpha1NamespacedPodScheduling",
+        "description": "list or watch objects of kind PodSchedulingContext",
+        "operationId": "listResourceV1alpha2NamespacedPodSchedulingContext",
         "parameters": [
           {
             "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
@@ -76055,6 +80313,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -76081,7 +80346,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodSchedulingList"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContextList"
             }
           },
           "401": {
@@ -76092,13 +80357,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -76122,15 +80387,15 @@
         "consumes": [
           "*/*"
         ],
-        "description": "create a PodScheduling",
-        "operationId": "createResourceV1alpha1NamespacedPodScheduling",
+        "description": "create a PodSchedulingContext",
+        "operationId": "createResourceV1alpha2NamespacedPodSchedulingContext",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           {
@@ -76148,7 +80413,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -76164,19 +80429,19 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "401": {
@@ -76187,23 +80452,23 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       }
     },
-    "/apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}": {
+    "/apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts/{name}": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete a PodScheduling",
-        "operationId": "deleteResourceV1alpha1NamespacedPodScheduling",
+        "description": "delete a PodSchedulingContext",
+        "operationId": "deleteResourceV1alpha2NamespacedPodSchedulingContext",
         "parameters": [
           {
             "in": "body",
@@ -76250,13 +80515,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "401": {
@@ -76267,21 +80532,21 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       },
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "read the specified PodScheduling",
-        "operationId": "readResourceV1alpha1NamespacedPodScheduling",
+        "description": "read the specified PodSchedulingContext",
+        "operationId": "readResourceV1alpha2NamespacedPodSchedulingContext",
         "produces": [
           "application/json",
           "application/yaml",
@@ -76291,7 +80556,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "401": {
@@ -76302,18 +80567,18 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       },
       "parameters": [
         {
-          "description": "name of the PodScheduling",
+          "description": "name of the PodSchedulingContext",
           "in": "path",
           "name": "name",
           "required": true,
@@ -76343,8 +80608,8 @@
           "application/strategic-merge-patch+json",
           "application/apply-patch+yaml"
         ],
-        "description": "partially update the specified PodScheduling",
-        "operationId": "patchResourceV1alpha1NamespacedPodScheduling",
+        "description": "partially update the specified PodSchedulingContext",
+        "operationId": "patchResourceV1alpha2NamespacedPodSchedulingContext",
         "parameters": [
           {
             "in": "body",
@@ -76369,7 +80634,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -76392,13 +80657,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "401": {
@@ -76409,28 +80674,28 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       },
       "put": {
         "consumes": [
           "*/*"
         ],
-        "description": "replace the specified PodScheduling",
-        "operationId": "replaceResourceV1alpha1NamespacedPodScheduling",
+        "description": "replace the specified PodSchedulingContext",
+        "operationId": "replaceResourceV1alpha2NamespacedPodSchedulingContext",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           {
@@ -76448,7 +80713,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -76464,13 +80729,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "401": {
@@ -76481,23 +80746,23 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       }
     },
-    "/apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}/status": {
+    "/apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts/{name}/status": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "read status of the specified PodScheduling",
-        "operationId": "readResourceV1alpha1NamespacedPodSchedulingStatus",
+        "description": "read status of the specified PodSchedulingContext",
+        "operationId": "readResourceV1alpha2NamespacedPodSchedulingContextStatus",
         "produces": [
           "application/json",
           "application/yaml",
@@ -76507,7 +80772,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "401": {
@@ -76518,18 +80783,18 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       },
       "parameters": [
         {
-          "description": "name of the PodScheduling",
+          "description": "name of the PodSchedulingContext",
           "in": "path",
           "name": "name",
           "required": true,
@@ -76559,8 +80824,8 @@
           "application/strategic-merge-patch+json",
           "application/apply-patch+yaml"
         ],
-        "description": "partially update status of the specified PodScheduling",
-        "operationId": "patchResourceV1alpha1NamespacedPodSchedulingStatus",
+        "description": "partially update status of the specified PodSchedulingContext",
+        "operationId": "patchResourceV1alpha2NamespacedPodSchedulingContextStatus",
         "parameters": [
           {
             "in": "body",
@@ -76585,7 +80850,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -76608,13 +80873,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "401": {
@@ -76625,28 +80890,28 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       },
       "put": {
         "consumes": [
           "*/*"
         ],
-        "description": "replace status of the specified PodScheduling",
-        "operationId": "replaceResourceV1alpha1NamespacedPodSchedulingStatus",
+        "description": "replace status of the specified PodSchedulingContext",
+        "operationId": "replaceResourceV1alpha2NamespacedPodSchedulingContextStatus",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           {
@@ -76664,7 +80929,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -76680,13 +80945,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodScheduling"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContext"
             }
           },
           "401": {
@@ -76697,23 +80962,23 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       }
     },
-    "/apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims": {
+    "/apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims": {
       "delete": {
         "consumes": [
           "*/*"
         ],
         "description": "delete collection of ResourceClaim",
-        "operationId": "deleteResourceV1alpha1CollectionNamespacedResourceClaim",
+        "operationId": "deleteResourceV1alpha2CollectionNamespacedResourceClaim",
         "parameters": [
           {
             "in": "body",
@@ -76792,6 +81057,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -76820,13 +81092,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "get": {
@@ -76834,7 +81106,7 @@
           "*/*"
         ],
         "description": "list or watch objects of kind ResourceClaim",
-        "operationId": "listResourceV1alpha1NamespacedResourceClaim",
+        "operationId": "listResourceV1alpha2NamespacedResourceClaim",
         "parameters": [
           {
             "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
@@ -76885,6 +81157,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -76911,7 +81190,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimList"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimList"
             }
           },
           "401": {
@@ -76922,13 +81201,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -76953,14 +81232,14 @@
           "*/*"
         ],
         "description": "create a ResourceClaim",
-        "operationId": "createResourceV1alpha1NamespacedResourceClaim",
+        "operationId": "createResourceV1alpha2NamespacedResourceClaim",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           {
@@ -76978,7 +81257,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -76994,19 +81273,19 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "401": {
@@ -77017,23 +81296,23 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       }
     },
-    "/apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}": {
+    "/apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims/{name}": {
       "delete": {
         "consumes": [
           "*/*"
         ],
         "description": "delete a ResourceClaim",
-        "operationId": "deleteResourceV1alpha1NamespacedResourceClaim",
+        "operationId": "deleteResourceV1alpha2NamespacedResourceClaim",
         "parameters": [
           {
             "in": "body",
@@ -77080,13 +81359,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "401": {
@@ -77097,13 +81376,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "get": {
@@ -77111,7 +81390,7 @@
           "*/*"
         ],
         "description": "read the specified ResourceClaim",
-        "operationId": "readResourceV1alpha1NamespacedResourceClaim",
+        "operationId": "readResourceV1alpha2NamespacedResourceClaim",
         "produces": [
           "application/json",
           "application/yaml",
@@ -77121,7 +81400,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "401": {
@@ -77132,13 +81411,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -77174,7 +81453,7 @@
           "application/apply-patch+yaml"
         ],
         "description": "partially update the specified ResourceClaim",
-        "operationId": "patchResourceV1alpha1NamespacedResourceClaim",
+        "operationId": "patchResourceV1alpha2NamespacedResourceClaim",
         "parameters": [
           {
             "in": "body",
@@ -77199,7 +81478,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -77222,13 +81501,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "401": {
@@ -77239,13 +81518,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "put": {
@@ -77253,14 +81532,14 @@
           "*/*"
         ],
         "description": "replace the specified ResourceClaim",
-        "operationId": "replaceResourceV1alpha1NamespacedResourceClaim",
+        "operationId": "replaceResourceV1alpha2NamespacedResourceClaim",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           {
@@ -77278,7 +81557,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -77294,13 +81573,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "401": {
@@ -77311,23 +81590,23 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       }
     },
-    "/apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}/status": {
+    "/apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims/{name}/status": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "read status of the specified ResourceClaim",
-        "operationId": "readResourceV1alpha1NamespacedResourceClaimStatus",
+        "operationId": "readResourceV1alpha2NamespacedResourceClaimStatus",
         "produces": [
           "application/json",
           "application/yaml",
@@ -77337,7 +81616,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "401": {
@@ -77348,13 +81627,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -77390,7 +81669,7 @@
           "application/apply-patch+yaml"
         ],
         "description": "partially update status of the specified ResourceClaim",
-        "operationId": "patchResourceV1alpha1NamespacedResourceClaimStatus",
+        "operationId": "patchResourceV1alpha2NamespacedResourceClaimStatus",
         "parameters": [
           {
             "in": "body",
@@ -77415,7 +81694,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -77438,13 +81717,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "401": {
@@ -77455,13 +81734,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "put": {
@@ -77469,14 +81748,14 @@
           "*/*"
         ],
         "description": "replace status of the specified ResourceClaim",
-        "operationId": "replaceResourceV1alpha1NamespacedResourceClaimStatus",
+        "operationId": "replaceResourceV1alpha2NamespacedResourceClaimStatus",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           {
@@ -77494,7 +81773,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -77510,13 +81789,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaim"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaim"
             }
           },
           "401": {
@@ -77527,23 +81806,23 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       }
     },
-    "/apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates": {
+    "/apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaimtemplates": {
       "delete": {
         "consumes": [
           "*/*"
         ],
         "description": "delete collection of ResourceClaimTemplate",
-        "operationId": "deleteResourceV1alpha1CollectionNamespacedResourceClaimTemplate",
+        "operationId": "deleteResourceV1alpha2CollectionNamespacedResourceClaimTemplate",
         "parameters": [
           {
             "in": "body",
@@ -77622,6 +81901,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -77650,13 +81936,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplate",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "get": {
@@ -77664,7 +81950,7 @@
           "*/*"
         ],
         "description": "list or watch objects of kind ResourceClaimTemplate",
-        "operationId": "listResourceV1alpha1NamespacedResourceClaimTemplate",
+        "operationId": "listResourceV1alpha2NamespacedResourceClaimTemplate",
         "parameters": [
           {
             "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
@@ -77715,6 +82001,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -77741,7 +82034,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplateList"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplateList"
             }
           },
           "401": {
@@ -77752,13 +82045,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplate",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -77783,14 +82076,14 @@
           "*/*"
         ],
         "description": "create a ResourceClaimTemplate",
-        "operationId": "createResourceV1alpha1NamespacedResourceClaimTemplate",
+        "operationId": "createResourceV1alpha2NamespacedResourceClaimTemplate",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
             }
           },
           {
@@ -77808,7 +82101,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -77824,19 +82117,19 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
             }
           },
           "401": {
@@ -77847,23 +82140,23 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplate",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       }
     },
-    "/apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates/{name}": {
+    "/apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaimtemplates/{name}": {
       "delete": {
         "consumes": [
           "*/*"
         ],
         "description": "delete a ResourceClaimTemplate",
-        "operationId": "deleteResourceV1alpha1NamespacedResourceClaimTemplate",
+        "operationId": "deleteResourceV1alpha2NamespacedResourceClaimTemplate",
         "parameters": [
           {
             "in": "body",
@@ -77910,13 +82203,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
             }
           },
           "401": {
@@ -77927,13 +82220,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplate",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "get": {
@@ -77941,7 +82234,7 @@
           "*/*"
         ],
         "description": "read the specified ResourceClaimTemplate",
-        "operationId": "readResourceV1alpha1NamespacedResourceClaimTemplate",
+        "operationId": "readResourceV1alpha2NamespacedResourceClaimTemplate",
         "produces": [
           "application/json",
           "application/yaml",
@@ -77951,7 +82244,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
             }
           },
           "401": {
@@ -77962,13 +82255,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplate",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -78004,7 +82297,7 @@
           "application/apply-patch+yaml"
         ],
         "description": "partially update the specified ResourceClaimTemplate",
-        "operationId": "patchResourceV1alpha1NamespacedResourceClaimTemplate",
+        "operationId": "patchResourceV1alpha2NamespacedResourceClaimTemplate",
         "parameters": [
           {
             "in": "body",
@@ -78029,7 +82322,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -78052,13 +82345,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
             }
           },
           "401": {
@@ -78069,13 +82362,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplate",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "put": {
@@ -78083,14 +82376,14 @@
           "*/*"
         ],
         "description": "replace the specified ResourceClaimTemplate",
-        "operationId": "replaceResourceV1alpha1NamespacedResourceClaimTemplate",
+        "operationId": "replaceResourceV1alpha2NamespacedResourceClaimTemplate",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
             }
           },
           {
@@ -78108,7 +82401,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -78124,13 +82417,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplate"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplate"
             }
           },
           "401": {
@@ -78141,23 +82434,23 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplate",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       }
     },
-    "/apis/resource.k8s.io/v1alpha1/podschedulings": {
+    "/apis/resource.k8s.io/v1alpha2/podschedulingcontexts": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "list or watch objects of kind PodScheduling",
-        "operationId": "listResourceV1alpha1PodSchedulingForAllNamespaces",
+        "description": "list or watch objects of kind PodSchedulingContext",
+        "operationId": "listResourceV1alpha2PodSchedulingContextForAllNamespaces",
         "produces": [
           "application/json",
           "application/yaml",
@@ -78169,7 +82462,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.PodSchedulingList"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.PodSchedulingContextList"
             }
           },
           "401": {
@@ -78180,13 +82473,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -78246,6 +82539,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -78262,13 +82562,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/resourceclaims": {
+    "/apis/resource.k8s.io/v1alpha2/resourceclaims": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "list or watch objects of kind ResourceClaim",
-        "operationId": "listResourceV1alpha1ResourceClaimForAllNamespaces",
+        "operationId": "listResourceV1alpha2ResourceClaimForAllNamespaces",
         "produces": [
           "application/json",
           "application/yaml",
@@ -78280,7 +82580,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimList"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimList"
             }
           },
           "401": {
@@ -78291,13 +82591,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -78357,6 +82657,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -78373,13 +82680,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/resourceclaimtemplates": {
+    "/apis/resource.k8s.io/v1alpha2/resourceclaimtemplates": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "list or watch objects of kind ResourceClaimTemplate",
-        "operationId": "listResourceV1alpha1ResourceClaimTemplateForAllNamespaces",
+        "operationId": "listResourceV1alpha2ResourceClaimTemplateForAllNamespaces",
         "produces": [
           "application/json",
           "application/yaml",
@@ -78391,7 +82698,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClaimTemplateList"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClaimTemplateList"
             }
           },
           "401": {
@@ -78402,13 +82709,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplate",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -78468,6 +82775,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -78484,13 +82798,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/resourceclasses": {
+    "/apis/resource.k8s.io/v1alpha2/resourceclasses": {
       "delete": {
         "consumes": [
           "*/*"
         ],
         "description": "delete collection of ResourceClass",
-        "operationId": "deleteResourceV1alpha1CollectionResourceClass",
+        "operationId": "deleteResourceV1alpha2CollectionResourceClass",
         "parameters": [
           {
             "in": "body",
@@ -78569,6 +82883,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -78597,13 +82918,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClass",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "get": {
@@ -78611,7 +82932,7 @@
           "*/*"
         ],
         "description": "list or watch objects of kind ResourceClass",
-        "operationId": "listResourceV1alpha1ResourceClass",
+        "operationId": "listResourceV1alpha2ResourceClass",
         "parameters": [
           {
             "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
@@ -78662,6 +82983,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -78688,7 +83016,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClassList"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClassList"
             }
           },
           "401": {
@@ -78699,13 +83027,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClass",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -78722,14 +83050,14 @@
           "*/*"
         ],
         "description": "create a ResourceClass",
-        "operationId": "createResourceV1alpha1ResourceClass",
+        "operationId": "createResourceV1alpha2ResourceClass",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
             }
           },
           {
@@ -78747,7 +83075,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -78763,19 +83091,19 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
             }
           },
           "401": {
@@ -78786,23 +83114,23 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClass",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       }
     },
-    "/apis/resource.k8s.io/v1alpha1/resourceclasses/{name}": {
+    "/apis/resource.k8s.io/v1alpha2/resourceclasses/{name}": {
       "delete": {
         "consumes": [
           "*/*"
         ],
         "description": "delete a ResourceClass",
-        "operationId": "deleteResourceV1alpha1ResourceClass",
+        "operationId": "deleteResourceV1alpha2ResourceClass",
         "parameters": [
           {
             "in": "body",
@@ -78849,13 +83177,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
             }
           },
           "401": {
@@ -78866,13 +83194,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClass",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "get": {
@@ -78880,7 +83208,7 @@
           "*/*"
         ],
         "description": "read the specified ResourceClass",
-        "operationId": "readResourceV1alpha1ResourceClass",
+        "operationId": "readResourceV1alpha2ResourceClass",
         "produces": [
           "application/json",
           "application/yaml",
@@ -78890,7 +83218,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
             }
           },
           "401": {
@@ -78901,13 +83229,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClass",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -78935,7 +83263,7 @@
           "application/apply-patch+yaml"
         ],
         "description": "partially update the specified ResourceClass",
-        "operationId": "patchResourceV1alpha1ResourceClass",
+        "operationId": "patchResourceV1alpha2ResourceClass",
         "parameters": [
           {
             "in": "body",
@@ -78960,7 +83288,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -78983,13 +83311,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
             }
           },
           "401": {
@@ -79000,13 +83328,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClass",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "put": {
@@ -79014,14 +83342,14 @@
           "*/*"
         ],
         "description": "replace the specified ResourceClass",
-        "operationId": "replaceResourceV1alpha1ResourceClass",
+        "operationId": "replaceResourceV1alpha2ResourceClass",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
             }
           },
           {
@@ -79039,7 +83367,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -79055,13 +83383,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.resource.v1alpha1.ResourceClass"
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha2.ResourceClass"
             }
           },
           "401": {
@@ -79072,23 +83400,23 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClass",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       }
     },
-    "/apis/resource.k8s.io/v1alpha1/watch/namespaces/{namespace}/podschedulings": {
+    "/apis/resource.k8s.io/v1alpha2/watch/namespaces/{namespace}/podschedulingcontexts": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch individual changes to a list of PodScheduling. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchResourceV1alpha1NamespacedPodSchedulingList",
+        "description": "watch individual changes to a list of PodSchedulingContext. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchResourceV1alpha2NamespacedPodSchedulingContextList",
         "produces": [
           "application/json",
           "application/yaml",
@@ -79111,13 +83439,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -79185,6 +83513,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -79201,13 +83536,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/watch/namespaces/{namespace}/podschedulings/{name}": {
+    "/apis/resource.k8s.io/v1alpha2/watch/namespaces/{namespace}/podschedulingcontexts/{name}": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch changes to an object of kind PodScheduling. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchResourceV1alpha1NamespacedPodScheduling",
+        "description": "watch changes to an object of kind PodSchedulingContext. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchResourceV1alpha2NamespacedPodSchedulingContext",
         "produces": [
           "application/json",
           "application/yaml",
@@ -79230,13 +83565,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -79276,7 +83611,7 @@
           "uniqueItems": true
         },
         {
-          "description": "name of the PodScheduling",
+          "description": "name of the PodSchedulingContext",
           "in": "path",
           "name": "name",
           "required": true,
@@ -79312,6 +83647,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -79328,13 +83670,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/watch/namespaces/{namespace}/resourceclaims": {
+    "/apis/resource.k8s.io/v1alpha2/watch/namespaces/{namespace}/resourceclaims": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "watch individual changes to a list of ResourceClaim. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchResourceV1alpha1NamespacedResourceClaimList",
+        "operationId": "watchResourceV1alpha2NamespacedResourceClaimList",
         "produces": [
           "application/json",
           "application/yaml",
@@ -79357,13 +83699,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -79431,6 +83773,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -79447,13 +83796,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/watch/namespaces/{namespace}/resourceclaims/{name}": {
+    "/apis/resource.k8s.io/v1alpha2/watch/namespaces/{namespace}/resourceclaims/{name}": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "watch changes to an object of kind ResourceClaim. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchResourceV1alpha1NamespacedResourceClaim",
+        "operationId": "watchResourceV1alpha2NamespacedResourceClaim",
         "produces": [
           "application/json",
           "application/yaml",
@@ -79476,13 +83825,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -79558,6 +83907,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -79574,13 +83930,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/watch/namespaces/{namespace}/resourceclaimtemplates": {
+    "/apis/resource.k8s.io/v1alpha2/watch/namespaces/{namespace}/resourceclaimtemplates": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "watch individual changes to a list of ResourceClaimTemplate. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchResourceV1alpha1NamespacedResourceClaimTemplateList",
+        "operationId": "watchResourceV1alpha2NamespacedResourceClaimTemplateList",
         "produces": [
           "application/json",
           "application/yaml",
@@ -79603,13 +83959,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplate",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -79677,6 +84033,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -79693,13 +84056,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/watch/namespaces/{namespace}/resourceclaimtemplates/{name}": {
+    "/apis/resource.k8s.io/v1alpha2/watch/namespaces/{namespace}/resourceclaimtemplates/{name}": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "watch changes to an object of kind ResourceClaimTemplate. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchResourceV1alpha1NamespacedResourceClaimTemplate",
+        "operationId": "watchResourceV1alpha2NamespacedResourceClaimTemplate",
         "produces": [
           "application/json",
           "application/yaml",
@@ -79722,13 +84085,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplate",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -79804,6 +84167,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -79820,13 +84190,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/watch/podschedulings": {
+    "/apis/resource.k8s.io/v1alpha2/watch/podschedulingcontexts": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch individual changes to a list of PodScheduling. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchResourceV1alpha1PodSchedulingListForAllNamespaces",
+        "description": "watch individual changes to a list of PodSchedulingContext. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchResourceV1alpha2PodSchedulingContextListForAllNamespaces",
         "produces": [
           "application/json",
           "application/yaml",
@@ -79849,13 +84219,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
-          "kind": "PodScheduling",
-          "version": "v1alpha1"
+          "kind": "PodSchedulingContext",
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -79915,6 +84285,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -79931,13 +84308,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/watch/resourceclaims": {
+    "/apis/resource.k8s.io/v1alpha2/watch/resourceclaims": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "watch individual changes to a list of ResourceClaim. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchResourceV1alpha1ResourceClaimListForAllNamespaces",
+        "operationId": "watchResourceV1alpha2ResourceClaimListForAllNamespaces",
         "produces": [
           "application/json",
           "application/yaml",
@@ -79960,13 +84337,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaim",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -80026,6 +84403,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -80042,13 +84426,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/watch/resourceclaimtemplates": {
+    "/apis/resource.k8s.io/v1alpha2/watch/resourceclaimtemplates": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "watch individual changes to a list of ResourceClaimTemplate. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchResourceV1alpha1ResourceClaimTemplateListForAllNamespaces",
+        "operationId": "watchResourceV1alpha2ResourceClaimTemplateListForAllNamespaces",
         "produces": [
           "application/json",
           "application/yaml",
@@ -80071,13 +84455,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClaimTemplate",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -80137,6 +84521,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -80153,13 +84544,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/watch/resourceclasses": {
+    "/apis/resource.k8s.io/v1alpha2/watch/resourceclasses": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "watch individual changes to a list of ResourceClass. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchResourceV1alpha1ResourceClassList",
+        "operationId": "watchResourceV1alpha2ResourceClassList",
         "produces": [
           "application/json",
           "application/yaml",
@@ -80182,13 +84573,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClass",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -80248,6 +84639,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -80264,13 +84662,13 @@
         }
       ]
     },
-    "/apis/resource.k8s.io/v1alpha1/watch/resourceclasses/{name}": {
+    "/apis/resource.k8s.io/v1alpha2/watch/resourceclasses/{name}": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "watch changes to an object of kind ResourceClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchResourceV1alpha1ResourceClass",
+        "operationId": "watchResourceV1alpha2ResourceClass",
         "produces": [
           "application/json",
           "application/yaml",
@@ -80293,13 +84691,13 @@
           "https"
         ],
         "tags": [
-          "resource_v1alpha1"
+          "resource_v1alpha2"
         ],
         "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "resource.k8s.io",
           "kind": "ResourceClass",
-          "version": "v1alpha1"
+          "version": "v1alpha2"
         }
       },
       "parameters": [
@@ -80367,6 +84765,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -80534,6 +84939,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -80627,6 +85039,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -80712,7 +85131,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -80925,7 +85344,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -81004,7 +85423,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -81142,6 +85561,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -81261,6 +85687,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -81428,6 +85861,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -81521,6 +85961,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -81606,7 +86053,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -81819,7 +86266,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -81898,7 +86345,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -82026,6 +86473,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -82119,6 +86573,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -82204,7 +86665,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -82417,7 +86878,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -82496,7 +86957,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -82634,6 +87095,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -82735,6 +87203,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -82828,6 +87303,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -82921,7 +87403,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -83142,7 +87624,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -83221,7 +87703,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -83349,6 +87831,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -83442,6 +87931,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -83527,7 +88023,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -83740,7 +88236,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -83819,7 +88315,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -83947,6 +88443,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -84040,6 +88543,13 @@
             "type": "string",
             "uniqueItems": true
           },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "type": "boolean",
+            "uniqueItems": true
+          },
           {
             "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
             "in": "query",
@@ -84125,7 +88635,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -84338,7 +88848,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -84417,7 +88927,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -84546,7 +89056,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -84625,7 +89135,7 @@
             "uniqueItems": true
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
             "in": "query",
             "name": "fieldValidation",
             "type": "string",
@@ -84763,6 +89273,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -84882,6 +89399,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -84993,6 +89517,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -85112,6 +89643,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -85223,6 +89761,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -85342,6 +89887,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -85469,6 +90021,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -85580,6 +90139,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -85699,6 +90265,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -85810,6 +90383,13 @@
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "type": "boolean",
+          "uniqueItems": true
+        },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
           "in": "query",
@@ -85930,1119 +90510,11 @@
           "uniqueItems": true
         },
         {
-          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
           "in": "query",
-          "name": "timeoutSeconds",
-          "type": "integer",
-          "uniqueItems": true
-        },
-        {
-          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-          "in": "query",
-          "name": "watch",
+          "name": "sendInitialEvents",
           "type": "boolean",
           "uniqueItems": true
-        }
-      ]
-    },
-    "/apis/storage.k8s.io/v1beta1/": {
-      "get": {
-        "consumes": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf"
-        ],
-        "description": "get available resources",
-        "operationId": "getStorageV1beta1APIResources",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1beta1"
-        ]
-      }
-    },
-    "/apis/storage.k8s.io/v1beta1/csistoragecapacities": {
-      "get": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "list or watch objects of kind CSIStorageCapacity",
-        "operationId": "listStorageV1beta1CSIStorageCapacityForAllNamespaces",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacityList"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1beta1"
-        ],
-        "x-kubernetes-action": "list",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1beta1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-          "in": "query",
-          "name": "allowWatchBookmarks",
-          "type": "boolean",
-          "uniqueItems": true
-        },
-        {
-          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-          "in": "query",
-          "name": "continue",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-          "in": "query",
-          "name": "fieldSelector",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-          "in": "query",
-          "name": "labelSelector",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-          "in": "query",
-          "name": "limit",
-          "type": "integer",
-          "uniqueItems": true
-        },
-        {
-          "description": "If 'true', then the output is pretty printed.",
-          "in": "query",
-          "name": "pretty",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersion",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersionMatch",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-          "in": "query",
-          "name": "timeoutSeconds",
-          "type": "integer",
-          "uniqueItems": true
-        },
-        {
-          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-          "in": "query",
-          "name": "watch",
-          "type": "boolean",
-          "uniqueItems": true
-        }
-      ]
-    },
-    "/apis/storage.k8s.io/v1beta1/namespaces/{namespace}/csistoragecapacities": {
-      "delete": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "delete collection of CSIStorageCapacity",
-        "operationId": "deleteStorageV1beta1CollectionNamespacedCSIStorageCapacity",
-        "parameters": [
-          {
-            "in": "body",
-            "name": "body",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
-            }
-          },
-          {
-            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-            "in": "query",
-            "name": "continue",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-            "in": "query",
-            "name": "fieldSelector",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
-            "in": "query",
-            "name": "gracePeriodSeconds",
-            "type": "integer",
-            "uniqueItems": true
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-            "in": "query",
-            "name": "labelSelector",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-            "in": "query",
-            "name": "limit",
-            "type": "integer",
-            "uniqueItems": true
-          },
-          {
-            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
-            "in": "query",
-            "name": "orphanDependents",
-            "type": "boolean",
-            "uniqueItems": true
-          },
-          {
-            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
-            "in": "query",
-            "name": "propagationPolicy",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersion",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersionMatch",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-            "in": "query",
-            "name": "timeoutSeconds",
-            "type": "integer",
-            "uniqueItems": true
-          }
-        ],
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1beta1"
-        ],
-        "x-kubernetes-action": "deletecollection",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1beta1"
-        }
-      },
-      "get": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "list or watch objects of kind CSIStorageCapacity",
-        "operationId": "listStorageV1beta1NamespacedCSIStorageCapacity",
-        "parameters": [
-          {
-            "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-            "in": "query",
-            "name": "allowWatchBookmarks",
-            "type": "boolean",
-            "uniqueItems": true
-          },
-          {
-            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-            "in": "query",
-            "name": "continue",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-            "in": "query",
-            "name": "fieldSelector",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-            "in": "query",
-            "name": "labelSelector",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-            "in": "query",
-            "name": "limit",
-            "type": "integer",
-            "uniqueItems": true
-          },
-          {
-            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersion",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersionMatch",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-            "in": "query",
-            "name": "timeoutSeconds",
-            "type": "integer",
-            "uniqueItems": true
-          },
-          {
-            "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-            "in": "query",
-            "name": "watch",
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        ],
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacityList"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1beta1"
-        ],
-        "x-kubernetes-action": "list",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1beta1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "object name and auth scope, such as for teams and projects",
-          "in": "path",
-          "name": "namespace",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "If 'true', then the output is pretty printed.",
-          "in": "query",
-          "name": "pretty",
-          "type": "string",
-          "uniqueItems": true
-        }
-      ],
-      "post": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "create a CSIStorageCapacity",
-        "operationId": "createStorageV1beta1NamespacedCSIStorageCapacity",
-        "parameters": [
-          {
-            "in": "body",
-            "name": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity"
-            }
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
-            "in": "query",
-            "name": "fieldManager",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "type": "string",
-            "uniqueItems": true
-          }
-        ],
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity"
-            }
-          },
-          "202": {
-            "description": "Accepted",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1beta1"
-        ],
-        "x-kubernetes-action": "post",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1beta1"
-        }
-      }
-    },
-    "/apis/storage.k8s.io/v1beta1/namespaces/{namespace}/csistoragecapacities/{name}": {
-      "delete": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "delete a CSIStorageCapacity",
-        "operationId": "deleteStorageV1beta1NamespacedCSIStorageCapacity",
-        "parameters": [
-          {
-            "in": "body",
-            "name": "body",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
-            }
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
-            "in": "query",
-            "name": "gracePeriodSeconds",
-            "type": "integer",
-            "uniqueItems": true
-          },
-          {
-            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
-            "in": "query",
-            "name": "orphanDependents",
-            "type": "boolean",
-            "uniqueItems": true
-          },
-          {
-            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
-            "in": "query",
-            "name": "propagationPolicy",
-            "type": "string",
-            "uniqueItems": true
-          }
-        ],
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-            }
-          },
-          "202": {
-            "description": "Accepted",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1beta1"
-        ],
-        "x-kubernetes-action": "delete",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1beta1"
-        }
-      },
-      "get": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "read the specified CSIStorageCapacity",
-        "operationId": "readStorageV1beta1NamespacedCSIStorageCapacity",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1beta1"
-        ],
-        "x-kubernetes-action": "get",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1beta1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "name of the CSIStorageCapacity",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "object name and auth scope, such as for teams and projects",
-          "in": "path",
-          "name": "namespace",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "If 'true', then the output is pretty printed.",
-          "in": "query",
-          "name": "pretty",
-          "type": "string",
-          "uniqueItems": true
-        }
-      ],
-      "patch": {
-        "consumes": [
-          "application/json-patch+json",
-          "application/merge-patch+json",
-          "application/strategic-merge-patch+json",
-          "application/apply-patch+yaml"
-        ],
-        "description": "partially update the specified CSIStorageCapacity",
-        "operationId": "patchStorageV1beta1NamespacedCSIStorageCapacity",
-        "parameters": [
-          {
-            "in": "body",
-            "name": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-            }
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
-            "in": "query",
-            "name": "fieldManager",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
-            "in": "query",
-            "name": "force",
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        ],
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1beta1"
-        ],
-        "x-kubernetes-action": "patch",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1beta1"
-        }
-      },
-      "put": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "replace the specified CSIStorageCapacity",
-        "operationId": "replaceStorageV1beta1NamespacedCSIStorageCapacity",
-        "parameters": [
-          {
-            "in": "body",
-            "name": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity"
-            }
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
-            "in": "query",
-            "name": "fieldManager",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "type": "string",
-            "uniqueItems": true
-          }
-        ],
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1beta1"
-        ],
-        "x-kubernetes-action": "put",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1beta1"
-        }
-      }
-    },
-    "/apis/storage.k8s.io/v1beta1/watch/csistoragecapacities": {
-      "get": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "watch individual changes to a list of CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStorageV1beta1CSIStorageCapacityListForAllNamespaces",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1beta1"
-        ],
-        "x-kubernetes-action": "watchlist",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1beta1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-          "in": "query",
-          "name": "allowWatchBookmarks",
-          "type": "boolean",
-          "uniqueItems": true
-        },
-        {
-          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-          "in": "query",
-          "name": "continue",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-          "in": "query",
-          "name": "fieldSelector",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-          "in": "query",
-          "name": "labelSelector",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-          "in": "query",
-          "name": "limit",
-          "type": "integer",
-          "uniqueItems": true
-        },
-        {
-          "description": "If 'true', then the output is pretty printed.",
-          "in": "query",
-          "name": "pretty",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersion",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersionMatch",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-          "in": "query",
-          "name": "timeoutSeconds",
-          "type": "integer",
-          "uniqueItems": true
-        },
-        {
-          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-          "in": "query",
-          "name": "watch",
-          "type": "boolean",
-          "uniqueItems": true
-        }
-      ]
-    },
-    "/apis/storage.k8s.io/v1beta1/watch/namespaces/{namespace}/csistoragecapacities": {
-      "get": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "watch individual changes to a list of CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStorageV1beta1NamespacedCSIStorageCapacityList",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1beta1"
-        ],
-        "x-kubernetes-action": "watchlist",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1beta1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-          "in": "query",
-          "name": "allowWatchBookmarks",
-          "type": "boolean",
-          "uniqueItems": true
-        },
-        {
-          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-          "in": "query",
-          "name": "continue",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-          "in": "query",
-          "name": "fieldSelector",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-          "in": "query",
-          "name": "labelSelector",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-          "in": "query",
-          "name": "limit",
-          "type": "integer",
-          "uniqueItems": true
-        },
-        {
-          "description": "object name and auth scope, such as for teams and projects",
-          "in": "path",
-          "name": "namespace",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "If 'true', then the output is pretty printed.",
-          "in": "query",
-          "name": "pretty",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersion",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersionMatch",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-          "in": "query",
-          "name": "timeoutSeconds",
-          "type": "integer",
-          "uniqueItems": true
-        },
-        {
-          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-          "in": "query",
-          "name": "watch",
-          "type": "boolean",
-          "uniqueItems": true
-        }
-      ]
-    },
-    "/apis/storage.k8s.io/v1beta1/watch/namespaces/{namespace}/csistoragecapacities/{name}": {
-      "get": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "watch changes to an object of kind CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchStorageV1beta1NamespacedCSIStorageCapacity",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1beta1"
-        ],
-        "x-kubernetes-action": "watch",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1beta1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-          "in": "query",
-          "name": "allowWatchBookmarks",
-          "type": "boolean",
-          "uniqueItems": true
-        },
-        {
-          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-          "in": "query",
-          "name": "continue",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-          "in": "query",
-          "name": "fieldSelector",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-          "in": "query",
-          "name": "labelSelector",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-          "in": "query",
-          "name": "limit",
-          "type": "integer",
-          "uniqueItems": true
-        },
-        {
-          "description": "name of the CSIStorageCapacity",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "object name and auth scope, such as for teams and projects",
-          "in": "path",
-          "name": "namespace",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "If 'true', then the output is pretty printed.",
-          "in": "query",
-          "name": "pretty",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersion",
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersionMatch",
-          "type": "string",
-          "uniqueItems": true
         },
         {
           "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
diff --git a/api-ref-assets/config/fields.yaml b/api-ref-assets/config/fields.yaml
index 60e76f6c299..4f78cffcf7a 100644
--- a/api-ref-assets/config/fields.yaml
+++ b/api-ref-assets/config/fields.yaml
@@ -99,6 +99,7 @@
     - initContainerStatuses
     - containerStatuses
     - ephemeralContainerStatuses
+    - resize
 
 - definition: io.k8s.api.core.v1.Container
   field_categories:
@@ -127,6 +128,7 @@
   - name: Resources
     fields:
     - resources
+    - resizePolicy
   - name: Lifecycle
     fields:
     - lifecycle
@@ -219,6 +221,9 @@
     fields:
     - volumeMounts
     - volumeDevices
+  - name: Resources
+    fields:
+    - resizePolicy
   - name: Lifecycle
     fields:
     - terminationMessagePath
diff --git a/api-ref-assets/config/toc.yaml b/api-ref-assets/config/toc.yaml
index 0c720538739..77bd3cbe9df 100644
--- a/api-ref-assets/config/toc.yaml
+++ b/api-ref-assets/config/toc.yaml
@@ -66,18 +66,18 @@ parts:
   - name: PriorityClass
     group: scheduling.k8s.io
     version: v1
-  - name: PodScheduling
+  - name: PodSchedulingContext
     group: resource.k8s.io
-    version: v1alpha1
+    version: v1alpha2
   - name: ResourceClaim
     group: resource.k8s.io
-    version: v1alpha1
+    version: v1alpha2
   - name: ResourceClaimTemplate
     group: resource.k8s.io
-    version: v1alpha1
+    version: v1alpha2
   - name: ResourceClass
     group: resource.k8s.io
-    version: v1alpha1
+    version: v1alpha2
 - name: Service Resources
   chapters:
   - name: Service
@@ -148,6 +148,12 @@ parts:
   - name: CertificateSigningRequest
     group: certificates.k8s.io
     version: v1
+  - name: ClusterTrustBundle
+    group: certificates.k8s.io
+    version: v1alpha1
+  - name: SelfSubjectReview
+    group: authentication.k8s.io
+    version: v1beta1
 - name: Authorization Resources
   chapters:
   - name: LocalSubjectAccessReview
@@ -191,6 +197,9 @@ parts:
   - name: PodDisruptionBudget
     group: policy
     version: v1
+  - name: IPAddress
+    group: networking.k8s.io
+    version: v1alpha1
 - name: Extend Resources
   chapters:
   - name: CustomResourceDefinition
diff --git a/content/en/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1.md b/content/en/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1.md
index 6d262358596..e462d8ad876 100644
--- a/content/en/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1.md
+++ b/content/en/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1.md
@@ -404,6 +404,11 @@ GET /apis/certificates.k8s.io/v1/certificatesigningrequests
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -899,6 +904,11 @@ DELETE /apis/certificates.k8s.io/v1/certificatesigningrequests
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/authentication-resources/cluster-trust-bundle-v1alpha1.md b/content/en/docs/reference/kubernetes-api/authentication-resources/cluster-trust-bundle-v1alpha1.md
new file mode 100644
index 00000000000..97449346323
--- /dev/null
+++ b/content/en/docs/reference/kubernetes-api/authentication-resources/cluster-trust-bundle-v1alpha1.md
@@ -0,0 +1,506 @@
+---
+api_metadata:
+  apiVersion: "certificates.k8s.io/v1alpha1"
+  import: "k8s.io/api/certificates/v1alpha1"
+  kind: "ClusterTrustBundle"
+content_type: "api_reference"
+description: "ClusterTrustBundle is a cluster-scoped container for X."
+title: "ClusterTrustBundle v1alpha1"
+weight: 5
+auto_generated: true
+---
+
+
+
+`apiVersion: certificates.k8s.io/v1alpha1`
+
+`import "k8s.io/api/certificates/v1alpha1"`
+
+
+## ClusterTrustBundle {#ClusterTrustBundle}
+
+ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).
+
+ClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection.  All service accounts have read access to ClusterTrustBundles by default.  Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.
+
+It can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.
+
+

+
+- **apiVersion**: certificates.k8s.io/v1alpha1
+
+
+- **kind**: ClusterTrustBundle
+
+
+- **metadata** (}}">ObjectMeta)
+
+  metadata contains the object metadata.
+
+- **spec** (}}">ClusterTrustBundleSpec), required
+
+  spec contains the signer (if any) and trust anchors.
+
+
+
+
+
+## ClusterTrustBundleSpec {#ClusterTrustBundleSpec}
+
+ClusterTrustBundleSpec contains the signer and trust anchors.
+
+

+
+- **trustBundle** (string), required
+
+  trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.
+  
+  The data must consist only of PEM certificate blocks that parse as valid X.509 certificates.  Each certificate must include a basic constraints extension with the CA bit set.  The API server will reject objects that contain duplicate certificates, or that use PEM block headers.
+  
+  Users of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.
+
+- **signerName** (string)
+
+  signerName indicates the associated signer, if any.
+  
+  In order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=\ verb=attest.
+  
+  If signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.
+  
+  If signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.
+  
+  List/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.
+
+
+
+
+
+## ClusterTrustBundleList {#ClusterTrustBundleList}
+
+ClusterTrustBundleList is a collection of ClusterTrustBundle objects
+
+

+
+- **apiVersion**: certificates.k8s.io/v1alpha1
+
+
+- **kind**: ClusterTrustBundleList
+
+
+- **metadata** (}}">ListMeta)
+
+  metadata contains the list metadata.
+
+- **items** ([]}}">ClusterTrustBundle), required
+
+  items is a collection of ClusterTrustBundle objects
+
+
+
+
+
+## Operations {#Operations}
+
+
+
+

+
+
+
+
+
+
+### `get` read the specified ClusterTrustBundle
+
+#### HTTP Request
+
+GET /apis/certificates.k8s.io/v1alpha1/clustertrustbundles/{name}
+
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the ClusterTrustBundle
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+
+#### Response
+
+
+200 (}}">ClusterTrustBundle): OK
+
+401: Unauthorized
+
+
+### `list` list or watch objects of kind ClusterTrustBundle
+
+#### HTTP Request
+
+GET /apis/certificates.k8s.io/v1alpha1/clustertrustbundles
+
+#### Parameters
+
+
+- **allowWatchBookmarks** (*in query*): boolean
+
+  }}">allowWatchBookmarks
+
+
+- **continue** (*in query*): string
+
+  }}">continue
+
+
+- **fieldSelector** (*in query*): string
+
+  }}">fieldSelector
+
+
+- **labelSelector** (*in query*): string
+
+  }}">labelSelector
+
+
+- **limit** (*in query*): integer
+
+  }}">limit
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+- **resourceVersion** (*in query*): string
+
+  }}">resourceVersion
+
+
+- **resourceVersionMatch** (*in query*): string
+
+  }}">resourceVersionMatch
+
+
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
+- **timeoutSeconds** (*in query*): integer
+
+  }}">timeoutSeconds
+
+
+- **watch** (*in query*): boolean
+
+  }}">watch
+
+
+
+#### Response
+
+
+200 (}}">ClusterTrustBundleList): OK
+
+401: Unauthorized
+
+
+### `create` create a ClusterTrustBundle
+
+#### HTTP Request
+
+POST /apis/certificates.k8s.io/v1alpha1/clustertrustbundles
+
+#### Parameters
+
+
+- **body**: }}">ClusterTrustBundle, required
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **fieldManager** (*in query*): string
+
+  }}">fieldManager
+
+
+- **fieldValidation** (*in query*): string
+
+  }}">fieldValidation
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+
+#### Response
+
+
+200 (}}">ClusterTrustBundle): OK
+
+201 (}}">ClusterTrustBundle): Created
+
+202 (}}">ClusterTrustBundle): Accepted
+
+401: Unauthorized
+
+
+### `update` replace the specified ClusterTrustBundle
+
+#### HTTP Request
+
+PUT /apis/certificates.k8s.io/v1alpha1/clustertrustbundles/{name}
+
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the ClusterTrustBundle
+
+
+- **body**: }}">ClusterTrustBundle, required
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **fieldManager** (*in query*): string
+
+  }}">fieldManager
+
+
+- **fieldValidation** (*in query*): string
+
+  }}">fieldValidation
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+
+#### Response
+
+
+200 (}}">ClusterTrustBundle): OK
+
+201 (}}">ClusterTrustBundle): Created
+
+401: Unauthorized
+
+
+### `patch` partially update the specified ClusterTrustBundle
+
+#### HTTP Request
+
+PATCH /apis/certificates.k8s.io/v1alpha1/clustertrustbundles/{name}
+
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the ClusterTrustBundle
+
+
+- **body**: }}">Patch, required
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **fieldManager** (*in query*): string
+
+  }}">fieldManager
+
+
+- **fieldValidation** (*in query*): string
+
+  }}">fieldValidation
+
+
+- **force** (*in query*): boolean
+
+  }}">force
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+
+#### Response
+
+
+200 (}}">ClusterTrustBundle): OK
+
+201 (}}">ClusterTrustBundle): Created
+
+401: Unauthorized
+
+
+### `delete` delete a ClusterTrustBundle
+
+#### HTTP Request
+
+DELETE /apis/certificates.k8s.io/v1alpha1/clustertrustbundles/{name}
+
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the ClusterTrustBundle
+
+
+- **body**: }}">DeleteOptions
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **gracePeriodSeconds** (*in query*): integer
+
+  }}">gracePeriodSeconds
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+- **propagationPolicy** (*in query*): string
+
+  }}">propagationPolicy
+
+
+
+#### Response
+
+
+200 (}}">Status): OK
+
+202 (}}">Status): Accepted
+
+401: Unauthorized
+
+
+### `deletecollection` delete collection of ClusterTrustBundle
+
+#### HTTP Request
+
+DELETE /apis/certificates.k8s.io/v1alpha1/clustertrustbundles
+
+#### Parameters
+
+
+- **body**: }}">DeleteOptions
+
+  
+
+
+- **continue** (*in query*): string
+
+  }}">continue
+
+
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **fieldSelector** (*in query*): string
+
+  }}">fieldSelector
+
+
+- **gracePeriodSeconds** (*in query*): integer
+
+  }}">gracePeriodSeconds
+
+
+- **labelSelector** (*in query*): string
+
+  }}">labelSelector
+
+
+- **limit** (*in query*): integer
+
+  }}">limit
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+- **propagationPolicy** (*in query*): string
+
+  }}">propagationPolicy
+
+
+- **resourceVersion** (*in query*): string
+
+  }}">resourceVersion
+
+
+- **resourceVersionMatch** (*in query*): string
+
+  }}">resourceVersionMatch
+
+
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
+- **timeoutSeconds** (*in query*): integer
+
+  }}">timeoutSeconds
+
+
+
+#### Response
+
+
+200 (}}">Status): OK
+
+401: Unauthorized
+
diff --git a/content/en/docs/reference/kubernetes-api/authentication-resources/self-subject-review-v1beta1.md b/content/en/docs/reference/kubernetes-api/authentication-resources/self-subject-review-v1beta1.md
new file mode 100644
index 00000000000..064d3f8f027
--- /dev/null
+++ b/content/en/docs/reference/kubernetes-api/authentication-resources/self-subject-review-v1beta1.md
@@ -0,0 +1,142 @@
+---
+api_metadata:
+  apiVersion: "authentication.k8s.io/v1beta1"
+  import: "k8s.io/api/authentication/v1beta1"
+  kind: "SelfSubjectReview"
+content_type: "api_reference"
+description: "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request."
+title: "SelfSubjectReview v1beta1"
+weight: 6
+auto_generated: true
+---
+
+
+
+`apiVersion: authentication.k8s.io/v1beta1`
+
+`import "k8s.io/api/authentication/v1beta1"`
+
+
+## SelfSubjectReview {#SelfSubjectReview}
+
+SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
+
+

+
+- **apiVersion**: authentication.k8s.io/v1beta1
+
+
+- **kind**: SelfSubjectReview
+
+
+- **metadata** (}}">ObjectMeta)
+
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **status** (}}">SelfSubjectReviewStatus)
+
+  Status is filled in by the server with the user attributes.
+
+
+
+
+
+## SelfSubjectReviewStatus {#SelfSubjectReviewStatus}
+
+SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
+
+

+
+- **userInfo** (UserInfo)
+
+  User attributes of the user making this request.
+
+  
+  *UserInfo holds the information about the user needed to implement the user.Info interface.*
+
+  - **userInfo.extra** (map[string][]string)
+
+    Any additional information provided by the authenticator.
+
+  - **userInfo.groups** ([]string)
+
+    The names of groups this user is a part of.
+
+  - **userInfo.uid** (string)
+
+    A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.
+
+  - **userInfo.username** (string)
+
+    The name that uniquely identifies this user among all active users.
+
+
+
+
+
+## Operations {#Operations}
+
+
+
+

+
+
+
+
+
+
+### `create` create a SelfSubjectReview
+
+#### HTTP Request
+
+POST /apis/authentication.k8s.io/v1beta1/selfsubjectreviews
+
+#### Parameters
+
+
+- **body**: }}">SelfSubjectReview, required
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **fieldManager** (*in query*): string
+
+  }}">fieldManager
+
+
+- **fieldValidation** (*in query*): string
+
+  }}">fieldValidation
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+
+#### Response
+
+
+200 (}}">SelfSubjectReview): OK
+
+201 (}}">SelfSubjectReview): Created
+
+202 (}}">SelfSubjectReview): Accepted
+
+401: Unauthorized
+
diff --git a/content/en/docs/reference/kubernetes-api/authentication-resources/service-account-v1.md b/content/en/docs/reference/kubernetes-api/authentication-resources/service-account-v1.md
index f68e674c67e..589f0b923c7 100644
--- a/content/en/docs/reference/kubernetes-api/authentication-resources/service-account-v1.md
+++ b/content/en/docs/reference/kubernetes-api/authentication-resources/service-account-v1.md
@@ -182,6 +182,11 @@ GET /api/v1/namespaces/{namespace}/serviceaccounts
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -250,6 +255,11 @@ GET /api/v1/serviceaccounts
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -560,6 +570,11 @@ DELETE /api/v1/namespaces/{namespace}/serviceaccounts
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1.md b/content/en/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1.md
index a99b970be9b..f84ba0fcf6c 100644
--- a/content/en/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1.md
+++ b/content/en/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1.md
@@ -200,6 +200,11 @@ GET /apis/rbac.authorization.k8s.io/v1/clusterrolebindings
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -485,6 +490,11 @@ DELETE /apis/rbac.authorization.k8s.io/v1/clusterrolebindings
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1.md b/content/en/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1.md
index 387737af3b5..b7e87bf0cca 100644
--- a/content/en/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1.md
+++ b/content/en/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1.md
@@ -196,6 +196,11 @@ GET /apis/rbac.authorization.k8s.io/v1/clusterroles
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -481,6 +486,11 @@ DELETE /apis/rbac.authorization.k8s.io/v1/clusterroles
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/authorization-resources/role-binding-v1.md b/content/en/docs/reference/kubernetes-api/authorization-resources/role-binding-v1.md
index 6f2ad19fa6c..75d4d5f0f84 100644
--- a/content/en/docs/reference/kubernetes-api/authorization-resources/role-binding-v1.md
+++ b/content/en/docs/reference/kubernetes-api/authorization-resources/role-binding-v1.md
@@ -210,6 +210,11 @@ GET /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -278,6 +283,11 @@ GET /apis/rbac.authorization.k8s.io/v1/rolebindings
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -588,6 +598,11 @@ DELETE /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/authorization-resources/role-v1.md b/content/en/docs/reference/kubernetes-api/authorization-resources/role-v1.md
index ab854e246a8..6b378be7caf 100644
--- a/content/en/docs/reference/kubernetes-api/authorization-resources/role-v1.md
+++ b/content/en/docs/reference/kubernetes-api/authorization-resources/role-v1.md
@@ -195,6 +195,11 @@ GET /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -263,6 +268,11 @@ GET /apis/rbac.authorization.k8s.io/v1/roles
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -573,6 +583,11 @@ DELETE /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/authorization-resources/self-subject-review-v1alpha1.md b/content/en/docs/reference/kubernetes-api/authorization-resources/self-subject-review-v1alpha1.md
index ace01dcaf55..a8ed8464f21 100644
--- a/content/en/docs/reference/kubernetes-api/authorization-resources/self-subject-review-v1alpha1.md
+++ b/content/en/docs/reference/kubernetes-api/authorization-resources/self-subject-review-v1alpha1.md
@@ -28,7 +28,7 @@ guide. You can file document formatting bugs against the
 
 ## SelfSubjectReview {#SelfSubjectReview}
 
-SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated.
+SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
 
 

 
diff --git a/content/en/docs/reference/kubernetes-api/cluster-resources/api-service-v1.md b/content/en/docs/reference/kubernetes-api/cluster-resources/api-service-v1.md
index 81a7620d084..59df5a5e0e6 100644
--- a/content/en/docs/reference/kubernetes-api/cluster-resources/api-service-v1.md
+++ b/content/en/docs/reference/kubernetes-api/cluster-resources/api-service-v1.md
@@ -293,6 +293,11 @@ GET /apis/apiregistration.k8s.io/v1/apiservices
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -683,6 +688,11 @@ DELETE /apis/apiregistration.k8s.io/v1/apiservices
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/cluster-resources/cluster-cidr-v1alpha1.md b/content/en/docs/reference/kubernetes-api/cluster-resources/cluster-cidr-v1alpha1.md
index 82f8eb92288..4fdf307e974 100644
--- a/content/en/docs/reference/kubernetes-api/cluster-resources/cluster-cidr-v1alpha1.md
+++ b/content/en/docs/reference/kubernetes-api/cluster-resources/cluster-cidr-v1alpha1.md
@@ -44,7 +44,7 @@ ClusterCIDR represents a single configuration for per-Node Pod CIDR allocations
 
 - **spec** (}}">ClusterCIDRSpec)
 
-  Spec is the desired state of the ClusterCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+  spec is the desired state of the ClusterCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 
 
 
@@ -58,19 +58,19 @@ ClusterCIDRSpec defines the desired state of ClusterCIDR.
 
 - **perNodeHostBits** (int32), required
 
-  PerNodeHostBits defines the number of host bits to be configured per node. A subnet mask determines how much of the address is used for network bits and host bits. For example an IPv4 address of 192.168.0.0/24, splits the address into 24 bits for the network portion and 8 bits for the host portion. To allocate 256 IPs, set this field to 8 (a /24 mask for IPv4 or a /120 for IPv6). Minimum value is 4 (16 IPs). This field is immutable.
+  perNodeHostBits defines the number of host bits to be configured per node. A subnet mask determines how much of the address is used for network bits and host bits. For example an IPv4 address of 192.168.0.0/24, splits the address into 24 bits for the network portion and 8 bits for the host portion. To allocate 256 IPs, set this field to 8 (a /24 mask for IPv4 or a /120 for IPv6). Minimum value is 4 (16 IPs). This field is immutable.
 
 - **ipv4** (string)
 
-  IPv4 defines an IPv4 IP block in CIDR notation(e.g. "10.0.0.0/8"). At least one of IPv4 and IPv6 must be specified. This field is immutable.
+  ipv4 defines an IPv4 IP block in CIDR notation(e.g. "10.0.0.0/8"). At least one of ipv4 and ipv6 must be specified. This field is immutable.
 
 - **ipv6** (string)
 
-  IPv6 defines an IPv6 IP block in CIDR notation(e.g. "2001:db8::/64"). At least one of IPv4 and IPv6 must be specified. This field is immutable.
+  ipv6 defines an IPv6 IP block in CIDR notation(e.g. "2001:db8::/64"). At least one of ipv4 and ipv6 must be specified. This field is immutable.
 
 - **nodeSelector** (NodeSelector)
 
-  NodeSelector defines which nodes the config is applicable to. An empty or nil NodeSelector selects all nodes. This field is immutable.
+  nodeSelector defines which nodes the config is applicable to. An empty or nil nodeSelector selects all nodes. This field is immutable.
 
   
   *A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.*
@@ -112,7 +112,7 @@ ClusterCIDRList contains a list of ClusterCIDR.
 
 - **items** ([]}}">ClusterCIDR), required
 
-  Items is the list of ClusterCIDRs.
+  items is the list of ClusterCIDRs.
 
 
 
@@ -206,6 +206,11 @@ GET /apis/networking.k8s.io/v1alpha1/clustercidrs
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -491,6 +496,11 @@ DELETE /apis/networking.k8s.io/v1alpha1/clustercidrs
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/cluster-resources/component-status-v1.md b/content/en/docs/reference/kubernetes-api/cluster-resources/component-status-v1.md
index 0542fedfbd7..f1bcf3b0654 100644
--- a/content/en/docs/reference/kubernetes-api/cluster-resources/component-status-v1.md
+++ b/content/en/docs/reference/kubernetes-api/cluster-resources/component-status-v1.md
@@ -183,6 +183,11 @@ GET /api/v1/componentstatuses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/cluster-resources/event-v1.md b/content/en/docs/reference/kubernetes-api/cluster-resources/event-v1.md
index 20ed36b1abd..fcdec600ee7 100644
--- a/content/en/docs/reference/kubernetes-api/cluster-resources/event-v1.md
+++ b/content/en/docs/reference/kubernetes-api/cluster-resources/event-v1.md
@@ -258,6 +258,11 @@ GET /apis/events.k8s.io/v1/namespaces/{namespace}/events
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -326,6 +331,11 @@ GET /apis/events.k8s.io/v1/events
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -636,6 +646,11 @@ DELETE /apis/events.k8s.io/v1/namespaces/{namespace}/events
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/cluster-resources/flow-schema-v1beta3.md b/content/en/docs/reference/kubernetes-api/cluster-resources/flow-schema-v1beta3.md
index e325b3d7777..94957e33ba2 100644
--- a/content/en/docs/reference/kubernetes-api/cluster-resources/flow-schema-v1beta3.md
+++ b/content/en/docs/reference/kubernetes-api/cluster-resources/flow-schema-v1beta3.md
@@ -397,6 +397,11 @@ GET /apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -787,6 +792,11 @@ DELETE /apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/cluster-resources/lease-v1.md b/content/en/docs/reference/kubernetes-api/cluster-resources/lease-v1.md
index b33e8ee19a7..c88ee6d7e4d 100644
--- a/content/en/docs/reference/kubernetes-api/cluster-resources/lease-v1.md
+++ b/content/en/docs/reference/kubernetes-api/cluster-resources/lease-v1.md
@@ -44,7 +44,7 @@ Lease defines a lease concept.
 
 - **spec** (}}">LeaseSpec)
 
-  Specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+  spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 
 
 
@@ -69,7 +69,7 @@ LeaseSpec is a specification of a Lease.
 
 - **leaseDurationSeconds** (int32)
 
-  leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measure against time of last observed RenewTime.
+  leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measure against time of last observed renewTime.
 
 - **leaseTransitions** (int32)
 
@@ -104,7 +104,7 @@ LeaseList is a list of Lease objects.
 
 - **items** ([]}}">Lease), required
 
-  Items is a list of schema objects.
+  items is a list of schema objects.
 
 
 
@@ -208,6 +208,11 @@ GET /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -276,6 +281,11 @@ GET /apis/coordination.k8s.io/v1/leases
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -586,6 +596,11 @@ DELETE /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/cluster-resources/namespace-v1.md b/content/en/docs/reference/kubernetes-api/cluster-resources/namespace-v1.md
index 0871c397d3a..6388d7126e4 100644
--- a/content/en/docs/reference/kubernetes-api/cluster-resources/namespace-v1.md
+++ b/content/en/docs/reference/kubernetes-api/cluster-resources/namespace-v1.md
@@ -106,8 +106,6 @@ NamespaceStatus is information about the current status of a Namespace.
 - **phase** (string)
 
   Phase is the current lifecycle phase of the namespace. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/
-  
-  
 
 
 
@@ -253,6 +251,11 @@ GET /api/v1/namespaces
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/cluster-resources/node-v1.md b/content/en/docs/reference/kubernetes-api/cluster-resources/node-v1.md
index a6317d1dc98..0a73ea2cb2d 100644
--- a/content/en/docs/reference/kubernetes-api/cluster-resources/node-v1.md
+++ b/content/en/docs/reference/kubernetes-api/cluster-resources/node-v1.md
@@ -120,8 +120,6 @@ NodeSpec describes the attributes that a node is created with.
   - **taints.effect** (string), required
 
     Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
-    
-    
 
   - **taints.key** (string), required
 
@@ -156,7 +154,7 @@ NodeStatus is information about the current status of a node.
 
   *Patch strategy: merge on key `type`*
   
-  List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses Note: This field is declared as mergeable, but the merge key is not sufficiently unique, which can cause data corruption when it is merged. Callers should instead use a full-replacement patch. See https://pr.k8s.io/79391 for an example.
+  List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses Note: This field is declared as mergeable, but the merge key is not sufficiently unique, which can cause data corruption when it is merged. Callers should instead use a full-replacement patch. See https://pr.k8s.io/79391 for an example. Consumers should assume that addresses can change during the lifetime of a Node. However, there are some exceptions where this may not be possible, such as Pods that inherit a Node's address in its own status or consumers of the downward API (status.hostIP).
 
   
   *NodeAddress contains information for the node's address.*
@@ -412,8 +410,6 @@ NodeStatus is information about the current status of a node.
 - **phase** (string)
 
   NodePhase is the recently observed lifecycle phase of the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.
-  
-  
 
 - **volumesAttached** ([]AttachedVolume)
 
@@ -578,6 +574,11 @@ GET /api/v1/nodes
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -968,6 +969,11 @@ DELETE /api/v1/nodes
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/cluster-resources/priority-level-configuration-v1beta3.md b/content/en/docs/reference/kubernetes-api/cluster-resources/priority-level-configuration-v1beta3.md
index 5a17134f65d..420699dfaf0 100644
--- a/content/en/docs/reference/kubernetes-api/cluster-resources/priority-level-configuration-v1beta3.md
+++ b/content/en/docs/reference/kubernetes-api/cluster-resources/priority-level-configuration-v1beta3.md
@@ -313,6 +313,11 @@ GET /apis/flowcontrol.apiserver.k8s.io/v1beta3/prioritylevelconfigurations
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -703,6 +708,11 @@ DELETE /apis/flowcontrol.apiserver.k8s.io/v1beta3/prioritylevelconfigurations
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/cluster-resources/runtime-class-v1.md b/content/en/docs/reference/kubernetes-api/cluster-resources/runtime-class-v1.md
index 4f8bb7571de..0fade3be57e 100644
--- a/content/en/docs/reference/kubernetes-api/cluster-resources/runtime-class-v1.md
+++ b/content/en/docs/reference/kubernetes-api/cluster-resources/runtime-class-v1.md
@@ -44,11 +44,11 @@ RuntimeClass defines a class of container runtime supported in the cluster. The
 
 - **handler** (string), required
 
-  Handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration.  It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called "runc" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.
+  handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration.  It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called "runc" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.
 
 - **overhead** (Overhead)
 
-  Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see
+  overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see
    https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/
 
   
@@ -56,11 +56,11 @@ RuntimeClass defines a class of container runtime supported in the cluster. The
 
   - **overhead.podFixed** (map[string]}}">Quantity)
 
-    PodFixed represents the fixed resource overhead associated with running a pod.
+    podFixed represents the fixed resource overhead associated with running a pod.
 
 - **scheduling** (Scheduling)
 
-  Scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes.
+  scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes.
 
   
   *Scheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.*
@@ -85,8 +85,6 @@ RuntimeClass defines a class of container runtime supported in the cluster. The
     - **scheduling.tolerations.operator** (string)
 
       Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-      
-      
 
     - **scheduling.tolerations.value** (string)
 
@@ -95,8 +93,6 @@ RuntimeClass defines a class of container runtime supported in the cluster. The
     - **scheduling.tolerations.effect** (string)
 
       Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-      
-      
 
     - **scheduling.tolerations.tolerationSeconds** (int64)
 
@@ -124,7 +120,7 @@ RuntimeClassList is a list of RuntimeClass objects.
 
 - **items** ([]}}">RuntimeClass), required
 
-  Items is a list of schema objects.
+  items is a list of schema objects.
 
 
 
@@ -218,6 +214,11 @@ GET /apis/node.k8s.io/v1/runtimeclasses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -503,6 +504,11 @@ DELETE /apis/node.k8s.io/v1/runtimeclasses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/common-definitions/node-selector-requirement.md b/content/en/docs/reference/kubernetes-api/common-definitions/node-selector-requirement.md
index 4cbdb7881d8..33af2e88e30 100644
--- a/content/en/docs/reference/kubernetes-api/common-definitions/node-selector-requirement.md
+++ b/content/en/docs/reference/kubernetes-api/common-definitions/node-selector-requirement.md
@@ -36,9 +36,7 @@ A node selector requirement is a selector that contains values, a key, and an op
 
 - **operator** (string), required
 
-  Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
-  
-  
+  Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
 
 - **values** ([]string)
 
diff --git a/content/en/docs/reference/kubernetes-api/common-definitions/object-meta.md b/content/en/docs/reference/kubernetes-api/common-definitions/object-meta.md
index 199d4ff7d70..9386baeb83e 100644
--- a/content/en/docs/reference/kubernetes-api/common-definitions/object-meta.md
+++ b/content/en/docs/reference/kubernetes-api/common-definitions/object-meta.md
@@ -32,7 +32,7 @@ ObjectMeta is metadata that all persisted resources must have, which includes al
 
 - **name** (string)
 
-  Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names
+  Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
 
 - **generateName** (string)
 
@@ -46,15 +46,15 @@ ObjectMeta is metadata that all persisted resources must have, which includes al
 
   Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.
   
-  Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces
+  Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
 
 - **labels** (map[string]string)
 
-  Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels
+  Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
 
 - **annotations** (map[string]string)
 
-  Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
+  Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
 
 
 
@@ -129,11 +129,11 @@ ObjectMeta is metadata that all persisted resources must have, which includes al
 
   - **ownerReferences.name** (string), required
 
-    Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names
+    Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
 
   - **ownerReferences.uid** (string), required
 
-    UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids
+    UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
 
   - **ownerReferences.blockOwnerDeletion** (boolean)
 
@@ -186,7 +186,7 @@ ObjectMeta is metadata that all persisted resources must have, which includes al
 
   UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.
   
-  Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids
+  Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
 
 
 
diff --git a/content/en/docs/reference/kubernetes-api/common-definitions/status.md b/content/en/docs/reference/kubernetes-api/common-definitions/status.md
index d40a22d6dae..9688eebe5ff 100644
--- a/content/en/docs/reference/kubernetes-api/common-definitions/status.md
+++ b/content/en/docs/reference/kubernetes-api/common-definitions/status.md
@@ -86,7 +86,7 @@ Status is a return value for calls that don't return other objects.
 
   - **details.uid** (string)
 
-    UID of the resource. (when there is a single resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids
+    UID of the resource. (when there is a single resource which can be described). More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
 
 - **kind** (string)
 
diff --git a/content/en/docs/reference/kubernetes-api/common-parameters/common-parameters.md b/content/en/docs/reference/kubernetes-api/common-parameters/common-parameters.md
index 1b290a716b7..95a8f5dd37c 100644
--- a/content/en/docs/reference/kubernetes-api/common-parameters/common-parameters.md
+++ b/content/en/docs/reference/kubernetes-api/common-parameters/common-parameters.md
@@ -80,7 +80,7 @@ A selector to restrict the list of returned objects by their fields. Defaults to
 
 ## fieldValidation {#fieldValidation}
 
-fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
+fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
 
 

 
@@ -184,6 +184,28 @@ Defaults to unset
 
 
 
+## sendInitialEvents {#sendInitialEvents}
+
+`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic "Bookmark" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `"k8s.io/initial-events-end": "true"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.
+
+When `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan
+  is interpreted as "data at least as new as the provided `resourceVersion`"
+  and the bookmark event is send when the state is synced
+  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.
+  If `resourceVersion` is unset, this is interpreted as "consistent read" and the
+  bookmark event is send when the state is synced at least to the moment
+  when request started being processed.
+- `resourceVersionMatch` set to any other value or unset
+  Invalid error is returned.
+
+Defaults to true if `resourceVersion=""` or `resourceVersion="0"` (for backward compatibility reasons) and to false otherwise.
+
+

+
+
+
+
+
 ## timeoutSeconds {#timeoutSeconds}
 
 Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.
diff --git a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/config-map-v1.md b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/config-map-v1.md
index c0619358ab2..78318e2a089 100644
--- a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/config-map-v1.md
+++ b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/config-map-v1.md
@@ -180,6 +180,11 @@ GET /api/v1/namespaces/{namespace}/configmaps
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -248,6 +253,11 @@ GET /api/v1/configmaps
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -558,6 +568,11 @@ DELETE /api/v1/namespaces/{namespace}/configmaps
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1.md b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1.md
index 911ef8e77e5..8f331c62bd0 100644
--- a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1.md
+++ b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1.md
@@ -44,7 +44,7 @@ CSIDriver captures information about a Container Storage Interface (CSI) volume
 
 - **spec** (}}">CSIDriverSpec), required
 
-  Specification of the CSI Driver.
+  spec represents the specification of the CSI Driver.
 
 
 
@@ -64,7 +64,7 @@ CSIDriverSpec is the specification of a CSIDriver.
 
 - **fsGroupPolicy** (string)
 
-  Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details.
+  fsGroupPolicy defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details.
   
   This field is immutable.
   
@@ -72,7 +72,11 @@ CSIDriverSpec is the specification of a CSIDriver.
 
 - **podInfoOnMount** (boolean)
 
-  If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. "csi.storage.k8s.io/pod.name": pod.Name "csi.storage.k8s.io/pod.namespace": pod.Namespace "csi.storage.k8s.io/pod.uid": string(pod.UID) "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume
+  podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations, if set to true. If set to false, pod information will not be passed on mount. Default is false.
+  
+  The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext.
+  
+  The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. "csi.storage.k8s.io/pod.name": pod.Name "csi.storage.k8s.io/pod.namespace": pod.Namespace "csi.storage.k8s.io/pod.uid": string(pod.UID) "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume
                                   defined by a CSIVolumeSource, otherwise "false"
   
   "csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.
@@ -81,13 +85,13 @@ CSIDriverSpec is the specification of a CSIDriver.
 
 - **requiresRepublish** (boolean)
 
-  RequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.
+  requiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.
   
   Note: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.
 
 - **seLinuxMount** (boolean)
 
-  SELinuxMount specifies if the CSI driver supports "-o context" mount option.
+  seLinuxMount specifies if the CSI driver supports "-o context" mount option.
   
   When "true", the CSI driver must ensure that all volumes provided by this CSI driver can be mounted separately with different `-o context` options. This is typical for storage backends that provide volumes as filesystems on block devices or as independent shared volumes. Kubernetes will call NodeStage / NodePublish with "-o context=xyz" mount option when mounting a ReadWriteOncePod volume used in Pod that has explicitly set SELinux context. In the future, it may be expanded to other volume AccessModes. In any case, Kubernetes will ensure that the volume is mounted only with a single SELinux context.
   
@@ -97,7 +101,7 @@ CSIDriverSpec is the specification of a CSIDriver.
 
 - **storageCapacity** (boolean)
 
-  If set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.
+  storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information, if set to true.
   
   The check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.
   
@@ -109,7 +113,7 @@ CSIDriverSpec is the specification of a CSIDriver.
 
   *Atomic: will be replaced during a merge*
   
-  TokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: "csi.storage.k8s.io/serviceAccount.tokens": {
+  tokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: "csi.storage.k8s.io/serviceAccount.tokens": {
     "\": {
       "token": \,
       "expirationTimestamp": \,
@@ -124,19 +128,23 @@ CSIDriverSpec is the specification of a CSIDriver.
 
   - **tokenRequests.audience** (string), required
 
-    Audience is the intended audience of the token in "TokenRequestSpec". It will default to the audiences of kube apiserver.
+    audience is the intended audience of the token in "TokenRequestSpec". It will default to the audiences of kube apiserver.
 
   - **tokenRequests.expirationSeconds** (int64)
 
-    ExpirationSeconds is the duration of validity of the token in "TokenRequestSpec". It has the same default value of "ExpirationSeconds" in "TokenRequestSpec".
+    expirationSeconds is the duration of validity of the token in "TokenRequestSpec". It has the same default value of "ExpirationSeconds" in "TokenRequestSpec".
 
 - **volumeLifecycleModes** ([]string)
 
   *Set: unique values will be kept during a merge*
   
-  volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is "Persistent", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future. This field is beta.
+  volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is "Persistent", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism.
   
-  This field is immutable.
+  The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume.
+  
+  For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future.
+  
+  This field is beta. This field is immutable.
 
 
 
@@ -254,6 +262,11 @@ GET /apis/storage.k8s.io/v1/csidrivers
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -539,6 +552,11 @@ DELETE /apis/storage.k8s.io/v1/csidrivers
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/csi-node-v1.md b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/csi-node-v1.md
index cfaf156fa51..2315e13a76d 100644
--- a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/csi-node-v1.md
+++ b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/csi-node-v1.md
@@ -40,7 +40,7 @@ CSINode holds information about all CSI drivers installed on a node. CSI drivers
 
 - **metadata** (}}">ObjectMeta)
 
-  metadata.name must be the Kubernetes node name.
+  Standard object's metadata. metadata.name must be the Kubernetes node name.
 
 - **spec** (}}">CSINodeSpec), required
 
@@ -67,7 +67,7 @@ CSINodeSpec holds information about the specification of all CSI drivers install
 
   - **drivers.name** (string), required
 
-    This is the name of the CSI driver that this object refers to. This MUST be the same name returned by the CSI GetPluginName() call for that driver.
+    name represents the name of the CSI driver that this object refers to. This MUST be the same name returned by the CSI GetPluginName() call for that driver.
 
   - **drivers.nodeID** (string), required
 
@@ -82,7 +82,7 @@ CSINodeSpec holds information about the specification of all CSI drivers install
 
     - **drivers.allocatable.count** (int32)
 
-      Maximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. If this field is not specified, then the supported number of volumes on this node is unbounded.
+      count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. If this field is not specified, then the supported number of volumes on this node is unbounded.
 
   - **drivers.topologyKeys** ([]string)
 
@@ -204,6 +204,11 @@ GET /apis/storage.k8s.io/v1/csinodes
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -489,6 +494,11 @@ DELETE /apis/storage.k8s.io/v1/csinodes
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1.md b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1.md
index cf4df4befe4..a1414630a81 100644
--- a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1.md
+++ b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1.md
@@ -48,7 +48,7 @@ They are consumed by the kube-scheduler when a CSI driver opts into capacity-awa
 
 - **metadata** (}}">ObjectMeta)
 
-  Standard object's metadata. The name has no particular meaning. It must be be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-\, a generated name, or a reverse-domain name which ends with the unique CSI driver name.
+  Standard object's metadata. The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-\, a generated name, or a reverse-domain name which ends with the unique CSI driver name.
   
   Objects are namespaced.
   
@@ -56,23 +56,23 @@ They are consumed by the kube-scheduler when a CSI driver opts into capacity-awa
 
 - **storageClassName** (string), required
 
-  The name of the StorageClass that the reported capacity applies to. It must meet the same requirements as the name of a StorageClass object (non-empty, DNS subdomain). If that object no longer exists, the CSIStorageCapacity object is obsolete and should be removed by its creator. This field is immutable.
+  storageClassName represents the name of the StorageClass that the reported capacity applies to. It must meet the same requirements as the name of a StorageClass object (non-empty, DNS subdomain). If that object no longer exists, the CSIStorageCapacity object is obsolete and should be removed by its creator. This field is immutable.
 
 - **capacity** (}}">Quantity)
 
-  Capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.
+  capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.
   
   The semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. If not set, that information is currently unavailable.
 
 - **maximumVolumeSize** (}}">Quantity)
 
-  MaximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.
+  maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.
   
   This is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim.
 
 - **nodeTopology** (}}">LabelSelector)
 
-  NodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable.
+  nodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable.
 
 
 
@@ -98,7 +98,7 @@ CSIStorageCapacityList is a collection of CSIStorageCapacity objects.
 
   *Map: unique values on key name will be kept during a merge*
   
-  Items is the list of CSIStorageCapacity objects.
+  items is the list of CSIStorageCapacity objects.
 
 
 
@@ -202,6 +202,11 @@ GET /apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -270,6 +275,11 @@ GET /apis/storage.k8s.io/v1/csistoragecapacities
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -580,6 +590,11 @@ DELETE /apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1.md b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1.md
index 3d6a889221f..4fc8f3aa65b 100644
--- a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1.md
+++ b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1.md
@@ -77,13 +77,13 @@ PersistentVolumeClaimSpec describes the common attributes of storage devices and
 
   - **resources.claims** ([]ResourceClaim)
 
-    *Set: unique values will be kept during a merge*
+    *Map: unique values on key name will be kept during a merge*
     
     Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
     
     This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
     
-    This field is immutable.
+    This field is immutable. It can only be set for containers.
 
     
     *ResourceClaim references one entry in PodSpec.ResourceClaims.*
@@ -98,7 +98,7 @@ PersistentVolumeClaimSpec describes the common attributes of storage devices and
 
   - **resources.requests** (map[string]}}">Quantity)
 
-    Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+    Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 
 - **volumeName** (string)
 
@@ -178,7 +178,7 @@ PersistentVolumeClaimStatus is the current status of a persistent volume claim.
   conditions is the current Condition of persistent volume claim. If underlying persistent volume is being resized then the Condition will be set to 'ResizeStarted'.
 
   
-  *PersistentVolumeClaimCondition contails details about state of pvc*
+  *PersistentVolumeClaimCondition contains details about state of pvc*
 
   - **conditions.status** (string), required
 
@@ -211,8 +211,6 @@ PersistentVolumeClaimStatus is the current status of a persistent volume claim.
 - **phase** (string)
 
   phase represents the current phase of PersistentVolumeClaim.
-  
-  
 
 - **resizeStatus** (string)
 
@@ -377,6 +375,11 @@ GET /api/v1/namespaces/{namespace}/persistentvolumeclaims
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -445,6 +448,11 @@ GET /api/v1/persistentvolumeclaims
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -870,6 +878,11 @@ DELETE /api/v1/namespaces/{namespace}/persistentvolumeclaims
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1.md b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1.md
index 0aa9021a429..3c300883401 100644
--- a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1.md
+++ b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1.md
@@ -108,8 +108,6 @@ PersistentVolumeSpec is the specification of a persistent volume.
 - **persistentVolumeReclaimPolicy** (string)
 
   persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. Valid options are Retain (default for manually created PersistentVolumes), Delete (default for dynamically provisioned PersistentVolumes), and Recycle (deprecated). Recycle must be supported by the volume plugin underlying this PersistentVolume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming
-  
-  
 
 - **storageClassName** (string)
 
@@ -329,7 +327,7 @@ PersistentVolumeSpec is the specification of a persistent volume.
 
   - **csi.controllerExpandSecretRef** (SecretReference)
 
-    controllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. This is an beta field and requires enabling ExpandCSIVolumes feature gate. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.
+    controllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.
 
     
     *SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
@@ -363,7 +361,7 @@ PersistentVolumeSpec is the specification of a persistent volume.
 
   - **csi.nodeExpandSecretRef** (SecretReference)
 
-    nodeExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeExpandVolume call. This is an alpha field and requires enabling CSINodeExpandSecret feature gate. This field is optional, may be omitted if no secret is required. If the secret object contains more than one secret, all secrets are passed.
+    nodeExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeExpandVolume call. This is a beta field which is enabled default by CSINodeExpandSecret feature gate. This field is optional, may be omitted if no secret is required. If the secret object contains more than one secret, all secrets are passed.
 
     
     *SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
@@ -519,6 +517,29 @@ PersistentVolumeSpec is the specification of a persistent volume.
 
     readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
 
+- **glusterfs** (GlusterfsPersistentVolumeSource)
+
+  glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md
+
+  
+  *Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.*
+
+  - **glusterfs.endpoints** (string), required
+
+    endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
+  - **glusterfs.path** (string), required
+
+    path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
+  - **glusterfs.endpointsNamespace** (string)
+
+    endpointsNamespace is the namespace that contains Glusterfs endpoint. If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
+  - **glusterfs.readOnly** (boolean)
+
+    readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
 - **iscsi** (ISCSIPersistentVolumeSource)
 
   iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin.
@@ -838,8 +859,6 @@ PersistentVolumeStatus is the current status of a persistent volume.
 - **phase** (string)
 
   phase indicates if a volume is available, bound to a claim, or released by a claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase
-  
-  
 
 - **reason** (string)
 
@@ -989,6 +1008,11 @@ GET /api/v1/persistentvolumes
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -1379,6 +1403,11 @@ DELETE /api/v1/persistentvolumes
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1.md b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1.md
index 5310484d56c..3bc2a6b6505 100644
--- a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1.md
+++ b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1.md
@@ -184,6 +184,11 @@ GET /api/v1/namespaces/{namespace}/secrets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -252,6 +257,11 @@ GET /api/v1/secrets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -562,6 +572,11 @@ DELETE /api/v1/namespaces/{namespace}/secrets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/storage-class-v1.md b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/storage-class-v1.md
index 6c9126f4c6b..9998f631b34 100644
--- a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/storage-class-v1.md
+++ b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/storage-class-v1.md
@@ -46,17 +46,17 @@ StorageClasses are non-namespaced; the name of the storage class according to et
 
 - **provisioner** (string), required
 
-  Provisioner indicates the type of the provisioner.
+  provisioner indicates the type of the provisioner.
 
 - **allowVolumeExpansion** (boolean)
 
-  AllowVolumeExpansion shows whether the storage class allow volume expand
+  allowVolumeExpansion shows whether the storage class allow volume expand.
 
 - **allowedTopologies** ([]TopologySelectorTerm)
 
   *Atomic: will be replaced during a merge*
   
-  Restrict the node topologies where volumes can be dynamically provisioned. Each volume plugin defines its own supported topology specifications. An empty TopologySelectorTerm list means there is no topology restriction. This field is only honored by servers that enable the VolumeScheduling feature.
+  allowedTopologies restrict the node topologies where volumes can be dynamically provisioned. Each volume plugin defines its own supported topology specifications. An empty TopologySelectorTerm list means there is no topology restriction. This field is only honored by servers that enable the VolumeScheduling feature.
 
   
   *A topology selector term represents the result of label queries. A null or empty topology selector term matches no objects. The requirements of them are ANDed. It provides a subset of functionality as NodeSelectorTerm. This is an alpha feature and may change in the future.*
@@ -78,19 +78,19 @@ StorageClasses are non-namespaced; the name of the storage class according to et
 
 - **mountOptions** ([]string)
 
-  Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.
+  mountOptions controls the mountOptions for dynamically provisioned PersistentVolumes of this storage class. e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.
 
 - **parameters** (map[string]string)
 
-  Parameters holds the parameters for the provisioner that should create volumes of this storage class.
+  parameters holds the parameters for the provisioner that should create volumes of this storage class.
 
 - **reclaimPolicy** (string)
 
-  Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.
+  reclaimPolicy controls the reclaimPolicy for dynamically provisioned PersistentVolumes of this storage class. Defaults to Delete.
 
 - **volumeBindingMode** (string)
 
-  VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound.  When unset, VolumeBindingImmediate is used. This field is only honored by servers that enable the VolumeScheduling feature.
+  volumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound.  When unset, VolumeBindingImmediate is used. This field is only honored by servers that enable the VolumeScheduling feature.
 
 
 
@@ -114,7 +114,7 @@ StorageClassList is a collection of storage classes.
 
 - **items** ([]}}">StorageClass), required
 
-  Items is the list of StorageClasses
+  items is the list of StorageClasses
 
 
 
@@ -208,6 +208,11 @@ GET /apis/storage.k8s.io/v1/storageclasses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -493,6 +498,11 @@ DELETE /apis/storage.k8s.io/v1/storageclasses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1.md b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1.md
index a0ac08f96b4..bc8d3629dcb 100644
--- a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1.md
+++ b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1.md
@@ -46,11 +46,11 @@ VolumeAttachment objects are non-namespaced.
 
 - **spec** (}}">VolumeAttachmentSpec), required
 
-  Specification of the desired attach/detach volume behavior. Populated by the Kubernetes system.
+  spec represents specification of the desired attach/detach volume behavior. Populated by the Kubernetes system.
 
 - **status** (}}">VolumeAttachmentStatus)
 
-  Status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher.
+  status represents status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher.
 
 
 
@@ -64,15 +64,15 @@ VolumeAttachmentSpec is the specification of a VolumeAttachment request.
 
 - **attacher** (string), required
 
-  Attacher indicates the name of the volume driver that MUST handle this request. This is the name returned by GetPluginName().
+  attacher indicates the name of the volume driver that MUST handle this request. This is the name returned by GetPluginName().
 
 - **nodeName** (string), required
 
-  The node that the volume should be attached to.
+  nodeName represents the node that the volume should be attached to.
 
 - **source** (VolumeAttachmentSource), required
 
-  Source represents the volume that should be attached.
+  source represents the volume that should be attached.
 
   
   *VolumeAttachmentSource represents a volume that should be attached. Right now only PersistenVolumes can be attached via external attacher, in future we may allow also inline volumes in pods. Exactly one member can be set.*
@@ -83,7 +83,7 @@ VolumeAttachmentSpec is the specification of a VolumeAttachment request.
 
   - **source.persistentVolumeName** (string)
 
-    Name of the persistent volume to attach.
+    persistentVolumeName represents the name of the persistent volume to attach.
 
 
 
@@ -97,44 +97,44 @@ VolumeAttachmentStatus is the status of a VolumeAttachment request.
 
 - **attached** (boolean), required
 
-  Indicates the volume is successfully attached. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.
+  attached indicates the volume is successfully attached. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.
 
 - **attachError** (VolumeError)
 
-  The last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.
+  attachError represents the last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.
 
   
   *VolumeError captures an error encountered during a volume operation.*
 
   - **attachError.message** (string)
 
-    String detailing the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.
+    message represents the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.
 
   - **attachError.time** (Time)
 
-    Time the error was encountered.
+    time represents the time the error was encountered.
 
     
     *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
 
 - **attachmentMetadata** (map[string]string)
 
-  Upon successful attach, this field is populated with any information returned by the attach operation that must be passed into subsequent WaitForAttach or Mount calls. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.
+  attachmentMetadata is populated with any information returned by the attach operation, upon successful attach, that must be passed into subsequent WaitForAttach or Mount calls. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.
 
 - **detachError** (VolumeError)
 
-  The last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher.
+  detachError represents the last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher.
 
   
   *VolumeError captures an error encountered during a volume operation.*
 
   - **detachError.message** (string)
 
-    String detailing the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.
+    message represents the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.
 
   - **detachError.time** (Time)
 
-    Time the error was encountered.
+    time represents the time the error was encountered.
 
     
     *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
@@ -161,7 +161,7 @@ VolumeAttachmentList is a collection of VolumeAttachment objects.
 
 - **items** ([]}}">VolumeAttachment), required
 
-  Items is the list of VolumeAttachments
+  items is the list of VolumeAttachments
 
 
 
@@ -283,6 +283,11 @@ GET /apis/storage.k8s.io/v1/volumeattachments
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -673,6 +678,11 @@ DELETE /apis/storage.k8s.io/v1/volumeattachments
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/volume.md b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/volume.md
index 1586c8cdd4b..b81f55944d5 100644
--- a/content/en/docs/reference/kubernetes-api/config-and-storage-resources/volume.md
+++ b/content/en/docs/reference/kubernetes-api/config-and-storage-resources/volume.md
@@ -230,7 +230,7 @@ Volume represents a named volume in a pod that may be accessed by any container
 
   - **emptyDir.sizeLimit** (}}">Quantity)
 
-    sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir
+    sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
 
 - **hostPath** (HostPathVolumeSource)
 
@@ -541,6 +541,25 @@ Volume represents a named volume in a pod that may be accessed by any container
 
     readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
 
+- **glusterfs** (GlusterfsVolumeSource)
+
+  glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md
+
+  
+  *Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.*
+
+  - **glusterfs.endpoints** (string), required
+
+    endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
+  - **glusterfs.path** (string), required
+
+    path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
+  - **glusterfs.readOnly** (boolean)
+
+    readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
 - **iscsi** (ISCSIVolumeSource)
 
   iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md
diff --git a/content/en/docs/reference/kubernetes-api/extend-resources/custom-resource-definition-v1.md b/content/en/docs/reference/kubernetes-api/extend-resources/custom-resource-definition-v1.md
index 945538d7671..a40e0f70f07 100644
--- a/content/en/docs/reference/kubernetes-api/extend-resources/custom-resource-definition-v1.md
+++ b/content/en/docs/reference/kubernetes-api/extend-resources/custom-resource-definition-v1.md
@@ -210,12 +210,12 @@ CustomResourceDefinitionSpec describes how a user wants their resource to appear
 
   - **conversion.strategy** (string), required
 
-    strategy specifies how custom resources are converted between versions. Allowed values are: - `None`: The converter only change the apiVersion and would not touch any other field in the custom resource. - `Webhook`: API Server will call to an external webhook to do the conversion. Additional information
+    strategy specifies how custom resources are converted between versions. Allowed values are: - `"None"`: The converter only change the apiVersion and would not touch any other field in the custom resource. - `"Webhook"`: API Server will call to an external webhook to do the conversion. Additional information
       is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.
 
   - **conversion.webhook** (WebhookConversion)
 
-    webhook describes how to call the conversion webhook. Required when `strategy` is set to `Webhook`.
+    webhook describes how to call the conversion webhook. Required when `strategy` is set to `"Webhook"`.
 
     
     *WebhookConversion describes how to call a conversion webhook*
@@ -533,6 +533,10 @@ JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-sc
 
     Message represents the message displayed when validation fails. The message is required if the Rule contains line breaks. The message must not contain line breaks. If unset, the message is "failed rule: {Rule}". e.g. "must be a URL with the host matching spec.host"
 
+  - **x-kubernetes-validations.messageExpression** (string)
+
+    MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a rule, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the rule; the only difference is the return type. Example: "x must be less than max ("+string(self.max)+")"
+
 
 
 
@@ -756,6 +760,11 @@ GET /apis/apiextensions.k8s.io/v1/customresourcedefinitions
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -1146,6 +1155,11 @@ DELETE /apis/apiextensions.k8s.io/v1/customresourcedefinitions
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/extend-resources/mutating-webhook-configuration-v1.md b/content/en/docs/reference/kubernetes-api/extend-resources/mutating-webhook-configuration-v1.md
index fba255e7f76..41cc4de3422 100644
--- a/content/en/docs/reference/kubernetes-api/extend-resources/mutating-webhook-configuration-v1.md
+++ b/content/en/docs/reference/kubernetes-api/extend-resources/mutating-webhook-configuration-v1.md
@@ -117,6 +117,44 @@ MutatingWebhookConfiguration describes the configuration of and admission webhoo
 
     FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
 
+  - **webhooks.matchConditions** ([]MatchCondition)
+
+    *Patch strategy: merge on key `name`*
+    
+    *Map: unique values on key name will be kept during a merge*
+    
+    MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
+    
+    The exact matching logic is (in order):
+      1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+      2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+      3. If any matchCondition evaluates to an error (but none are FALSE):
+         - If failurePolicy=Fail, reject the request
+         - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+    
+    This is an alpha feature and managed by the AdmissionWebhookMatchConditions feature gate.
+
+    
+    *MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.*
+
+    - **webhooks.matchConditions.expression** (string), required
+
+      Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+      
+      'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+        See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+      'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+        request resource.
+      Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+      
+      Required.
+
+    - **webhooks.matchConditions.name** (string), required
+
+      Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+      
+      Required.
+
   - **webhooks.matchPolicy** (string)
 
     matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
@@ -336,6 +374,11 @@ GET /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -621,6 +664,11 @@ DELETE /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/extend-resources/validating-admission-policy-v1alpha1.md b/content/en/docs/reference/kubernetes-api/extend-resources/validating-admission-policy-v1alpha1.md
index 36e0feb4a6e..a6d3d72d3e4 100644
--- a/content/en/docs/reference/kubernetes-api/extend-resources/validating-admission-policy-v1alpha1.md
+++ b/content/en/docs/reference/kubernetes-api/extend-resources/validating-admission-policy-v1alpha1.md
@@ -49,50 +49,82 @@ ValidatingAdmissionPolicy describes the definition of an admission validation po
   
   *ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.*
 
-  - **spec.validations** ([]Validation), required
+  - **spec.auditAnnotations** ([]AuditAnnotation)
 
     *Atomic: will be replaced during a merge*
     
-    Validations contain CEL expressions which is used to apply the validation. A minimum of one validation is required for a policy definition. Required.
+    auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.
 
-    
-    *Validation specifies the CEL expression which is used to apply the validation.*
+    
+    *AuditAnnotation describes how to produce an audit annotation for an API request.*
 
-    - **spec.validations.expression** (string), required
+    - **spec.auditAnnotations.key** (string), required
 
-      Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the Admission request/response, organized into CEL variables as well as some other useful variables:
+      key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
       
-      'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+      The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}".
       
-      The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.
+      If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.
       
-      Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
-      	  "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
-      	  "import", "let", "loop", "package", "namespace", "return".
-      Examples:
-        - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
-        - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
-        - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
-      
-      Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
-        - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
-          non-intersecting elements in `Y` are appended, retaining their partial order.
-        - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
-          are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
-          non-intersecting keys are appended, retaining their partial order.
       Required.
 
-    - **spec.validations.message** (string)
+    - **spec.auditAnnotations.valueExpression** (string), required
 
-      Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is "failed rule: {Rule}". e.g. "must be a URL with the host matching spec.host" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is "failed Expression: {Expression}".
-
-    - **spec.validations.reason** (string)
-
-      Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". If not set, StatusReasonInvalid is used in the response to the client.
+      valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.
+      
+      If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.
+      
+      Required.
 
   - **spec.failurePolicy** (string)
 
-    FailurePolicy defines how to handle failures for the admission policy. Failures can occur from invalid or mis-configured policy definitions or bindings. A policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource. Allowed values are Ignore or Fail. Defaults to Fail.
+    failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.
+    
+    A policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+    
+    failurePolicy does not define how validations that evaluate to false are handled.
+    
+    When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.
+    
+    Allowed values are Ignore or Fail. Defaults to Fail.
+
+  - **spec.matchConditions** ([]MatchCondition)
+
+    *Patch strategy: merge on key `name`*
+    
+    *Map: unique values on key name will be kept during a merge*
+    
+    MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
+    
+    If a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.
+    
+    The exact matching logic is (in order):
+      1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+      2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+      3. If any matchCondition evaluates to an error (but none are FALSE):
+         - If failurePolicy=Fail, reject the request
+         - If failurePolicy=Ignore, the policy is skipped
+
+    
+    **
+
+    - **spec.matchConditions.expression** (string), required
+
+      Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+      
+      'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+        See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+      'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+        request resource.
+      Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+      
+      Required.
+
+    - **spec.matchConditions.name** (string), required
+
+      Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+      
+      Required.
 
   - **spec.matchConstraints** (MatchResources)
 
@@ -262,6 +294,125 @@ ValidatingAdmissionPolicy describes the definition of an admission validation po
 
       Kind is the API kind the resources belong to. Required.
 
+  - **spec.validations** ([]Validation)
+
+    *Atomic: will be replaced during a merge*
+    
+    Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.
+
+    
+    *Validation specifies the CEL expression which is used to apply the validation.*
+
+    - **spec.validations.expression** (string), required
+
+      Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
+      
+      - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+        See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+      - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+        request resource.
+      
+      The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.
+      
+      Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+      	  "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+      	  "import", "let", "loop", "package", "namespace", "return".
+      Examples:
+        - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
+        - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
+        - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
+      
+      Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+        - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+          non-intersecting elements in `Y` are appended, retaining their partial order.
+        - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+          are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+          non-intersecting keys are appended, retaining their partial order.
+      Required.
+
+    - **spec.validations.message** (string)
+
+      Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is "failed rule: {Rule}". e.g. "must be a URL with the host matching spec.host" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is "failed Expression: {Expression}".
+
+    - **spec.validations.messageExpression** (string)
+
+      messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: "object.x must be less than max ("+string(params.max)+")"
+
+    - **spec.validations.reason** (string)
+
+      Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". If not set, StatusReasonInvalid is used in the response to the client.
+
+- **status** (ValidatingAdmissionPolicyStatus)
+
+  The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only.
+
+  
+  *ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.*
+
+  - **status.conditions** ([]Condition)
+
+    *Map: unique values on key type will be kept during a merge*
+    
+    The conditions represent the latest available observations of a policy's current state.
+
+    
+    *Condition contains details for one aspect of the current state of this API Resource.*
+
+    - **status.conditions.lastTransitionTime** (Time), required
+
+      lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+
+      
+      *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
+
+    - **status.conditions.message** (string), required
+
+      message is a human readable message indicating details about the transition. This may be an empty string.
+
+    - **status.conditions.reason** (string), required
+
+      reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+
+    - **status.conditions.status** (string), required
+
+      status of the condition, one of True, False, Unknown.
+
+    - **status.conditions.type** (string), required
+
+      type of condition in CamelCase or in foo.example.com/CamelCase.
+
+    - **status.conditions.observedGeneration** (int64)
+
+      observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+
+  - **status.observedGeneration** (int64)
+
+    The generation observed by the controller.
+
+  - **status.typeChecking** (TypeChecking)
+
+    The results of type checking for each expression. Presence of this field indicates the completion of the type checking.
+
+    
+    *TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy*
+
+    - **status.typeChecking.expressionWarnings** ([]ExpressionWarning)
+
+      *Atomic: will be replaced during a merge*
+      
+      The type checking warnings for each expression.
+
+      
+      *ExpressionWarning is a warning information that targets a specific expression.*
+
+      - **status.typeChecking.expressionWarnings.fieldRef** (string), required
+
+        The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is "spec.validations[0].expression"
+
+      - **status.typeChecking.expressionWarnings.warning** (string), required
+
+        The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.
+
 
 
 
@@ -489,6 +640,30 @@ ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with parame
 
     PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.
 
+  - **spec.validationActions** ([]string)
+
+    *Set: unique values will be kept during a merge*
+    
+    validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.
+    
+    Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
+    
+    validationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.
+    
+    The supported actions values are:
+    
+    "Deny" specifies that a validation failure results in a denied request.
+    
+    "Warn" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.
+    
+    "Audit" specifies that a validation failure is included in the published audit event for the request. The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `"validation.policy.admission.k8s.io/validation_failure": "[{"message": "Invalid value", {"policy": "policy.example.com", {"binding": "policybinding.example.com", {"expressionIndex": "1", {"validationActions": ["Audit"]}]"`
+    
+    Clients should expect to handle additional values by ignoring any values not recognized.
+    
+    "Deny" and "Warn" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.
+    
+    Required.
+
 
 
 
@@ -524,6 +699,34 @@ GET /apis/admissionregistration.k8s.io/v1alpha1/validatingadmissionpolicies/{nam
 
 
 
+#### Response
+
+
+200 (}}">ValidatingAdmissionPolicy): OK
+
+401: Unauthorized
+
+
+### `get` read status of the specified ValidatingAdmissionPolicy
+
+#### HTTP Request
+
+GET /apis/admissionregistration.k8s.io/v1alpha1/validatingadmissionpolicies/{name}/status
+
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the ValidatingAdmissionPolicy
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+
 #### Response
 
 
@@ -581,6 +784,11 @@ GET /apis/admissionregistration.k8s.io/v1alpha1/validatingadmissionpolicies
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -666,6 +874,56 @@ PUT /apis/admissionregistration.k8s.io/v1alpha1/validatingadmissionpolicies/{nam
   
 
 
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **fieldManager** (*in query*): string
+
+  }}">fieldManager
+
+
+- **fieldValidation** (*in query*): string
+
+  }}">fieldValidation
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+
+#### Response
+
+
+200 (}}">ValidatingAdmissionPolicy): OK
+
+201 (}}">ValidatingAdmissionPolicy): Created
+
+401: Unauthorized
+
+
+### `update` replace status of the specified ValidatingAdmissionPolicy
+
+#### HTTP Request
+
+PUT /apis/admissionregistration.k8s.io/v1alpha1/validatingadmissionpolicies/{name}/status
+
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the ValidatingAdmissionPolicy
+
+
+- **body**: }}">ValidatingAdmissionPolicy, required
+
+  
+
+
 - **dryRun** (*in query*): string
 
   }}">dryRun
@@ -716,6 +974,61 @@ PATCH /apis/admissionregistration.k8s.io/v1alpha1/validatingadmissionpolicies/{n
   
 
 
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **fieldManager** (*in query*): string
+
+  }}">fieldManager
+
+
+- **fieldValidation** (*in query*): string
+
+  }}">fieldValidation
+
+
+- **force** (*in query*): boolean
+
+  }}">force
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+
+#### Response
+
+
+200 (}}">ValidatingAdmissionPolicy): OK
+
+201 (}}">ValidatingAdmissionPolicy): Created
+
+401: Unauthorized
+
+
+### `patch` partially update status of the specified ValidatingAdmissionPolicy
+
+#### HTTP Request
+
+PATCH /apis/admissionregistration.k8s.io/v1alpha1/validatingadmissionpolicies/{name}/status
+
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the ValidatingAdmissionPolicy
+
+
+- **body**: }}">Patch, required
+
+  
+
+
 - **dryRun** (*in query*): string
 
   }}">dryRun
@@ -866,6 +1179,11 @@ DELETE /apis/admissionregistration.k8s.io/v1alpha1/validatingadmissionpolicies
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1.md b/content/en/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1.md
index d41aa10efeb..6821958013b 100644
--- a/content/en/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1.md
+++ b/content/en/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1.md
@@ -117,6 +117,44 @@ ValidatingWebhookConfiguration describes the configuration of and admission webh
 
     FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
 
+  - **webhooks.matchConditions** ([]MatchCondition)
+
+    *Patch strategy: merge on key `name`*
+    
+    *Map: unique values on key name will be kept during a merge*
+    
+    MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
+    
+    The exact matching logic is (in order):
+      1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+      2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+      3. If any matchCondition evaluates to an error (but none are FALSE):
+         - If failurePolicy=Fail, reject the request
+         - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+    
+    This is an alpha feature and managed by the AdmissionWebhookMatchConditions feature gate.
+
+    
+    *MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.*
+
+    - **webhooks.matchConditions.expression** (string), required
+
+      Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+      
+      'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+        See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+      'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+        request resource.
+      Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+      
+      Required.
+
+    - **webhooks.matchConditions.name** (string), required
+
+      Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+      
+      Required.
+
   - **webhooks.matchPolicy** (string)
 
     matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
@@ -326,6 +364,11 @@ GET /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -611,6 +654,11 @@ DELETE /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/policy-resources/ip-address-v1alpha1.md b/content/en/docs/reference/kubernetes-api/policy-resources/ip-address-v1alpha1.md
new file mode 100644
index 00000000000..4828acb88c2
--- /dev/null
+++ b/content/en/docs/reference/kubernetes-api/policy-resources/ip-address-v1alpha1.md
@@ -0,0 +1,509 @@
+---
+api_metadata:
+  apiVersion: "networking.k8s.io/v1alpha1"
+  import: "k8s.io/api/networking/v1alpha1"
+  kind: "IPAddress"
+content_type: "api_reference"
+description: "IPAddress represents a single IP of a single IP Family."
+title: "IPAddress v1alpha1"
+weight: 5
+auto_generated: true
+---
+
+
+
+`apiVersion: networking.k8s.io/v1alpha1`
+
+`import "k8s.io/api/networking/v1alpha1"`
+
+
+## IPAddress {#IPAddress}
+
+IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of the object is the IP address in canonical format, four decimal digits separated by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1
+
+

+
+- **apiVersion**: networking.k8s.io/v1alpha1
+
+
+- **kind**: IPAddress
+
+
+- **metadata** (}}">ObjectMeta)
+
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (}}">IPAddressSpec)
+
+  spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+
+
+
+
+
+## IPAddressSpec {#IPAddressSpec}
+
+IPAddressSpec describe the attributes in an IP Address.
+
+

+
+- **parentRef** (ParentReference)
+
+  ParentRef references the resource that an IPAddress is attached to. An IPAddress must reference a parent object.
+
+  
+  *ParentReference describes a reference to a parent object.*
+
+  - **parentRef.group** (string)
+
+    Group is the group of the object being referenced.
+
+  - **parentRef.name** (string)
+
+    Name is the name of the object being referenced.
+
+  - **parentRef.namespace** (string)
+
+    Namespace is the namespace of the object being referenced.
+
+  - **parentRef.resource** (string)
+
+    Resource is the resource of the object being referenced.
+
+  - **parentRef.uid** (string)
+
+    UID is the uid of the object being referenced.
+
+
+
+
+
+## IPAddressList {#IPAddressList}
+
+IPAddressList contains a list of IPAddress.
+
+

+
+- **apiVersion**: networking.k8s.io/v1alpha1
+
+
+- **kind**: IPAddressList
+
+
+- **metadata** (}}">ListMeta)
+
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]}}">IPAddress), required
+
+  items is the list of IPAddresses.
+
+
+
+
+
+## Operations {#Operations}
+
+
+
+

+
+
+
+
+
+
+### `get` read the specified IPAddress
+
+#### HTTP Request
+
+GET /apis/networking.k8s.io/v1alpha1/ipaddresses/{name}
+
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the IPAddress
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+
+#### Response
+
+
+200 (}}">IPAddress): OK
+
+401: Unauthorized
+
+
+### `list` list or watch objects of kind IPAddress
+
+#### HTTP Request
+
+GET /apis/networking.k8s.io/v1alpha1/ipaddresses
+
+#### Parameters
+
+
+- **allowWatchBookmarks** (*in query*): boolean
+
+  }}">allowWatchBookmarks
+
+
+- **continue** (*in query*): string
+
+  }}">continue
+
+
+- **fieldSelector** (*in query*): string
+
+  }}">fieldSelector
+
+
+- **labelSelector** (*in query*): string
+
+  }}">labelSelector
+
+
+- **limit** (*in query*): integer
+
+  }}">limit
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+- **resourceVersion** (*in query*): string
+
+  }}">resourceVersion
+
+
+- **resourceVersionMatch** (*in query*): string
+
+  }}">resourceVersionMatch
+
+
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
+- **timeoutSeconds** (*in query*): integer
+
+  }}">timeoutSeconds
+
+
+- **watch** (*in query*): boolean
+
+  }}">watch
+
+
+
+#### Response
+
+
+200 (}}">IPAddressList): OK
+
+401: Unauthorized
+
+
+### `create` create an IPAddress
+
+#### HTTP Request
+
+POST /apis/networking.k8s.io/v1alpha1/ipaddresses
+
+#### Parameters
+
+
+- **body**: }}">IPAddress, required
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **fieldManager** (*in query*): string
+
+  }}">fieldManager
+
+
+- **fieldValidation** (*in query*): string
+
+  }}">fieldValidation
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+
+#### Response
+
+
+200 (}}">IPAddress): OK
+
+201 (}}">IPAddress): Created
+
+202 (}}">IPAddress): Accepted
+
+401: Unauthorized
+
+
+### `update` replace the specified IPAddress
+
+#### HTTP Request
+
+PUT /apis/networking.k8s.io/v1alpha1/ipaddresses/{name}
+
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the IPAddress
+
+
+- **body**: }}">IPAddress, required
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **fieldManager** (*in query*): string
+
+  }}">fieldManager
+
+
+- **fieldValidation** (*in query*): string
+
+  }}">fieldValidation
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+
+#### Response
+
+
+200 (}}">IPAddress): OK
+
+201 (}}">IPAddress): Created
+
+401: Unauthorized
+
+
+### `patch` partially update the specified IPAddress
+
+#### HTTP Request
+
+PATCH /apis/networking.k8s.io/v1alpha1/ipaddresses/{name}
+
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the IPAddress
+
+
+- **body**: }}">Patch, required
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **fieldManager** (*in query*): string
+
+  }}">fieldManager
+
+
+- **fieldValidation** (*in query*): string
+
+  }}">fieldValidation
+
+
+- **force** (*in query*): boolean
+
+  }}">force
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+
+#### Response
+
+
+200 (}}">IPAddress): OK
+
+201 (}}">IPAddress): Created
+
+401: Unauthorized
+
+
+### `delete` delete an IPAddress
+
+#### HTTP Request
+
+DELETE /apis/networking.k8s.io/v1alpha1/ipaddresses/{name}
+
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the IPAddress
+
+
+- **body**: }}">DeleteOptions
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **gracePeriodSeconds** (*in query*): integer
+
+  }}">gracePeriodSeconds
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+- **propagationPolicy** (*in query*): string
+
+  }}">propagationPolicy
+
+
+
+#### Response
+
+
+200 (}}">Status): OK
+
+202 (}}">Status): Accepted
+
+401: Unauthorized
+
+
+### `deletecollection` delete collection of IPAddress
+
+#### HTTP Request
+
+DELETE /apis/networking.k8s.io/v1alpha1/ipaddresses
+
+#### Parameters
+
+
+- **body**: }}">DeleteOptions
+
+  
+
+
+- **continue** (*in query*): string
+
+  }}">continue
+
+
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+
+- **fieldSelector** (*in query*): string
+
+  }}">fieldSelector
+
+
+- **gracePeriodSeconds** (*in query*): integer
+
+  }}">gracePeriodSeconds
+
+
+- **labelSelector** (*in query*): string
+
+  }}">labelSelector
+
+
+- **limit** (*in query*): integer
+
+  }}">limit
+
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+
+- **propagationPolicy** (*in query*): string
+
+  }}">propagationPolicy
+
+
+- **resourceVersion** (*in query*): string
+
+  }}">resourceVersion
+
+
+- **resourceVersionMatch** (*in query*): string
+
+  }}">resourceVersionMatch
+
+
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
+- **timeoutSeconds** (*in query*): integer
+
+  }}">timeoutSeconds
+
+
+
+#### Response
+
+
+200 (}}">Status): OK
+
+401: Unauthorized
+
diff --git a/content/en/docs/reference/kubernetes-api/policy-resources/limit-range-v1.md b/content/en/docs/reference/kubernetes-api/policy-resources/limit-range-v1.md
index 3be570cfb0a..ef4355e4f27 100644
--- a/content/en/docs/reference/kubernetes-api/policy-resources/limit-range-v1.md
+++ b/content/en/docs/reference/kubernetes-api/policy-resources/limit-range-v1.md
@@ -213,6 +213,11 @@ GET /api/v1/namespaces/{namespace}/limitranges
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -281,6 +286,11 @@ GET /api/v1/limitranges
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -591,6 +601,11 @@ DELETE /api/v1/namespaces/{namespace}/limitranges
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/policy-resources/network-policy-v1.md b/content/en/docs/reference/kubernetes-api/policy-resources/network-policy-v1.md
index 5a1b4f17ae6..01345b62583 100644
--- a/content/en/docs/reference/kubernetes-api/policy-resources/network-policy-v1.md
+++ b/content/en/docs/reference/kubernetes-api/policy-resources/network-policy-v1.md
@@ -44,11 +44,11 @@ NetworkPolicy describes what network traffic is allowed for a set of Pods
 
 - **spec** (}}">NetworkPolicySpec)
 
-  Specification of the desired behavior for this NetworkPolicy.
+  spec represents the specification of the desired behavior for this NetworkPolicy.
 
 - **status** (}}">NetworkPolicyStatus)
 
-  Status is the current state of the NetworkPolicy. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+  status represents the current state of the NetworkPolicy. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 
 
 
@@ -62,137 +62,137 @@ NetworkPolicySpec provides the specification of a NetworkPolicy
 
 - **podSelector** (}}">LabelSelector), required
 
-  Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
+  podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
 
 - **policyTypes** ([]string)
 
-  List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+  policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
 
 - **ingress** ([]NetworkPolicyIngressRule)
 
-  List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)
+  ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)
 
   
   *NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.*
 
   - **ingress.from** ([]NetworkPolicyPeer)
 
-    List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.
+    from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.
 
     
     *NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed*
 
     - **ingress.from.ipBlock** (IPBlock)
 
-      IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
+      ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
 
       
       *IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.*
 
       - **ingress.from.ipBlock.cidr** (string), required
 
-        CIDR is a string representing the IP Block Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+        cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"
 
       - **ingress.from.ipBlock.except** ([]string)
 
-        Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the CIDR range
+        except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range
 
     - **ingress.from.namespaceSelector** (}}">LabelSelector)
 
-      Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
+      namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
       
-      If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.
+      If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.
 
     - **ingress.from.podSelector** (}}">LabelSelector)
 
-      This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
+      podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
       
-      If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.
+      If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace.
 
   - **ingress.ports** ([]NetworkPolicyPort)
 
-    List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
+    ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
 
     
     *NetworkPolicyPort describes a port to allow traffic on*
 
     - **ingress.ports.port** (IntOrString)
 
-      The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
+      port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
 
       
       *IntOrString is a type that can hold an int32 or a string.  When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type.  This allows you to have, for example, a JSON field that can accept a name or number.*
 
     - **ingress.ports.endPort** (int32)
 
-      If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.
+      endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.
 
     - **ingress.ports.protocol** (string)
 
-      The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
+      protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
 
 - **egress** ([]NetworkPolicyEgressRule)
 
-  List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8
+  egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8
 
   
   *NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8*
 
   - **egress.to** ([]NetworkPolicyPeer)
 
-    List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.
+    to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.
 
     
     *NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed*
 
     - **egress.to.ipBlock** (IPBlock)
 
-      IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
+      ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
 
       
       *IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.*
 
       - **egress.to.ipBlock.cidr** (string), required
 
-        CIDR is a string representing the IP Block Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+        cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"
 
       - **egress.to.ipBlock.except** ([]string)
 
-        Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the CIDR range
+        except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range
 
     - **egress.to.namespaceSelector** (}}">LabelSelector)
 
-      Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
+      namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
       
-      If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.
+      If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.
 
     - **egress.to.podSelector** (}}">LabelSelector)
 
-      This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
+      podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
       
-      If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.
+      If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace.
 
   - **egress.ports** ([]NetworkPolicyPort)
 
-    List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
+    ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
 
     
     *NetworkPolicyPort describes a port to allow traffic on*
 
     - **egress.ports.port** (IntOrString)
 
-      The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
+      port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
 
       
       *IntOrString is a type that can hold an int32 or a string.  When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type.  This allows you to have, for example, a JSON field that can accept a name or number.*
 
     - **egress.ports.endPort** (int32)
 
-      If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.
+      endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.
 
     - **egress.ports.protocol** (string)
 
-      The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
+      protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
 
 
 
@@ -200,7 +200,7 @@ NetworkPolicySpec provides the specification of a NetworkPolicy
 
 ## NetworkPolicyStatus {#NetworkPolicyStatus}
 
-NetworkPolicyStatus describe the current state of the NetworkPolicy.
+NetworkPolicyStatus describes the current state of the NetworkPolicy.
 
 

 
@@ -210,7 +210,7 @@ NetworkPolicyStatus describe the current state of the NetworkPolicy.
   
   *Map: unique values on key type will be kept during a merge*
   
-  Conditions holds an array of metav1.Condition that describe the state of the NetworkPolicy. Current service state
+  conditions holds an array of metav1.Condition that describe the state of the NetworkPolicy. Current service state
 
   
   *Condition contains details for one aspect of the current state of this API Resource.*
@@ -264,7 +264,7 @@ NetworkPolicyList is a list of NetworkPolicy objects.
 
 - **items** ([]}}">NetworkPolicy), required
 
-  Items is a list of schema objects.
+  items is a list of schema objects.
 
 
 
@@ -401,6 +401,11 @@ GET /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -469,6 +474,11 @@ GET /apis/networking.k8s.io/v1/networkpolicies
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -894,6 +904,11 @@ DELETE /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1.md b/content/en/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1.md
index 7fd6fc3551a..ece7b336b9f 100644
--- a/content/en/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1.md
+++ b/content/en/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1.md
@@ -90,7 +90,7 @@ PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
   
   Additional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.
   
-  This field is alpha-level. The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (disabled by default).
+  This field is beta-level. The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).
 
 
 
@@ -334,6 +334,11 @@ GET /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -402,6 +407,11 @@ GET /apis/policy/v1/poddisruptionbudgets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -827,6 +837,11 @@ DELETE /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/policy-resources/resource-quota-v1.md b/content/en/docs/reference/kubernetes-api/policy-resources/resource-quota-v1.md
index 4675db74751..887b89886b5 100644
--- a/content/en/docs/reference/kubernetes-api/policy-resources/resource-quota-v1.md
+++ b/content/en/docs/reference/kubernetes-api/policy-resources/resource-quota-v1.md
@@ -81,14 +81,10 @@ ResourceQuotaSpec defines the desired hard limits to enforce for Quota.
     - **scopeSelector.matchExpressions.operator** (string), required
 
       Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.
-      
-      
 
     - **scopeSelector.matchExpressions.scopeName** (string), required
 
       The name of the scope that the selector applies to.
-      
-      
 
     - **scopeSelector.matchExpressions.values** ([]string)
 
@@ -275,6 +271,11 @@ GET /api/v1/namespaces/{namespace}/resourcequotas
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -343,6 +344,11 @@ GET /api/v1/resourcequotas
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -768,6 +774,11 @@ DELETE /api/v1/namespaces/{namespace}/resourcequotas
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/service-resources/endpoint-slice-v1.md b/content/en/docs/reference/kubernetes-api/service-resources/endpoint-slice-v1.md
index d2f6164d71d..06b8f032696 100644
--- a/content/en/docs/reference/kubernetes-api/service-resources/endpoint-slice-v1.md
+++ b/content/en/docs/reference/kubernetes-api/service-resources/endpoint-slice-v1.md
@@ -45,8 +45,6 @@ EndpointSlice represents a subset of the endpoints that implement a service. For
 - **addressType** (string), required
 
   addressType specifies the type of address carried by this EndpointSlice. All addresses in this slice must be the same type. This field is immutable after creation. The following address types are currently supported: * IPv4: Represents an IPv4 Address. * IPv6: Represents an IPv6 Address. * FQDN: Represents a Fully Qualified Domain Name.
-  
-  
 
 - **endpoints** ([]Endpoint), required
 
@@ -72,7 +70,7 @@ EndpointSlice represents a subset of the endpoints that implement a service. For
 
     - **endpoints.conditions.ready** (boolean)
 
-      ready indicates that this endpoint is prepared to receive traffic, according to whatever system is managing the endpoint. A nil value indicates an unknown state. In most cases consumers should interpret this unknown state as ready. For compatibility reasons, ready should never be "true" for terminating endpoints.
+      ready indicates that this endpoint is prepared to receive traffic, according to whatever system is managing the endpoint. A nil value indicates an unknown state. In most cases consumers should interpret this unknown state as ready. For compatibility reasons, ready should never be "true" for terminating endpoints, except when the normal readiness behavior is being explicitly overridden, for example when the associated Service has set the publishNotReadyAddresses flag.
 
     - **endpoints.conditions.serving** (boolean)
 
@@ -133,19 +131,26 @@ EndpointSlice represents a subset of the endpoints that implement a service. For
 
   - **ports.port** (int32)
 
-    The port number of the endpoint. If this is not specified, ports are not restricted and must be interpreted in the context of the specific consumer.
+    port represents the port number of the endpoint. If this is not specified, ports are not restricted and must be interpreted in the context of the specific consumer.
 
   - **ports.protocol** (string)
 
-    The IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.
+    protocol represents the IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.
 
   - **ports.name** (string)
 
-    The name of this port. All ports in an EndpointSlice must have a unique name. If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name. Name must either be an empty string or pass DNS_LABEL validation: * must be no more than 63 characters long. * must consist of lower case alphanumeric characters or '-'. * must start and end with an alphanumeric character. Default is empty string.
+    name represents the name of this port. All ports in an EndpointSlice must have a unique name. If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name. Name must either be an empty string or pass DNS_LABEL validation: * must be no more than 63 characters long. * must consist of lower case alphanumeric characters or '-'. * must start and end with an alphanumeric character. Default is empty string.
 
   - **ports.appProtocol** (string)
 
-    The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+    The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand. This field follows standard Kubernetes label syntax. Valid values are either:
+    
+    * Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names).
+    
+    * Kubernetes-defined prefixed names:
+      * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540
+    
+    * Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol.
 
 
 
@@ -169,7 +174,7 @@ EndpointSliceList represents a list of endpoint slices
 
 - **items** ([]}}">EndpointSlice), required
 
-  List of endpoint slices
+  items is the list of endpoint slices
 
 
 
@@ -273,6 +278,11 @@ GET /apis/discovery.k8s.io/v1/namespaces/{namespace}/endpointslices
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -341,6 +351,11 @@ GET /apis/discovery.k8s.io/v1/endpointslices
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -651,6 +666,11 @@ DELETE /apis/discovery.k8s.io/v1/namespaces/{namespace}/endpointslices
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/service-resources/endpoints-v1.md b/content/en/docs/reference/kubernetes-api/service-resources/endpoints-v1.md
index 8267741ea71..403dc9d535c 100644
--- a/content/en/docs/reference/kubernetes-api/service-resources/endpoints-v1.md
+++ b/content/en/docs/reference/kubernetes-api/service-resources/endpoints-v1.md
@@ -80,7 +80,7 @@ Endpoints is a collection of endpoints that implement the actual service. Exampl
 
     - **subsets.addresses.ip** (string), required
 
-      The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24). IPv6 is also accepted but not fully supported on all platforms. Also, certain kubernetes components, like kube-proxy, are not IPv6 ready.
+      The IP of this endpoint. May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10), or link-local multicast (224.0.0.0/24 or ff02::/16).
 
     - **subsets.addresses.hostname** (string)
 
@@ -103,7 +103,7 @@ Endpoints is a collection of endpoints that implement the actual service. Exampl
 
     - **subsets.notReadyAddresses.ip** (string), required
 
-      The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24). IPv6 is also accepted but not fully supported on all platforms. Also, certain kubernetes components, like kube-proxy, are not IPv6 ready.
+      The IP of this endpoint. May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10), or link-local multicast (224.0.0.0/24 or ff02::/16).
 
     - **subsets.notReadyAddresses.hostname** (string)
 
@@ -131,8 +131,6 @@ Endpoints is a collection of endpoints that implement the actual service. Exampl
     - **subsets.ports.protocol** (string)
 
       The IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.
-      
-      
 
     - **subsets.ports.name** (string)
 
@@ -140,7 +138,14 @@ Endpoints is a collection of endpoints that implement the actual service. Exampl
 
     - **subsets.ports.appProtocol** (string)
 
-      The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+      The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand. This field follows standard Kubernetes label syntax. Valid values are either:
+      
+      * Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names).
+      
+      * Kubernetes-defined prefixed names:
+        * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540
+      
+      * Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol.
 
 
 
@@ -268,6 +273,11 @@ GET /api/v1/namespaces/{namespace}/endpoints
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -336,6 +346,11 @@ GET /api/v1/endpoints
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -646,6 +661,11 @@ DELETE /api/v1/namespaces/{namespace}/endpoints
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/service-resources/ingress-class-v1.md b/content/en/docs/reference/kubernetes-api/service-resources/ingress-class-v1.md
index 009a5b7f9ef..db6654f2f30 100644
--- a/content/en/docs/reference/kubernetes-api/service-resources/ingress-class-v1.md
+++ b/content/en/docs/reference/kubernetes-api/service-resources/ingress-class-v1.md
@@ -44,7 +44,7 @@ IngressClass represents the class of the Ingress, referenced by the Ingress Spec
 
 - **spec** (}}">IngressClassSpec)
 
-  Spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+  spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 
 
 
@@ -58,34 +58,34 @@ IngressClassSpec provides information about the class of an Ingress.
 
 - **controller** (string)
 
-  Controller refers to the name of the controller that should handle this class. This allows for different "flavors" that are controlled by the same controller. For example, you may have different Parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. "acme.io/ingress-controller". This field is immutable.
+  controller refers to the name of the controller that should handle this class. This allows for different "flavors" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. "acme.io/ingress-controller". This field is immutable.
 
 - **parameters** (IngressClassParametersReference)
 
-  Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters.
+  parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters.
 
   
   *IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.*
 
   - **parameters.kind** (string), required
 
-    Kind is the type of resource being referenced.
+    kind is the type of resource being referenced.
 
   - **parameters.name** (string), required
 
-    Name is the name of resource being referenced.
+    name is the name of resource being referenced.
 
   - **parameters.apiGroup** (string)
 
-    APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
+    apiGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
 
   - **parameters.namespace** (string)
 
-    Namespace is the namespace of the resource being referenced. This field is required when scope is set to "Namespace" and must be unset when scope is set to "Cluster".
+    namespace is the namespace of the resource being referenced. This field is required when scope is set to "Namespace" and must be unset when scope is set to "Cluster".
 
   - **parameters.scope** (string)
 
-    Scope represents if this refers to a cluster or namespace scoped resource. This may be set to "Cluster" (default) or "Namespace".
+    scope represents if this refers to a cluster or namespace scoped resource. This may be set to "Cluster" (default) or "Namespace".
 
 
 
@@ -109,7 +109,7 @@ IngressClassList is a collection of IngressClasses.
 
 - **items** ([]}}">IngressClass), required
 
-  Items is the list of IngressClasses.
+  items is the list of IngressClasses.
 
 
 
@@ -203,6 +203,11 @@ GET /apis/networking.k8s.io/v1/ingressclasses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -488,6 +493,11 @@ DELETE /apis/networking.k8s.io/v1/ingressclasses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/service-resources/ingress-v1.md b/content/en/docs/reference/kubernetes-api/service-resources/ingress-v1.md
index d6c7290bac4..354cfa6ba60 100644
--- a/content/en/docs/reference/kubernetes-api/service-resources/ingress-v1.md
+++ b/content/en/docs/reference/kubernetes-api/service-resources/ingress-v1.md
@@ -44,11 +44,11 @@ Ingress is a collection of rules that allow inbound connections to reach the end
 
 - **spec** (}}">IngressSpec)
 
-  Spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+  spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 
 - **status** (}}">IngressStatus)
 
-  Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+  status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 
 
 
@@ -62,31 +62,31 @@ IngressSpec describes the Ingress the user wishes to exist.
 
 - **defaultBackend** (}}">IngressBackend)
 
-  DefaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller.
+  defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller.
 
 - **ingressClassName** (string)
 
-  IngressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.
+  ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.
 
 - **rules** ([]IngressRule)
 
   *Atomic: will be replaced during a merge*
   
-  A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.
+  rules is a list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.
 
   
   *IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.*
 
   - **rules.host** (string)
 
-    Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
+    host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
        the IP in the Spec of the parent Ingress.
     2. The `:` delimiter is not respected because ports are not allowed.
     	  Currently the port of an Ingress is implicitly :80 for http and
     	  :443 for https.
     Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
     
-    Host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.
+    host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). Requests will be matched against the Host field in the following way: 1. If host is precise, the request matches this rule if the http host header is equal to Host. 2. If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.
 
   - **rules.http** (HTTPIngressRuleValue)
 
@@ -98,18 +98,18 @@ IngressSpec describes the Ingress the user wishes to exist.
 
       *Atomic: will be replaced during a merge*
       
-      A collection of paths that map requests to backends.
+      paths is a collection of paths that map requests to backends.
 
       
       *HTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.*
 
       - **rules.http.paths.backend** (}}">IngressBackend), required
 
-        Backend defines the referenced service endpoint to which the traffic will be forwarded to.
+        backend defines the referenced service endpoint to which the traffic will be forwarded to.
 
       - **rules.http.paths.pathType** (string), required
 
-        PathType determines the interpretation of the Path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is
+        pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is
           done on a path element by element basis. A path element refers is the
           list of labels in the path split by the '/' separator. A request is a
           match for path p if every p is an element-wise prefix of p of the
@@ -123,26 +123,26 @@ IngressSpec describes the Ingress the user wishes to exist.
 
       - **rules.http.paths.path** (string)
 
-        Path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value "Exact" or "Prefix".
+        path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value "Exact" or "Prefix".
 
 - **tls** ([]IngressTLS)
 
   *Atomic: will be replaced during a merge*
   
-  TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.
+  tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.
 
   
-  *IngressTLS describes the transport layer security associated with an Ingress.*
+  *IngressTLS describes the transport layer security associated with an ingress.*
 
   - **tls.hosts** ([]string)
 
     *Atomic: will be replaced during a merge*
     
-    Hosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.
+    hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.
 
   - **tls.secretName** (string)
 
-    SecretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the "Host" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.
+    secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the "Host" header field used by an IngressRule, the SNI host is used for termination and value of the "Host" header is used for routing.
 
 
 
@@ -156,33 +156,33 @@ IngressBackend describes all endpoints for a given service and port.
 
 - **resource** (}}">TypedLocalObjectReference)
 
-  Resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with "Service".
+  resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with "Service".
 
 - **service** (IngressServiceBackend)
 
-  Service references a Service as a Backend. This is a mutually exclusive setting with "Resource".
+  service references a service as a backend. This is a mutually exclusive setting with "Resource".
 
   
   *IngressServiceBackend references a Kubernetes Service as a Backend.*
 
   - **service.name** (string), required
 
-    Name is the referenced service. The service must exist in the same namespace as the Ingress object.
+    name is the referenced service. The service must exist in the same namespace as the Ingress object.
 
   - **service.port** (ServiceBackendPort)
 
-    Port of the referenced service. A port name or port number is required for a IngressServiceBackend.
+    port of the referenced service. A port name or port number is required for a IngressServiceBackend.
 
     
     *ServiceBackendPort is the service port being referenced.*
 
     - **service.port.name** (string)
 
-      Name is the name of the port on the Service. This is a mutually exclusive setting with "Number".
+      name is the name of the port on the Service. This is a mutually exclusive setting with "Number".
 
     - **service.port.number** (int32)
 
-      Number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with "Name".
+      number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with "Name".
 
 
 
@@ -196,48 +196,46 @@ IngressStatus describe the current state of the Ingress.
 
 - **loadBalancer** (IngressLoadBalancerStatus)
 
-  LoadBalancer contains the current status of the load-balancer.
+  loadBalancer contains the current status of the load-balancer.
 
   
   *IngressLoadBalancerStatus represents the status of a load-balancer.*
 
   - **loadBalancer.ingress** ([]IngressLoadBalancerIngress)
 
-    Ingress is a list containing ingress points for the load-balancer.
+    ingress is a list containing ingress points for the load-balancer.
 
     
     *IngressLoadBalancerIngress represents the status of a load-balancer ingress point.*
 
     - **loadBalancer.ingress.hostname** (string)
 
-      Hostname is set for load-balancer ingress points that are DNS based.
+      hostname is set for load-balancer ingress points that are DNS based.
 
     - **loadBalancer.ingress.ip** (string)
 
-      IP is set for load-balancer ingress points that are IP based.
+      ip is set for load-balancer ingress points that are IP based.
 
     - **loadBalancer.ingress.ports** ([]IngressPortStatus)
 
       *Atomic: will be replaced during a merge*
       
-      Ports provides information about the ports exposed by this LoadBalancer.
+      ports provides information about the ports exposed by this LoadBalancer.
 
       
       *IngressPortStatus represents the error condition of a service port*
 
       - **loadBalancer.ingress.ports.port** (int32), required
 
-        Port is the port number of the ingress port.
+        port is the port number of the ingress port.
 
       - **loadBalancer.ingress.ports.protocol** (string), required
 
-        Protocol is the protocol of the ingress port. The supported values are: "TCP", "UDP", "SCTP"
-        
-        
+        protocol is the protocol of the ingress port. The supported values are: "TCP", "UDP", "SCTP"
 
       - **loadBalancer.ingress.ports.error** (string)
 
-        Error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use
+        error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use
           CamelCase names
         - cloud provider specific error values must have names that comply with the
           format foo.example.com/CamelCase.
@@ -254,7 +252,7 @@ IngressList is a collection of Ingress.
 
 - **items** ([]}}">Ingress), required
 
-  Items is the list of Ingress.
+  items is the list of Ingress.
 
 - **apiVersion** (string)
 
@@ -403,6 +401,11 @@ GET /apis/networking.k8s.io/v1/namespaces/{namespace}/ingresses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -471,6 +474,11 @@ GET /apis/networking.k8s.io/v1/ingresses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -896,6 +904,11 @@ DELETE /apis/networking.k8s.io/v1/namespaces/{namespace}/ingresses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/service-resources/service-v1.md b/content/en/docs/reference/kubernetes-api/service-resources/service-v1.md
index e98d49081c2..8159685fc44 100644
--- a/content/en/docs/reference/kubernetes-api/service-resources/service-v1.md
+++ b/content/en/docs/reference/kubernetes-api/service-resources/service-v1.md
@@ -89,8 +89,6 @@ ServiceSpec describes the attributes that a user creates on a service.
   - **ports.protocol** (string)
 
     The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". Default is TCP.
-    
-    
 
   - **ports.name** (string)
 
@@ -107,8 +105,6 @@ ServiceSpec describes the attributes that a user creates on a service.
 - **type** (string)
 
   type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. "ClusterIP" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object or EndpointSlice objects. If clusterIP is "None", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a virtual IP. "NodePort" builds on ClusterIP and allocates a port on every node which routes to the same endpoints as the clusterIP. "LoadBalancer" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. "ExternalName" aliases this service to the specified externalName. Several other fields do not apply to ExternalName services. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
-  
-  
 
 - **ipFamilies** ([]string)
 
@@ -141,8 +137,6 @@ ServiceSpec describes the attributes that a user creates on a service.
 - **sessionAffinity** (string)
 
   Supports "ClientIP" and "None". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
-  
-  
 
 - **loadBalancerIP** (string)
 
@@ -163,8 +157,6 @@ ServiceSpec describes the attributes that a user creates on a service.
 - **externalTrafficPolicy** (string)
 
   externalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, "Cluster", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get "Cluster" semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node.
-  
-  
 
 - **internalTrafficPolicy** (string)
 
@@ -286,8 +278,6 @@ ServiceStatus represents the current status of a service.
       - **loadBalancer.ingress.ports.protocol** (string), required
 
         Protocol is the protocol of the service port of which status is recorded here The supported values are: "TCP", "UDP", "SCTP"
-        
-        
 
       - **loadBalancer.ingress.ports.error** (string)
 
@@ -455,6 +445,11 @@ GET /api/v1/namespaces/{namespace}/services
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -523,6 +518,11 @@ GET /api/v1/services
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -948,6 +948,11 @@ DELETE /api/v1/namespaces/{namespace}/services
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/controller-revision-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/controller-revision-v1.md
index 5a23855cf25..39a4c73b635 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/controller-revision-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/controller-revision-v1.md
@@ -216,6 +216,11 @@ GET /apis/apps/v1/namespaces/{namespace}/controllerrevisions
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -284,6 +289,11 @@ GET /apis/apps/v1/controllerrevisions
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -594,6 +604,11 @@ DELETE /apis/apps/v1/namespaces/{namespace}/controllerrevisions
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/cron-job-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/cron-job-v1.md
index 9148da431f4..8222897d123 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/cron-job-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/cron-job-v1.md
@@ -81,13 +81,13 @@ CronJobSpec describes how the job execution will look like and when it will actu
 
 - **timeZone** (string)
 
-  The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this will default to the time zone of the kube-controller-manager process. The set of valid time zone names and the time zone offset is loaded from the system-wide time zone database by the API server during CronJob validation and the controller manager during execution. If no system-wide time zone database can be found a bundled version of the database is used instead. If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host configuration, the controller will stop creating new new Jobs and will create a system event with the reason UnknownTimeZone. More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones This is beta field and must be enabled via the `CronJobTimeZone` feature gate.
+  The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this will default to the time zone of the kube-controller-manager process. The set of valid time zone names and the time zone offset is loaded from the system-wide time zone database by the API server during CronJob validation and the controller manager during execution. If no system-wide time zone database can be found a bundled version of the database is used instead. If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host configuration, the controller will stop creating new new Jobs and will create a system event with the reason UnknownTimeZone. More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones
 
 - **concurrencyPolicy** (string)
 
-  Specifies how to treat concurrent executions of a Job. Valid values are: - "Allow" (default): allows CronJobs to run concurrently; - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet; - "Replace": cancels currently running job and replaces it with a new one
-  
+  Specifies how to treat concurrent executions of a Job. Valid values are:
   
+  - "Allow" (default): allows CronJobs to run concurrently; - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet; - "Replace": cancels currently running job and replaces it with a new one
 
 - **startingDeadlineSeconds** (int64)
 
@@ -294,6 +294,11 @@ GET /apis/batch/v1/namespaces/{namespace}/cronjobs
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -362,6 +367,11 @@ GET /apis/batch/v1/cronjobs
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -787,6 +797,11 @@ DELETE /apis/batch/v1/namespaces/{namespace}/cronjobs
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/daemon-set-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/daemon-set-v1.md
index 6176734a8bb..923e9074f05 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/daemon-set-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/daemon-set-v1.md
@@ -66,7 +66,7 @@ DaemonSetSpec is the specification of a daemon set.
 
 - **template** (}}">PodTemplateSpec), required
 
-  An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+  An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). The only allowed template.spec.restartPolicy value is "Always". More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
 
 - **minReadySeconds** (int32)
 
@@ -82,8 +82,6 @@ DaemonSetSpec is the specification of a daemon set.
   - **updateStrategy.type** (string)
 
     Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
-    
-    
 
   - **updateStrategy.rollingUpdate** (RollingUpdateDaemonSet)
 
@@ -347,6 +345,11 @@ GET /apis/apps/v1/namespaces/{namespace}/daemonsets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -415,6 +418,11 @@ GET /apis/apps/v1/daemonsets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -840,6 +848,11 @@ DELETE /apis/apps/v1/namespaces/{namespace}/daemonsets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/deployment-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/deployment-v1.md
index 1a409e11e7d..3ea68446fe0 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/deployment-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/deployment-v1.md
@@ -66,7 +66,7 @@ DeploymentSpec is the specification of the desired behavior of the Deployment.
 
 - **template** (}}">PodTemplateSpec), required
 
-  Template describes the pods that will be created.
+  Template describes the pods that will be created. The only allowed template.spec.restartPolicy value is "Always".
 
 - **replicas** (int32)
 
@@ -88,8 +88,6 @@ DeploymentSpec is the specification of the desired behavior of the Deployment.
   - **strategy.type** (string)
 
     Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
-    
-    
 
   - **strategy.rollingUpdate** (RollingUpdateDeployment)
 
@@ -360,6 +358,11 @@ GET /apis/apps/v1/namespaces/{namespace}/deployments
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -428,6 +431,11 @@ GET /apis/apps/v1/deployments
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -853,6 +861,11 @@ DELETE /apis/apps/v1/namespaces/{namespace}/deployments
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v1.md
index b815969cfc1..699719e21f0 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v1.md
@@ -44,11 +44,11 @@ configuration of a horizontal pod autoscaler.
 
 - **spec** (}}">HorizontalPodAutoscalerSpec)
 
-  behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+  spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
 
 - **status** (}}">HorizontalPodAutoscalerStatus)
 
-  current information about the autoscaler.
+  status is the current information about the autoscaler.
 
 
 
@@ -62,7 +62,7 @@ specification of a horizontal pod autoscaler.
 
 - **maxReplicas** (int32), required
 
-  upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
+  maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
 
 - **scaleTargetRef** (CrossVersionObjectReference), required
 
@@ -73,15 +73,15 @@ specification of a horizontal pod autoscaler.
 
   - **scaleTargetRef.kind** (string), required
 
-    Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+    kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 
   - **scaleTargetRef.name** (string), required
 
-    Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
+    name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 
   - **scaleTargetRef.apiVersion** (string)
 
-    API version of the referent
+    apiVersion is the API version of the referent
 
 - **minReplicas** (int32)
 
@@ -89,7 +89,7 @@ specification of a horizontal pod autoscaler.
 
 - **targetCPUUtilizationPercentage** (int32)
 
-  target average CPU utilization (represented as a percentage of requested CPU) over all the pods; if not specified the default autoscaling policy will be used.
+  targetCPUUtilizationPercentage is the target average CPU utilization (represented as a percentage of requested CPU) over all the pods; if not specified the default autoscaling policy will be used.
 
 
 
@@ -103,26 +103,26 @@ current status of a horizontal pod autoscaler
 
 - **currentReplicas** (int32), required
 
-  current number of replicas of pods managed by this autoscaler.
+  currentReplicas is the current number of replicas of pods managed by this autoscaler.
 
 - **desiredReplicas** (int32), required
 
-  desired number of replicas of pods managed by this autoscaler.
+  desiredReplicas is the  desired number of replicas of pods managed by this autoscaler.
 
 - **currentCPUUtilizationPercentage** (int32)
 
-  current average CPU utilization over all pods, represented as a percentage of requested CPU, e.g. 70 means that an average pod is using now 70% of its requested CPU.
+  currentCPUUtilizationPercentage is the current average CPU utilization over all pods, represented as a percentage of requested CPU, e.g. 70 means that an average pod is using now 70% of its requested CPU.
 
 - **lastScaleTime** (Time)
 
-  last time the HorizontalPodAutoscaler scaled the number of pods; used by the autoscaler to control how often the number of pods is changed.
+  lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods; used by the autoscaler to control how often the number of pods is changed.
 
   
   *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
 
 - **observedGeneration** (int64)
 
-  most recent generation observed by this autoscaler.
+  observedGeneration is the most recent generation observed by this autoscaler.
 
 
 
@@ -146,7 +146,7 @@ list of horizontal pod autoscaler objects.
 
 - **items** ([]}}">HorizontalPodAutoscaler), required
 
-  list of horizontal pod autoscaler objects.
+  items is the list of horizontal pod autoscaler objects.
 
 
 
@@ -283,6 +283,11 @@ GET /apis/autoscaling/v1/namespaces/{namespace}/horizontalpodautoscalers
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -351,6 +356,11 @@ GET /apis/autoscaling/v1/horizontalpodautoscalers
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -776,6 +786,11 @@ DELETE /apis/autoscaling/v1/namespaces/{namespace}/horizontalpodautoscalers
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2.md b/content/en/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2.md
index 16f7b34bd1f..9c0a6c50965 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2.md
@@ -73,15 +73,15 @@ HorizontalPodAutoscalerSpec describes the desired functionality of the Horizonta
 
   - **scaleTargetRef.kind** (string), required
 
-    Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+    kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 
   - **scaleTargetRef.name** (string), required
 
-    Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
+    name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 
   - **scaleTargetRef.apiVersion** (string)
 
-    API version of the referent
+    apiVersion is the API version of the referent
 
 - **minReplicas** (int32)
 
@@ -112,15 +112,15 @@ HorizontalPodAutoscalerSpec describes the desired functionality of the Horizonta
 
       - **behavior.scaleDown.policies.type** (string), required
 
-        Type is used to specify the scaling policy.
+        type is used to specify the scaling policy.
 
       - **behavior.scaleDown.policies.value** (int32), required
 
-        Value contains the amount of change which is permitted by the policy. It must be greater than zero
+        value contains the amount of change which is permitted by the policy. It must be greater than zero
 
       - **behavior.scaleDown.policies.periodSeconds** (int32), required
 
-        PeriodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+        periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
 
     - **behavior.scaleDown.selectPolicy** (string)
 
@@ -128,7 +128,7 @@ HorizontalPodAutoscalerSpec describes the desired functionality of the Horizonta
 
     - **behavior.scaleDown.stabilizationWindowSeconds** (int32)
 
-      StabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+      stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
 
   - **behavior.scaleUp** (HPAScalingRules)
 
@@ -151,15 +151,15 @@ HorizontalPodAutoscalerSpec describes the desired functionality of the Horizonta
 
       - **behavior.scaleUp.policies.type** (string), required
 
-        Type is used to specify the scaling policy.
+        type is used to specify the scaling policy.
 
       - **behavior.scaleUp.policies.value** (int32), required
 
-        Value contains the amount of change which is permitted by the policy. It must be greater than zero
+        value contains the amount of change which is permitted by the policy. It must be greater than zero
 
       - **behavior.scaleUp.policies.periodSeconds** (int32), required
 
-        PeriodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+        periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
 
     - **behavior.scaleUp.selectPolicy** (string)
 
@@ -167,7 +167,7 @@ HorizontalPodAutoscalerSpec describes the desired functionality of the Horizonta
 
     - **behavior.scaleUp.stabilizationWindowSeconds** (int32)
 
-      StabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+      stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
 
 - **metrics** ([]MetricSpec)
 
@@ -281,15 +281,15 @@ HorizontalPodAutoscalerSpec describes the desired functionality of the Horizonta
 
       - **metrics.object.describedObject.kind** (string), required
 
-        Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+        kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 
       - **metrics.object.describedObject.name** (string), required
 
-        Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
+        name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 
       - **metrics.object.describedObject.apiVersion** (string)
 
-        API version of the referent
+        apiVersion is the API version of the referent
 
     - **metrics.object.metric** (MetricIdentifier), required
 
@@ -478,7 +478,7 @@ HorizontalPodAutoscalerStatus describes the current status of a horizontal pod a
 
     - **currentMetrics.containerResource.container** (string), required
 
-      Container is the name of the container in the pods of the scaling target
+      container is the name of the container in the pods of the scaling target
 
     - **currentMetrics.containerResource.current** (MetricValueStatus), required
 
@@ -501,7 +501,7 @@ HorizontalPodAutoscalerStatus describes the current status of a horizontal pod a
 
     - **currentMetrics.containerResource.name** (string), required
 
-      Name is the name of the resource in question.
+      name is the name of the resource in question.
 
   - **currentMetrics.external** (ExternalMetricStatus)
 
@@ -579,15 +579,15 @@ HorizontalPodAutoscalerStatus describes the current status of a horizontal pod a
 
       - **currentMetrics.object.describedObject.kind** (string), required
 
-        Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+        kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 
       - **currentMetrics.object.describedObject.name** (string), required
 
-        Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
+        name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 
       - **currentMetrics.object.describedObject.apiVersion** (string)
 
-        API version of the referent
+        apiVersion is the API version of the referent
 
     - **currentMetrics.object.metric** (MetricIdentifier), required
 
@@ -673,7 +673,7 @@ HorizontalPodAutoscalerStatus describes the current status of a horizontal pod a
 
     - **currentMetrics.resource.name** (string), required
 
-      Name is the name of the resource in question.
+      name is the name of the resource in question.
 
 - **currentReplicas** (int32)
 
@@ -849,6 +849,11 @@ GET /apis/autoscaling/v2/namespaces/{namespace}/horizontalpodautoscalers
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -917,6 +922,11 @@ GET /apis/autoscaling/v2/horizontalpodautoscalers
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -1342,6 +1352,11 @@ DELETE /apis/autoscaling/v2/namespaces/{namespace}/horizontalpodautoscalers
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/job-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/job-v1.md
index 42cec53db7c..00790c4af0a 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/job-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/job-v1.md
@@ -67,7 +67,7 @@ JobSpec describes how the job execution will look like.
 
 - **template** (}}">PodTemplateSpec), required
 
-  Describes the pod that will be created when executing a job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+  Describes the pod that will be created when executing a job. The only allowed template.spec.restartPolicy values are "Never" or "OnFailure". More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
 
 - **parallelism** (int32)
 
@@ -78,11 +78,11 @@ JobSpec describes how the job execution will look like.
 
 - **completions** (int32)
 
-  Specifies the desired number of successfully finished pods the job should be run with.  Setting to nil means that the success of any pod signals the success of all pods, and allows parallelism to have any positive value.  Setting to 1 means that parallelism is limited to 1 and the success of that pod signals the success of the job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+  Specifies the desired number of successfully finished pods the job should be run with.  Setting to null means that the success of any pod signals the success of all pods, and allows parallelism to have any positive value.  Setting to 1 means that parallelism is limited to 1 and the success of that pod signals the success of the job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
 
 - **completionMode** (string)
 
-  CompletionMode specifies how Pod completions are tracked. It can be `NonIndexed` (default) or `Indexed`.
+  completionMode specifies how Pod completions are tracked. It can be `NonIndexed` (default) or `Indexed`.
   
   `NonIndexed` means that the Job is considered complete when there have been .spec.completions successfully completed Pods. Each Pod completion is homologous to each other.
   
@@ -104,7 +104,7 @@ JobSpec describes how the job execution will look like.
 
 - **suspend** (boolean)
 
-  Suspend specifies whether the Job controller should create Pods or not. If a Job is created with suspend set to true, no Pods are created by the Job controller. If a Job is suspended after creation (i.e. the flag goes from false to true), the Job controller will delete all active Pods associated with this Job. Users must design their workload to gracefully handle this. Suspending a Job will reset the StartTime field of the Job, effectively resetting the ActiveDeadlineSeconds timer too. Defaults to false.
+  suspend specifies whether the Job controller should create Pods or not. If a Job is created with suspend set to true, no Pods are created by the Job controller. If a Job is suspended after creation (i.e. the flag goes from false to true), the Job controller will delete all active Pods associated with this Job. Users must design their workload to gracefully handle this. Suspending a Job will reset the StartTime field of the Job, effectively resetting the ActiveDeadlineSeconds timer too. Defaults to false.
 
 ### Selector
 
@@ -136,11 +136,12 @@ JobSpec describes how the job execution will look like.
     A list of pod failure policy rules. The rules are evaluated in order. Once a rule matches a Pod failure, the remaining of the rules are ignored. When no rule matches the Pod failure, the default handling applies - the counter of pod failures is incremented and it is checked against the backoffLimit. At most 20 elements are allowed.
 
     
-    *PodFailurePolicyRule describes how a pod failure is handled when the requirements are met. One of OnExitCodes and onPodConditions, but not both, can be used in each rule.*
+    *PodFailurePolicyRule describes how a pod failure is handled when the requirements are met. One of onExitCodes and onPodConditions, but not both, can be used in each rule.*
 
     - **podFailurePolicy.rules.action** (string), required
 
       Specifies the action taken on a pod failure when the requirements are satisfied. Possible values are:
+      
       - FailJob: indicates that the pod's job is marked as Failed and all
         running pods are terminated.
       - Ignore: indicates that the counter towards the .backoffLimit is not
@@ -148,8 +149,6 @@ JobSpec describes how the job execution will look like.
       - Count: indicates that the pod is handled in the default way - the
         counter towards the .backoffLimit is incremented.
       Additional values are considered to be added in the future. Clients should react to an unknown action by skipping the rule.
-      
-      
 
     - **podFailurePolicy.rules.onPodConditions** ([]PodFailurePolicyOnPodConditionsPattern), required
 
@@ -178,6 +177,7 @@ JobSpec describes how the job execution will look like.
       - **podFailurePolicy.rules.onExitCodes.operator** (string), required
 
         Represents the relationship between the container exit code(s) and the specified values. Containers completed with success (exit code 0) are excluded from the requirement check. Possible values are:
+        
         - In: the requirement is satisfied if at least one container exit code
           (might be multiple if there are multiple containers not restricted
           by the 'containerName' field) is in the set of specified values.
@@ -185,8 +185,6 @@ JobSpec describes how the job execution will look like.
           (might be multiple if there are multiple containers not restricted
           by the 'containerName' field) is not in the set of specified values.
         Additional values are considered to be added in the future. Clients should react to an unknown operator by assuming the requirement is not satisfied.
-        
-        
 
       - **podFailurePolicy.rules.onExitCodes.values** ([]int32), required
 
@@ -234,7 +232,7 @@ JobStatus represents the current state of a Job.
 
 - **completedIndexes** (string)
 
-  CompletedIndexes holds the completed indexes when .spec.completionMode = "Indexed" in a text format. The indexes are represented as decimal integers separated by commas. The numbers are listed in increasing order. Three or more consecutive numbers are compressed and represented by the first and last element of the series, separated by a hyphen. For example, if the completed indexes are 1, 3, 4, 5 and 7, they are represented as "1,3-5,7".
+  completedIndexes holds the completed indexes when .spec.completionMode = "Indexed" in a text format. The indexes are represented as decimal integers separated by commas. The numbers are listed in increasing order. Three or more consecutive numbers are compressed and represented by the first and last element of the series, separated by a hyphen. For example, if the completed indexes are 1, 3, 4, 5 and 7, they are represented as "1,3-5,7".
 
 - **conditions** ([]JobCondition)
 
@@ -279,9 +277,11 @@ JobStatus represents the current state of a Job.
 
 - **uncountedTerminatedPods** (UncountedTerminatedPods)
 
-  UncountedTerminatedPods holds the UIDs of Pods that have terminated but the job controller hasn't yet accounted for in the status counters.
+  uncountedTerminatedPods holds the UIDs of Pods that have terminated but the job controller hasn't yet accounted for in the status counters.
   
-  The job controller creates pods with a finalizer. When a pod terminates (succeeded or failed), the controller does three steps to account for it in the job status: (1) Add the pod UID to the arrays in this field. (2) Remove the pod finalizer. (3) Remove the pod UID from the arrays while increasing the corresponding
+  The job controller creates pods with a finalizer. When a pod terminates (succeeded or failed), the controller does three steps to account for it in the job status:
+  
+  1. Add the pod UID to the arrays in this field. 2. Remove the pod finalizer. 3. Remove the pod UID from the arrays while increasing the corresponding
       counter.
   
   Old jobs might not be tracked using this field, in which case the field remains null.
@@ -293,13 +293,13 @@ JobStatus represents the current state of a Job.
 
     *Set: unique values will be kept during a merge*
     
-    Failed holds UIDs of failed Pods.
+    failed holds UIDs of failed Pods.
 
   - **uncountedTerminatedPods.succeeded** ([]string)
 
     *Set: unique values will be kept during a merge*
     
-    Succeeded holds UIDs of succeeded Pods.
+    succeeded holds UIDs of succeeded Pods.
 
 
 
@@ -469,6 +469,11 @@ GET /apis/batch/v1/namespaces/{namespace}/jobs
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -537,6 +542,11 @@ GET /apis/batch/v1/jobs
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -962,6 +972,11 @@ DELETE /apis/batch/v1/namespaces/{namespace}/jobs
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/pod-scheduling-v1alpha1.md b/content/en/docs/reference/kubernetes-api/workload-resources/pod-scheduling-context-v1alpha2.md
similarity index 69%
rename from content/en/docs/reference/kubernetes-api/workload-resources/pod-scheduling-v1alpha1.md
rename to content/en/docs/reference/kubernetes-api/workload-resources/pod-scheduling-context-v1alpha2.md
index 72a2196d523..bb6c08f3ceb 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/pod-scheduling-v1alpha1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/pod-scheduling-context-v1alpha2.md
@@ -1,11 +1,11 @@
 ---
 api_metadata:
-  apiVersion: "resource.k8s.io/v1alpha1"
-  import: "k8s.io/api/resource/v1alpha1"
-  kind: "PodScheduling"
+  apiVersion: "resource.k8s.io/v1alpha2"
+  import: "k8s.io/api/resource/v1alpha2"
+  kind: "PodSchedulingContext"
 content_type: "api_reference"
-description: "PodScheduling objects hold information that is needed to schedule a Pod with ResourceClaims that use \"WaitForFirstConsumer\" allocation mode."
-title: "PodScheduling v1alpha1"
+description: "PodSchedulingContext objects hold information that is needed to schedule a Pod with ResourceClaims that use \"WaitForFirstConsumer\" allocation mode."
+title: "PodSchedulingContext v1alpha2"
 weight: 14
 auto_generated: true
 ---
@@ -21,34 +21,34 @@ guide. You can file document formatting bugs against the
 [reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
 -->
 
-`apiVersion: resource.k8s.io/v1alpha1`
+`apiVersion: resource.k8s.io/v1alpha2`
 
-`import "k8s.io/api/resource/v1alpha1"`
+`import "k8s.io/api/resource/v1alpha2"`
 
 
-## PodScheduling {#PodScheduling}
+## PodSchedulingContext {#PodSchedulingContext}
 
-PodScheduling objects hold information that is needed to schedule a Pod with ResourceClaims that use "WaitForFirstConsumer" allocation mode.
+PodSchedulingContext objects hold information that is needed to schedule a Pod with ResourceClaims that use "WaitForFirstConsumer" allocation mode.
 
 This is an alpha type and requires enabling the DynamicResourceAllocation feature gate.
 
 

 
-- **apiVersion**: resource.k8s.io/v1alpha1
+- **apiVersion**: resource.k8s.io/v1alpha2
 
 
-- **kind**: PodScheduling
+- **kind**: PodSchedulingContext
 
 
 - **metadata** (}}">ObjectMeta)
 
   Standard object metadata
 
-- **spec** (}}">PodSchedulingSpec), required
+- **spec** (}}">PodSchedulingContextSpec), required
 
   Spec describes where resources for the Pod are needed.
 
-- **status** (}}">PodSchedulingStatus)
+- **status** (}}">PodSchedulingContextStatus)
 
   Status describes where resources for the Pod can be allocated.
 
@@ -56,9 +56,9 @@ This is an alpha type and requires enabling the DynamicResourceAllocation featur
 
 
 
-## PodSchedulingSpec {#PodSchedulingSpec}
+## PodSchedulingContextSpec {#PodSchedulingContextSpec}
 
-PodSchedulingSpec describes where resources for the Pod are needed.
+PodSchedulingContextSpec describes where resources for the Pod are needed.
 
 

 
@@ -78,9 +78,9 @@ PodSchedulingSpec describes where resources for the Pod are needed.
 
 
 
-## PodSchedulingStatus {#PodSchedulingStatus}
+## PodSchedulingContextStatus {#PodSchedulingContextStatus}
 
-PodSchedulingStatus describes where resources for the Pod can be allocated.
+PodSchedulingContextStatus describes where resources for the Pod can be allocated.
 
 

 
@@ -109,25 +109,25 @@ PodSchedulingStatus describes where resources for the Pod can be allocated.
 
 
 
-## PodSchedulingList {#PodSchedulingList}
+## PodSchedulingContextList {#PodSchedulingContextList}
 
-PodSchedulingList is a collection of Pod scheduling objects.
+PodSchedulingContextList is a collection of Pod scheduling objects.
 
 

 
-- **apiVersion**: resource.k8s.io/v1alpha1
+- **apiVersion**: resource.k8s.io/v1alpha2
 
 
-- **kind**: PodSchedulingList
+- **kind**: PodSchedulingContextList
 
 
 - **metadata** (}}">ListMeta)
 
   Standard list metadata
 
-- **items** ([]}}">PodScheduling), required
+- **items** ([]}}">PodSchedulingContext), required
 
-  Items is the list of PodScheduling objects.
+  Items is the list of PodSchedulingContext objects.
 
 
 
@@ -144,18 +144,18 @@ PodSchedulingList is a collection of Pod scheduling objects.
 
 
 
-### `get` read the specified PodScheduling
+### `get` read the specified PodSchedulingContext
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}
+GET /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts/{name}
 
 #### Parameters
 
 
 - **name** (*in path*): string, required
 
-  name of the PodScheduling
+  name of the PodSchedulingContext
 
 
 - **namespace** (*in path*): string, required
@@ -172,23 +172,23 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}
 #### Response
 
 
-200 (}}">PodScheduling): OK
+200 (}}">PodSchedulingContext): OK
 
 401: Unauthorized
 
 
-### `get` read status of the specified PodScheduling
+### `get` read status of the specified PodSchedulingContext
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}/status
+GET /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts/{name}/status
 
 #### Parameters
 
 
 - **name** (*in path*): string, required
 
-  name of the PodScheduling
+  name of the PodSchedulingContext
 
 
 - **namespace** (*in path*): string, required
@@ -205,16 +205,16 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}/
 #### Response
 
 
-200 (}}">PodScheduling): OK
+200 (}}">PodSchedulingContext): OK
 
 401: Unauthorized
 
 
-### `list` list or watch objects of kind PodScheduling
+### `list` list or watch objects of kind PodSchedulingContext
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings
+GET /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts
 
 #### Parameters
 
@@ -264,6 +264,11 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -278,16 +283,16 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings
 #### Response
 
 
-200 (}}">PodSchedulingList): OK
+200 (}}">PodSchedulingContextList): OK
 
 401: Unauthorized
 
 
-### `list` list or watch objects of kind PodScheduling
+### `list` list or watch objects of kind PodSchedulingContext
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/podschedulings
+GET /apis/resource.k8s.io/v1alpha2/podschedulingcontexts
 
 #### Parameters
 
@@ -332,6 +337,11 @@ GET /apis/resource.k8s.io/v1alpha1/podschedulings
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -346,16 +356,16 @@ GET /apis/resource.k8s.io/v1alpha1/podschedulings
 #### Response
 
 
-200 (}}">PodSchedulingList): OK
+200 (}}">PodSchedulingContextList): OK
 
 401: Unauthorized
 
 
-### `create` create a PodScheduling
+### `create` create a PodSchedulingContext
 
 #### HTTP Request
 
-POST /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings
+POST /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts
 
 #### Parameters
 
@@ -365,7 +375,7 @@ POST /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings
   }}">namespace
 
 
-- **body**: }}">PodScheduling, required
+- **body**: }}">PodSchedulingContext, required
 
   
 
@@ -394,27 +404,27 @@ POST /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings
 #### Response
 
 
-200 (}}">PodScheduling): OK
+200 (}}">PodSchedulingContext): OK
 
-201 (}}">PodScheduling): Created
+201 (}}">PodSchedulingContext): Created
 
-202 (}}">PodScheduling): Accepted
+202 (}}">PodSchedulingContext): Accepted
 
 401: Unauthorized
 
 
-### `update` replace the specified PodScheduling
+### `update` replace the specified PodSchedulingContext
 
 #### HTTP Request
 
-PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}
+PUT /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts/{name}
 
 #### Parameters
 
 
 - **name** (*in path*): string, required
 
-  name of the PodScheduling
+  name of the PodSchedulingContext
 
 
 - **namespace** (*in path*): string, required
@@ -422,7 +432,7 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}
   }}">namespace
 
 
-- **body**: }}">PodScheduling, required
+- **body**: }}">PodSchedulingContext, required
 
   
 
@@ -451,25 +461,25 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}
 #### Response
 
 
-200 (}}">PodScheduling): OK
+200 (}}">PodSchedulingContext): OK
 
-201 (}}">PodScheduling): Created
+201 (}}">PodSchedulingContext): Created
 
 401: Unauthorized
 
 
-### `update` replace status of the specified PodScheduling
+### `update` replace status of the specified PodSchedulingContext
 
 #### HTTP Request
 
-PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}/status
+PUT /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts/{name}/status
 
 #### Parameters
 
 
 - **name** (*in path*): string, required
 
-  name of the PodScheduling
+  name of the PodSchedulingContext
 
 
 - **namespace** (*in path*): string, required
@@ -477,7 +487,7 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}/
   }}">namespace
 
 
-- **body**: }}">PodScheduling, required
+- **body**: }}">PodSchedulingContext, required
 
   
 
@@ -506,25 +516,25 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}/
 #### Response
 
 
-200 (}}">PodScheduling): OK
+200 (}}">PodSchedulingContext): OK
 
-201 (}}">PodScheduling): Created
+201 (}}">PodSchedulingContext): Created
 
 401: Unauthorized
 
 
-### `patch` partially update the specified PodScheduling
+### `patch` partially update the specified PodSchedulingContext
 
 #### HTTP Request
 
-PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}
+PATCH /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts/{name}
 
 #### Parameters
 
 
 - **name** (*in path*): string, required
 
-  name of the PodScheduling
+  name of the PodSchedulingContext
 
 
 - **namespace** (*in path*): string, required
@@ -566,25 +576,25 @@ PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name
 #### Response
 
 
-200 (}}">PodScheduling): OK
+200 (}}">PodSchedulingContext): OK
 
-201 (}}">PodScheduling): Created
+201 (}}">PodSchedulingContext): Created
 
 401: Unauthorized
 
 
-### `patch` partially update status of the specified PodScheduling
+### `patch` partially update status of the specified PodSchedulingContext
 
 #### HTTP Request
 
-PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}/status
+PATCH /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts/{name}/status
 
 #### Parameters
 
 
 - **name** (*in path*): string, required
 
-  name of the PodScheduling
+  name of the PodSchedulingContext
 
 
 - **namespace** (*in path*): string, required
@@ -626,25 +636,25 @@ PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name
 #### Response
 
 
-200 (}}">PodScheduling): OK
+200 (}}">PodSchedulingContext): OK
 
-201 (}}">PodScheduling): Created
+201 (}}">PodSchedulingContext): Created
 
 401: Unauthorized
 
 
-### `delete` delete a PodScheduling
+### `delete` delete a PodSchedulingContext
 
 #### HTTP Request
 
-DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{name}
+DELETE /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts/{name}
 
 #### Parameters
 
 
 - **name** (*in path*): string, required
 
-  name of the PodScheduling
+  name of the PodSchedulingContext
 
 
 - **namespace** (*in path*): string, required
@@ -681,18 +691,18 @@ DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings/{nam
 #### Response
 
 
-200 (}}">PodScheduling): OK
+200 (}}">PodSchedulingContext): OK
 
-202 (}}">PodScheduling): Accepted
+202 (}}">PodSchedulingContext): Accepted
 
 401: Unauthorized
 
 
-### `deletecollection` delete collection of PodScheduling
+### `deletecollection` delete collection of PodSchedulingContext
 
 #### HTTP Request
 
-DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings
+DELETE /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/podschedulingcontexts
 
 #### Parameters
 
@@ -757,6 +767,11 @@ DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/podschedulings
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/pod-template-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/pod-template-v1.md
index 8d2737ee735..b8a028e890a 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/pod-template-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/pod-template-v1.md
@@ -190,6 +190,11 @@ GET /api/v1/namespaces/{namespace}/podtemplates
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -258,6 +263,11 @@ GET /api/v1/podtemplates
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -568,6 +578,11 @@ DELETE /api/v1/namespaces/{namespace}/podtemplates
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/pod-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/pod-v1.md
index 3b4dbd6ef84..16813f69737 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/pod-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/pod-v1.md
@@ -161,8 +161,6 @@ PodSpec is a description of a pod.
   - **tolerations.operator** (string)
 
     Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
-    
-    
 
   - **tolerations.value** (string)
 
@@ -171,8 +169,6 @@ PodSpec is a description of a pod.
   - **tolerations.effect** (string)
 
     Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-    
-    
 
   - **tolerations.tolerationSeconds** (int64)
 
@@ -219,15 +215,10 @@ PodSpec is a description of a pod.
 
   - **topologySpreadConstraints.whenUnsatisfiable** (string), required
 
-    WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint.
-    - DoNotSchedule (default) tells the scheduler not to schedule it.
-    - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+    WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location,
       but giving higher precedence to topologies that would help reduce the
       skew.
-  
     A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assignment for that pod would violate "MaxSkew" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P |   P   |   P   | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it *more* imbalanced. It's a required field.
-    
-    
 
   - **topologySpreadConstraints.labelSelector** (}}">LabelSelector)
 
@@ -237,7 +228,9 @@ PodSpec is a description of a pod.
 
     *Atomic: will be replaced during a merge*
     
-    MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector.
+    MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. MatchLabelKeys cannot be set when LabelSelector isn't set. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector.
+    
+    This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
 
   - **topologySpreadConstraints.minDomains** (int32)
 
@@ -268,9 +261,7 @@ PodSpec is a description of a pod.
 
 - **restartPolicy** (string)
 
-  Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy
-  
-  
+  Restart policy for all containers within the pod. One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy
 
 - **terminationGracePeriodSeconds** (int64)
 
@@ -355,8 +346,6 @@ PodSpec is a description of a pod.
 - **dnsPolicy** (string)
 
   Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.
-  
-  
 
 ### Hosts namespaces
 
@@ -438,8 +427,6 @@ PodSpec is a description of a pod.
       type indicates which kind of seccomp profile will be applied. Valid options are:
       
       Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
-      
-      
 
     - **securityContext.seccompProfile.localhostProfile** (string)
 
@@ -561,9 +548,11 @@ PodSpec is a description of a pod.
   
   *Map: unique values on key name will be kept during a merge*
   
-  SchedulingGates is an opaque list of values that if specified will block scheduling the pod. More info:  https://git.k8s.io/enhancements/keps/sig-scheduling/3521-pod-scheduling-readiness.
+  SchedulingGates is an opaque list of values that if specified will block scheduling the pod. If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the scheduler will not attempt to schedule the pod.
   
-  This is an alpha-level feature enabled by PodSchedulingReadiness feature gate.
+  SchedulingGates can only be set at pod creation time, and be removed only afterwards.
+  
+  This is a beta feature enabled by the PodSchedulingReadiness feature gate.
 
   
   *PodSchedulingGate is associated to a Pod to guard its scheduling.*
@@ -603,8 +592,6 @@ A single application container that you want to run within a pod.
 - **imagePullPolicy** (string)
 
   Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
-  
-  
 
 ### Entrypoint
 
@@ -654,8 +641,6 @@ A single application container that you want to run within a pod.
   - **ports.protocol** (string)
 
     Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
-    
-    
 
 ### Environment variables
 
@@ -840,13 +825,13 @@ A single application container that you want to run within a pod.
 
   - **resources.claims** ([]ResourceClaim)
 
-    *Set: unique values will be kept during a merge*
+    *Map: unique values on key name will be kept during a merge*
     
     Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
     
     This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
     
-    This field is immutable.
+    This field is immutable. It can only be set for containers.
 
     
     *ResourceClaim references one entry in PodSpec.ResourceClaims.*
@@ -861,7 +846,24 @@ A single application container that you want to run within a pod.
 
   - **resources.requests** (map[string]}}">Quantity)
 
-    Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+    Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+- **resizePolicy** ([]ContainerResizePolicy)
+
+  *Atomic: will be replaced during a merge*
+  
+  Resources resize policy for the container.
+
+  
+  *ContainerResizePolicy represents resource resize policy for the container.*
+
+  - **resizePolicy.resourceName** (string), required
+
+    Name of the resource to which this resource resize policy applies. Supported values: cpu, memory.
+
+  - **resizePolicy.restartPolicy** (string), required
+
+    Restart policy to apply when specified resource is resized. If not specified, it defaults to NotRequired.
 
 ### Lifecycle
 
@@ -888,8 +890,6 @@ A single application container that you want to run within a pod.
 - **terminationMessagePolicy** (string)
 
   Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.
-  
-  
 
 - **livenessProbe** (}}">Probe)
 
@@ -968,8 +968,6 @@ A single application container that you want to run within a pod.
       type indicates which kind of seccomp profile will be applied. Valid options are:
       
       Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
-      
-      
 
     - **securityContext.seccompProfile.localhostProfile** (string)
 
@@ -1068,8 +1066,6 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
 - **imagePullPolicy** (string)
 
   Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
-  
-  
 
 ### Entrypoint
 
@@ -1257,6 +1253,26 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
 
     name must match the name of a persistentVolumeClaim in the pod
 
+### Resources
+
+
+- **resizePolicy** ([]ContainerResizePolicy)
+
+  *Atomic: will be replaced during a merge*
+  
+  Resources resize policy for the container.
+
+  
+  *ContainerResizePolicy represents resource resize policy for the container.*
+
+  - **resizePolicy.resourceName** (string), required
+
+    Name of the resource to which this resource resize policy applies. Supported values: cpu, memory.
+
+  - **resizePolicy.restartPolicy** (string), required
+
+    Restart policy to apply when specified resource is resized. If not specified, it defaults to NotRequired.
+
 ### Lifecycle
 
 
@@ -1267,8 +1283,6 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
 - **terminationMessagePolicy** (string)
 
   Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.
-  
-  
 
 ### Debugging
 
@@ -1350,8 +1364,6 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
       type indicates which kind of seccomp profile will be applied. Valid options are:
       
       Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
-      
-      
 
     - **securityContext.seccompProfile.localhostProfile** (string)
 
@@ -1436,8 +1448,6 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
   - **ports.protocol** (string)
 
     Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
-    
-    
 
 - **resources** (ResourceRequirements)
 
@@ -1448,13 +1458,13 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
 
   - **resources.claims** ([]ResourceClaim)
 
-    *Set: unique values will be kept during a merge*
+    *Map: unique values on key name will be kept during a merge*
     
     Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
     
     This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
     
-    This field is immutable.
+    This field is immutable. It can only be set for containers.
 
     
     *ResourceClaim references one entry in PodSpec.ResourceClaims.*
@@ -1469,7 +1479,7 @@ To add an ephemeral container, use the ephemeralcontainers subresource of an exi
 
   - **resources.requests** (map[string]}}">Quantity)
 
-    Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+    Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 
 - **lifecycle** (Lifecycle)
 
@@ -1557,8 +1567,6 @@ LifecycleHandler defines a specific action that should be taken in a lifecycle h
   - **httpGet.scheme** (string)
 
     Scheme to use for connecting to the host. Defaults to HTTP.
-    
-    
 
 - **tcpSocket** (TCPSocketAction)
 
@@ -1831,8 +1839,6 @@ Probe describes a health check to be performed against a container to determine
   - **httpGet.scheme** (string)
 
     Scheme to use for connecting to the host. Defaults to HTTP.
-    
-    
 
 - **tcpSocket** (TCPSocketAction)
 
@@ -1878,7 +1884,7 @@ Probe describes a health check to be performed against a container to determine
 
 - **grpc** (GRPCAction)
 
-  GRPC specifies an action involving a GRPC port. This is a beta field and requires enabling GRPCContainerProbe feature gate.
+  GRPC specifies an action involving a GRPC port.
 
   
   **
@@ -1925,8 +1931,6 @@ PodStatus represents information about the status of a pod. Status may trail the
   Pending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.
   
   More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase
-  
-  
 
 - **message** (string)
 
@@ -1996,9 +2000,7 @@ PodStatus represents information about the status of a pod. Status may trail the
 
 - **qosClass** (string)
 
-  The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md
-  
-  
+  The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classes
 
 - **initContainerStatuses** ([]ContainerStatus)
 
@@ -2007,188 +2009,6 @@ PodStatus represents information about the status of a pod. Status may trail the
   
   *ContainerStatus contains details for the current status of this container.*
 
-  - **initContainerStatuses.name** (string), required
-
-    This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.
-
-  - **initContainerStatuses.image** (string), required
-
-    The image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images.
-
-  - **initContainerStatuses.imageID** (string), required
-
-    ImageID of the container's image.
-
-  - **initContainerStatuses.containerID** (string)
-
-    Container's ID in the format '\://\'.
-
-  - **initContainerStatuses.state** (ContainerState)
-
-    Details about the container's current condition.
-
-    
-    *ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.*
-
-    - **initContainerStatuses.state.running** (ContainerStateRunning)
-
-      Details about a running container
-
-      
-      *ContainerStateRunning is a running state of a container.*
-
-      - **initContainerStatuses.state.running.startedAt** (Time)
-
-        Time at which the container was last (re-)started
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-    - **initContainerStatuses.state.terminated** (ContainerStateTerminated)
-
-      Details about a terminated container
-
-      
-      *ContainerStateTerminated is a terminated state of a container.*
-
-      - **initContainerStatuses.state.terminated.containerID** (string)
-
-        Container's ID in the format '\://\'
-
-      - **initContainerStatuses.state.terminated.exitCode** (int32), required
-
-        Exit status from the last termination of the container
-
-      - **initContainerStatuses.state.terminated.startedAt** (Time)
-
-        Time at which previous execution of the container started
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-      - **initContainerStatuses.state.terminated.finishedAt** (Time)
-
-        Time at which the container last terminated
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-      - **initContainerStatuses.state.terminated.message** (string)
-
-        Message regarding the last termination of the container
-
-      - **initContainerStatuses.state.terminated.reason** (string)
-
-        (brief) reason from the last termination of the container
-
-      - **initContainerStatuses.state.terminated.signal** (int32)
-
-        Signal from the last termination of the container
-
-    - **initContainerStatuses.state.waiting** (ContainerStateWaiting)
-
-      Details about a waiting container
-
-      
-      *ContainerStateWaiting is a waiting state of a container.*
-
-      - **initContainerStatuses.state.waiting.message** (string)
-
-        Message regarding why the container is not yet running.
-
-      - **initContainerStatuses.state.waiting.reason** (string)
-
-        (brief) reason the container is not yet running.
-
-  - **initContainerStatuses.lastState** (ContainerState)
-
-    Details about the container's last termination condition.
-
-    
-    *ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.*
-
-    - **initContainerStatuses.lastState.running** (ContainerStateRunning)
-
-      Details about a running container
-
-      
-      *ContainerStateRunning is a running state of a container.*
-
-      - **initContainerStatuses.lastState.running.startedAt** (Time)
-
-        Time at which the container was last (re-)started
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-    - **initContainerStatuses.lastState.terminated** (ContainerStateTerminated)
-
-      Details about a terminated container
-
-      
-      *ContainerStateTerminated is a terminated state of a container.*
-
-      - **initContainerStatuses.lastState.terminated.containerID** (string)
-
-        Container's ID in the format '\://\'
-
-      - **initContainerStatuses.lastState.terminated.exitCode** (int32), required
-
-        Exit status from the last termination of the container
-
-      - **initContainerStatuses.lastState.terminated.startedAt** (Time)
-
-        Time at which previous execution of the container started
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-      - **initContainerStatuses.lastState.terminated.finishedAt** (Time)
-
-        Time at which the container last terminated
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-      - **initContainerStatuses.lastState.terminated.message** (string)
-
-        Message regarding the last termination of the container
-
-      - **initContainerStatuses.lastState.terminated.reason** (string)
-
-        (brief) reason from the last termination of the container
-
-      - **initContainerStatuses.lastState.terminated.signal** (int32)
-
-        Signal from the last termination of the container
-
-    - **initContainerStatuses.lastState.waiting** (ContainerStateWaiting)
-
-      Details about a waiting container
-
-      
-      *ContainerStateWaiting is a waiting state of a container.*
-
-      - **initContainerStatuses.lastState.waiting.message** (string)
-
-        Message regarding why the container is not yet running.
-
-      - **initContainerStatuses.lastState.waiting.reason** (string)
-
-        (brief) reason the container is not yet running.
-
-  - **initContainerStatuses.ready** (boolean), required
-
-    Specifies whether the container has passed its readiness probe.
-
-  - **initContainerStatuses.restartCount** (int32), required
-
-    The number of times the container has been restarted.
-
-  - **initContainerStatuses.started** (boolean)
-
-    Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined.
-
 - **containerStatuses** ([]ContainerStatus)
 
   The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status
@@ -2196,188 +2016,6 @@ PodStatus represents information about the status of a pod. Status may trail the
   
   *ContainerStatus contains details for the current status of this container.*
 
-  - **containerStatuses.name** (string), required
-
-    This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.
-
-  - **containerStatuses.image** (string), required
-
-    The image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images.
-
-  - **containerStatuses.imageID** (string), required
-
-    ImageID of the container's image.
-
-  - **containerStatuses.containerID** (string)
-
-    Container's ID in the format '\://\'.
-
-  - **containerStatuses.state** (ContainerState)
-
-    Details about the container's current condition.
-
-    
-    *ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.*
-
-    - **containerStatuses.state.running** (ContainerStateRunning)
-
-      Details about a running container
-
-      
-      *ContainerStateRunning is a running state of a container.*
-
-      - **containerStatuses.state.running.startedAt** (Time)
-
-        Time at which the container was last (re-)started
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-    - **containerStatuses.state.terminated** (ContainerStateTerminated)
-
-      Details about a terminated container
-
-      
-      *ContainerStateTerminated is a terminated state of a container.*
-
-      - **containerStatuses.state.terminated.containerID** (string)
-
-        Container's ID in the format '\://\'
-
-      - **containerStatuses.state.terminated.exitCode** (int32), required
-
-        Exit status from the last termination of the container
-
-      - **containerStatuses.state.terminated.startedAt** (Time)
-
-        Time at which previous execution of the container started
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-      - **containerStatuses.state.terminated.finishedAt** (Time)
-
-        Time at which the container last terminated
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-      - **containerStatuses.state.terminated.message** (string)
-
-        Message regarding the last termination of the container
-
-      - **containerStatuses.state.terminated.reason** (string)
-
-        (brief) reason from the last termination of the container
-
-      - **containerStatuses.state.terminated.signal** (int32)
-
-        Signal from the last termination of the container
-
-    - **containerStatuses.state.waiting** (ContainerStateWaiting)
-
-      Details about a waiting container
-
-      
-      *ContainerStateWaiting is a waiting state of a container.*
-
-      - **containerStatuses.state.waiting.message** (string)
-
-        Message regarding why the container is not yet running.
-
-      - **containerStatuses.state.waiting.reason** (string)
-
-        (brief) reason the container is not yet running.
-
-  - **containerStatuses.lastState** (ContainerState)
-
-    Details about the container's last termination condition.
-
-    
-    *ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.*
-
-    - **containerStatuses.lastState.running** (ContainerStateRunning)
-
-      Details about a running container
-
-      
-      *ContainerStateRunning is a running state of a container.*
-
-      - **containerStatuses.lastState.running.startedAt** (Time)
-
-        Time at which the container was last (re-)started
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-    - **containerStatuses.lastState.terminated** (ContainerStateTerminated)
-
-      Details about a terminated container
-
-      
-      *ContainerStateTerminated is a terminated state of a container.*
-
-      - **containerStatuses.lastState.terminated.containerID** (string)
-
-        Container's ID in the format '\://\'
-
-      - **containerStatuses.lastState.terminated.exitCode** (int32), required
-
-        Exit status from the last termination of the container
-
-      - **containerStatuses.lastState.terminated.startedAt** (Time)
-
-        Time at which previous execution of the container started
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-      - **containerStatuses.lastState.terminated.finishedAt** (Time)
-
-        Time at which the container last terminated
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-      - **containerStatuses.lastState.terminated.message** (string)
-
-        Message regarding the last termination of the container
-
-      - **containerStatuses.lastState.terminated.reason** (string)
-
-        (brief) reason from the last termination of the container
-
-      - **containerStatuses.lastState.terminated.signal** (int32)
-
-        Signal from the last termination of the container
-
-    - **containerStatuses.lastState.waiting** (ContainerStateWaiting)
-
-      Details about a waiting container
-
-      
-      *ContainerStateWaiting is a waiting state of a container.*
-
-      - **containerStatuses.lastState.waiting.message** (string)
-
-        Message regarding why the container is not yet running.
-
-      - **containerStatuses.lastState.waiting.reason** (string)
-
-        (brief) reason the container is not yet running.
-
-  - **containerStatuses.ready** (boolean), required
-
-    Specifies whether the container has passed its readiness probe.
-
-  - **containerStatuses.restartCount** (int32), required
-
-    The number of times the container has been restarted.
-
-  - **containerStatuses.started** (boolean)
-
-    Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined.
-
 - **ephemeralContainerStatuses** ([]ContainerStatus)
 
   Status for any ephemeral containers that have run in this pod.
@@ -2385,187 +2023,9 @@ PodStatus represents information about the status of a pod. Status may trail the
   
   *ContainerStatus contains details for the current status of this container.*
 
-  - **ephemeralContainerStatuses.name** (string), required
+- **resize** (string)
 
-    This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.
-
-  - **ephemeralContainerStatuses.image** (string), required
-
-    The image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images.
-
-  - **ephemeralContainerStatuses.imageID** (string), required
-
-    ImageID of the container's image.
-
-  - **ephemeralContainerStatuses.containerID** (string)
-
-    Container's ID in the format '\://\'.
-
-  - **ephemeralContainerStatuses.state** (ContainerState)
-
-    Details about the container's current condition.
-
-    
-    *ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.*
-
-    - **ephemeralContainerStatuses.state.running** (ContainerStateRunning)
-
-      Details about a running container
-
-      
-      *ContainerStateRunning is a running state of a container.*
-
-      - **ephemeralContainerStatuses.state.running.startedAt** (Time)
-
-        Time at which the container was last (re-)started
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-    - **ephemeralContainerStatuses.state.terminated** (ContainerStateTerminated)
-
-      Details about a terminated container
-
-      
-      *ContainerStateTerminated is a terminated state of a container.*
-
-      - **ephemeralContainerStatuses.state.terminated.containerID** (string)
-
-        Container's ID in the format '\://\'
-
-      - **ephemeralContainerStatuses.state.terminated.exitCode** (int32), required
-
-        Exit status from the last termination of the container
-
-      - **ephemeralContainerStatuses.state.terminated.startedAt** (Time)
-
-        Time at which previous execution of the container started
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-      - **ephemeralContainerStatuses.state.terminated.finishedAt** (Time)
-
-        Time at which the container last terminated
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-      - **ephemeralContainerStatuses.state.terminated.message** (string)
-
-        Message regarding the last termination of the container
-
-      - **ephemeralContainerStatuses.state.terminated.reason** (string)
-
-        (brief) reason from the last termination of the container
-
-      - **ephemeralContainerStatuses.state.terminated.signal** (int32)
-
-        Signal from the last termination of the container
-
-    - **ephemeralContainerStatuses.state.waiting** (ContainerStateWaiting)
-
-      Details about a waiting container
-
-      
-      *ContainerStateWaiting is a waiting state of a container.*
-
-      - **ephemeralContainerStatuses.state.waiting.message** (string)
-
-        Message regarding why the container is not yet running.
-
-      - **ephemeralContainerStatuses.state.waiting.reason** (string)
-
-        (brief) reason the container is not yet running.
-
-  - **ephemeralContainerStatuses.lastState** (ContainerState)
-
-    Details about the container's last termination condition.
-
-    
-    *ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.*
-
-    - **ephemeralContainerStatuses.lastState.running** (ContainerStateRunning)
-
-      Details about a running container
-
-      
-      *ContainerStateRunning is a running state of a container.*
-
-      - **ephemeralContainerStatuses.lastState.running.startedAt** (Time)
-
-        Time at which the container was last (re-)started
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-    - **ephemeralContainerStatuses.lastState.terminated** (ContainerStateTerminated)
-
-      Details about a terminated container
-
-      
-      *ContainerStateTerminated is a terminated state of a container.*
-
-      - **ephemeralContainerStatuses.lastState.terminated.containerID** (string)
-
-        Container's ID in the format '\://\'
-
-      - **ephemeralContainerStatuses.lastState.terminated.exitCode** (int32), required
-
-        Exit status from the last termination of the container
-
-      - **ephemeralContainerStatuses.lastState.terminated.startedAt** (Time)
-
-        Time at which previous execution of the container started
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-      - **ephemeralContainerStatuses.lastState.terminated.finishedAt** (Time)
-
-        Time at which the container last terminated
-
-        
-        *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
-
-      - **ephemeralContainerStatuses.lastState.terminated.message** (string)
-
-        Message regarding the last termination of the container
-
-      - **ephemeralContainerStatuses.lastState.terminated.reason** (string)
-
-        (brief) reason from the last termination of the container
-
-      - **ephemeralContainerStatuses.lastState.terminated.signal** (int32)
-
-        Signal from the last termination of the container
-
-    - **ephemeralContainerStatuses.lastState.waiting** (ContainerStateWaiting)
-
-      Details about a waiting container
-
-      
-      *ContainerStateWaiting is a waiting state of a container.*
-
-      - **ephemeralContainerStatuses.lastState.waiting.message** (string)
-
-        Message regarding why the container is not yet running.
-
-      - **ephemeralContainerStatuses.lastState.waiting.reason** (string)
-
-        (brief) reason the container is not yet running.
-
-  - **ephemeralContainerStatuses.ready** (boolean), required
-
-    Specifies whether the container has passed its readiness probe.
-
-  - **ephemeralContainerStatuses.restartCount** (int32), required
-
-    The number of times the container has been restarted.
-
-  - **ephemeralContainerStatuses.started** (boolean)
-
-    Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined.
+  Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to "Proposed"
 
 
 
@@ -2834,6 +2294,11 @@ GET /api/v1/namespaces/{namespace}/pods
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -2902,6 +2367,11 @@ GET /api/v1/pods
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -3442,6 +2912,11 @@ DELETE /api/v1/namespaces/{namespace}/pods
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/priority-class-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/priority-class-v1.md
index d3faa756960..5afb617faba 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/priority-class-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/priority-class-v1.md
@@ -44,7 +44,7 @@ PriorityClass defines mapping from a priority class name to the priority integer
 
 - **value** (int32), required
 
-  The value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.
+  value represents the integer value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.
 
 - **description** (string)
 
@@ -56,7 +56,7 @@ PriorityClass defines mapping from a priority class name to the priority integer
 
 - **preemptionPolicy** (string)
 
-  PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.
+  preemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.
 
 
 
@@ -174,6 +174,11 @@ GET /apis/scheduling.k8s.io/v1/priorityclasses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -459,6 +464,11 @@ DELETE /apis/scheduling.k8s.io/v1/priorityclasses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/replica-set-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/replica-set-v1.md
index 6745c9ef18b..5c6040313cd 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/replica-set-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/replica-set-v1.md
@@ -297,6 +297,11 @@ GET /apis/apps/v1/namespaces/{namespace}/replicasets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -365,6 +370,11 @@ GET /apis/apps/v1/replicasets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -790,6 +800,11 @@ DELETE /apis/apps/v1/namespaces/{namespace}/replicasets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/replication-controller-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/replication-controller-v1.md
index c07094341c3..b0bb72eaeda 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/replication-controller-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/replication-controller-v1.md
@@ -66,7 +66,7 @@ ReplicationControllerSpec is the specification of a replication controller.
 
 - **template** (}}">PodTemplateSpec)
 
-  Template is the object that describes the pod that will be created if insufficient replicas are detected. This takes precedence over a TemplateRef. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+  Template is the object that describes the pod that will be created if insufficient replicas are detected. This takes precedence over a TemplateRef. The only allowed template.spec.restartPolicy value is "Always". More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
 
 - **replicas** (int32)
 
@@ -297,6 +297,11 @@ GET /api/v1/namespaces/{namespace}/replicationcontrollers
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -365,6 +370,11 @@ GET /api/v1/replicationcontrollers
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -790,6 +800,11 @@ DELETE /api/v1/namespaces/{namespace}/replicationcontrollers
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/resource-claim-template-v1alpha1.md b/content/en/docs/reference/kubernetes-api/workload-resources/resource-claim-template-v1alpha2.md
similarity index 84%
rename from content/en/docs/reference/kubernetes-api/workload-resources/resource-claim-template-v1alpha1.md
rename to content/en/docs/reference/kubernetes-api/workload-resources/resource-claim-template-v1alpha2.md
index 61dbcbfe4d3..ed1d6b7104f 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/resource-claim-template-v1alpha1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/resource-claim-template-v1alpha2.md
@@ -1,11 +1,11 @@
 ---
 api_metadata:
-  apiVersion: "resource.k8s.io/v1alpha1"
-  import: "k8s.io/api/resource/v1alpha1"
+  apiVersion: "resource.k8s.io/v1alpha2"
+  import: "k8s.io/api/resource/v1alpha2"
   kind: "ResourceClaimTemplate"
 content_type: "api_reference"
 description: "ResourceClaimTemplate is used to produce ResourceClaim objects."
-title: "ResourceClaimTemplate v1alpha1"
+title: "ResourceClaimTemplate v1alpha2"
 weight: 16
 auto_generated: true
 ---
@@ -21,9 +21,9 @@ guide. You can file document formatting bugs against the
 [reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
 -->
 
-`apiVersion: resource.k8s.io/v1alpha1`
+`apiVersion: resource.k8s.io/v1alpha2`
 
-`import "k8s.io/api/resource/v1alpha1"`
+`import "k8s.io/api/resource/v1alpha2"`
 
 
 ## ResourceClaimTemplate {#ResourceClaimTemplate}
@@ -32,7 +32,7 @@ ResourceClaimTemplate is used to produce ResourceClaim objects.
 
 

 
-- **apiVersion**: resource.k8s.io/v1alpha1
+- **apiVersion**: resource.k8s.io/v1alpha2
 
 
 - **kind**: ResourceClaimTemplate
@@ -42,7 +42,7 @@ ResourceClaimTemplate is used to produce ResourceClaim objects.
 
   Standard object metadata
 
-- **spec** (}}">ResourceClaimTemplateSpec), required
+- **spec** (}}">ResourceClaimTemplateSpec), required
 
   Describes the ResourceClaim that is to be generated.
   
@@ -58,7 +58,7 @@ ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.
 
 

 
-- **spec** (}}">ResourceClaimSpec), required
+- **spec** (}}">ResourceClaimSpec), required
 
   Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here.
 
@@ -76,7 +76,7 @@ ResourceClaimTemplateList is a collection of claim templates.
 
 

 
-- **apiVersion**: resource.k8s.io/v1alpha1
+- **apiVersion**: resource.k8s.io/v1alpha2
 
 
 - **kind**: ResourceClaimTemplateList
@@ -86,7 +86,7 @@ ResourceClaimTemplateList is a collection of claim templates.
 
   Standard list metadata
 
-- **items** ([]}}">ResourceClaimTemplate), required
+- **items** ([]}}">ResourceClaimTemplate), required
 
   Items is the list of resource claim templates.
 
@@ -109,7 +109,7 @@ ResourceClaimTemplateList is a collection of claim templates.
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates/{name}
+GET /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaimtemplates/{name}
 
 #### Parameters
 
@@ -133,7 +133,7 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates
 #### Response
 
 
-200 (}}">ResourceClaimTemplate): OK
+200 (}}">ResourceClaimTemplate): OK
 
 401: Unauthorized
 
@@ -142,7 +142,7 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates
+GET /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaimtemplates
 
 #### Parameters
 
@@ -192,6 +192,11 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -206,7 +211,7 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates
 #### Response
 
 
-200 (}}">ResourceClaimTemplateList): OK
+200 (}}">ResourceClaimTemplateList): OK
 
 401: Unauthorized
 
@@ -215,7 +220,7 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/resourceclaimtemplates
+GET /apis/resource.k8s.io/v1alpha2/resourceclaimtemplates
 
 #### Parameters
 
@@ -260,6 +265,11 @@ GET /apis/resource.k8s.io/v1alpha1/resourceclaimtemplates
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -274,7 +284,7 @@ GET /apis/resource.k8s.io/v1alpha1/resourceclaimtemplates
 #### Response
 
 
-200 (}}">ResourceClaimTemplateList): OK
+200 (}}">ResourceClaimTemplateList): OK
 
 401: Unauthorized
 
@@ -283,7 +293,7 @@ GET /apis/resource.k8s.io/v1alpha1/resourceclaimtemplates
 
 #### HTTP Request
 
-POST /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates
+POST /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaimtemplates
 
 #### Parameters
 
@@ -293,7 +303,7 @@ POST /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplate
   }}">namespace
 
 
-- **body**: }}">ResourceClaimTemplate, required
+- **body**: }}">ResourceClaimTemplate, required
 
   
 
@@ -322,11 +332,11 @@ POST /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplate
 #### Response
 
 
-200 (}}">ResourceClaimTemplate): OK
+200 (}}">ResourceClaimTemplate): OK
 
-201 (}}">ResourceClaimTemplate): Created
+201 (}}">ResourceClaimTemplate): Created
 
-202 (}}">ResourceClaimTemplate): Accepted
+202 (}}">ResourceClaimTemplate): Accepted
 
 401: Unauthorized
 
@@ -335,7 +345,7 @@ POST /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplate
 
 #### HTTP Request
 
-PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates/{name}
+PUT /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaimtemplates/{name}
 
 #### Parameters
 
@@ -350,7 +360,7 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates
   }}">namespace
 
 
-- **body**: }}">ResourceClaimTemplate, required
+- **body**: }}">ResourceClaimTemplate, required
 
   
 
@@ -379,9 +389,9 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates
 #### Response
 
 
-200 (}}">ResourceClaimTemplate): OK
+200 (}}">ResourceClaimTemplate): OK
 
-201 (}}">ResourceClaimTemplate): Created
+201 (}}">ResourceClaimTemplate): Created
 
 401: Unauthorized
 
@@ -390,7 +400,7 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates
 
 #### HTTP Request
 
-PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates/{name}
+PATCH /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaimtemplates/{name}
 
 #### Parameters
 
@@ -439,9 +449,9 @@ PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplat
 #### Response
 
 
-200 (}}">ResourceClaimTemplate): OK
+200 (}}">ResourceClaimTemplate): OK
 
-201 (}}">ResourceClaimTemplate): Created
+201 (}}">ResourceClaimTemplate): Created
 
 401: Unauthorized
 
@@ -450,7 +460,7 @@ PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplat
 
 #### HTTP Request
 
-DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates/{name}
+DELETE /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaimtemplates/{name}
 
 #### Parameters
 
@@ -494,9 +504,9 @@ DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtempla
 #### Response
 
 
-200 (}}">ResourceClaimTemplate): OK
+200 (}}">ResourceClaimTemplate): OK
 
-202 (}}">ResourceClaimTemplate): Accepted
+202 (}}">ResourceClaimTemplate): Accepted
 
 401: Unauthorized
 
@@ -505,7 +515,7 @@ DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtempla
 
 #### HTTP Request
 
-DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtemplates
+DELETE /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaimtemplates
 
 #### Parameters
 
@@ -570,6 +580,11 @@ DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaimtempla
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/resource-claim-v1alpha1.md b/content/en/docs/reference/kubernetes-api/workload-resources/resource-claim-v1alpha2.md
similarity index 80%
rename from content/en/docs/reference/kubernetes-api/workload-resources/resource-claim-v1alpha1.md
rename to content/en/docs/reference/kubernetes-api/workload-resources/resource-claim-v1alpha2.md
index 0f435c9721a..24b8419a5ee 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/resource-claim-v1alpha1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/resource-claim-v1alpha2.md
@@ -1,11 +1,11 @@
 ---
 api_metadata:
-  apiVersion: "resource.k8s.io/v1alpha1"
-  import: "k8s.io/api/resource/v1alpha1"
+  apiVersion: "resource.k8s.io/v1alpha2"
+  import: "k8s.io/api/resource/v1alpha2"
   kind: "ResourceClaim"
 content_type: "api_reference"
 description: "ResourceClaim describes which resources are needed by a resource consumer."
-title: "ResourceClaim v1alpha1"
+title: "ResourceClaim v1alpha2"
 weight: 15
 auto_generated: true
 ---
@@ -21,9 +21,9 @@ guide. You can file document formatting bugs against the
 [reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
 -->
 
-`apiVersion: resource.k8s.io/v1alpha1`
+`apiVersion: resource.k8s.io/v1alpha2`
 
-`import "k8s.io/api/resource/v1alpha1"`
+`import "k8s.io/api/resource/v1alpha2"`
 
 
 ## ResourceClaim {#ResourceClaim}
@@ -34,7 +34,7 @@ This is an alpha type and requires enabling the DynamicResourceAllocation featur
 
 

 
-- **apiVersion**: resource.k8s.io/v1alpha1
+- **apiVersion**: resource.k8s.io/v1alpha2
 
 
 - **kind**: ResourceClaim
@@ -44,11 +44,11 @@ This is an alpha type and requires enabling the DynamicResourceAllocation featur
 
   Standard object metadata
 
-- **spec** (}}">ResourceClaimSpec), required
+- **spec** (}}">ResourceClaimSpec), required
 
   Spec describes the desired attributes of a resource that then needs to be allocated. It can only be set once when creating the ResourceClaim.
 
-- **status** (}}">ResourceClaimStatus)
+- **status** (}}">ResourceClaimStatus)
 
   Status describes whether the resource is available and with which attributes.
 
@@ -103,14 +103,14 @@ ResourceClaimStatus tracks whether the resource has been allocated and what the
 
 - **allocation** (AllocationResult)
 
-  Allocation is set by the resource driver once a resource has been allocated successfully. If this is not specified, the resource is not yet allocated.
+  Allocation is set by the resource driver once a resource or set of resources has been allocated successfully. If this is not specified, the resources have not been allocated yet.
 
   
-  *AllocationResult contains attributed of an allocated resource.*
+  *AllocationResult contains attributes of an allocated resource.*
 
   - **allocation.availableOnNodes** (NodeSelector)
 
-    This field will get set by the resource driver after it has allocated the resource driver to inform the scheduler where it can schedule Pods using the ResourceClaim.
+    This field will get set by the resource driver after it has allocated the resource to inform the scheduler where it can schedule Pods using the ResourceClaim.
     
     Setting this field is optional. If null, the resource is available everywhere.
 
@@ -132,11 +132,26 @@ ResourceClaimStatus tracks whether the resource has been allocated and what the
 
         A list of node selector requirements by node's fields.
 
-  - **allocation.resourceHandle** (string)
+  - **allocation.resourceHandles** ([]ResourceHandle)
 
-    ResourceHandle contains arbitrary data returned by the driver after a successful allocation. This is opaque for Kubernetes. Driver documentation may explain to users how to interpret this data if needed.
+    *Atomic: will be replaced during a merge*
     
-    The maximum size of this field is 16KiB. This may get increased in the future, but not reduced.
+    ResourceHandles contain the state associated with an allocation that should be maintained throughout the lifetime of a claim. Each ResourceHandle contains data that should be passed to a specific kubelet plugin once it lands on a node. This data is returned by the driver after a successful allocation and is opaque to Kubernetes. Driver documentation may explain to users how to interpret this data if needed.
+    
+    Setting this field is optional. It has a maximum size of 32 entries. If null (or empty), it is assumed this allocation will be processed by a single kubelet plugin with no ResourceHandle data attached. The name of the kubelet plugin invoked will match the DriverName set in the ResourceClaimStatus this AllocationResult is embedded in.
+
+    
+    *ResourceHandle holds opaque resource data for processing by a specific kubelet plugin.*
+
+    - **allocation.resourceHandles.data** (string)
+
+      Data contains the opaque data associated with this ResourceHandle. It is set by the controller component of the resource driver whose name matches the DriverName set in the ResourceClaimStatus this ResourceHandle is embedded in. It is set at allocation time and is intended for processing by the kubelet plugin whose name matches the DriverName set in this ResourceHandle.
+      
+      The maximum size of this field is 16KiB. This may get increased in the future, but not reduced.
+
+    - **allocation.resourceHandles.driverName** (string)
+
+      DriverName specifies the name of the resource driver whose kubelet plugin should be invoked to process this ResourceHandle's data once it lands on a node. This may differ from the DriverName set in ResourceClaimStatus this ResourceHandle is embedded in.
 
   - **allocation.shareable** (boolean)
 
@@ -156,7 +171,7 @@ ResourceClaimStatus tracks whether the resource has been allocated and what the
 
 - **reservedFor** ([]ResourceClaimConsumerReference)
 
-  *Set: unique values will be kept during a merge*
+  *Map: unique values on key uid will be kept during a merge*
   
   ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started.
   
@@ -191,7 +206,7 @@ ResourceClaimList is a collection of claims.
 
 

 
-- **apiVersion**: resource.k8s.io/v1alpha1
+- **apiVersion**: resource.k8s.io/v1alpha2
 
 
 - **kind**: ResourceClaimList
@@ -201,7 +216,7 @@ ResourceClaimList is a collection of claims.
 
   Standard list metadata
 
-- **items** ([]}}">ResourceClaim), required
+- **items** ([]}}">ResourceClaim), required
 
   Items is the list of resource claims.
 
@@ -224,7 +239,7 @@ ResourceClaimList is a collection of claims.
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}
+GET /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims/{name}
 
 #### Parameters
 
@@ -248,7 +263,7 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}
 #### Response
 
 
-200 (}}">ResourceClaim): OK
+200 (}}">ResourceClaim): OK
 
 401: Unauthorized
 
@@ -257,7 +272,7 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}/status
+GET /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims/{name}/status
 
 #### Parameters
 
@@ -281,7 +296,7 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}/
 #### Response
 
 
-200 (}}">ResourceClaim): OK
+200 (}}">ResourceClaim): OK
 
 401: Unauthorized
 
@@ -290,7 +305,7 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}/
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims
+GET /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims
 
 #### Parameters
 
@@ -340,6 +355,11 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -354,7 +374,7 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims
 #### Response
 
 
-200 (}}">ResourceClaimList): OK
+200 (}}">ResourceClaimList): OK
 
 401: Unauthorized
 
@@ -363,7 +383,7 @@ GET /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/resourceclaims
+GET /apis/resource.k8s.io/v1alpha2/resourceclaims
 
 #### Parameters
 
@@ -408,6 +428,11 @@ GET /apis/resource.k8s.io/v1alpha1/resourceclaims
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -422,7 +447,7 @@ GET /apis/resource.k8s.io/v1alpha1/resourceclaims
 #### Response
 
 
-200 (}}">ResourceClaimList): OK
+200 (}}">ResourceClaimList): OK
 
 401: Unauthorized
 
@@ -431,7 +456,7 @@ GET /apis/resource.k8s.io/v1alpha1/resourceclaims
 
 #### HTTP Request
 
-POST /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims
+POST /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims
 
 #### Parameters
 
@@ -441,7 +466,7 @@ POST /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims
   }}">namespace
 
 
-- **body**: }}">ResourceClaim, required
+- **body**: }}">ResourceClaim, required
 
   
 
@@ -470,11 +495,11 @@ POST /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims
 #### Response
 
 
-200 (}}">ResourceClaim): OK
+200 (}}">ResourceClaim): OK
 
-201 (}}">ResourceClaim): Created
+201 (}}">ResourceClaim): Created
 
-202 (}}">ResourceClaim): Accepted
+202 (}}">ResourceClaim): Accepted
 
 401: Unauthorized
 
@@ -483,7 +508,7 @@ POST /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims
 
 #### HTTP Request
 
-PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}
+PUT /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims/{name}
 
 #### Parameters
 
@@ -498,7 +523,7 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}
   }}">namespace
 
 
-- **body**: }}">ResourceClaim, required
+- **body**: }}">ResourceClaim, required
 
   
 
@@ -527,9 +552,9 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}
 #### Response
 
 
-200 (}}">ResourceClaim): OK
+200 (}}">ResourceClaim): OK
 
-201 (}}">ResourceClaim): Created
+201 (}}">ResourceClaim): Created
 
 401: Unauthorized
 
@@ -538,7 +563,7 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}
 
 #### HTTP Request
 
-PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}/status
+PUT /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims/{name}/status
 
 #### Parameters
 
@@ -553,7 +578,7 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}/
   }}">namespace
 
 
-- **body**: }}">ResourceClaim, required
+- **body**: }}">ResourceClaim, required
 
   
 
@@ -582,9 +607,9 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}/
 #### Response
 
 
-200 (}}">ResourceClaim): OK
+200 (}}">ResourceClaim): OK
 
-201 (}}">ResourceClaim): Created
+201 (}}">ResourceClaim): Created
 
 401: Unauthorized
 
@@ -593,7 +618,7 @@ PUT /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}/
 
 #### HTTP Request
 
-PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}
+PATCH /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims/{name}
 
 #### Parameters
 
@@ -642,9 +667,9 @@ PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name
 #### Response
 
 
-200 (}}">ResourceClaim): OK
+200 (}}">ResourceClaim): OK
 
-201 (}}">ResourceClaim): Created
+201 (}}">ResourceClaim): Created
 
 401: Unauthorized
 
@@ -653,7 +678,7 @@ PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name
 
 #### HTTP Request
 
-PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}/status
+PATCH /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims/{name}/status
 
 #### Parameters
 
@@ -702,9 +727,9 @@ PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name
 #### Response
 
 
-200 (}}">ResourceClaim): OK
+200 (}}">ResourceClaim): OK
 
-201 (}}">ResourceClaim): Created
+201 (}}">ResourceClaim): Created
 
 401: Unauthorized
 
@@ -713,7 +738,7 @@ PATCH /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name
 
 #### HTTP Request
 
-DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{name}
+DELETE /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims/{name}
 
 #### Parameters
 
@@ -757,9 +782,9 @@ DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{nam
 #### Response
 
 
-200 (}}">ResourceClaim): OK
+200 (}}">ResourceClaim): OK
 
-202 (}}">ResourceClaim): Accepted
+202 (}}">ResourceClaim): Accepted
 
 401: Unauthorized
 
@@ -768,7 +793,7 @@ DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims/{nam
 
 #### HTTP Request
 
-DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims
+DELETE /apis/resource.k8s.io/v1alpha2/namespaces/{namespace}/resourceclaims
 
 #### Parameters
 
@@ -833,6 +858,11 @@ DELETE /apis/resource.k8s.io/v1alpha1/namespaces/{namespace}/resourceclaims
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/resource-class-v1alpha1.md b/content/en/docs/reference/kubernetes-api/workload-resources/resource-class-v1alpha2.md
similarity index 87%
rename from content/en/docs/reference/kubernetes-api/workload-resources/resource-class-v1alpha1.md
rename to content/en/docs/reference/kubernetes-api/workload-resources/resource-class-v1alpha2.md
index e06ae249913..8e3c5a50da5 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/resource-class-v1alpha1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/resource-class-v1alpha2.md
@@ -1,11 +1,11 @@
 ---
 api_metadata:
-  apiVersion: "resource.k8s.io/v1alpha1"
-  import: "k8s.io/api/resource/v1alpha1"
+  apiVersion: "resource.k8s.io/v1alpha2"
+  import: "k8s.io/api/resource/v1alpha2"
   kind: "ResourceClass"
 content_type: "api_reference"
 description: "ResourceClass is used by administrators to influence how resources are allocated."
-title: "ResourceClass v1alpha1"
+title: "ResourceClass v1alpha2"
 weight: 17
 auto_generated: true
 ---
@@ -21,9 +21,9 @@ guide. You can file document formatting bugs against the
 [reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
 -->
 
-`apiVersion: resource.k8s.io/v1alpha1`
+`apiVersion: resource.k8s.io/v1alpha2`
 
-`import "k8s.io/api/resource/v1alpha1"`
+`import "k8s.io/api/resource/v1alpha2"`
 
 
 ## ResourceClass {#ResourceClass}
@@ -34,7 +34,7 @@ This is an alpha type and requires enabling the DynamicResourceAllocation featur
 
 

 
-- **apiVersion**: resource.k8s.io/v1alpha1
+- **apiVersion**: resource.k8s.io/v1alpha2
 
 
 - **kind**: ResourceClass
@@ -107,7 +107,7 @@ ResourceClassList is a collection of classes.
 
 

 
-- **apiVersion**: resource.k8s.io/v1alpha1
+- **apiVersion**: resource.k8s.io/v1alpha2
 
 
 - **kind**: ResourceClassList
@@ -117,7 +117,7 @@ ResourceClassList is a collection of classes.
 
   Standard list metadata
 
-- **items** ([]}}">ResourceClass), required
+- **items** ([]}}">ResourceClass), required
 
   Items is the list of resource classes.
 
@@ -140,7 +140,7 @@ ResourceClassList is a collection of classes.
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
+GET /apis/resource.k8s.io/v1alpha2/resourceclasses/{name}
 
 #### Parameters
 
@@ -159,7 +159,7 @@ GET /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
 #### Response
 
 
-200 (}}">ResourceClass): OK
+200 (}}">ResourceClass): OK
 
 401: Unauthorized
 
@@ -168,7 +168,7 @@ GET /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
 
 #### HTTP Request
 
-GET /apis/resource.k8s.io/v1alpha1/resourceclasses
+GET /apis/resource.k8s.io/v1alpha2/resourceclasses
 
 #### Parameters
 
@@ -213,6 +213,11 @@ GET /apis/resource.k8s.io/v1alpha1/resourceclasses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -227,7 +232,7 @@ GET /apis/resource.k8s.io/v1alpha1/resourceclasses
 #### Response
 
 
-200 (}}">ResourceClassList): OK
+200 (}}">ResourceClassList): OK
 
 401: Unauthorized
 
@@ -236,12 +241,12 @@ GET /apis/resource.k8s.io/v1alpha1/resourceclasses
 
 #### HTTP Request
 
-POST /apis/resource.k8s.io/v1alpha1/resourceclasses
+POST /apis/resource.k8s.io/v1alpha2/resourceclasses
 
 #### Parameters
 
 
-- **body**: }}">ResourceClass, required
+- **body**: }}">ResourceClass, required
 
   
 
@@ -270,11 +275,11 @@ POST /apis/resource.k8s.io/v1alpha1/resourceclasses
 #### Response
 
 
-200 (}}">ResourceClass): OK
+200 (}}">ResourceClass): OK
 
-201 (}}">ResourceClass): Created
+201 (}}">ResourceClass): Created
 
-202 (}}">ResourceClass): Accepted
+202 (}}">ResourceClass): Accepted
 
 401: Unauthorized
 
@@ -283,7 +288,7 @@ POST /apis/resource.k8s.io/v1alpha1/resourceclasses
 
 #### HTTP Request
 
-PUT /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
+PUT /apis/resource.k8s.io/v1alpha2/resourceclasses/{name}
 
 #### Parameters
 
@@ -293,7 +298,7 @@ PUT /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
   name of the ResourceClass
 
 
-- **body**: }}">ResourceClass, required
+- **body**: }}">ResourceClass, required
 
   
 
@@ -322,9 +327,9 @@ PUT /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
 #### Response
 
 
-200 (}}">ResourceClass): OK
+200 (}}">ResourceClass): OK
 
-201 (}}">ResourceClass): Created
+201 (}}">ResourceClass): Created
 
 401: Unauthorized
 
@@ -333,7 +338,7 @@ PUT /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
 
 #### HTTP Request
 
-PATCH /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
+PATCH /apis/resource.k8s.io/v1alpha2/resourceclasses/{name}
 
 #### Parameters
 
@@ -377,9 +382,9 @@ PATCH /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
 #### Response
 
 
-200 (}}">ResourceClass): OK
+200 (}}">ResourceClass): OK
 
-201 (}}">ResourceClass): Created
+201 (}}">ResourceClass): Created
 
 401: Unauthorized
 
@@ -388,7 +393,7 @@ PATCH /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
 
 #### HTTP Request
 
-DELETE /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
+DELETE /apis/resource.k8s.io/v1alpha2/resourceclasses/{name}
 
 #### Parameters
 
@@ -427,9 +432,9 @@ DELETE /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
 #### Response
 
 
-200 (}}">ResourceClass): OK
+200 (}}">ResourceClass): OK
 
-202 (}}">ResourceClass): Accepted
+202 (}}">ResourceClass): Accepted
 
 401: Unauthorized
 
@@ -438,7 +443,7 @@ DELETE /apis/resource.k8s.io/v1alpha1/resourceclasses/{name}
 
 #### HTTP Request
 
-DELETE /apis/resource.k8s.io/v1alpha1/resourceclasses
+DELETE /apis/resource.k8s.io/v1alpha2/resourceclasses
 
 #### Parameters
 
@@ -498,6 +503,11 @@ DELETE /apis/resource.k8s.io/v1alpha1/resourceclasses
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/stateful-set-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/stateful-set-v1.md
index 2e588e6f131..a106d18d27e 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/stateful-set-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/stateful-set-v1.md
@@ -74,7 +74,7 @@ A StatefulSetSpec is the specification of a StatefulSet.
 
 - **template** (}}">PodTemplateSpec), required
 
-  template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet. Each pod will be named with the format \-\. For example, a pod in a StatefulSet named "web" with index number "3" would be named "web-3".
+  template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet. Each pod will be named with the format \-\. For example, a pod in a StatefulSet named "web" with index number "3" would be named "web-3". The only allowed template.spec.restartPolicy value is "Always".
 
 - **replicas** (int32)
 
@@ -90,8 +90,6 @@ A StatefulSetSpec is the specification of a StatefulSet.
   - **updateStrategy.type** (string)
 
     Type indicates the type of the StatefulSetUpdateStrategy. Default is RollingUpdate.
-    
-    
 
   - **updateStrategy.rollingUpdate** (RollingUpdateStatefulSetStrategy)
 
@@ -114,8 +112,6 @@ A StatefulSetSpec is the specification of a StatefulSet.
 - **podManagementPolicy** (string)
 
   podManagementPolicy controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default policy is `OrderedReady`, where pods are created in increasing order (pod-0, then pod-1, etc) and the controller will wait until each pod is ready before continuing. When scaling down, the pods are removed in the opposite order. The alternative policy is `Parallel` which will create pods in parallel to match the desired scale without waiting, and on scale down will delete all pods at once.
-  
-  
 
 - **revisionHistoryLimit** (int32)
 
@@ -146,7 +142,7 @@ A StatefulSetSpec is the specification of a StatefulSet.
 
 - **ordinals** (StatefulSetOrdinals)
 
-  ordinals controls the numbering of replica indices in a StatefulSet. The default ordinals behavior assigns a "0" index to the first replica and increments the index by one for each additional replica requested. Using the ordinals field requires the StatefulSetStartOrdinal feature gate to be enabled, which is alpha.
+  ordinals controls the numbering of replica indices in a StatefulSet. The default ordinals behavior assigns a "0" index to the first replica and increments the index by one for each additional replica requested. Using the ordinals field requires the StatefulSetStartOrdinal feature gate to be enabled, which is beta.
 
   
   *StatefulSetOrdinals describes the policy used for replica ordinal assignment in this StatefulSet.*
@@ -395,6 +391,11 @@ GET /apis/apps/v1/namespaces/{namespace}/statefulsets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -463,6 +464,11 @@ GET /apis/apps/v1/statefulsets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds
@@ -888,6 +894,11 @@ DELETE /apis/apps/v1/namespaces/{namespace}/statefulsets
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+
 - **timeoutSeconds** (*in query*): integer
 
   }}">timeoutSeconds

From ba1d6bd99907f4cb0c09c1a44d9e4fb1045126ab Mon Sep 17 00:00:00 2001
From: Kante Yin 
Date: Mon, 3 Apr 2023 00:48:27 +0800
Subject: [PATCH 082/272] Add section about nodeInclusionPolicy

Signed-off-by: Kante Yin 
---
 .../2023-04-11-topology-spread-features.md    | 50 +++++++++++++++++--
 1 file changed, 45 insertions(+), 5 deletions(-)

diff --git a/content/en/blog/_posts/2023-04-11-topology-spread-features.md b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
index 290a5ac2b73..990e3ff784f 100644
--- a/content/en/blog/_posts/2023-04-11-topology-spread-features.md
+++ b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
@@ -8,7 +8,7 @@ evergreen: true
 
 **Authors:** [Alex Wang](https://github.com/denkensk)(Shopee), [Kante Yin](https://github.com/kerthcet)(DaoCloud), [Kensei Nakada](https://github.com/sanposhiho)(Mercari)
 
-In Kubernetes v1.19, [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) went to GA. 
+In Kubernetes v1.19, [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) went to GA.
 It is the feature to control how Pods are spread to each failure-domain (regions, zones, nodes etc).
 
 As time passes, we've got further feedbacks from users,
@@ -47,17 +47,57 @@ but other 2 Pods from this replicaset will be unschedulable until more Nodes joi
 The cluster autoscaler provisions new Nodes based on these unschedulable Pods,
 and as a result, the replicas are finally spread over 5 Nodes.
 
-## KEP-3094: Take taints/tolerations into consideration when calculating PodTopologySpread skew
+## Take taints/tolerations into consideration when calculating PodTopologySpread skew
 
-TODO(kerthcet): write it
+Before this, when we deploy a pod with `podTopologySpread` configured, we'll take all
+affinity nodes(satisfied with pod nodeAffinity and nodeSelector) into consideration
+in filtering and scoring, but a node with pod untolerated taint may also be a candidate
+because we didn't take care of node taints, which will lead to the pod pending.
+
+To avoid this and make a more fine-gained decision in scheduling, we introduced two new fields in
+`TopologySpreadConstraint` to define node inclusion policies including nodeAffinity and nodeTaint.
+
+It mostly looks like:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example-pod
+spec:
+  # Configure a topology spread constraint
+  topologySpreadConstraints:
+    - maxSkew: 
+      # ...
+      nodeAffinityPolicy: [Honor|Ignore]
+      nodeTaintsPolicy: [Honor|Ignore]
+  # other Pod fields go here
+```
+
+**nodeAffinityPolicy** indicates how we'll treat Pod's nodeAffinity/nodeSelector in pod topology spreading.
+If `Honor`, we'll filter out nodes not matching nodeAffinity/nodeSelector in calculation.
+If `Ignore`, these nodes will be included instead.
+
+For backwards-compatibility, nodeAffinityPolicy is default to `Honor`.
+
+**nodeTaintsPolicy** indicates how we'll treat node taints in pod topology spreading.
+If `Honor`, only tainted nodes for which the incoming pod has a toleration, will be included in calculation.
+If `Ignore`, we'll not consider the node taints at all in calculation, so a node with pod untolerated taint
+will also be included.
+
+For backwards-compatibility, nodeTaintsPolicy is default to the `Ignore`.
+
+The feature was introduced in v1.25 as alpha level. By default, it was disabled, so if you want to use this feature in v1.25,
+you have to enable the feature gate `NodeInclusionPolicyInPodTopologySpread` actively. In the following v1.26, we graduated
+this feature to beta and it was enabled by default since.
 
 ## KEP-3243: Respect PodTopologySpread after rolling upgrades
 
 TODO(denkensk): write it
 
-## Getting involved 
+## Getting involved
 
-These features are managed by the [SIG/Scheduling](https://github.com/kubernetes/community/tree/master/sig-scheduling). 
+These features are managed by the [SIG/Scheduling](https://github.com/kubernetes/community/tree/master/sig-scheduling).
 
 Please join us and share your feedback. We look forward to hearing from you!
 

From c35cd20175cc3a86d3622794db869a3eaa294d3a Mon Sep 17 00:00:00 2001
From: Alex Wang 
Date: Mon, 3 Apr 2023 15:46:20 +0800
Subject: [PATCH 083/272] blog: add section about matchLabelKeys

Signed-off-by: Alex Wang 
---
 .../2023-04-11-topology-spread-features.md    | 33 ++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-04-11-topology-spread-features.md b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
index 990e3ff784f..9be4953732f 100644
--- a/content/en/blog/_posts/2023-04-11-topology-spread-features.md
+++ b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
@@ -93,7 +93,38 @@ this feature to beta and it was enabled by default since.
 
 ## KEP-3243: Respect PodTopologySpread after rolling upgrades
 
-TODO(denkensk): write it
+Pod Topology Spread uses the fields `topologyKey` or `labelSelector` to identify the group of pods over which
+spreading will be calculated. But it applies to all pods in a Deployment irrespective of their owning
+ReplicaSet. As a result, when a new revision is rolled out, spreading will apply across pods from both the
+old and new ReplicaSets, and so by the time the new ReplicaSet is completely rolled out and the old one is
+rolled back, the actual spreading we are left with may not match expectations because the deleted pods from
+the older ReplicaSet will cause skewed distribution for the remaining pods.
+
+In order to solve this problem and to make more accurate decisions in scheduling, we added a new named
+`matchLabelKeys` to `topologySpreadConstraints`. `matchLabelKeys` is a list of pod label keys to select
+the pods over which spreading will be calculated. The keys are used to lookup values from the pod labels,
+those key-value labels are ANDed with `labelSelector` to select the group of existing pods over
+which spreading will be calculated for the incoming pod.
+
+With `matchLabelKeys`, you don't need to update the `pod.spec` between different revisions.
+The controller/operator just needs to set different values to the same label key for different revisions.
+The scheduler will assume the values automatically based on `matchLabelKeys`.
+For example, if you are configuring a Deployment, you can use the label keyed with
+[pod-template-hash](https://kubernetes.io//docs/concepts/workloads/controllers/deployment/#pod-template-hash-label),
+which is added automatically by the Deployment controller, to distinguish between different
+revisions in a single Deployment.
+
+```yaml
+topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/hostname
+      whenUnsatisfiable: DoNotSchedule
+      labelSelector:
+        matchLabels:
+          app: foo
+      matchLabelKeys:
+        - pod-template-hash
+```
 
 ## Getting involved
 

From dcfe5ae35f97dc1719e7df3bd83ad9dac46cd8fa Mon Sep 17 00:00:00 2001
From: Kensei Nakada 
Date: Mon, 3 Apr 2023 16:50:49 +0900
Subject: [PATCH 084/272] updat title and slug

---
 content/en/blog/_posts/2023-04-11-topology-spread-features.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/en/blog/_posts/2023-04-11-topology-spread-features.md b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
index 9be4953732f..a159117e310 100644
--- a/content/en/blog/_posts/2023-04-11-topology-spread-features.md
+++ b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
@@ -1,8 +1,8 @@
 ---
 layout: blog
-title: "TBD" // TODO: have a cool title.
+title: "Kubernetes 1.27: More fine-grained pod topology spread policies reached beta"
 date: 2023-04-11
-slug: topology-spread-new-features
+slug: fine-grained-pod-topology-spread-features-beta
 evergreen: true
 ---
 

From bbe2382abfe1f96ef1ddca60ad7fd90bc684d348 Mon Sep 17 00:00:00 2001
From: Kensei Nakada 
Date: Mon, 3 Apr 2023 16:52:53 +0900
Subject: [PATCH 085/272] change the section header

---
 content/en/blog/_posts/2023-04-11-topology-spread-features.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-04-11-topology-spread-features.md b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
index a159117e310..bd908eece73 100644
--- a/content/en/blog/_posts/2023-04-11-topology-spread-features.md
+++ b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
@@ -47,7 +47,7 @@ but other 2 Pods from this replicaset will be unschedulable until more Nodes joi
 The cluster autoscaler provisions new Nodes based on these unschedulable Pods,
 and as a result, the replicas are finally spread over 5 Nodes.
 
-## Take taints/tolerations into consideration when calculating PodTopologySpread skew
+## KEP-3094: Take taints/tolerations into consideration when calculating PodTopologySpread skew
 
 Before this, when we deploy a pod with `podTopologySpread` configured, we'll take all
 affinity nodes(satisfied with pod nodeAffinity and nodeSelector) into consideration

From 89c7e2ed6e9a4a525e591716153f90edc21a4d8a Mon Sep 17 00:00:00 2001
From: Han Kang 
Date: Mon, 3 Apr 2023 01:13:52 -0700
Subject: [PATCH 086/272] Update documentation on SLI metrics (#40064)

* update metrics/slis documentation

* Update content/en/docs/reference/instrumentation/slis.md

Co-authored-by: Tim Bannister 

* Update content/en/docs/reference/instrumentation/slis.md

Co-authored-by: Tim Bannister 

* update feature gate doc

* Update content/en/docs/reference/command-line-tools-reference/feature-gates.md

Co-authored-by: Qiming Teng 

---------

Co-authored-by: Tim Bannister 
Co-authored-by: Qiming Teng 
---
 .../command-line-tools-reference/feature-gates.md         | 3 ++-
 content/en/docs/reference/instrumentation/slis.md         | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 56385ff1481..884018118ca 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -84,7 +84,8 @@ For a reference to old feature gates that are removed, please refer to
 | `CSINodeExpandSecret` | `true` | Beta | 1.27 | |
 | `CSIVolumeHealth` | `false` | Alpha | 1.21 | |
 | `CloudDualStackNodeIPs` | false | Alpha | 1.27 | |
-| `ComponentSLIs` | `false` | Alpha | 1.26 | |
+| `ComponentSLIs` | `false` | Alpha | 1.26 | 1.26 |
+| `ComponentSLIs` | `true` | Beta | 1.27 | |
 | `ContainerCheckpoint` | `false` | Alpha | 1.25 | |
 | `ContextualLogging` | `false` | Alpha | 1.24 | |
 | `CrossNamespaceVolumeDataSource` | `false` | Alpha| 1.26 | |
diff --git a/content/en/docs/reference/instrumentation/slis.md b/content/en/docs/reference/instrumentation/slis.md
index 744df09336e..3b559a398c9 100644
--- a/content/en/docs/reference/instrumentation/slis.md
+++ b/content/en/docs/reference/instrumentation/slis.md
@@ -9,13 +9,13 @@ weight: 20
 
 
 
-{{< feature-state for_k8s_version="v1.26" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
-As an alpha feature, Kubernetes lets you configure Service Level Indicator (SLI) metrics 
+By default, Kubernetes {{< skew currentVersion >}} publishes Service Level Indicator (SLI) metrics 
 for each Kubernetes component binary. This metric endpoint is exposed on the serving 
-HTTPS port of each component, at the path `/metrics/slis`. You must enable the 
+HTTPS port of each component, at the path `/metrics/slis`. The 
 `ComponentSLIs` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-for every component from which you want to scrape SLI metrics.
+defaults to enabled for each Kubernetes component as of v1.27.
 
 
 

From 24b259fa36f46086827ee19d226fd82a5d0b3d9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20K=C5=99epinsk=C3=BD?= 
Date: Wed, 15 Mar 2023 13:20:43 +0100
Subject: [PATCH 087/272] Promote PodDisruptionBudget
 UnhealthyPodEvictionPolicy to Beta

---
 content/en/docs/concepts/workloads/pods/disruptions.md       | 5 +++++
 .../reference/command-line-tools-reference/feature-gates.md  | 3 ++-
 .../en/docs/tasks/administer-cluster/safely-drain-node.md    | 5 +++++
 content/en/docs/tasks/run-application/configure-pdb.md       | 4 ++--
 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/content/en/docs/concepts/workloads/pods/disruptions.md b/content/en/docs/concepts/workloads/pods/disruptions.md
index 25982067532..1d2b33d55f5 100644
--- a/content/en/docs/concepts/workloads/pods/disruptions.md
+++ b/content/en/docs/concepts/workloads/pods/disruptions.md
@@ -136,6 +136,11 @@ against the disruption budget, but workload resources (such as Deployment and St
 are not limited by PDBs when doing rolling upgrades. Instead, the handling of failures
 during application updates is configured in the spec for the specific workload resource.
 
+It is recommended to set `AlwaysAllow` [Unhealthy Pod Eviction Policy](/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy)
+to your PodDisruptionBudgets to support eviction of misbehaving applications during a node drain.
+The default behavior is to wait for the application pods to become [healthy](/docs/tasks/run-application/configure-pdb/#healthiness-of-a-pod)
+before the drain can proceed.
+
 When a pod is evicted using the eviction API, it is gracefully
 [terminated](/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination), honoring the
 `terminationGracePeriodSeconds` setting in its [PodSpec](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core).
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 884018118ca..361370af51a 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -158,7 +158,8 @@ For a reference to old feature gates that are removed, please refer to
 | `NodeSwap` | `false` | Alpha | 1.22 | |
 | `OpenAPIEnums` | `false` | Alpha | 1.23 | 1.23 |
 | `OpenAPIEnums` | `true` | Beta | 1.24 | |
-| `PDBUnhealthyPodEvictionPolicy` | `false` | Alpha | 1.26 | |
+| `PDBUnhealthyPodEvictionPolicy` | `false` | Alpha | 1.26 | 1.26 |
+| `PDBUnhealthyPodEvictionPolicy` | `true` | Beta | 1.27 | |
 | `PodAndContainerStatsFromCRI` | `false` | Alpha | 1.23 | |
 | `PodDeletionCost` | `false` | Alpha | 1.21 | 1.21 |
 | `PodDeletionCost` | `true` | Beta | 1.22 | |
diff --git a/content/en/docs/tasks/administer-cluster/safely-drain-node.md b/content/en/docs/tasks/administer-cluster/safely-drain-node.md
index 456fd02c7d4..5afcd3eac1c 100644
--- a/content/en/docs/tasks/administer-cluster/safely-drain-node.md
+++ b/content/en/docs/tasks/administer-cluster/safely-drain-node.md
@@ -35,6 +35,11 @@ If availability is important for any applications that run or could run on the n
 that you are draining, [configure a PodDisruptionBudgets](/docs/tasks/run-application/configure-pdb/)
 first and then continue following this guide.
 
+It is recommended to set `AlwaysAllow` [Unhealthy Pod Eviction Policy](/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy)
+to your PodDisruptionBudgets to support eviction of misbehaving applications during a node drain.
+The default behavior is to wait for the application pods to become [healthy](/docs/tasks/run-application/configure-pdb/#healthiness-of-a-pod)
+before the drain can proceed.
+
 ## Use `kubectl drain` to remove a node from service
 
 You can use `kubectl drain` to safely evict all of your pods from a
diff --git a/content/en/docs/tasks/run-application/configure-pdb.md b/content/en/docs/tasks/run-application/configure-pdb.md
index ed3eebe6270..b7e219d4ee9 100644
--- a/content/en/docs/tasks/run-application/configure-pdb.md
+++ b/content/en/docs/tasks/run-application/configure-pdb.md
@@ -241,10 +241,10 @@ These pods are tracked via `.status.currentHealthy` field in the PDB status.
 
 ## Unhealthy Pod Eviction Policy
 
-{{< feature-state for_k8s_version="v1.26" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
 {{< note >}}
-In order to use this behavior, you must enable the `PDBUnhealthyPodEvictionPolicy`
+This feature is enabled by default. You can disable it by disabling the `PDBUnhealthyPodEvictionPolicy`
 [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
 on the [API server](/docs/reference/command-line-tools-reference/kube-apiserver/).
 {{< /note >}}

From 85292c0290feb4b23ff613538de98f79f0a4d051 Mon Sep 17 00:00:00 2001
From: harshitasao 
Date: Mon, 3 Apr 2023 17:08:25 +0530
Subject: [PATCH 088/272] made the required changes

---
 .../_posts/2023-04-11-kubernetes-1.27-blog.md | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
index 5a8874f9dea..ba5b715e07b 100644
--- a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
+++ b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
@@ -9,7 +9,7 @@ slug: kubernetes-v1-27-release
 
 Announcing the release of Kubernetes v1.27, the first release of 2023!
 
-This release consist of sixty enhancements. Eighteen of those enhancements are entering Alpha, Tweentynine are graduating to Beta, and Thirteen are graduating to Stable.
+This release consist of 60 enhancements. 18 of those enhancements are entering Alpha, 29 are graduating to Beta, and 13 are graduating to Stable.
 
 ## Release theme and logo
 
@@ -22,16 +22,16 @@ The theme for Kubernetes v1.27 is *Chill Vibes*.
 
 It's a little silly, but there were some important shifts in this release that helped inspire the theme. Throughout a typical Kubernetes release cycle, there are several deadlines that features need to meet to remain included. If a feature misses any of these deadlines, there is an exception process they can go through. Handling these exceptions is a very normal part of the release. But v1.27 is the first release that anyone can remember where we didn't receive a single exception request after the enhancements freeze. Even as the release progressed, things remained much calmer than any of us are used to.
 
-There's a specific reason we were able to enjoy a more calm release this time around, and that's all the work that folks put in beind the scenes to improve how we manage the release. That's what this theme celebrates, people putting in the work to make things better for the community.
+There's a specific reason we were able to enjoy a more calm release this time around, and that's all the work that folks put in behind the scenes to improve how we manage the release. That's what this theme celebrates, people putting in the work to make things better for the community.
 
-Special thinks to [Britnee Laverack](https://www.instagram.com/artsyfie/) for creating the logo. Britnee also design the logo for [Kubernetes 1.24: Stargazer](https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/#release-theme-and-logo).
+Special thanks to [Britnee Laverack](https://www.instagram.com/artsyfie/) for creating the logo. Britnee also designed the logo for [Kubernetes 1.24: Stargazer](https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/#release-theme-and-logo).
 
 # What's New (Major Themes)
 
 ## Freeze `k8s.gcr.io` image registry
 
 Replacing the old image registry, [k8s.gcr.io](https://cloud.google.com/container-registry/) with [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io) which has been generally available for several months. The Kubernetes project created and runs the `registry.k8s.io` image registry, which is fully controlled by the community.
-This mean that all subsequent image releases would not be available on the old registry. Freezing  the `k8s.gcr.io` image registry by not pushing any new digests or tags after this release.
+This means that the old registry `k8s.gcr.io` will be frozen and no further images for Kubernetes and related subprojects will be pushed to the old registry. 
 
 What does this change mean for contributors:
 
@@ -41,7 +41,7 @@ What does this change mean for end users:
 
 * This Kubernetes release will not be published to the old registry.
 
-* Patch releases for v1.24, v1.25, and v1.26 will no longer be published to the old registry from April. 
+* Patch releases for v1.24, v1.25, and v1.26 will no longer be published to the old registry after April. 
 
 * Starting in v1.25, the default image registry has been set to `registry.k8s.io`. This value is overridable in kubeadm and kubelet but setting it to `k8s.gcr.io` will fail for new releases after April as they won’t be present in the old registry.
 
@@ -65,9 +65,10 @@ The `schedulingGates` field contains a list of strings, and each string literal
 
 ## Node Service Log Viewer
 
-This feature helps cluster administrators debug issues with services running on nodes by allowing them to query service logs. To use the feature, ensure that the `NodeLogQuery` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled for that node, and that the kubelet configuration options `enableSystemLogHandler` and `enableSystemLogQuery` are both set to true. On Linux we assume that service logs are available either via journald. On Windows we assume that service logs are available in the application log provider. On both operating systems, logs are also available by reading files within `/var/log/`.
+This feature helps cluster administrators debug issues with services running on nodes by allowing them to query service logs. To use the feature, ensure that the `NodeLogQuery` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled for that node, and that the kubelet configuration options `enableSystemLogHandler` and `enableSystemLogQuery` are both set to true. 
+On Linux, we assume that service logs are available via journald. On Windows, we assume that service logs are available in the application log provider. Logs are also available in the `/var/log/` and `C:\var\log` directories on Linux and Windows, respectively.
 
-A node level administrator can try out this alpha feature on all their nodes, or on just a subset. Provided you're authorized to do so.
+A cluster administrator can try out this alpha feature on all their nodes, or on just a subset.
 
 ## ReadWriteOncePod PersistentVolume Access Mode goes to beta 
 
@@ -102,22 +103,21 @@ In Kubernetes v1.25 and v1.26, this behavior toggle was part of the `SELinuxMoun
 
 ## `JobMutableNodeSchedulingDirectives` graduates to GA
 
-This was introduced in v1.22 and started as a beta level, now it's stable. In most cases a parallel job will want the pods to run with constraints, like all in the same zone, or all either on GPU model x or y but not a mix of both. The suspend field is the first step towards achieving those semantics. Suspend allows a custom queue controller to decide when a job should start. However, once a job is unsuspended, a custom queue controller has no influence on where the pods of a job will actually land.
+This was introduced in v1.22 and started as a beta level, now it's stable. In most cases a parallel job will want the pods to run with constraints, like all in the same zone, or all either on GPU model x or y but not a mix of both. The `suspend` field is the first step towards achieving those semantics. `suspend` allows a custom queue controller to decide when a job should start. However, once a job is unsuspended, a custom queue controller has no influence on where the pods of a job will actually land.
 
 This feature allows updating a Job's scheduling directives before it starts, which gives custom queue controllers the ability to influence pod placement while at the same time offloading actual pod-to-node assignment to kube-scheduler. This is allowed only for suspended Jobs that have never been unsuspended before. The fields in a Job's pod template that can be updated are node affinity, node selector, tolerations, labels and annotations and [scheduling gates](/docs/concepts/scheduling-eviction/pod-scheduling-readiness/). Find more details in KEP: [Allow updating scheduling directives of jobs](https://github.com/kubernetes/enhancements/tree/master/keps/sig-scheduling/2926-job-mutable-scheduling-directives)
 
 ## Mutable Pod Scheduling Directives goes to beta
 
-This allows a pod to make pod scheduling directives (nodeSelector, affinity) mutable as long as the pod is gated.  It gives the ability to mutate a pods scheduling directives before it is allowed to be scheduled, and gives an external resource controller the ability to influence pod placement while at the same time offload actual pod-to-node assignment to kube-scheduler.
+This allows mutating a pod that is blocked on a scheduling readiness gate with a more constrained node affinity/selector. It gives the ability to mutate a pods scheduling directives before it is allowed to be scheduled, and gives an external resource controller the ability to influence pod placement while at the same time offload actual pod-to-node assignment to kube-scheduler.
 
 This opens the door for a new pattern of adding scheduling features to Kubernetes.  Specifically, building lightweight schedulers that implement features not supported by kube-scheduler, while relying on the existing kube-scheduler to support all upstream features and handle the pod-to-node binding. This pattern should be the preferred one if the custom feature doesn't require implementing a schedule plugin, which entails re-building and maintaining a custom kube-scheduler binary.
 
 ## DownwardAPIHugePages graduates to stable 
 
-Support for `requests.hugepages-` and `limits.hugepages-` is being added to the downward API to be consistent with other resources like cpu, memory, and ephemeral storage. You can find more details in the KEP: [Downward API HugePages](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2053-downward-api-hugepages).
+In kubernetes v1.20, support for `requests.hugepages-` and `limits.hugepages-` was added to the downward API to be consistent with other resources like cpu, memory, and ephemeral storage. This feature graduates to stable in this release. You can find more details in the KEP: [Downward API HugePages](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2053-downward-api-hugepages).
 
 # Other Updates
-
 ## Graduations to stable
 
 This release includes a total of thirteen enhancements promoted to Stable:

From 6e568b89aace66d641168e6242c8b9387c128b11 Mon Sep 17 00:00:00 2001
From: Jan Safranek 
Date: Wed, 15 Mar 2023 10:34:51 +0100
Subject: [PATCH 089/272] Flip SELinuxMountReadWriteOncePod to Beta

Co-authored-by: Qiming Teng 
Co-authored-by: Tim Bannister 
---
 .../feature-gates.md                          |  3 ++-
 .../security-context.md                       | 27 ++++++++++---------
 2 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 884018118ca..a4f2488dc50 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -183,7 +183,8 @@ For a reference to old feature gates that are removed, please refer to
 | `RetroactiveDefaultStorageClass` | `true` | Beta | 1.26 | |
 | `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | 1.11 |
 | `RotateKubeletServerCertificate` | `true` | Beta | 1.12 | |
-| `SELinuxMountReadWriteOncePod` | `false` | Alpha | 1.25 | |
+| `SELinuxMountReadWriteOncePod` | `false` | Alpha | 1.25 | 1.26 |
+| `SELinuxMountReadWriteOncePod` | `true` | Beta | 1.27 | |
 | `ServiceNodePortStaticSubrange` | `false` | Alpha | 1.27 | |
 | `SizeMemoryBackedVolumes` | `false` | Alpha | 1.20 | 1.21 |
 | `SizeMemoryBackedVolumes` | `true` | Beta | 1.22 | |
diff --git a/content/en/docs/tasks/configure-pod-container/security-context.md b/content/en/docs/tasks/configure-pod-container/security-context.md
index 0f5549c220b..c23ef53396a 100644
--- a/content/en/docs/tasks/configure-pod-container/security-context.md
+++ b/content/en/docs/tasks/configure-pod-container/security-context.md
@@ -440,7 +440,7 @@ To assign SELinux labels, the SELinux security module must be loaded on the host
 
 ### Efficient SELinux volume relabeling
 
-{{< feature-state for_k8s_version="v1.25" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
 By default, the container runtime recursively assigns SELinux label to all
 files on all Pod volumes. To speed up this process, Kubernetes can change the
@@ -449,16 +449,16 @@ SELinux label of a volume instantly by using a mount option
 
 To benefit from this speedup, all these conditions must be met:
 
-* Alpha feature gate `SELinuxMountReadWriteOncePod` must be enabled.
+* The [feature gates](/docs/reference/command-line-tools-reference/feature-gates/) `ReadWriteOncePod`
+  and `SELinuxMountReadWriteOncePod` must be enabled.
 * Pod must use PersistentVolumeClaim with `accessModes: ["ReadWriteOncePod"]`.
 * Pod (or all its Containers that use the PersistentVolumeClaim) must
   have `seLinuxOptions` set.
-* The corresponding PersistentVolume must be either a volume that uses a
-  {{< glossary_tooltip text="CSI" term_id="csi" >}} driver, or a volume that uses the
-  legacy `iscsi` volume type.
-  * If you use a volume backed by a CSI driver, that CSI driver must announce that it
-    supports mounting with `-o context` by setting `spec.seLinuxMount: true` in
-    its CSIDriver instance.
+* The corresponding PersistentVolume must be either:
+  * A volume that uses the legacy in-tree `iscsi`, `rbd` or `fc` volume type.
+  * Or a volume that uses a {{< glossary_tooltip text="CSI" term_id="csi" >}} driver.
+    The CSI driver must announce that it supports mounting with `-o context` by setting
+    `spec.seLinuxMount: true` in its CSIDriver instance.
 
 For any other volume types, SELinux relabelling happens another way: the container
 runtime  recursively changes the SELinux label for all inodes (files and directories)
@@ -466,11 +466,12 @@ in the volume.
 The more files and directories in the volume, the longer that relabelling takes.
 
 {{< note >}}
-In Kubernetes 1.25, the kubelet loses track of volume labels after restart. In
-other words, then kubelet may refuse to start Pods with errors similar to  "conflicting
-SELinux labels of volume", while there are no conflicting labels in Pods. Make sure
-nodes are [fully drained](/docs/tasks/administer-cluster/safely-drain-node/)
-before restarting kubelet.
+
+If you are running Kubernetes v1.25, refer to the v1.25 version of this task page:
+[Configure a Security Context for a Pod or Container](https://v1-25.docs.kubernetes.io/docs/tasks/configure-pod-container/security-context/) (v1.25).  
+There is an important note in that documentation about a situation where the kubelet
+can lose track of volume labels after restart. This deficiency has been fixed
+in Kubernetes 1.26.
 {{< /note >}}
 
 ## Discussion

From a6d1ec99df27b35d04c84084533d9f9b6fe989be Mon Sep 17 00:00:00 2001
From: Daniel Vega-Myhre <105610547+danielvegamyhre@users.noreply.github.com>
Date: Mon, 3 Apr 2023 07:59:51 -0700
Subject: [PATCH 090/272] Add docs for mutable scheduling directives on gated
 Pods (#40000)

* initial commit

* address comments

* Update content/en/docs/concepts/scheduling-eviction/pod-scheduling-readiness.md

Co-authored-by: Aldo Culquicondor <1299064+alculquicondor@users.noreply.github.com>

* adjust phrasing

* Update content/en/docs/concepts/scheduling-eviction/pod-scheduling-readiness.md

Co-authored-by: Qiming Teng 

* Update content/en/docs/concepts/scheduling-eviction/pod-scheduling-readiness.md

Co-authored-by: Qiming Teng 

---------

Co-authored-by: Aldo Culquicondor <1299064+alculquicondor@users.noreply.github.com>
Co-authored-by: Qiming Teng 
---
 .../pod-scheduling-readiness.md               | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/content/en/docs/concepts/scheduling-eviction/pod-scheduling-readiness.md b/content/en/docs/concepts/scheduling-eviction/pod-scheduling-readiness.md
index 07064386701..6146cd23d9f 100644
--- a/content/en/docs/concepts/scheduling-eviction/pod-scheduling-readiness.md
+++ b/content/en/docs/concepts/scheduling-eviction/pod-scheduling-readiness.md
@@ -89,6 +89,32 @@ The metric `scheduler_pending_pods` comes with a new label `"gated"` to distingu
 has been tried scheduling but claimed as unschedulable, or explicitly marked as not ready for
 scheduling. You can use `scheduler_pending_pods{queue="gated"}` to check the metric result.
 
+## Mutable Pod Scheduling Directives
+
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
+
+You can mutate scheduling directives of Pods while they have scheduling gates, with certain constraints.
+At a high level, you can only tighten the scheduling directives of a Pod. In other words, the updated 
+directives would cause the Pods to only be able to be scheduled on a subset of the nodes that it would 
+previously match. More concretely, the rules for updating a Pod's scheduling directives are as follows:
+
+1. For `.spec.nodeSelector`, only additions are allowed. If absent, it will be allowed to be set.
+
+2. For `spec.affinity.nodeAffinity`, if nil, then setting anything is allowed.
+
+3. If `NodeSelectorTerms` was empty, it will be allowed to be set.
+   If not empty, then only additions of `NodeSelectorRequirements` to `matchExpressions`
+   or `fieldExpressions` are allowed, and no changes to existing `matchExpressions`
+   and `fieldExpressions` will be allowed. This is because the terms in
+   `.requiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms`, are ORed
+   while the expressions in `nodeSelectorTerms[].matchExpressions` and 
+   `nodeSelectorTerms[].fieldExpressions` are ANDed. 
+
+4. For `.preferredDuringSchedulingIgnoredDuringExecution`, all updates are allowed.
+   This is because preferred terms are not authoritative, and so policy controllers
+   don't validate those terms.
+
+
 ## {{% heading "whatsnext" %}}
 
 * Read the [PodSchedulingReadiness KEP](https://github.com/kubernetes/enhancements/blob/master/keps/sig-scheduling/3521-pod-scheduling-readiness) for more details

From 27460b23fa05b73697a1436fe02d65923067a910 Mon Sep 17 00:00:00 2001
From: Tim Allclair 
Date: Mon, 3 Apr 2023 08:23:51 -0700
Subject: [PATCH 091/272] AdmissionWebhookMatchConditions feature documentation
 (#40058)

* AdmissionWebhookMatchConditions feature documentation

* #squash ivelichkovich feedback

* #squash sftim feedback

* Correct statement about request.object

* #squash: sftim feedback

* #squash jpbetz feedback

* #squash: denied function removed

* #squash fix match conditions example

* #squash fix expression quoting

* #squash scope authorizatoin check example

* #squash separate RBAC webhook example

* #squash sftim feedback

* #squash add shared client config for example

* Don't use yaml anchors in example
---
 .../extensible-admission-controllers.md       | 44 ++++++++++++++++-
 .../feature-gates.md                          |  2 +
 .../admission-webhook-match-conditions.yaml   | 47 +++++++++++++++++++
 3 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 content/en/examples/access/admission-webhook-match-conditions.yaml

diff --git a/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md b/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md
index da59b907c48..aa1a61b2e38 100644
--- a/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md
+++ b/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md
@@ -719,6 +719,49 @@ webhooks:
 
 The `matchPolicy` for an admission webhooks defaults to `Equivalent`.
 
+### Matching requests: `matchConditions`
+
+{{< feature-state state="alpha" for_k8s_version="v1.27" >}}
+
+{{< note >}}
+Use of `matchConditions` requires the [featuregate](/docs/reference/command-line-tools-reference/feature-gates/)
+`AdmissionWebhookMatchConditions` to be explicitly enabled on the kube-apiserver before this feature can be used.
+{{< /note >}}
+
+You can define _match conditions_for webhooks if you need fine-grained request filtering. These
+conditions are useful if you find that match rules, `objectSelectors` and `namespaceSelectors` still
+doesn't provide the filtering you want over when to call out over HTTP. Match conditions are
+[CEL expressions](/docs/reference/using-api/cel/). All match conditions must evaluate to true for the
+webhook to be called.
+
+Here is an example illustrating a few different uses for match conditions:
+
+{{< codenew file="access/admission-webhook-match-conditions.yaml" >}}
+
+Match conditions have access to the following CEL variables:
+
+- `object` - The object from the incoming request. The value is null for DELETE requests. The object
+  version may be converted based on the [matchPolicy](#matching-requests-matchpolicy).
+- `oldObject` - The existing object. The value is null for CREATE requests.
+- `request` - The request portion of the [AdmissionReview](#request), excluding `object` and `oldObject`.
+- `authorizer` - A CEL Authorizer. May be used to perform authorization checks for the principal
+  (authenticated user) of the request. See
+  [Authz](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz) in the Kubernetes CEL library
+  documentation for more details.
+- `authorizer.requestResource` - A shortcut for an authorization check configured with the request
+  resource (group, resource, (subresource), namespace, name).
+
+For more information on CEL expressions, refer to the
+[Common Expression Language in Kubernetes reference](/docs/reference/using-api/cel/).
+
+In the event of an error evaluating a match condition the webhook is never called. Whether to reject
+the request is determined as follows:
+
+1. If **any** match condition evaluated to `false` (regardless of other errors), the API server skips the webhook.
+2. Otherwise:
+    - for [`failurePolicy: Fail`](#failure-policy), reject the request (without calling the webhook).
+    - for [`failurePolicy: Ignore`](#failure-policy), proceed with the request but skip the webhook.
+
 ### Contacting the webhook
 
 Once the API server has determined a request should be sent to a webhook,
@@ -1175,4 +1218,3 @@ cause the control plane components to stop functioning or introduce unknown beha
 If your admission webhooks don't intend to modify the behavior of the Kubernetes control
 plane, exclude the `kube-system` namespace from being intercepted using a
 [`namespaceSelector`](#matching-requests-namespaceselector).
-
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 10c32102134..7741defbe86 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -56,6 +56,7 @@ For a reference to old feature gates that are removed, please refer to
 
 | Feature | Default | Stage | Since | Until |
 |---------|---------|-------|-------|-------|
+| `AdmissionWebhookMatchConditions` | Alpha | `false` | 1.27 | |
 | `APIListChunking` | `false` | Alpha | 1.8 | 1.8 |
 | `APIListChunking` | `true` | Beta | 1.9 | |
 | `APIPriorityAndFairness` | `false` | Alpha | 1.18 | 1.19 |
@@ -385,6 +386,7 @@ A *General Availability* (GA) feature is also referred to as a *stable* feature.
 
 Each feature gate is designed for enabling/disabling a specific feature:
 
+- `AdmissionWebhookMatchConditions`: Enable [match conditions](/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions) on mutating & validating admission webhooks.
 - `APIListChunking`: Enable the API clients to retrieve (`LIST` or `GET`)
   resources from API server in chunks.
 - `APIPriorityAndFairness`: Enable managing request concurrency with
diff --git a/content/en/examples/access/admission-webhook-match-conditions.yaml b/content/en/examples/access/admission-webhook-match-conditions.yaml
new file mode 100644
index 00000000000..96705289a95
--- /dev/null
+++ b/content/en/examples/access/admission-webhook-match-conditions.yaml
@@ -0,0 +1,47 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+webhooks:
+- name: my-webhook.example.com
+  matchPolicy: Equivalent
+  rules:
+  - operations: ['CREATE','UPDATE']
+    apiGroups: ['*']
+    apiVersions: ['*']
+    resources: ['*']
+  failurePolicy: 'Ignore' # Fail-open (optional)
+  sideEffects: None
+  clientConfig:
+    service:
+      namespace: my-namespace
+      name: my-webhook
+    caBundle: ''
+  matchConditions:
+  - name: 'exclude-leases' # Each match condition must have a unique name
+    expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # Match non-lease resources.
+  - name: 'exclude-kubelet-requests'
+    expression: '!("system:nodes" in request.userInfo.groups)' # Match requests made by non-node users.
+  - name: 'rbac' # Skip RBAC requests, which are handled by the second webhook.
+    expression: 'request.resource.group != "rbac.authorization.k8s.io"'
+
+# This example illustrates the use of the 'authorizer'. The authorization check is more expensive
+# than a simple expression, so in this example it is scoped to only RBAC requests by using a second
+# webhook. Both webhooks can be served by the same endpoint.
+- name: rbac.my-webhook.example.com
+  matchPolicy: Equivalent
+  rules:
+  - operations: ['CREATE','UPDATE']
+    apiGroups: ['rbac.authorization.k8s.io']
+    apiVersions: ['*']
+    resources: ['*']
+  failurePolicy: 'Fail' # Fail-closed (the default)
+  sideEffects: None
+  clientConfig:
+    service:
+      namespace: my-namespace
+      name: my-webhook
+    caBundle: ''
+  matchConditions:
+  - name: 'breakglass'
+    # Skip requests made by users authorized to 'breakglass' on this webhook.
+    # The 'breakglass' API verb does not need to exist outside this check.
+    expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("my-webhook.example.com").check("breakglass").allowed()'

From cf37b594f24d1e7167687651f1c743816975428f Mon Sep 17 00:00:00 2001
From: Joe Betz 
Date: Mon, 3 Apr 2023 08:55:52 -0700
Subject: [PATCH 092/272] KEP-3488 ValidatingAdmissionPolicy: Enforcement
 actions, audit annotations, and secondary authz (#40098)

* Document auditAnnotations, validationActions and authorizer

* Apply suggestions from code review

Co-authored-by: Qiming Teng 

* Apply suggestions from code review

Co-authored-by: Tim Allclair 

* Apply feedback

---------

Co-authored-by: Qiming Teng 
Co-authored-by: Tim Allclair 
---
 .../validating-admission-policy.md            | 61 +++++++++++++++++++
 .../audit-annotations.md                      | 22 +++++++
 .../audit-event-with-audit-annotation.yaml    | 12 ++++
 ...ing-admission-policy-audit-annotation.yaml | 15 +++++
 4 files changed, 110 insertions(+)
 create mode 100644 content/en/examples/access/audit-event-with-audit-annotation.yaml
 create mode 100644 content/en/examples/access/validating-admission-policy-audit-annotation.yaml

diff --git a/content/en/docs/reference/access-authn-authz/validating-admission-policy.md b/content/en/docs/reference/access-authn-authz/validating-admission-policy.md
index 6342fd3994e..86565e42e98 100644
--- a/content/en/docs/reference/access-authn-authz/validating-admission-policy.md
+++ b/content/en/docs/reference/access-authn-authz/validating-admission-policy.md
@@ -92,6 +92,7 @@ metadata:
   name: "demo-binding-test.example.com"
 spec:
   policyName: "demo-policy.example.com"
+  validationActions: [Deny]
   matchResources:
     namespaceSelector:
       matchLabels:
@@ -107,6 +108,37 @@ ValidatingAdmissionPolicy 'demo-policy.example.com' with binding 'demo-binding-t
 
 The above provides a simple example of using ValidatingAdmissionPolicy without a parameter configured.
 
+#### Validation actions
+
+Each `ValidatingAdmissionPolicyBinding` must specify one or more
+`validationActions` to declare how `validations` of a policy are enforced.
+
+The supported `validationActions` are:
+
+- `Deny`: Validation failure results in a denied request.
+- `Warn`: Validation failure is reported to the request client
+  as a [warning](/blog/2020/09/03/warnings/).
+- `Audit`: Validation failure is included in the audit event for the API request.
+
+For example, to both warn clients about a validation failure and to audit the
+validation failures, use:
+
+```yaml
+validationActions: [Warn, Audit]
+```
+
+`Deny` and `Warn` may not be used together since this combination
+needlessly duplicates the validation failure both in the
+API response body and the HTTP warning headers.
+
+A `validation` that evaluates to false is always enforced according to these
+actions. Failures defined by the `failurePolicy` are enforced
+according to these actions only if the `failurePolicy` is set to `Fail` (or unset),
+otherwise the failures are ignored.
+
+See [Audit Annotations: validation falures](/docs/reference/labels-annotations-taints/audit-annotations/#validation-policy-admission-k8s-io-validation_failure)
+for more details about the validation failure audit annotation.
+
 #### Parameter resources
 
 Parameter resources allow a policy configuration to be separate from its definition. 
@@ -159,6 +191,7 @@ metadata:
   name: "replicalimit-binding-test.example.com"
 spec:
   policyName: "replicalimit-policy.example.com"
+  validationActions: [Deny]
   paramRef:
     name: "replica-limit-test.example.com"
   matchResources:
@@ -188,6 +221,7 @@ metadata:
   name: "replicalimit-binding-nontest"
 spec:
   policyName: "replicalimit-policy.example.com"
+  validationActions: [Deny]
   paramRef:
     name: "replica-limit-clusterwide.example.com"
   matchResources:
@@ -219,6 +253,7 @@ metadata:
   name: "replicalimit-binding-global"
 spec:
   policyName: "replicalimit-policy.example.com"
+  validationActions: [Deny]
   params: "replica-limit-clusterwide.example.com"
   matchResources:
     namespaceSelector:
@@ -299,6 +334,12 @@ variables as well as some other useful variables:
 - 'request' - Attributes of the [admission request](/docs/reference/config-api/apiserver-admission.v1/#admission-k8s-io-v1-AdmissionRequest).
 - 'params' - Parameter resource referred to by the policy binding being evaluated. The value is
   null if `ParamKind` is unset.
+- `authorizer` - A CEL Authorizer. May be used to perform authorization checks for the principal
+  (authenticated user) of the request. See
+  [Authz](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz) in the Kubernetes CEL library
+  documentation for more details.
+- `authorizer.requestResource` - A shortcut for an authorization check configured with the request
+  resource (group, resource, (subresource), namespace, name).
 	
 The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from
 the root of the object. No other metadata properties are accessible.
@@ -386,3 +427,23 @@ the request is determined as follows:
 2. Otherwise:
   - for [`failurePolicy: Fail`](#failure-policy), reject the request (without evaluating the policy).
   - for [`failurePolicy: Ignore`](#failure-policy), proceed with the request but skip the policy.
+
+### Audit annotations
+
+`auditAnnotations` may be used to include audit annotations in the audit event of the API request.
+
+For example, here is an admission policy with an audit annotation:
+
+{{< codenew file="access/validating-admission-policy-audit-annotation.yaml" >}}
+
+When an API request is validated with this admission policy, the resulting audit event will look like:
+
+{{< codenew file="access/audit-event-with-audit-annotation.yaml" >}}
+
+In this example the annotation will only be included if the `spec.replicas` of the Deployment is more than
+50, otherwise the CEL expression evalutes to null and the annotation will not be included.
+
+Note that audit annotation keys are prefixed by the name of the `ValidatingAdmissionWebhook` and a `/`. If
+another admission controller, such as an admission webhook, uses the exact same audit annotation key, the 
+value of the first admission controller to include the audit annotation will be included in the audit
+event and all other values will be ignored.
\ No newline at end of file
diff --git a/content/en/docs/reference/labels-annotations-taints/audit-annotations.md b/content/en/docs/reference/labels-annotations-taints/audit-annotations.md
index f950c6457e2..7c076132058 100644
--- a/content/en/docs/reference/labels-annotations-taints/audit-annotations.md
+++ b/content/en/docs/reference/labels-annotations-taints/audit-annotations.md
@@ -108,3 +108,25 @@ to ensure connections are secured properly and to avoid disruption in future rel
 
 There's more information about this in the Go documentation:
 [Rejecting SHA-1 certificates](https://go.dev/doc/go1.18#sha1).
+
+## validation.policy.admission.k8s.io/validation_failure
+
+Example: `validation.policy.admission.k8s.io/validation_failure: '[{"message": "Invalid value", {"policy": "policy.example.com", {"binding": "policybinding.example.com", {"expressionIndex": "1", {"validationActions": ["Audit"]}]'`
+
+Used by Kubernetes version v1.27 and later.
+
+This annotation indicates that a admission policy validation evaluted to false
+for an API request, or that the validation resulted in an error while the policy
+was configured with `failurePolicy: Fail`.
+
+The value of the annotation is a JSON object. The `message` in the JSON
+provides the message about the validation failure.
+
+The `policy`, `binding` and `expressionIndex` in the JSON identifies the
+name of the `ValidatingAdmissionPolicy`, the name of the
+`ValidatingAdmissionPolicyBinding` and the index in the policy `validations` of
+the CEL expressions that failed, respectively.
+
+The `validationActions` shows what actions were taken for this validation failure.
+See [Validating Admission Policy](/docs/reference/access-authn-authz/validating-admission-policy/)
+for more details about `validationActions`.
diff --git a/content/en/examples/access/audit-event-with-audit-annotation.yaml b/content/en/examples/access/audit-event-with-audit-annotation.yaml
new file mode 100644
index 00000000000..6d947745d4b
--- /dev/null
+++ b/content/en/examples/access/audit-event-with-audit-annotation.yaml
@@ -0,0 +1,12 @@
+# the audit event recorded
+{
+    "kind": "Event",
+    "apiVersion": "audit.k8s.io/v1",
+    "annotations": {
+        "demo-policy.example.com/high-replica-count": "Deployment spec.replicas set to 128"
+        # other annotations
+        ...
+    }
+    # other fields
+    ...
+}
diff --git a/content/en/examples/access/validating-admission-policy-audit-annotation.yaml b/content/en/examples/access/validating-admission-policy-audit-annotation.yaml
new file mode 100644
index 00000000000..378fa97247a
--- /dev/null
+++ b/content/en/examples/access/validating-admission-policy-audit-annotation.yaml
@@ -0,0 +1,15 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "demo-policy.example.com"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+    - key: "high-replica-count"
+      valueExpression: "object.spec.replicas > 50 ? 'Deployment spec.replicas set to ' + string(object.spec.replicas) : null"

From 0d862b9afe63486f18f804efa6847b19445c6844 Mon Sep 17 00:00:00 2001
From: Jiahui Feng 
Date: Wed, 22 Mar 2023 13:42:53 -0700
Subject: [PATCH 093/272] message expression and type checking.

---
 .../validating-admission-policy.md            | 120 +++++++++++++++++-
 .../access/deployment-replicas-policy.yaml    |  20 +++
 2 files changed, 139 insertions(+), 1 deletion(-)
 create mode 100644 content/en/examples/access/deployment-replicas-policy.yaml

diff --git a/content/en/docs/reference/access-authn-authz/validating-admission-policy.md b/content/en/docs/reference/access-authn-authz/validating-admission-policy.md
index 86565e42e98..ffb7f96965c 100644
--- a/content/en/docs/reference/access-authn-authz/validating-admission-policy.md
+++ b/content/en/docs/reference/access-authn-authz/validating-admission-policy.md
@@ -446,4 +446,122 @@ In this example the annotation will only be included if the `spec.replicas` of t
 Note that audit annotation keys are prefixed by the name of the `ValidatingAdmissionWebhook` and a `/`. If
 another admission controller, such as an admission webhook, uses the exact same audit annotation key, the 
 value of the first admission controller to include the audit annotation will be included in the audit
-event and all other values will be ignored.
\ No newline at end of file
+event and all other values will be ignored.
+
+### Message expression
+
+To return a more friendly message when the policy rejects a request, we can use a CEL expression
+to composite a message with `spec.validations[i].messageExpression`. Similar to the validation expression,
+a message expression has access to `object`, `oldObject`, `request`, and `params`. Unlike validations,
+message expression must evaluate to a string.
+
+For example, to better inform the user of the reason of denial when the policy refers to a parameter,
+we can have the following validation:
+
+{{< codenew file="access/deployment-replicas-policy.yaml" >}}
+
+After creating a params object that limits the replicas to 3 and setting up the binding,
+when we try to create a deployment with 5 replicas, we will receive the following message.
+
+```
+$ kubectl create deploy --image=nginx nginx --replicas=5
+error: failed to create deployment: deployments.apps "nginx" is forbidden: ValidatingAdmissionPolicy 'deploy-replica-policy.example.com' with binding 'demo-binding-test.example.com' denied request: object.spec.replicas must be no greater than 3
+```
+
+This is more informative than a static message of "too many replicas".
+
+The message expression takes precedence over the static message defined in `spec.validations[i].message` if both are defined.
+However, if the message expression fails to evaluate, the static message will be used instead.
+Additionally, if the message expression evaluates to a multi-line string,
+the evaluation result will be discarded and the static message will be used if present.
+Note that static message is validated against multi-line strings.
+
+### Type checking
+
+When a policy definition is created or updated, the validation process parses the expressions it contains
+and reports any syntax errors, rejecting the definition if any errors are found. 
+Afterward, the referred variables are checked for type errors, including missing fields and type confusion,
+against the matched types of `spec.matchConstraints`.
+The result of type checking can be retrieved from `status.typeChecking`.
+The presence of `status.typeChecking` indicates the completion of type checking,
+and an empty `status.typeChecking` means that no errors were detected.
+
+For example, given the following policy definition:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "deploy-replica-policy.example.com"
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+  - expression: "object.replicas > 1" # should be "object.spec.replicas > 1"
+    message: "must be replicated"
+    reason: Invalid
+```
+
+The status will yield the following information:
+
+```yaml
+status:
+  typeChecking:
+    expressionWarnings:
+    - fieldRef: spec.validations[0].expression
+      warning: |-
+        apps/v1, Kind=Deployment: ERROR: :1:7: undefined field 'replicas'
+         | object.replicas > 1
+         | ......^
+```
+
+If multiple resources are matched in `spec.matchConstraints`, all of matched resources will be checked against.
+For example, the following policy definition 
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "replica-policy.example.com"
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets"]
+  validations:
+  - expression: "object.replicas > 1" # should be "object.spec.replicas > 1"
+    message: "must be replicated"
+    reason: Invalid
+```
+
+will have multiple types and type checking result of each type in the warning message.
+
+```yaml
+status:
+  typeChecking:
+    expressionWarnings:
+    - fieldRef: spec.validations[0].expression
+      warning: |-
+        apps/v1, Kind=Deployment: ERROR: :1:7: undefined field 'replicas'
+         | object.replicas > 1
+         | ......^
+        apps/v1, Kind=ReplicaSet: ERROR: :1:7: undefined field 'replicas'
+         | object.replicas > 1
+         | ......^
+```
+
+Type Checking has the following limitation:
+
+- No wildcard matching. If `spec.matchConstraints.resourceRules` contains `"*"` in any of `apiGroups`, `apiVersions` or `resources`,
+  the types that `"*"` matches will not be checked.
+- The number of matched types is limited to 10. This is to prevent a policy that manually specifying too many types.
+  to consume excessive computing resources. In the order of ascending group, version, and then resource, 11th combination and beyond are ignored.
+- Type Checking does not affect the policy behavior in any way. Even if the type checking detects errors, the policy will continue
+  to evaluate. If errors do occur during evaluate, the failure policy will decide its outcome.
+- Type Checking does not apply to CRDs, including matched CRD types and reference of paramKind. The support for CRDs will come in future release.
\ No newline at end of file
diff --git a/content/en/examples/access/deployment-replicas-policy.yaml b/content/en/examples/access/deployment-replicas-policy.yaml
new file mode 100644
index 00000000000..23c04fff621
--- /dev/null
+++ b/content/en/examples/access/deployment-replicas-policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "deploy-replica-policy.example.com"
+spec:
+  paramKind:
+    group: rules.example.com
+    kind: ReplicaLimit
+    version: v1
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+  - expression: "object.spec.replicas <= params.maxReplicas"
+    messageExpression: "'object.spec.replicas must be no greater than ' + string(params.maxReplicas)"
+    reason: Invalid
+

From 60ea174553f53c0426c3fd5a80fe0a9bbda83748 Mon Sep 17 00:00:00 2001
From: harshitasao 
Date: Tue, 4 Apr 2023 01:08:13 +0530
Subject: [PATCH 094/272] made the required changes

---
 .../_posts/2023-04-11-kubernetes-1.27-blog.md | 76 +++++++++++--------
 1 file changed, 46 insertions(+), 30 deletions(-)

diff --git a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
index ba5b715e07b..7d933b4119d 100644
--- a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
+++ b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
@@ -55,26 +55,48 @@ If enabled, the kubelet will use the `RuntimeDefault` seccomp profile by default
 
 You can find more detailed information about a possible upgrade and downgrade strategy in the related Kubernetes Enhancement Proposal (KEP): [Enable seccomp by default](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2413-seccomp-by-default).
 
+## Mutable scheduling directives for Jobs graduates to GA
+
+This was introduced in v1.22 and started as a beta level, now it's stable. In most cases a parallel job will want the pods to run with constraints, like all in the same zone, or all either on GPU model x or y but not a mix of both. The `suspend` field is the first step towards achieving those semantics. `suspend` allows a custom queue controller to decide when a job should start. However, once a job is unsuspended, a custom queue controller has no influence on where the pods of a job will actually land.
+
+This feature allows updating a Job's scheduling directives before it starts, which gives custom queue controllers
+the ability to influence pod placement while at the same time offloading actual pod-to-node assignment to
+kube-scheduler. This is allowed only for suspended Jobs that have never been unsuspended before.
+The fields in a Job's pod template that can be updated are node affinity, node selector, tolerations, labels
+and annotations and [scheduling gates](/docs/concepts/scheduling-eviction/pod-scheduling-readiness/).
+Find more details in the KEP:
+[Allow updating scheduling directives of jobs](https://github.com/kubernetes/enhancements/tree/master/keps/sig-scheduling/2926-job-mutable-scheduling-directives).
+
+## DownwardAPIHugePages graduates to stable 
+
+In Kubernetes v1.20, support for `requests.hugepages-` and `limits.hugepages-` was added
+to the [downward API](/docs/concepts/workloads/pods/downward-api/) to be consistent with other resources like cpu, memory, and ephemeral storage.
+This feature graduates to stable in this release. You can find more details in the KEP:
+[Downward API HugePages](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2053-downward-api-hugepages).
+
 ## Pod Scheduling Readiness goes to beta 
 
-Pods were considered ready for scheduling once created. Kubernetes scheduler does its due diligence to find nodes to place all pending Pods. However, in a real-world case, some Pods may stay in a "miss-essential-resources" state for a long period. These Pods actually churn the scheduler (and downstream integrators like Cluster AutoScaler) in an unnecessary manner.
+Pods were considered ready for scheduling once created. Kubernetes scheduler does its due diligence to find nodes to place all pending Pods. However, in a real-world case, some Pods may stay in a _missing-essential-resources_ state for a long period. These Pods actually churn the scheduler (and downstream integrators like Cluster Autoscaler) in an unnecessary manner.
 
 By specifying/removing a Pod's `.spec.schedulingGates`, you can control when a Pod is ready to be considered for scheduling.
 
 The `schedulingGates` field contains a list of strings, and each string literal is perceived as a criteria that Pod should be satisfied before considered schedulable. This field can be initialized only when a Pod is created (either by the client, or mutated during admission). After creation, each schedulingGate can be removed in an arbitrary order, but addition of a new scheduling gate is disallowed.
 
-## Node Service Log Viewer
+## Node log access via Kubernetes API
 
 This feature helps cluster administrators debug issues with services running on nodes by allowing them to query service logs. To use the feature, ensure that the `NodeLogQuery` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled for that node, and that the kubelet configuration options `enableSystemLogHandler` and `enableSystemLogQuery` are both set to true. 
-On Linux, we assume that service logs are available via journald. On Windows, we assume that service logs are available in the application log provider. Logs are also available in the `/var/log/` and `C:\var\log` directories on Linux and Windows, respectively.
+On Linux, we assume that service logs are available via journald. On Windows, we assume that service logs are available in the application log provider. You can also fetch logs from the `/var/log/` and `C:\var\log` directories on Linux and Windows, respectively.
 
 A cluster administrator can try out this alpha feature on all their nodes, or on just a subset.
 
-## ReadWriteOncePod PersistentVolume Access Mode goes to beta 
+## ReadWriteOncePod PersistentVolume access mode goes to beta 
 
 ReadWriteOncePod is a new access mode for [PersistentVolumes](/docs/concepts/storage/persistent-volumes/#persistent-volumes) (PVs) and [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) (PVCs) introduced in Kubernetes v1.22. This access mode enables you to restrict volume access to a single pod in the cluster, ensuring that only one pod can write to the volume at a time. This can be particularly useful for stateful workloads that require single-writer access to storage.
 
-The ReadWriteOncePod beta adds support for [scheduler preemption](/docs/concepts/scheduling-eviction/pod-priority-preemption/) of pods using ReadWriteOncePod PVCs. Scheduler preemption allows higher-priority pods to preempt lower-priority pods, so that they can start running on the same node. With this release, pods using ReadWriteOncePod PVCs can also be preempted if a higher-priority pod requires the same PVC. For more context [see here](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2485-read-write-once-pod-pv-access-mode).
+The ReadWriteOncePod beta adds support for [scheduler preemption](/docs/concepts/scheduling-eviction/pod-priority-preemption/)
+of pods that use ReadWriteOncePod PVCs.
+Scheduler preemption allows higher-priority pods to preempt lower-priority pods, for example when a pod (A) with a ReadWriteOncePod PVC is scheduled, and if another pod (B) is found using the same PVC and pod (A) has higher priority, the scheduler will return an "Unschedulable" status and attempt to preempt pod (B).
+For more context, see the KEP: [ReadWriteOncePod PersistentVolume AccessMode](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2485-read-write-once-pod-pv-access-mode).
 
 
 ## Respect PodTopologySpread after rolling upgrades
@@ -84,59 +106,53 @@ The ReadWriteOncePod beta adds support for [scheduler preemption](/docs/concepts
 With `matchLabelKeys`, users don't need to update the `pod.spec` between different revisions. The controller/operator just needs to set different values to the same `label` key for different revisions. The scheduler will assume the values automatically based on `matchLabelKeys`. For example, if users use Deployment, they can use the label keyed with `pod-template-hash`, which is added automatically by the Deployment controller, to distinguish between different revisions in a single Deployment.
 
 
-## Speed up SELinux volume relabeling using mounts
+## Faster SELinux volume relabeling using mounts
 
 In this release, how SELinux labels are applied to volumes used by Pods is graduating to beta. This feature speeds up container startup by mounting volumes with the correct SELinux label instead of changing each file on the volumes recursively. Linux kernel with SELinux support allows the first mount of a volume to set SELinux label on the whole volume using `-o context=` mount option. This way, all files will have assigned the given label in a constant time, without recursively walking through the whole volumes.
 
-`context` mount option cannot be applied to bind-mounts or re-mounts of already mounted volumes. Since it's a CSI driver that does the first mount of a volume, it must be the CSI driver who actually applies this mount option. We added a new field `SELinuxMount` to CSI Driver object, so CSI drivers can announce if they support `-o context` mount option.
+The `context` mount option cannot be applied to bind mounts or re-mounts of already mounted volumes.
+For CSI storage, a CSI driver does the first mount of a volume, and so it must be the CSI driver that actually
+applies this mount option. We added a new field `SELinuxMount` to CSIDriver objects, so that drivers can
+announce whether they support the `-o context` mount option.
 
-If Kubernetes knows SELinux label of a Pod **and** CSI driver responsible for a pod's volume announces `SELinuxMount: true` **and** the volume has Access Mode `ReadWriteOncePod`, then it will ask the CSI driver to mount the volume with mount option `context=` **and** it will tell the container runtime not to relabel content of the volume - all files already have the right label. Get more information on the KEP: [Speed up SELinux volume relabeling using mounts](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling)
+If Kubernetes knows the SELinux label of a Pod **and** the  CSI driver responsible for a pod's volume
+announces `SELinuxMount: true` **and** the volume has Access Mode `ReadWriteOncePod`, then it
+will ask the CSI driver to mount the volume with mount option `context=` **and** it will tell the container
+runtime not to relabel content of the volume (because all files already have the right label).
+Get more information on this from the KEP: [Speed up SELinux volume relabeling using mounts](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling).
 
 ## Robust VolumeManager reconstruction goes to beta
 
-This is a VolumeManager refactoring that allows kubelet to populate additional information about how existing volumes are mounted during the kubelet startup. In general, this makes volume cleanup more robust. 
-By adding `NewVolumeManagerReconstruction` feature gate and enabling it by default to enable improved discovery of mounted volumes during kubelet startup.
+This is a volume manager refactoring that allows the kubelet to populate additional information about how
+existing volumes are mounted during the kubelet startup. In general, this makes volume cleanup more robust. 
+By adding `NewVolumeManagerReconstruction` feature gate and enabling it by default will enhance the discovery of mounted volumes during kubelet startup.
 
 Before Kubernetes v1.25, the kubelet used different default behavior for discovering mounted volumes during the kubelet startup. If you disable this feature gate (it's enabled by default), you select the legacy discovery behavior.
 
 In Kubernetes v1.25 and v1.26, this behavior toggle was part of the `SELinuxMountReadWriteOncePod` feature gate.
 
-## `JobMutableNodeSchedulingDirectives` graduates to GA
-
-This was introduced in v1.22 and started as a beta level, now it's stable. In most cases a parallel job will want the pods to run with constraints, like all in the same zone, or all either on GPU model x or y but not a mix of both. The `suspend` field is the first step towards achieving those semantics. `suspend` allows a custom queue controller to decide when a job should start. However, once a job is unsuspended, a custom queue controller has no influence on where the pods of a job will actually land.
-
-This feature allows updating a Job's scheduling directives before it starts, which gives custom queue controllers the ability to influence pod placement while at the same time offloading actual pod-to-node assignment to kube-scheduler. This is allowed only for suspended Jobs that have never been unsuspended before. The fields in a Job's pod template that can be updated are node affinity, node selector, tolerations, labels and annotations and [scheduling gates](/docs/concepts/scheduling-eviction/pod-scheduling-readiness/). Find more details in KEP: [Allow updating scheduling directives of jobs](https://github.com/kubernetes/enhancements/tree/master/keps/sig-scheduling/2926-job-mutable-scheduling-directives)
-
 ## Mutable Pod Scheduling Directives goes to beta
 
 This allows mutating a pod that is blocked on a scheduling readiness gate with a more constrained node affinity/selector. It gives the ability to mutate a pods scheduling directives before it is allowed to be scheduled, and gives an external resource controller the ability to influence pod placement while at the same time offload actual pod-to-node assignment to kube-scheduler.
 
 This opens the door for a new pattern of adding scheduling features to Kubernetes.  Specifically, building lightweight schedulers that implement features not supported by kube-scheduler, while relying on the existing kube-scheduler to support all upstream features and handle the pod-to-node binding. This pattern should be the preferred one if the custom feature doesn't require implementing a schedule plugin, which entails re-building and maintaining a custom kube-scheduler binary.
 
-## DownwardAPIHugePages graduates to stable 
+## Feature graduations and deprecations in Kubernetes v1.27
+### Graduations to stable
 
-In kubernetes v1.20, support for `requests.hugepages-` and `limits.hugepages-` was added to the downward API to be consistent with other resources like cpu, memory, and ephemeral storage. This feature graduates to stable in this release. You can find more details in the KEP: [Downward API HugePages](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2053-downward-api-hugepages).
+This release includes a total of 9 enhancements promoted to Stable:
 
-# Other Updates
-## Graduations to stable
-
-This release includes a total of thirteen enhancements promoted to Stable:
-
-* [Mutable scheduling directives for suspended Jobs](https://github.com/kubernetes/enhancements/issues/2926)
-* [Add downward API support for hugepages](https://github.com/kubernetes/enhancements/issues/2053)
-* [Kubelet option to enable seccomp by default](https://github.com/kubernetes/enhancements/issues/2413)
 * [Default container annotation that to be used by kubectl](https://github.com/kubernetes/enhancements/issues/2227)
 * [TimeZone support in CronJob](https://github.com/kubernetes/enhancements/issues/3140)
 * [Expose metrics about resource requests and limits that represent the pod model](https://github.com/kubernetes/enhancements/issues/1748)
 * [Server Side Unknown Field Validation](https://github.com/kubernetes/enhancements/issues/2885)
 * [Node Topology Manager](https://github.com/kubernetes/enhancements/issues/693)
-* [Freeze k8s.gcr.io image registry](https://github.com/kubernetes/enhancements/issues/3720)
 * [Add gRPC probe to Pod.Spec.Container.{Liveness,Readiness,Startup} Probe](https://github.com/kubernetes/enhancements/issues/2727)
 * [Add configurable grace period to probes](https://github.com/kubernetes/enhancements/issues/2238)
 * [OpenAPI v3](https://github.com/kubernetes/enhancements/issues/2896)
-* [Stay on supported go versions](https://github.com/kubernetes/enhancements/issues/3744)
+* [Stay on supported Go versions](https://github.com/kubernetes/enhancements/issues/3744)
 
-## Deprecations and removals
+### Deprecations and removals
 
 This release saw several removals:
 
@@ -180,7 +196,7 @@ The [CNCF K8s DevStats](https://k8s.devstats.cncf.io/d/12/dashboards?orgId=1&ref
 
 In the v1.27 release cycle, which [ran for 14 weeks](https://github.com/kubernetes/sig-release/tree/master/releases/release-1.27) (January 9 to April 11), we saw contributions from [1020 companies](https://k8s.devstats.cncf.io/d/9/companies-table?orgId=1&var-period_name=v1.26.0%20-%20now&var-metric=contributions) and [1603 individuals](https://k8s.devstats.cncf.io/d/66/developer-activity-counts-by-companies?orgId=1&var-period_name=v1.26.0%20-%20now&var-metric=contributions&var-repogroup_name=Kubernetes&var-repo_name=kubernetes%2Fkubernetes&var-country_name=All&var-companies=All).
 
-## Upcoming Release Webinar
+## Upcoming release webinar
 
 Join members of the Kubernetes v1.27 release team on  to learn about the major features of this release, as well as deprecations and removals to help plan for upgrades. For more information and registration, visit the [event page](#) on the CNCF Online Programs site.
 

From e16de4e8bea60fe7aed1241f0ab2cdf759a8889a Mon Sep 17 00:00:00 2001
From: Aravindh Puthiyaparambil 
Date: Tue, 14 Mar 2023 13:59:35 -0700
Subject: [PATCH 095/272] KEP-2258: Node log query documentation

---
 .../cluster-administration/system-logs.md     | 47 +++++++++++++++++++
 .../feature-gates.md                          |  1 +
 2 files changed, 48 insertions(+)

diff --git a/content/en/docs/concepts/cluster-administration/system-logs.md b/content/en/docs/concepts/cluster-administration/system-logs.md
index 6e731ade02b..2c7e29ab548 100644
--- a/content/en/docs/concepts/cluster-administration/system-logs.md
+++ b/content/en/docs/concepts/cluster-administration/system-logs.md
@@ -231,6 +231,53 @@ Similar to the container logs, you should rotate system component logs in the `/
 In Kubernetes clusters created by the `kube-up.sh` script, log rotation is configured by the `logrotate` tool.
 The `logrotate` tool rotates logs daily, or once the log size is greater than 100MB.
 
+## Log query
+
+{{< feature-state for_k8s_version="v1.27" state="alpha" >}}
+
+To help with debugging issues on nodes, Kubernetes v1.27 introduced a feature that allows viewing logs of services
+running on the node. To use the feature, ensure that the `NodeLogQuery`
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled for that node, and that the
+kubelet configuration options `enableSystemLogHandler` and `enableSystemLogQuery` are both set to true. On Linux
+we assume that service logs are available via journald. On Windows we assume that service logs are available
+in the application log provider. On both operating systems, logs are also available by reading files within
+`/var/log/`.
+
+Provided you are authorized to interact with node objects, you can try out this alpha feature on all your nodes or
+just a subset. Here is an example to retrieve the kubelet service logs from a node:
+```shell
+# Fetch kubelet logs from a node named node-1.example
+kubectl get --raw "/api/v1/nodes/node-1.example/proxy/logs/?query=kubelet"
+```
+
+You can also fetch files, provided that the files are in a directory that the kubelet allows for log
+fetches. For example, you can fetch a log from `/var/log` on a Linux node:
+```shell
+kubectl get --raw "/api/v1/nodes//proxy/logs/?query=/"
+```
+
+The kubelet uses heuristics to retrieve logs. This helps if you are not aware whether a given system service is
+writing logs to the operating system's native logger like journald or to a log file in `/var/log/`. The heuristics
+first checks the native logger and if that is not available attempts to retrieve the first logs from
+`/var/log/` or `/var/log/.log` or `/var/log//.log`.
+
+The complete list of options that can be used are:
+
+Option | Description
+------ | -----------
+`boot` | boot show messages from a specific system boot
+`pattern` | pattern filters log entries by the provided PERL-compatible regular expression
+`query` | query specifies services(s) or files from which to return logs (required)
+`sinceTime` | an [RFC3339](https://www.rfc-editor.org/rfc/rfc3339) timestamp from which to show logs (inclusive)
+`untilTime` | an [RFC3339](https://www.rfc-editor.org/rfc/rfc3339) timestamp until which to show logs (inclusive)
+`tailLines` | specify how many lines from the end of the log to retrieve; the default is to fetch the whole log
+
+Example of a more complex query:
+```shell
+# Fetch kubelet logs from a node named node-1.example that have the word "error"
+kubectl get --raw "/api/v1/nodes/node-1.example/proxy/logs/?query=kubelet&pattern=error"
+```
+
 ## {{% heading "whatsnext" %}}
 
 * Read about the [Kubernetes Logging Architecture](/docs/concepts/cluster-administration/logging/)
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 626cc6931f6..b43a12359bb 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -151,6 +151,7 @@ For a reference to old feature gates that are removed, please refer to
 | `NetworkPolicyStatus` | `false` | Alpha | 1.24 |  |
 | `NodeInclusionPolicyInPodTopologySpread` | `false` | Alpha | 1.25 | 1.25 |
 | `NodeInclusionPolicyInPodTopologySpread` | `true` | Beta | 1.26 | |
+| `NodeLogQuery` | `false` | Alpha | 1.27 | |
 | `NodeOutOfServiceVolumeDetach` | `false` | Alpha | 1.24 | 1.25 |
 | `NodeOutOfServiceVolumeDetach` | `true` | Beta | 1.26 | |
 | `NodeSwap` | `false` | Alpha | 1.22 | |

From 07bfd16069f16344e5c8d0999b15b82ab35aa55c Mon Sep 17 00:00:00 2001
From: Ryan Phillips 
Date: Mon, 3 Apr 2023 16:37:58 -0500
Subject: [PATCH 096/272] terminationGracePeriodSeconds: stable in 1.27

---
 .../configure-liveness-readiness-startup-probes.md              | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md b/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
index 0f7d9ecc4f9..bafa4e36992 100644
--- a/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
+++ b/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
@@ -511,7 +511,7 @@ to resolve it.
 
 ### Probe-level `terminationGracePeriodSeconds`
 
-{{< feature-state for_k8s_version="v1.25" state="beta" >}}
+{{< feature-state for_k8s_version="v1.27" state="stable" >}}
 
 Prior to release 1.21, the pod-level `terminationGracePeriodSeconds` was used
 for terminating a container that failed its liveness or startup probe. This

From 618a942f9ee0eccbada6a22e96fd78d71b57e1f0 Mon Sep 17 00:00:00 2001
From: Daniel Vega-Myhre 
Date: Tue, 14 Mar 2023 17:04:09 +0000
Subject: [PATCH 097/272] document elastic indexed jobs

---
 .../en/docs/concepts/workloads/controllers/job.md   | 13 +++++++++++++
 .../command-line-tools-reference/feature-gates.md   |  7 ++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/content/en/docs/concepts/workloads/controllers/job.md b/content/en/docs/concepts/workloads/controllers/job.md
index 3e0360cc1b4..20b655588d5 100644
--- a/content/en/docs/concepts/workloads/controllers/job.md
+++ b/content/en/docs/concepts/workloads/controllers/job.md
@@ -849,6 +849,19 @@ checking if the Job has the annotation
 this annotation from Jobs. Instead, you can recreate the Jobs to ensure they
 are tracked using Pod finalizers.
 
+### Elastic Indexed Jobs
+
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
+
+You can scale Indexed Jobs up or down by mutating both `.spec.parallelism` 
+and `.spec.completions` together such that `.spec.parallelism == .spec.completions`. 
+When the `ElasticIndexedJob`[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+on the [API server](/docs/reference/command-line-tools-reference/kube-apiserver/)
+is disabled, `.spec.completions` is immutable.
+
+Use cases for elastic Indexed Jobs include batch workloads which require 
+scaling an indexed Job, such as MPI, Horovord, Ray, and PyTorch training jobs.
+
 ## Alternatives
 
 ### Bare Pods
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index a45aa27baa4..7c3bb4a33a7 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -96,6 +96,7 @@ For a reference to old feature gates that are removed, please refer to
 | `DisableCloudProviders` | `false` | Alpha | 1.22 | |
 | `DisableKubeletCloudCredentialProviders` | `false` | Alpha | 1.23 | |
 | `DynamicResourceAllocation` | `false` | Alpha | 1.26 | |
+| `ElasticIndexedJob` | `true` | Beta` | 1.27 | |
 | `EventedPLEG` | `false` | Alpha | 1.26 | 1.26 |
 | `EventedPLEG` | `false` | Beta | 1.27 | - |
 | `ExpandedDNSConfig` | `false` | Alpha | 1.22 | 1.25 |
@@ -511,8 +512,12 @@ Each feature gate is designed for enabling/disabling a specific feature:
   [downward API](/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information).
 - `DryRun`: Enable server-side [dry run](/docs/reference/using-api/api-concepts/#dry-run) requests
   so that validation, merging, and mutation can be tested without committing.
-- `DynamicResourceAllocation": Enables support for resources with custom parameters and a lifecycle
+- `DynamicResourceAllocation`: Enables support for resources with custom parameters and a lifecycle
   that is independent of a Pod.
+- `ElasticIndexedJob`: Enables Indexed Jobs to be scaled up or down by mutating both
+  `spec.completions` and `spec.parallelism` together such that `spec.completions == spec.parallelism`.
+  See docs on [elastic Indexed Jobs](docs/concepts/workloads/controllers/job#elastic-indexed-jobs)
+  for more details.
 - `EndpointSliceTerminatingCondition`: Enables EndpointSlice `terminating` and `serving`
    condition fields.
 - `EfficientWatchResumption`: Allows for storage-originated bookmark (progress

From f736f8ff055ccc38fd9e87badf8f00aed1c942ae Mon Sep 17 00:00:00 2001
From: kemkemG0 
Date: Mon, 3 Apr 2023 18:13:45 -0700
Subject: [PATCH 098/272] fix japanese wording

---
 content/ja/docs/concepts/overview/_index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/overview/_index.md b/content/ja/docs/concepts/overview/_index.md
index 89935936589..d4f4a91e473 100644
--- a/content/ja/docs/concepts/overview/_index.md
+++ b/content/ja/docs/concepts/overview/_index.md
@@ -70,7 +70,7 @@ Kubernetesを使うとデプロイしたコンテナのあるべき状態を記
 * **自己修復**
 Kubernetesは、処理が失敗したコンテナを再起動し、コンテナを入れ替え、定義したヘルスチェックに応答しないコンテナを強制終了します。処理の準備ができるまでは、クライアントに通知しません。
 * **機密情報と構成管理**
-Kubernetesは、パスワードやOAuthトークン、SSHキーのよう機密の情報を保持し、管理することができます。機密情報をデプロイし、コンテナイメージを再作成することなくアプリケーションの構成情報を更新することができます。スタック構成の中で機密情報を晒してしまうこともありません。
+Kubernetesは、パスワードやOAuthトークン、SSHキーなどの機密の情報を保持し、管理することができます。機密情報をデプロイし、コンテナイメージを再作成することなくアプリケーションの構成情報を更新することができます。スタック構成の中で機密情報を晒してしまうこともありません。
 
 ## Kubernetesにないもの
 

From eaf9199d071a613632b74e7f3b1c60cd12fdd47d Mon Sep 17 00:00:00 2001
From: Moshe Levi 
Date: Tue, 14 Mar 2023 01:58:36 +0200
Subject: [PATCH 099/272] doc: extend PodResources API for Dynamic Resource
 Allocation

Signed-off-by: Moshe Levi 
---
 .../compute-storage-net/device-plugins.md     | 62 +++++++++++++++++++
 .../dynamic-resource-allocation.md            |  6 ++
 .../feature-gates.md                          |  7 +++
 3 files changed, 75 insertions(+)

diff --git a/content/en/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md b/content/en/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
index a241ccee3d4..537bde377ca 100644
--- a/content/en/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
+++ b/content/en/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
@@ -213,6 +213,7 @@ for these devices:
 service PodResourcesLister {
     rpc List(ListPodResourcesRequest) returns (ListPodResourcesResponse) {}
     rpc GetAllocatableResources(AllocatableResourcesRequest) returns (AllocatableResourcesResponse) {}
+    rpc Get(GetPodResourcesRequest) returns (GetPodResourcesResponse) {}
 }
 ```
 
@@ -223,6 +224,14 @@ id of exclusively allocated CPUs, device id as it was reported by device plugins
 the NUMA node where these devices are allocated. Also, for NUMA-based machines, it contains the
 information about memory and hugepages reserved for a container.
 
+Starting from Kubernetes v1.27, the `List` enpoint can provide information on resources
+of running pods allocated in `ResourceClaims` by the `DynamicResourceAllocation` API. To enable
+this feature `kubelet` must be started with the following flags:
+
+```
+--feature-gates=DynamicResourceAllocation=true,KubeletPodResourcesDynamiceResources=true
+```
+
 ```gRPC
 // ListPodResourcesResponse is the response returned by List function
 message ListPodResourcesResponse {
@@ -242,6 +251,7 @@ message ContainerResources {
     repeated ContainerDevices devices = 2;
     repeated int64 cpu_ids = 3;
     repeated ContainerMemory memory = 4;
+    repeated DynamicResource dynamic_resources = 5;
 }
 
 // ContainerMemory contains information about memory and hugepages assigned to a container
@@ -267,6 +277,28 @@ message ContainerDevices {
     repeated string device_ids = 2;
     TopologyInfo topology = 3;
 }
+
+// DynamicResource contains information about the devices assigned to a container by Dynamic Resource Allocation
+message DynamicResource {
+    string class_name = 1;
+    string claim_name = 2;
+    string claim_namespace = 3;
+    repeated ClaimResource claim_resources = 4;
+}
+
+// ClaimResource contains per-plugin resource information
+message ClaimResource {
+    repeated CDIDevice cdi_devices = 1 [(gogoproto.customname) = "CDIDevices"];
+}
+
+// CDIDevice specifies a CDI device information
+message CDIDevice {
+    // Fully qualified CDI device name
+    // for example: vendor.com/gpu=gpudevice1
+    // see more details in the CDI specification:
+    // https://github.com/container-orchestrated-devices/container-device-interface/blob/main/SPEC.md
+    string name = 1;
+}
 ```
 {{< note >}}
 cpu_ids in the `ContainerResources` in the `List` endpoint correspond to exclusive CPUs allocated
@@ -333,6 +365,36 @@ Support for the `PodResourcesLister service` requires `KubeletPodResources`
 [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) to be enabled.
 It is enabled by default starting with Kubernetes 1.15 and is v1 since Kubernetes 1.20.
 
+### `Get` gRPC endpoint {#grpc-endpoint-get}
+
+{{< feature-state state="alpha" for_k8s_version="v1.27" >}}
+
+The `Get` endpoint provides information on resources of a running Pod. It exposes information
+similar to those described in the `List` endpoint. The `Get` endpoint requires `PodName`
+and `PodNamespace` of the running Pod.
+
+```gRPC
+// GetPodResourcesRequest contains information about the pod
+message GetPodResourcesRequest {
+    string pod_name = 1;
+    string pod_namespace = 2;
+}
+```
+
+To enable this feature, you must start your kubelet services with the following flag:
+
+```
+--feature-gates=KubeletPodResourcesGet=true
+```
+
+The `Get` endpoint can provide Pod information related to dynamic resources
+allocated by the dynamic resource allocation API. To enable this feature, you must
+ensure your kubelet services are started with the following flags:
+
+```
+--feature-gates=KubeletPodResourcesGet=true,DynamicResourceAllocation=true,KubeletPodResourcesDynamiceResources=true
+```
+
 ## Device plugin integration with the Topology Manager
 
 {{< feature-state for_k8s_version="v1.18" state="beta" >}}
diff --git a/content/en/docs/concepts/scheduling-eviction/dynamic-resource-allocation.md b/content/en/docs/concepts/scheduling-eviction/dynamic-resource-allocation.md
index e1c468f58f0..b2bca19c36b 100644
--- a/content/en/docs/concepts/scheduling-eviction/dynamic-resource-allocation.md
+++ b/content/en/docs/concepts/scheduling-eviction/dynamic-resource-allocation.md
@@ -162,6 +162,12 @@ gets scheduled onto one node and then cannot run there, which is bad because
 such a pending Pod also blocks all other resources like RAM or CPU that were
 set aside for it.
 
+## Monitoring resources
+
+The kubelet provides a gRPC service to enable discovery of dynamic resources of
+running Pods. For more information on the gRPC endpoints, see the
+[resource allocation reporting](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#monitoring-device-plugin-resources).
+
 ## Limitations
 
 The scheduler plugin must be involved in scheduling Pods which use
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 626cc6931f6..cb56ed88416 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -125,8 +125,10 @@ For a reference to old feature gates that are removed, please refer to
 | `KubeletInUserNamespace` | `false` | Alpha | 1.22 | |
 | `KubeletPodResources` | `false` | Alpha | 1.13 | 1.14 |
 | `KubeletPodResources` | `true` | Beta | 1.15 | |
+| `KubeletPodResourcesGet` | `false` | Alpha | 1.27 | |
 | `KubeletPodResourcesGetAllocatable` | `false` | Alpha | 1.21 | 1.22 |
 | `KubeletPodResourcesGetAllocatable` | `true` | Beta | 1.23 | |
+| `KubeletPodResourcesDynamicResources` | `false` | Alpha | 1.27 | |
 | `KubeletTracing` | `false` | Alpha | 1.25 | |
 | `LegacyServiceAccountTokenTracking` | `false` | Alpha | 1.25 | |
 | `LocalStorageCapacityIsolationFSQuotaMonitoring` | `false` | Alpha | 1.15 | - |
@@ -578,9 +580,14 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `KubeletPodResources`: Enable the kubelet's pod resources gRPC endpoint. See
   [Support Device Monitoring](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/606-compute-device-assignment/README.md)
   for more details.
+- `KubeletPodResourcesGet`: Enable the `Get` gRPC endpoint on kubelet's for Pod resources.
+  This API augments the [resource allocation reporting](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#monitoring-device-plugin-resources).
 - `KubeletPodResourcesGetAllocatable`: Enable the kubelet's pod resources
   `GetAllocatableResources` functionality. This API augments the
   [resource allocation reporting](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#monitoring-device-plugin-resources)
+- `KubeletPodResourcesDynamiceResources`: Extend the kubelet's pod resources gRPC endpoint to
+  to include resources allocated in `ResourceClaims` via `DynamicResourceAllocation` API.
+  See [resource allocation reporting](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#monitoring-device-plugin-resources) for more details.
   with informations about the allocatable resources, enabling clients to properly
   track the free compute resources on a node.
 - `KubeletTracing`: Add support for distributed tracing in the kubelet.

From a8c4876d4d624edfe75d668ec57253a6a560b1e4 Mon Sep 17 00:00:00 2001
From: niranjandarshann 
Date: Tue, 4 Apr 2023 13:24:50 +0530
Subject: [PATCH 100/272] Fixed  Incorrect Command At Tutorial #40473

---
 .../docs/tutorials/kubernetes-basics/update/update-intro.html   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/tutorials/kubernetes-basics/update/update-intro.html b/content/en/docs/tutorials/kubernetes-basics/update/update-intro.html
index 62d16e5851d..0c2a3eaca5b 100644
--- a/content/en/docs/tutorials/kubernetes-basics/update/update-intro.html
+++ b/content/en/docs/tutorials/kubernetes-basics/update/update-intro.html
@@ -144,7 +144,7 @@ description: |-
                
First, check that the app is running. To find the exposed IP address and port, run the describe service command:

                
kubectl describe services/kubernetes-bootcamp

                
Create an environment variable called NODE_PORT that has the value of the Node port assigned:

-               
export NODE_PORT="$(kubectl get services/kubernetes-bootcamp -o go-template='{{(index .spec.ports 0).nodePort}}')

+               
export NODE_PORT="$(kubectl get services/kubernetes-bootcamp -o go-template='{{(index .spec.ports 0).nodePort}}')"

                   echo "NODE_PORT=$NODE_PORT"

                
Next, do a curl to the the exposed IP and port:

                
curl http://"$(minikube ip):$NODE_PORT"


From dd444636217a65e4ec8824a4051e66efa607be92 Mon Sep 17 00:00:00 2001
From: Antonio Ojea 
Date: Tue, 4 Apr 2023 13:18:08 +0200
Subject: [PATCH 101/272] Update
 content/en/docs/reference/networking/virtual-ips.md

Co-authored-by: Qiming Teng 
---
 content/en/docs/reference/networking/virtual-ips.md | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/content/en/docs/reference/networking/virtual-ips.md b/content/en/docs/reference/networking/virtual-ips.md
index a33b08da067..5d07a7076bc 100644
--- a/content/en/docs/reference/networking/virtual-ips.md
+++ b/content/en/docs/reference/networking/virtual-ips.md
@@ -316,12 +316,17 @@ Users now will be able to inspect the IP addresses assigned to their Services, a
 new network APIs, like Gateway API, can use this new object to extend the Kubernetes
 networking capabilities overcoming the limitations of current Services API.
 
-```bash
-$ kubectl get services
+```shell
+kubectl get services
+```
+```
 NAME         TYPE        CLUSTER-IP        EXTERNAL-IP   PORT(S)   AGE
 kubernetes   ClusterIP   2001:db8:1:2::1           443/TCP   3d1h
-
-$ kubectl get ipaddresses
+```
+```shell
+kubectl get ipaddresses
+```
+```
 NAME              PARENTREF
 2001:db8:1:2::1   services/default/kubernetes
 2001:db8:1:2::a   services/kube-system/kube-dns

From f674460775e23a2f3c835f0b30f73020b62baf29 Mon Sep 17 00:00:00 2001
From: Antonio Ojea 
Date: Tue, 4 Apr 2023 11:33:45 +0000
Subject: [PATCH 102/272] enable v1alpha1 networking api group@

---
 content/en/docs/reference/networking/virtual-ips.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/content/en/docs/reference/networking/virtual-ips.md b/content/en/docs/reference/networking/virtual-ips.md
index 5d07a7076bc..586221ad9f3 100644
--- a/content/en/docs/reference/networking/virtual-ips.md
+++ b/content/en/docs/reference/networking/virtual-ips.md
@@ -300,7 +300,8 @@ IP addresses that are no longer used by any Services.
 
 {{< feature-state for_k8s_version="v1.27" state="alpha" >}}
 If you enable the `MultiCIDRServiceAllocator`
-[feature gate](/docs/reference/command-line-tools-reference/feature-gates/),
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) and the
+[networking.k8s.io/v1alpha1 API group](https://kubernetes.io/docs/tasks/administer-cluster/enable-disable-api/),
 the control plane replaces the existing etcd allocator with a new one, using IPAddress
 objects instead of an internal global allocation map.  The ClusterIP address
 associated to each `Service` will have a referenced IPAddress object.

From 8c906eaab277aa12c6e363a1254081ebafa6f37b Mon Sep 17 00:00:00 2001
From: Katrina Verey 
Date: Tue, 4 Apr 2023 08:23:53 -0400
Subject: [PATCH 103/272] Add docs for ApplySet-based pruning in kubectl apply
 (#39818)

* Documentation for ApplySet-based pruning (KEP3659)

* Apply suggestions from code review

Co-authored-by: Tim Bannister 

* Add ApplySet labels and annotations to well-known list

* Minor fixups

* Address feedback on label/annotation listing

* Apply suggestions from code review

Co-authored-by: Tim Bannister 

* fix label vs annotation copy-paste errors

* Update prefix to kubernetes.io

---------

Co-authored-by: Tim Bannister 
---
 .../labels-annotations-taints/_index.md       | 63 ++++++++++++++
 .../declarative-config.md                     | 84 +++++++++++++------
 2 files changed, 123 insertions(+), 24 deletions(-)

diff --git a/content/en/docs/reference/labels-annotations-taints/_index.md b/content/en/docs/reference/labels-annotations-taints/_index.md
index 35723ced33a..80603b4a2fa 100644
--- a/content/en/docs/reference/labels-annotations-taints/_index.md
+++ b/content/en/docs/reference/labels-annotations-taints/_index.md
@@ -92,6 +92,69 @@ Common forms of values include:
 
 One of the [recommended labels](/docs/concepts/overview/working-with-objects/common-labels/#labels).
 
+### applyset.kubernetes.io/additional-namespaces (alpha) {#applyset-kubernetes-io-additional-namespaces}
+
+Example: `applyset.kubernetes.io/additional-namespaces: "namespace1,namespace2"`
+
+Used on: Objects being used as ApplySet parents.
+
+Use of this annotation is alpha.
+For Kubernetes version {{< skew currentVersion >}}, you can use this annotation on Secrets, ConfigMaps, or custom resources if the {{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinition" >}} defining them has the `applyset.kubernetes.io/is-parent-type` label.
+
+Part of the specification used to implement [ApplySet-based pruning in kubectl](/docs/tasks/manage-kubernetes-objects/declarative-config/#alternative-kubectl-apply-f-directory-prune). This annotation is applied to the parent object used to track an ApplySet to extend the scope of the ApplySet beyond the parent object's own namespace (if any). The value is a comma-separated list of the names of namespaces other than the parent's namespace in which objects are found.
+
+### applyset.kubernetes.io/contains-group-resources (alpha) {#applyset-kubernetes-io-contains-group-resources}
+
+Example: `applyset.kubernetes.io/contains-group-resources: "certificates.cert-manager.io,configmaps,deployments.apps,secrets,services"`
+
+Used on: Objects being used as ApplySet parents.
+
+Use of this annotation is alpha.
+For Kubernetes version {{< skew currentVersion >}}, you can use this annotation on Secrets, ConfigMaps, or custom resources if the {{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinition" >}} defining them has the `applyset.kubernetes.io/is-parent-type` label.
+
+Part of the specification used to implement [ApplySet-based pruning in kubectl](/docs/tasks/manage-kubernetes-objects/declarative-config/#alternative-kubectl-apply-f-directory-prune). This annotation is applied to the parent object used to track an ApplySet to optimize listing of ApplySet member objects. It is optional in the ApplySet specification, as tools can perform discovery or use a different optimization. However, as of Kubernetes version {{< skew currentVersion >}}, it is required by kubectl. When present, the value of this annotation must be a comma separated list of the group-kinds, in the fully-qualified name format, i.e. `.`.
+
+
+### applyset.kubernetes.io/id (alpha) {#applyset-kubernetes-io-id}
+
+Example: `applyset.kubernetes.io/id: "applyset-0eFHV8ySqp7XoShsGvyWFQD3s96yqwHmzc4e0HR1dsY-v1"`
+
+Used on: Objects being used as ApplySet parents.
+
+Use of this label is alpha.
+For Kubernetes version {{< skew currentVersion >}}, you can use this label on Secrets, ConfigMaps, or custom resources if the {{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinition" >}} defining them has the `applyset.kubernetes.io/is-parent-type` label.
+
+Part of the specification used to implement [ApplySet-based pruning in kubectl](/docs/tasks/manage-kubernetes-objects/declarative-config/#alternative-kubectl-apply-f-directory-prune). This label is what makes an object an ApplySet parent object. Its value is the unique ID of the ApplySet, which is derived from the identity of the parent object itself. This ID **must** be the base64 encoding (using the URL safe encoding of RFC4648) of the hash of the group-kind-name-namespace of the object it is on, in the form: `...))>`. There is no relation between the value of this label and object UIDs.
+
+### applyset.kubernetes.io/is-parent-type (alpha) {#applyset-kubernetes-io-is-parent-type}
+
+Example: `applyset.kubernetes.io/is-parent-type: "true"`
+
+Used on: Custom Resource Definition (CRD)
+
+Use of this label is alpha.
+Part of the specification used to implement [ApplySet-based pruning in kubectl](/docs/tasks/manage-kubernetes-objects/declarative-config/#alternative-kubectl-apply-f-directory-prune). You can set this label on a {{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinition" >}} (CRD) to identify the custom resource type it defines (not the CRD itself) as an allowed parent for an ApplySet. The only permitted value for this label is `"true"`; if you want to mark a CRD as not being a valid parent for ApplySets, omit this label.
+
+### applyset.kubernetes.io/part-of (alpha) {#applyset-kubernetes-io-part-of}
+
+Example: `applyset.kubernetes.io/part-of: "applyset-0eFHV8ySqp7XoShsGvyWFQD3s96yqwHmzc4e0HR1dsY-v1"`
+
+Used on: All objects.
+
+Use of this label is alpha.
+Part of the specification used to implement [ApplySet-based pruning in kubectl](/docs/tasks/manage-kubernetes-objects/declarative-config/#alternative-kubectl-apply-f-directory-prune). This label is what makes an object a member of an ApplySet. The value of the label **must** match the value of the `applyset.kubernetes.io/id` label on the parent object.
+
+### applyset.kubernetes.io/tooling (alpha) {#applyset-kubernetes-io-tooling}
+
+Example: `applyset.kubernetes.io/tooling: "kubectl/v{{< skew currentVersion >}}"`
+
+Used on: Objects being used as ApplySet parents.
+
+Use of this annotation is alpha.
+For Kubernetes version {{< skew currentVersion >}}, you can use this annotation on Secrets, ConfigMaps, or custom resources if the {{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinition" >}} defining them has the `applyset.kubernetes.io/is-parent-type` label.
+
+Part of the specification used to implement [ApplySet-based pruning in kubectl](/docs/tasks/manage-kubernetes-objects/declarative-config/#alternative-kubectl-apply-f-directory-prune). This annotation is applied to the parent object used to track an ApplySet to indicate which tooling manages that ApplySet. Tooling should refuse to mutate ApplySets belonging to other tools. The value must be in the format `/`.
+
 ### cluster-autoscaler.kubernetes.io/safe-to-evict
 
 Example: `cluster-autoscaler.kubernetes.io/safe-to-evict: "true"`
diff --git a/content/en/docs/tasks/manage-kubernetes-objects/declarative-config.md b/content/en/docs/tasks/manage-kubernetes-objects/declarative-config.md
index 2b54f2f4094..ef51d18fc6d 100644
--- a/content/en/docs/tasks/manage-kubernetes-objects/declarative-config.md
+++ b/content/en/docs/tasks/manage-kubernetes-objects/declarative-config.md
@@ -371,44 +371,82 @@ to result in the user deleting something unintentionally:
 kubectl delete -f 
 ```
 
-### Alternative: `kubectl apply -f  --prune -l your=label`
+### Alternative: `kubectl apply -f  --prune`
 
-Only use this if you know what you are doing.
+As an alternative to `kubectl delete`, you can use `kubectl apply` to identify objects to be deleted after
+their manifests have been removed from a directory in the local filesystem.
+
+In Kubernetes {{< skew currentVersion >}}, there are two pruning modes available in kubectl apply:
+- Allowlist-based pruning: This mode has existed since kubectl v1.5 but is still in alpha due to usability, correctness and performance issues with its design. The ApplySet-based mode is designed to replace it.
+- ApplySet-based pruning: An _apply set_ is a server-side object (by default, a Secret) that kubectl can use to accurately and efficiently track set membership across **apply** operations. This mode was introduced in alpha in kubectl v1.27 as a replacement for allowlist-based pruning.
+
+{{< tabs name="kubectl_apply_prune" >}}
+{{% tab name="Allow list" %}}
+
+{{< feature-state for_k8s_version="v1.5" state="alpha" >}}
 
 {{< warning >}}
-`kubectl apply --prune` is in alpha, and backwards incompatible
-changes might be introduced in subsequent releases.
+Take care when using `--prune` with `kubectl apply` in allow list mode. Which objects are pruned depends on the values of the `--prune-allowlist`, `--selector` and `--namespace` flags, and relies on dynamic discovery of the objects in scope. Especially if flag values are changed between invocations, this can lead to objects being unexpectedly deleted or retained.
 {{< /warning >}}
 
-{{< warning >}}
-You must be careful when using this command, so that you
-do not delete objects unintentionally.
-{{< /warning >}}
+To use allowlist-based pruning, add the following flags to your `kubectl apply` invocation:
+- `--prune`: Delete previously applied objects that are not in the set passed to the current invocation.
+- `--prune-allowlist`: A list of group-version-kinds (GVKs) to consider for pruning. This flag is optional but strongly encouraged, as its default value is a partial list of both namespaced and cluster-scoped types, which can lead to surprising results.
+- `--selector/-l`: Use a label selector to constrain the set of objects selected for pruning. This flag is optional but strongly encouraged.
+- `--all`: use instead of `--selector/-l` to explicitly select all previously applied objects of the allowlisted types.
 
-As an alternative to `kubectl delete`, you can use `kubectl apply` to identify objects to be deleted after their
-configuration files have been removed from the directory. Apply with `--prune`
-queries the API server for all objects matching a set of labels, and attempts
-to match the returned live object configurations against the object
-configuration files. If an object matches the query, and it does not have a
-configuration file in the directory, and it has a `last-applied-configuration` annotation,
+Allowlist-based pruning queries the API server for all objects of the allowlisted GVKs that match the given labels (if any), and attempts to match the returned live object configurations against the object
+manifest files. If an object matches the query, and it does not have a
+manifest in the directory, and it has a `kubectl.kubernetes.io/last-applied-configuration` annotation,
 it is deleted.
 
-{{< comment >}}
-TODO(pwittrock): We need to change the behavior to prevent the user from running apply on subdirectories unintentionally.
-{{< /comment >}}
 
 ```shell
-kubectl apply -f  --prune -l 
+kubectl apply -f  --prune -l  --prune-allowlist=
 ```
 
 {{< warning >}}
 Apply with prune should only be run against the root directory
-containing the object configuration files. Running against sub-directories
-can cause objects to be unintentionally deleted if they are returned
-by the label selector query specified with `-l ` and
-do not appear in the subdirectory.
+containing the object manifests. Running against sub-directories
+can cause objects to be unintentionally deleted if they were previously applied, 
+have the labels given (if any), and do not appear in the subdirectory.
 {{< /warning >}}
 
+{{% /tab %}}
+
+{{% tab name="Apply set" %}}
+
+{{< feature-state for_k8s_version="v1.27" state="alpha" >}}
+
+{{< caution >}}
+`kubectl apply --prune --applyset` is in alpha, and backwards incompatible
+changes might be introduced in subsequent releases.
+{{< /caution >}}
+
+To use ApplySet-based pruning, set the `KUBECTL_APPLYSET=true` environment variable, and add the following flags to your `kubectl apply` invocation:
+- `--prune`: Delete previously applied objects that are not in the set passed to the current invocation.
+- `--applyset`: The name of an object that kubectl can use to accurately and efficiently track set membership across `apply` operations.
+
+```shell
+KUBECTL_APPLYSET=true kubectl apply -f  --prune --applyset=
+```
+
+By default, the type of the ApplySet parent object used is a Secret. However, ConfigMaps can also be used in the format: `--applyset=configmaps/`. When using a Secret or ConfigMap, kubectl will create the object if it does not already exist.
+
+It is also possible to use custom resources as ApplySet parent objects. To enable this, label the Custom Resource Definition (CRD) that defines the resource you want to use with the following: `applyset.kubernetes.io/is-parent-type: true`. Then, create the object you want to use as an ApplySet parent (kubectl does not do this automatically for custom resources). Finally, refer to that object in the applyset flag as follows: `--applyset=./` (for example, `widgets.custom.example.com/widget-name`).
+
+With ApplySet-based pruning, kubectl adds the `applyset.kubernetes.io/part-of=` label to each object in the set before they are sent to the server. For performance reasons, it also collects the list of resource types and namespaces that the set contains and adds these in annotations on the live parent object. Finally, at the end of the apply operation, it queries the API server for objects of those types in those namespaces (or in the cluster scope, as applicable) that belong to the set, as defined by the `applyset.kubernetes.io/part-of=` label.
+
+Caveats and restrictions:
+- Each object may be a member of at most one set.
+- The `--namespace` flag is required when using any namespaced parent, including the default Secret.  This means that ApplySets spanning multiple namespaces must use a cluster-scoped custom resource as the parent object.
+- To safely use ApplySet-based pruning with multiple directories, use a unique ApplySet name for each.
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+
 ## How to view an object
 
 You can use `kubectl get` with `-o yaml` to view the configuration of a live object:
@@ -1007,5 +1045,3 @@ template:
 * [Imperative Management of Kubernetes Objects Using Configuration Files](/docs/tasks/manage-kubernetes-objects/imperative-config/)
 * [Kubectl Command Reference](/docs/reference/generated/kubectl/kubectl-commands/)
 * [Kubernetes API Reference](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/)
-
-

From 81dfd0cd00c2fdcc99d01f5eb629d1cc24e55c72 Mon Sep 17 00:00:00 2001
From: Sergey Kanzhelev 
Date: Tue, 4 Apr 2023 05:57:54 -0700
Subject: [PATCH 104/272] gRPC GA (#39919)

---
 .../_posts/2022-05-13-grpc-probes-in-beta.md  |  1 +
 .../concepts/workloads/pods/pod-lifecycle.md  |  5 +----
 .../feature-gates.md                          |  8 +++++--
 ...igure-liveness-readiness-startup-probes.md | 22 ++++++++++++-------
 4 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/content/en/blog/_posts/2022-05-13-grpc-probes-in-beta.md b/content/en/blog/_posts/2022-05-13-grpc-probes-in-beta.md
index e4a9ab0092c..77cf06d1040 100644
--- a/content/en/blog/_posts/2022-05-13-grpc-probes-in-beta.md
+++ b/content/en/blog/_posts/2022-05-13-grpc-probes-in-beta.md
@@ -7,6 +7,7 @@ slug: grpc-probes-now-in-beta
 
 **Author**: Sergey Kanzhelev (Google)
 
+_Update: Since this article was posted, the feature was graduated to GA in v1.27 and doesn't require any feature gates to be enabled.
 
 With Kubernetes 1.24 the gRPC probes functionality entered beta and is available by default.
 Now you can configure startup, liveness, and readiness probes for your gRPC app
diff --git a/content/en/docs/concepts/workloads/pods/pod-lifecycle.md b/content/en/docs/concepts/workloads/pods/pod-lifecycle.md
index e37e8ac92db..b209a6a65f3 100644
--- a/content/en/docs/concepts/workloads/pods/pod-lifecycle.md
+++ b/content/en/docs/concepts/workloads/pods/pod-lifecycle.md
@@ -302,10 +302,7 @@ Each probe must define exactly one of these four mechanisms:
   The target should implement
   [gRPC health checks](https://grpc.io/grpc/core/md_doc_health-checking.html).
   The diagnostic is considered successful if the `status`
-  of the response is `SERVING`.
-  gRPC probes are an alpha feature and are only available if you
-  enable the `GRPCContainerProbe`
-  [feature gate](/docs/reference/command-line-tools-reference/feature-gates/).
+  of the response is `SERVING`.  
 
 `httpGet`
 : Performs an HTTP `GET` request against the Pod's IP
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index f1dd7e6721a..25c3f1c3f65 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -101,8 +101,6 @@ For a reference to old feature gates that are removed, please refer to
 | `ExpandedDNSConfig` | `false` | Alpha | 1.22 | 1.25 |
 | `ExpandedDNSConfig` | `true` | Beta | 1.26 | |
 | `ExperimentalHostUserNamespaceDefaulting` | `false` | Beta | 1.5 | |
-| `GRPCContainerProbe` | `false` | Alpha | 1.23 | 1.23 |
-| `GRPCContainerProbe` | `true` | Beta | 1.24 | |
 | `GracefulNodeShutdown` | `false` | Alpha | 1.20 | 1.20 |
 | `GracefulNodeShutdown` | `true` | Beta | 1.21 | |
 | `GracefulNodeShutdownBasedOnPodPriority` | `false` | Alpha | 1.23 | 1.23 |
@@ -293,6 +291,12 @@ For a reference to old feature gates that are removed, please refer to
 | `ExecProbeTimeout` | `true` | GA | 1.20 | - |
 | `JobMutableNodeSchedulingDirectives` | `true` | Beta | 1.23 | 1.26 |
 | `JobMutableNodeSchedulingDirectives` | `true` | GA | 1.27 | |
+| `GRPCContainerProbe` | `false` | Alpha | 1.23 | 1.23 |
+| `GRPCContainerProbe` | `true` | Beta | 1.24 | 1.26 |
+| `GRPCContainerProbe` | `true` | GA | 1.27 | |
+| `IdentifyPodOS` | `false` | Alpha | 1.23 | 1.23 |
+| `IdentifyPodOS` | `true` | Beta | 1.24 | 1.24 |
+| `IdentifyPodOS` | `true` | GA | 1.25 | - |
 | `JobTrackingWithFinalizers` | `false` | Alpha | 1.22 | 1.22 |
 | `JobTrackingWithFinalizers` | `false` | Beta | 1.23 | 1.24 |
 | `JobTrackingWithFinalizers` | `true` | Beta | 1.25 | 1.25 |
diff --git a/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md b/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
index bafa4e36992..b8d91a824b1 100644
--- a/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
+++ b/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
@@ -240,21 +240,27 @@ kubectl describe pod goproxy
 
 {{< feature-state for_k8s_version="v1.24" state="beta" >}}
 
-If your application implements [gRPC Health Checking Protocol](https://github.com/grpc/grpc/blob/master/doc/health-checking.md),
-kubelet can be configured to use it for application liveness checks.
-You must enable the `GRPCContainerProbe`
-[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-in order to configure checks that rely on gRPC.
+If your application implements the [gRPC Health Checking Protocol](https://github.com/grpc/grpc/blob/master/doc/health-checking.md),
+this example shows how to configure Kubernetes to use it for application liveness checks.
+Similarly you can configure readiness and startup probes.
 
 Here is an example manifest:
 
 {{< codenew file="pods/probe/grpc-liveness.yaml" >}}
 
-To use a gRPC probe, `port` must be configured. If the health endpoint is configured
-on a non-default service, you must also specify the `service`.
+To use a gRPC probe, `port` must be configured. If you want to distinguish probes of different types
+and probes for different features you can use the `service` field.
+You can set `service` to the value `liveness` and make your gRPC Health Checking endpoint
+respond to this request differently then when you set `service` set to `readiness`.
+This lets you use the same endpoint for different kinds of container health check
+(rather than needing to listen on two different ports).
+If you want to specify your own custom service name and also specify a probe type,
+the Kubernetes project recommends that you use a name that concatenates
+those. For example: `myservice-liveness` (using `-` as a separator).
 
 {{< note >}}
-Unlike HTTP and TCP probes, named ports cannot be used and custom host cannot be configured.
+Unlike HTTP or TCP probes, you cannot specify the healthcheck port by name, and you
+cannot configure a custom hostname.
 {{< /note >}}
 
 Configuration problems (for example: incorrect port and service, unimplemented health checking protocol)

From 427ed08ec7d2f95201f51704be69c6d3f0d44c13 Mon Sep 17 00:00:00 2001
From: Antonio Ojea 
Date: Tue, 4 Apr 2023 15:43:52 +0200
Subject: [PATCH 105/272] Update
 content/en/docs/reference/networking/virtual-ips.md

Co-authored-by: Tim Bannister 
---
 content/en/docs/reference/networking/virtual-ips.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/reference/networking/virtual-ips.md b/content/en/docs/reference/networking/virtual-ips.md
index 586221ad9f3..0b4a6e974f4 100644
--- a/content/en/docs/reference/networking/virtual-ips.md
+++ b/content/en/docs/reference/networking/virtual-ips.md
@@ -301,7 +301,7 @@ IP addresses that are no longer used by any Services.
 {{< feature-state for_k8s_version="v1.27" state="alpha" >}}
 If you enable the `MultiCIDRServiceAllocator`
 [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) and the
-[networking.k8s.io/v1alpha1 API group](https://kubernetes.io/docs/tasks/administer-cluster/enable-disable-api/),
+[`networking.k8s.io/v1alpha1` API group](/docs/tasks/administer-cluster/enable-disable-api/),
 the control plane replaces the existing etcd allocator with a new one, using IPAddress
 objects instead of an internal global allocation map.  The ClusterIP address
 associated to each `Service` will have a referenced IPAddress object.

From c4e4aecde8e3f191804a01d25d17c28458757c2b Mon Sep 17 00:00:00 2001
From: Antonio Ojea 
Date: Tue, 4 Apr 2023 15:44:19 +0200
Subject: [PATCH 106/272] Update
 content/en/docs/reference/networking/virtual-ips.md

Co-authored-by: Tim Bannister 
---
 content/en/docs/reference/networking/virtual-ips.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/reference/networking/virtual-ips.md b/content/en/docs/reference/networking/virtual-ips.md
index 0b4a6e974f4..6c2cdaacf74 100644
--- a/content/en/docs/reference/networking/virtual-ips.md
+++ b/content/en/docs/reference/networking/virtual-ips.md
@@ -304,7 +304,7 @@ If you enable the `MultiCIDRServiceAllocator`
 [`networking.k8s.io/v1alpha1` API group](/docs/tasks/administer-cluster/enable-disable-api/),
 the control plane replaces the existing etcd allocator with a new one, using IPAddress
 objects instead of an internal global allocation map.  The ClusterIP address
-associated to each `Service` will have a referenced IPAddress object.
+associated to each Service will have a referenced IPAddress object.
 
 The background controller is also replaced by a new one to handle the new IPAddress
 objects and the migration from the old allocator model.

From 460b8993521654b201acc2316e9e64a2a7c9a77f Mon Sep 17 00:00:00 2001
From: MaxymVlasov 
Date: Tue, 4 Apr 2023 16:44:23 +0300
Subject: [PATCH 107/272] Mention kubernetes/websites everywhere in the same
 way

---
 content/hi/docs/contribute/_index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/hi/docs/contribute/_index.md b/content/hi/docs/contribute/_index.md
index dc652738acc..c6f748bbda0 100644
--- a/content/hi/docs/contribute/_index.md
+++ b/content/hi/docs/contribute/_index.md
@@ -68,7 +68,7 @@ end
 subgraph second[समीक्षा]
 direction TB
    T[ ] -.-
-   D[K8s/website
रिपॉजिटरी
को देखें] --- E[Hugo स्टैटिक साइट
जनरेटर
को देखें]
+   D[kubernetes/website
रिपॉजिटरी
को देखें] --- E[Hugo स्टैटिक साइट
जनरेटर
को देखें]
    E --- F[मूलभूत GitHub
कमांड समझें]
    F --- G[ओपन PR की समीक्षा करे
और समीक्षा प्रक्रिया
को बदलें]
 end
@@ -115,7 +115,7 @@ flowchart LR
     direction TB
     S[ ] -.-
     G[दूसरे K8s मेम्बर्स के
PRs की समीक्षा करें] -->
-    A[अपने पहले इशू (गुफ फर्स्ट इशू)
के लिए K8s/website
की इशू सूची पर जाएं] --> B[PR ओपन करें!!]
+    A[अपने पहले इशू (गुफ फर्स्ट इशू)
के लिए kubernetes/website
की इशू सूची पर जाएं] --> B[PR ओपन करें!!]
     end
     subgraph first[सूचित तैयारी]
     direction TB

From 5056816f28830beee2114ba7f0c347d6349cb8f7 Mon Sep 17 00:00:00 2001
From: Antonio Ojea 
Date: Tue, 4 Apr 2023 15:44:30 +0200
Subject: [PATCH 108/272] Update
 content/en/docs/reference/networking/virtual-ips.md

Co-authored-by: Tim Bannister 
---
 content/en/docs/reference/networking/virtual-ips.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/reference/networking/virtual-ips.md b/content/en/docs/reference/networking/virtual-ips.md
index 6c2cdaacf74..e6a6ef135c0 100644
--- a/content/en/docs/reference/networking/virtual-ips.md
+++ b/content/en/docs/reference/networking/virtual-ips.md
@@ -314,8 +314,9 @@ for the `service-cluster-ip-range`, there is no limitations for IPv4 and for IPv
 users can use masks equal or larger than /64 (previously it was /108).
 
 Users now will be able to inspect the IP addresses assigned to their Services, and
-new network APIs, like Gateway API, can use this new object to extend the Kubernetes
-networking capabilities overcoming the limitations of current Services API.
+Kubernetes extensions such as the [Gateway](https://gateway-api.sigs.k8s.io/) API, can use this new
+IPAddress object kind to enhance the Kubernetes networking capabilities, going beyond the limitations of
+the built-in Service API.
 
 ```shell
 kubectl get services

From 407b5af6c388957e16b2c320e6107f1777c1a9fd Mon Sep 17 00:00:00 2001
From: Matthew Cary 
Date: Tue, 4 Apr 2023 08:05:56 -0700
Subject: [PATCH 109/272] Update docs for StatefulSetAutoDeletePVC beta in 1.27

---
 content/en/docs/concepts/workloads/controllers/statefulset.md  | 2 +-
 .../reference/command-line-tools-reference/feature-gates.md    | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/concepts/workloads/controllers/statefulset.md b/content/en/docs/concepts/workloads/controllers/statefulset.md
index 8023c1020f0..bdb0703f7af 100644
--- a/content/en/docs/concepts/workloads/controllers/statefulset.md
+++ b/content/en/docs/concepts/workloads/controllers/statefulset.md
@@ -360,7 +360,7 @@ StatefulSet will then begin to recreate the Pods using the reverted template.
 
 ## PersistentVolumeClaim retention
 
-{{< feature-state for_k8s_version="v1.23" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
 The optional `.spec.persistentVolumeClaimRetentionPolicy` field controls if
 and how PVCs are deleted during the lifecycle of a StatefulSet. You must enable the
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index a45aa27baa4..38b0fccff12 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -191,7 +191,8 @@ For a reference to old feature gates that are removed, please refer to
 | `ServiceNodePortStaticSubrange` | `false` | Alpha | 1.27 | |
 | `SizeMemoryBackedVolumes` | `false` | Alpha | 1.20 | 1.21 |
 | `SizeMemoryBackedVolumes` | `true` | Beta | 1.22 | |
-| `StatefulSetAutoDeletePVC` | `false` | Alpha | 1.22 | |
+| `StatefulSetAutoDeletePVC` | `false` | Alpha | 1.22 | 1.26 |
+| `StatefulSetAutoDeletePVC` | `false` | Beta | 1.27 | |
 | `StatefulSetStartOrdinal` | `false` | Alpha | 1.26 | 1.26 |
 | `StatefulSetStartOrdinal` | `true` | Beta | 1.27 | |
 | `StorageVersionAPI` | `false` | Alpha | 1.20 | |

From 1b66978934745ced1df9c95d7b10c8c1c21b427b Mon Sep 17 00:00:00 2001
From: Ilya Margolin 
Date: Tue, 4 Apr 2023 18:56:11 +0200
Subject: [PATCH 110/272] Update docs for kubectl auth whoami

it is not alpha anymore
---
 .../configure-access-multiple-clusters.md                     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md b/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
index 09322248895..23402785149 100644
--- a/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
+++ b/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
@@ -403,8 +403,8 @@ $Env:KUBECONFIG=$ENV:KUBECONFIG_SAVED
 It is not always obvious what attributes (username, groups) you will get after authenticating to the cluster. 
 It can be even more challenging if you are managing more than one cluster at the same time.
 
-There is a `kubectl` alpha subcommand command to check subject attributes, such as username,
-for your selected Kubernetes client context: `kubectl auth whoami`.
+There is a `kubectl` subcommand to check subject attributes, such as username, for your selected Kubernetes 
+client context: `kubectl auth whoami`.
 
 Read [API access to authentication information for a client](/docs/reference/access-authn-authz/authentication/#self-subject-review)
 to learn about this in more detail.

From e8e3c2a82279d676669219ce76c06dfaadb32b8c Mon Sep 17 00:00:00 2001
From: Arhell 
Date: Wed, 5 Apr 2023 00:39:51 +0300
Subject: [PATCH 111/272] [ja] Updated kubectl describe svc output

---
 .../services-networking/connect-applications-service.md       | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/content/ja/docs/concepts/services-networking/connect-applications-service.md b/content/ja/docs/concepts/services-networking/connect-applications-service.md
index 17aced17830..368972cfe51 100644
--- a/content/ja/docs/concepts/services-networking/connect-applications-service.md
+++ b/content/ja/docs/concepts/services-networking/connect-applications-service.md
@@ -118,8 +118,12 @@ Labels:              run=my-nginx
 Annotations:         
 Selector:            run=my-nginx
 Type:                ClusterIP
+IP Family Policy:    SingleStack
+IP Families:         IPv4
 IP:                  10.0.162.149
+IPs:                 10.0.162.149
 Port:                 80/TCP
+TargetPort:          80/TCP
 Endpoints:           10.244.2.5:80,10.244.3.4:80
 Session Affinity:    None
 Events:              

From c1512c77ad6d428e6fd7c9df205f9c98310124a4 Mon Sep 17 00:00:00 2001
From: cailynse 
Date: Thu, 23 Feb 2023 19:58:29 -0500
Subject: [PATCH 112/272] Add Blog Post for KEP-3202-beta release

---
 .../index.md                                  | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md

diff --git a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
new file mode 100644
index 00000000000..dbc48fab399
--- /dev/null
+++ b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
@@ -0,0 +1,39 @@
+---
+layout: blog 
+title: Updates to the Auto-refreshing Official CVE Feed
+date: 2023-04-04
+slug: k8s-cve-feed-beta
+---
+
+**Author**: Cailyn Edwards (Shopify)
+
+Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an `alpha`
+feature in the 1.25 release we have made signficant improvments and updates. We are excited to announce the release of the 
+`beta` version of the feed. This blog post will outline the changes made, and talk about what is planned for the to expect for 
+the `stable` release.
+
+## Updates
+| **\#** | **Title**                                                                                                    | **Issue**                                                       | **Status**                                                                                                                                                                                                                      |
+| ------ | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 1 | Support RSS feeds by generating data in Atom format | [kubernetes/sig-security#77](https://github.com/kubernetes/sig-security/issues/77) | open, addressed by [kubernetes/website#39513](https://github.com/kubernetes/website/pull/39513)|
+| 2 | CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | open, no PR open |
+| 3 | CVE Feed: Add Prow job link as a metadata field | [kubernetes/sig-security#71](https://github.com/kubernetes/sig-security/issues/71) | open, no PR open |
+| 4 | CVE Feed: Add lastUpdatedAt as a metadata field | [kubernetes/sig-security#72](https://github.com/kubernetes/sig-security/issues/72) | open, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| 5 | CVE Feed: JSON feed should pass jsonfeed spec validator | [kubernetes/webite#36808](https://github.com/kubernetes/website/issues/36808) | open, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| 6 | CVE Feed: Include a timestamp field for each CVE indicating when it was last updated | [kubernetes/sig-security#63](https://github.com/kubernetes/sig-security/issues/63) | open, no PR |
+| 7 | CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | open, no PR |
+
+## Summary of Changes
+TODO - add details of changes
+
+## What's Next?
+
+In preparation to graduate this feature, SIG Security
+is still gathering feedback from end users who are using the updated beta feed.
+
+To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to
+this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or
+let us know on
+[#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY)
+Kubernetes Slack channel.
+(Join [Kubernetes Slack here](https://slack.k8s.io))
\ No newline at end of file

From d7f8476c292fa84653ef7c9fd569e196ab6866e9 Mon Sep 17 00:00:00 2001
From: Cailyn 
Date: Tue, 4 Apr 2023 19:45:15 -0400
Subject: [PATCH 113/272] Update
 content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md

Co-authored-by: Nate W. 
---
 .../index.md                                                    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
index dbc48fab399..8e0dd06b3c1 100644
--- a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
+++ b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
@@ -8,7 +8,7 @@ slug: k8s-cve-feed-beta
 **Author**: Cailyn Edwards (Shopify)
 
 Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an `alpha`
-feature in the 1.25 release we have made signficant improvments and updates. We are excited to announce the release of the 
+feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the
 `beta` version of the feed. This blog post will outline the changes made, and talk about what is planned for the to expect for 
 the `stable` release.
 

From 5843e849046fa57f9f23a2aa0420260afd794a8d Mon Sep 17 00:00:00 2001
From: Cailyn 
Date: Tue, 4 Apr 2023 19:45:23 -0400
Subject: [PATCH 114/272] Update
 content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md

Co-authored-by: Nate W. 
---
 .../index.md                                                    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
index 8e0dd06b3c1..9cfa0d4b9ce 100644
--- a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
+++ b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
@@ -28,7 +28,7 @@ TODO - add details of changes
 
 ## What's Next?
 
-In preparation to graduate this feature, SIG Security
+In preparation for the graduation of this feature, SIG Security
 is still gathering feedback from end users who are using the updated beta feed.
 
 To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to

From 1fdaa7b46972291b72ececd91229ccd5e77f1d16 Mon Sep 17 00:00:00 2001
From: s-kawamura-w664 
Date: Thu, 30 Mar 2023 14:55:06 +0900
Subject: [PATCH 115/272] [ja] update page weights in /tasks

---
 content/ja/docs/tasks/access-application-cluster/_index.md      | 2 +-
 .../communicate-containers-same-pod-shared-volume.md            | 2 +-
 .../docs/tasks/access-application-cluster/ingress-minikube.md   | 2 +-
 content/ja/docs/tasks/configmap-secret/_index.md                | 2 +-
 content/ja/docs/tasks/configure-pod-container/_index.md         | 2 +-
 .../assign-pods-nodes-using-node-affinity.md                    | 2 +-
 .../ja/docs/tasks/configure-pod-container/assign-pods-nodes.md  | 2 +-
 .../configure-pod-container/attach-handler-lifecycle-event.md   | 2 +-
 .../configure-liveness-readiness-startup-probes.md              | 2 +-
 .../tasks/configure-pod-container/configure-pod-configmap.md    | 2 +-
 .../configure-projected-volume-storage.md                       | 2 +-
 .../tasks/configure-pod-container/configure-volume-storage.md   | 2 +-
 .../ja/docs/tasks/configure-pod-container/extended-resource.md  | 2 +-
 .../docs/tasks/configure-pod-container/quality-service-pod.md   | 2 +-
 .../ja/docs/tasks/configure-pod-container/security-context.md   | 2 +-
 .../tasks/configure-pod-container/share-process-namespace.md    | 2 +-
 content/ja/docs/tasks/configure-pod-container/static-pod.md     | 2 +-
 content/ja/docs/tasks/debug/_index.md                           | 2 +-
 .../debug/debug-application/determine-reason-pod-failure.md     | 1 +
 content/ja/docs/tasks/inject-data-application/_index.md         | 2 +-
 content/ja/docs/tasks/job/_index.md                             | 2 +-
 content/ja/docs/tasks/manage-kubernetes-objects/_index.md       | 2 +-
 content/ja/docs/tasks/network/_index.md                         | 2 +-
 content/ja/docs/tasks/run-application/_index.md                 | 2 +-
 content/ja/docs/tasks/tls/_index.md                             | 2 +-
 25 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/content/ja/docs/tasks/access-application-cluster/_index.md b/content/ja/docs/tasks/access-application-cluster/_index.md
index dc48e622465..cc0f539baa5 100644
--- a/content/ja/docs/tasks/access-application-cluster/_index.md
+++ b/content/ja/docs/tasks/access-application-cluster/_index.md
@@ -1,5 +1,5 @@
 ---
 title: "クラスター内アプリケーションへのアクセス"
 description: クラスター内アプリケーションへアクセスできるようにするために、ロードバランシングやポートフォワーディングの設定、ファイアウォールやDNS設定のセットアップを行います。
-weight: 60
+weight: 100
 ---
diff --git a/content/ja/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md b/content/ja/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
index 8a0d37d28e3..540cbab72a1 100644
--- a/content/ja/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
+++ b/content/ja/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
@@ -1,7 +1,7 @@
 ---
 title: 共有ボリュームを使用して同じPod内のコンテナ間で通信する
 content_type: task
-weight: 110
+weight: 120
 ---
 
 
diff --git a/content/ja/docs/tasks/access-application-cluster/ingress-minikube.md b/content/ja/docs/tasks/access-application-cluster/ingress-minikube.md
index be267080996..3c3f7526642 100644
--- a/content/ja/docs/tasks/access-application-cluster/ingress-minikube.md
+++ b/content/ja/docs/tasks/access-application-cluster/ingress-minikube.md
@@ -1,7 +1,7 @@
 ---
 title: Minikube上でNGINX Ingressコントローラーを使用してIngressをセットアップする
 content_type: task
-weight: 100
+weight: 110
 ---
 
 
diff --git a/content/ja/docs/tasks/configmap-secret/_index.md b/content/ja/docs/tasks/configmap-secret/_index.md
index 18a8018ce56..39e607f6cf3 100644
--- a/content/ja/docs/tasks/configmap-secret/_index.md
+++ b/content/ja/docs/tasks/configmap-secret/_index.md
@@ -1,6 +1,6 @@
 ---
 title: "Secretの管理"
-weight: 28
+weight: 60
 description: Secretを使用した機密設定データの管理
 ---
 
diff --git a/content/ja/docs/tasks/configure-pod-container/_index.md b/content/ja/docs/tasks/configure-pod-container/_index.md
index 324a19b22b4..c40ed206666 100644
--- a/content/ja/docs/tasks/configure-pod-container/_index.md
+++ b/content/ja/docs/tasks/configure-pod-container/_index.md
@@ -1,6 +1,6 @@
 ---
 title: "Podとコンテナの設定"
 description: Podとコンテナの一般的な設定のタスクを行います。
-weight: 20
+weight: 30
 ---
 
diff --git a/content/ja/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md b/content/ja/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md
index 77caf9a13c4..d0599138dcd 100644
--- a/content/ja/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md
+++ b/content/ja/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md
@@ -2,7 +2,7 @@
 title: Node Affinityを利用してPodをノードに割り当てる
 min-kubernetes-server-version: v1.10
 content_type: task
-weight: 120
+weight: 160
 ---
 
 
diff --git a/content/ja/docs/tasks/configure-pod-container/assign-pods-nodes.md b/content/ja/docs/tasks/configure-pod-container/assign-pods-nodes.md
index 4e09dbaf932..a1ed76638b8 100644
--- a/content/ja/docs/tasks/configure-pod-container/assign-pods-nodes.md
+++ b/content/ja/docs/tasks/configure-pod-container/assign-pods-nodes.md
@@ -1,7 +1,7 @@
 ---
 title: Podをノードに割り当てる
 content_type: task
-weight: 120
+weight: 150
 ---
 
 
diff --git a/content/ja/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md b/content/ja/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
index 1aa194a745a..b7cfb624e7a 100644
--- a/content/ja/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
+++ b/content/ja/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
@@ -1,7 +1,7 @@
 ---
 title: コンテナライフサイクルイベントへのハンドラー紐付け
 content_type: task
-weight: 140
+weight: 180
 ---
 
 
diff --git a/content/ja/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md b/content/ja/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
index 0c14c79bb6b..c5dc0869c7a 100644
--- a/content/ja/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
+++ b/content/ja/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
@@ -1,7 +1,7 @@
 ---
 title: Liveness Probe、Readiness ProbeおよびStartup Probeを使用する
 content_type: task
-weight: 110
+weight: 140
 ---
 
 
diff --git a/content/ja/docs/tasks/configure-pod-container/configure-pod-configmap.md b/content/ja/docs/tasks/configure-pod-container/configure-pod-configmap.md
index 7bcacd13a4c..61c8225fe14 100644
--- a/content/ja/docs/tasks/configure-pod-container/configure-pod-configmap.md
+++ b/content/ja/docs/tasks/configure-pod-container/configure-pod-configmap.md
@@ -1,7 +1,7 @@
 ---
 title: Podを構成してConfigMapを使用する
 content_type: task
-weight: 150
+weight: 190
 card:
   name: tasks
   weight: 50
diff --git a/content/ja/docs/tasks/configure-pod-container/configure-projected-volume-storage.md b/content/ja/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
index 4c70662d424..1fd7172bc27 100644
--- a/content/ja/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
+++ b/content/ja/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
@@ -1,7 +1,7 @@
 ---
 title: ストレージにProjectedボリュームを使用するようPodを設定する
 content_type: task
-weight: 70
+weight: 100
 ---
 
 
diff --git a/content/ja/docs/tasks/configure-pod-container/configure-volume-storage.md b/content/ja/docs/tasks/configure-pod-container/configure-volume-storage.md
index 5fb2769bdd3..140336d0db7 100644
--- a/content/ja/docs/tasks/configure-pod-container/configure-volume-storage.md
+++ b/content/ja/docs/tasks/configure-pod-container/configure-volume-storage.md
@@ -1,7 +1,7 @@
 ---
 title: ストレージにボリュームを使用するPodを構成する
 content_type: task
-weight: 50
+weight: 80
 ---
 
 
diff --git a/content/ja/docs/tasks/configure-pod-container/extended-resource.md b/content/ja/docs/tasks/configure-pod-container/extended-resource.md
index b056fc73898..7a0114582a1 100644
--- a/content/ja/docs/tasks/configure-pod-container/extended-resource.md
+++ b/content/ja/docs/tasks/configure-pod-container/extended-resource.md
@@ -1,7 +1,7 @@
 ---
 title: 拡張リソースをコンテナに割り当てる
 content_type: task
-weight: 40
+weight: 70
 ---
 
 
diff --git a/content/ja/docs/tasks/configure-pod-container/quality-service-pod.md b/content/ja/docs/tasks/configure-pod-container/quality-service-pod.md
index 012921d2bfc..ceb917d6227 100644
--- a/content/ja/docs/tasks/configure-pod-container/quality-service-pod.md
+++ b/content/ja/docs/tasks/configure-pod-container/quality-service-pod.md
@@ -1,7 +1,7 @@
 ---
 title: PodにQuality of Serviceを設定する
 content_type: task
-weight: 30
+weight: 60
 ---
 
 
diff --git a/content/ja/docs/tasks/configure-pod-container/security-context.md b/content/ja/docs/tasks/configure-pod-container/security-context.md
index c4e1523af4f..68ce416b5fa 100644
--- a/content/ja/docs/tasks/configure-pod-container/security-context.md
+++ b/content/ja/docs/tasks/configure-pod-container/security-context.md
@@ -1,7 +1,7 @@
 ---
 title: Podとコンテナにセキュリティコンテキストを設定する
 content_type: task
-weight: 80
+weight: 110
 ---
 
 
diff --git a/content/ja/docs/tasks/configure-pod-container/share-process-namespace.md b/content/ja/docs/tasks/configure-pod-container/share-process-namespace.md
index b5fd61777e6..b6be6e07e1d 100644
--- a/content/ja/docs/tasks/configure-pod-container/share-process-namespace.md
+++ b/content/ja/docs/tasks/configure-pod-container/share-process-namespace.md
@@ -2,7 +2,7 @@
 title: Pod内のコンテナ間でプロセス名前空間を共有する
 min-kubernetes-server-version: v1.10
 content_type: task
-weight: 160
+weight: 200
 ---
 
 
diff --git a/content/ja/docs/tasks/configure-pod-container/static-pod.md b/content/ja/docs/tasks/configure-pod-container/static-pod.md
index 8c5f9f67c82..851ef4e1610 100644
--- a/content/ja/docs/tasks/configure-pod-container/static-pod.md
+++ b/content/ja/docs/tasks/configure-pod-container/static-pod.md
@@ -1,6 +1,6 @@
 ---
 title: static Podを作成する
-weight: 170
+weight: 220
 content_type: task
 ---
 
diff --git a/content/ja/docs/tasks/debug/_index.md b/content/ja/docs/tasks/debug/_index.md
index 21e34075fd2..7013b3ec48b 100644
--- a/content/ja/docs/tasks/debug/_index.md
+++ b/content/ja/docs/tasks/debug/_index.md
@@ -1,7 +1,7 @@
 ---
 title: "監視、ログ、デバッグ"
 description: クラスターのトラブルシューティングや、コンテナ化したアプリケーションのデバッグのために、監視とログをセットアップします。
-weight: 20
+weight: 40
 content_type: concept
 no_list: true
 ---
diff --git a/content/ja/docs/tasks/debug/debug-application/determine-reason-pod-failure.md b/content/ja/docs/tasks/debug/debug-application/determine-reason-pod-failure.md
index 1fbdb763aad..8f9c9c361bf 100644
--- a/content/ja/docs/tasks/debug/debug-application/determine-reason-pod-failure.md
+++ b/content/ja/docs/tasks/debug/debug-application/determine-reason-pod-failure.md
@@ -1,6 +1,7 @@
 ---
 title: Pod障害の原因を特定する
 content_type: task
+weight: 30
 ---
 
 
diff --git a/content/ja/docs/tasks/inject-data-application/_index.md b/content/ja/docs/tasks/inject-data-application/_index.md
index a28c380a268..46e24f4ff88 100644
--- a/content/ja/docs/tasks/inject-data-application/_index.md
+++ b/content/ja/docs/tasks/inject-data-application/_index.md
@@ -1,5 +1,5 @@
 ---
 title: "アプリケーションへのデータ注入"
 description: ワークロードを実行するPodの構成とその他のデータを指定します。
-weight: 30
+weight: 70
 ---
diff --git a/content/ja/docs/tasks/job/_index.md b/content/ja/docs/tasks/job/_index.md
index bde073017bc..a8773cebf52 100644
--- a/content/ja/docs/tasks/job/_index.md
+++ b/content/ja/docs/tasks/job/_index.md
@@ -1,6 +1,6 @@
 ---
 title: "Jobの実行"
 description: 並列処理を使用してJobを実行します。
-weight: 50
+weight: 90
 ---
 
diff --git a/content/ja/docs/tasks/manage-kubernetes-objects/_index.md b/content/ja/docs/tasks/manage-kubernetes-objects/_index.md
index 16150cf3d77..09c10037431 100644
--- a/content/ja/docs/tasks/manage-kubernetes-objects/_index.md
+++ b/content/ja/docs/tasks/manage-kubernetes-objects/_index.md
@@ -1,5 +1,5 @@
 ---
 title: "Kubernetesオブジェクトの管理"
 description: Kubernetes APIと対話するための宣言型および命令型のパラダイム。
-weight: 25
+weight: 50
 ---
diff --git a/content/ja/docs/tasks/network/_index.md b/content/ja/docs/tasks/network/_index.md
index 1d5796f7b7d..09669b981b3 100644
--- a/content/ja/docs/tasks/network/_index.md
+++ b/content/ja/docs/tasks/network/_index.md
@@ -1,6 +1,6 @@
 ---
 title: "ネットワーク"
 description: クラスターのネットワークの設定方法を学びます。
-weight: 160
+weight: 140
 ---
 
diff --git a/content/ja/docs/tasks/run-application/_index.md b/content/ja/docs/tasks/run-application/_index.md
index 17d2339e7e1..fc1a4e9de90 100644
--- a/content/ja/docs/tasks/run-application/_index.md
+++ b/content/ja/docs/tasks/run-application/_index.md
@@ -1,6 +1,6 @@
 ---
 title: "アプリケーションの実行"
 description: ステートレスアプリケーションとステートフルアプリケーションの両方を実行および管理します。
-weight: 40
+weight: 80
 ---
 
diff --git a/content/ja/docs/tasks/tls/_index.md b/content/ja/docs/tasks/tls/_index.md
index 42234c709ea..11844cf63dc 100644
--- a/content/ja/docs/tasks/tls/_index.md
+++ b/content/ja/docs/tasks/tls/_index.md
@@ -1,6 +1,6 @@
 ---
 title: "TLS"
-weight: 100
+weight: 120
 description: Transport Layer Security(TLS)を使用して、クラスター内のトラフィックを保護する方法について理解します。
 ---
 

From 53641dfce9a0701acf7fa15b885669ba8f7d93b1 Mon Sep 17 00:00:00 2001
From: Sascha Grunert 
Date: Fri, 10 Mar 2023 08:24:11 +0100
Subject: [PATCH 116/272] [KEP-2731] Add docs for Kubelet OpenTelemetry Tracing
 graduation

Signed-off-by: Sascha Grunert 
---
 .../cluster-administration/system-traces.md   | 22 ++++++++++++++-----
 .../feature-gates.md                          |  3 ++-
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/content/en/docs/concepts/cluster-administration/system-traces.md b/content/en/docs/concepts/cluster-administration/system-traces.md
index e43def4436a..52cf194a882 100644
--- a/content/en/docs/concepts/cluster-administration/system-traces.md
+++ b/content/en/docs/concepts/cluster-administration/system-traces.md
@@ -76,7 +76,7 @@ For more information about the `TracingConfiguration` struct, see
 
 ### kubelet traces
 
-{{< feature-state for_k8s_version="v1.25" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
 The kubelet CRI interface and authenticated http servers are instrumented to generate
 trace spans. As with the apiserver, the endpoint and sampling rate are configurable.
@@ -86,10 +86,7 @@ Enabled without a configured endpoint, the default OpenTelemetry Collector recei
 
 #### Enabling tracing in the kubelet
 
-To enable tracing, enable the `KubeletTracing`
-[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-on the kubelet. Also, provide the kubelet with a
-[tracing configuration](https://github.com/kubernetes/component-base/blob/release-1.25/tracing/api/v1/types.go).
+To enable tracing, apply the [tracing configuration](https://github.com/kubernetes/component-base/blob/release-1.27/tracing/api/v1/types.go).
 This is an example snippet of a kubelet config that records spans for 1 in 10000 requests, and uses the default OpenTelemetry endpoint:
 
 ```yaml
@@ -103,6 +100,21 @@ tracing:
   samplingRatePerMillion: 100
 ```
 
+If the `samplingRatePerMillion` is set to one million (`1000000`), then every
+span will be sent to the exporter.
+
+The kubelet in Kubernetes v{{< skew currentVersion >}} collects spans from
+the garbage collection, pod synchronization routine as well as every gRPC
+method. Connected container runtimes like CRI-O and containerd can link the
+traces to their exported spans to provide additional context of information.
+
+Please note that exporting spans always comes with a small performance overhead
+on the networking and CPU side, depending on the overall configuration of the
+system. If there is any issue like that in a cluster which is running with
+tracing enabled, then mitigate the problem by either reducing the
+`samplingRatePerMillion` or disabling tracing completely by removing the
+configuration.
+
 ## Stability
 
 Tracing instrumentation is still under active development, and may change
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 9c31844ba18..898c623876a 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -131,7 +131,8 @@ For a reference to old feature gates that are removed, please refer to
 | `KubeletPodResourcesGetAllocatable` | `false` | Alpha | 1.21 | 1.22 |
 | `KubeletPodResourcesGetAllocatable` | `true` | Beta | 1.23 | |
 | `KubeletPodResourcesDynamicResources` | `false` | Alpha | 1.27 | |
-| `KubeletTracing` | `false` | Alpha | 1.25 | |
+| `KubeletTracing` | `false` | Alpha | 1.25 | 1.26 |
+| `KubeletTracing` | `true` | Beta | 1.27 | |
 | `LegacyServiceAccountTokenTracking` | `false` | Alpha | 1.26 | 1.26 |
 | `LegacyServiceAccountTokenTracking` | `true` | Beta | 1.27 | |
 | `LocalStorageCapacityIsolationFSQuotaMonitoring` | `false` | Alpha | 1.15 | - |

From 4e1b4f7f43a70cdb86cbcc439292cd0d7866c286 Mon Sep 17 00:00:00 2001
From: Kensei Nakada 
Date: Wed, 5 Apr 2023 21:56:27 +0900
Subject: [PATCH 117/272] fix based on the suggestion

---
 .../_posts/2023-04-11-topology-spread-features.md  | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/content/en/blog/_posts/2023-04-11-topology-spread-features.md b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
index bd908eece73..422e8dd2869 100644
--- a/content/en/blog/_posts/2023-04-11-topology-spread-features.md
+++ b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
@@ -11,11 +11,11 @@ evergreen: true
 In Kubernetes v1.19, [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) went to GA.
 It is the feature to control how Pods are spread to each failure-domain (regions, zones, nodes etc).
 
-As time passes, we've got further feedbacks from users,
-and we're actively working on improving the Topology Spread via three KEPs from v1.25.
-All of these features have reached beta in Kubernetes v1.27 and been enabled by default.
+As time passed, we received feedback from users,
+and, as a result, we're actively working on improving the Topology Spread feature via three KEPs.
+All of these features have reached beta in Kubernetes v1.27 and are enabled by default.
 
-This blog post is going to introduce each feature and the usecase/issue behind them.
+This blog post introduces each feature and the use case behind each of them.
 
 ## KEP-3022: min domains in Pod Topology Spread
 
@@ -27,8 +27,8 @@ Some users want to force spreading Pods over a minimum number of domains, and if
 Then, we introduced the `minDomains` parameter in the Pod Topology Spread. 
 Via `minDomains` parameter, you can define the minimum number of domains. 
 
-For example, there are 3 Nodes with the enough capacity, 
-and newly created replicaset has the following `topologySpreadConstraints` in template.
+For example, assume there are 3 Nodes with the enough capacity, 
+and a newly created replicaset has the following `topologySpreadConstraints` in template.
 
 ```yaml
 topologySpreadConstraints:
@@ -41,7 +41,7 @@ topologySpreadConstraints:
         foo: bar
 ```
 
-This case, 3 Pods will be scheduled to those 3 Nodes,
+In this case, 3 Pods will be scheduled to those 3 Nodes,
 but other 2 Pods from this replicaset will be unschedulable until more Nodes join the cluster.
 
 The cluster autoscaler provisions new Nodes based on these unschedulable Pods,

From e64805f21c3e750ec9cdba91cc1c25b2adcb876a Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Wed, 5 Apr 2023 21:33:11 +0800
Subject: [PATCH 118/272] sync determine-reason-pod-failure

sync determine-reason-pod-failure
---
 .../debug/debug-application/determine-reason-pod-failure.md   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/zh-cn/docs/tasks/debug/debug-application/determine-reason-pod-failure.md b/content/zh-cn/docs/tasks/debug/debug-application/determine-reason-pod-failure.md
index 697459bb065..ce1059ecac1 100644
--- a/content/zh-cn/docs/tasks/debug/debug-application/determine-reason-pod-failure.md
+++ b/content/zh-cn/docs/tasks/debug/debug-application/determine-reason-pod-failure.md
@@ -203,11 +203,11 @@ is empty and the container exited with an error. The log output is limited to
 * See the `terminationMessagePath` field in
   [Container](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#container-v1-core).
 * Learn about [retrieving logs](/docs/concepts/cluster-administration/logging/).
-* Learn about [Go templates](https://golang.org/pkg/text/template/).
+* Learn about [Go templates](https://pkg.go.dev/text/template).
 -->
 
 * 参考 [Container](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#container-v1-core)
   资源的 `terminationMessagePath` 字段。
 * 了解[检索日志](/zh-cn/docs/concepts/cluster-administration/logging/)。
-* 了解 [Go 模板](https://golang.org/pkg/text/template/)。
+* 了解 [Go 模板](https://pkg.go.dev/text/template)。
 

From 81482cfcef87e1c71a431ed140dd7006e3a63ea3 Mon Sep 17 00:00:00 2001
From: Alex Wang 
Date: Wed, 5 Apr 2023 22:59:17 +0800
Subject: [PATCH 119/272] blog: update content about matchLabelKeys

Signed-off-by: Alex Wang 
---
 .../2023-04-11-topology-spread-features.md    | 25 +++++++++++--------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/content/en/blog/_posts/2023-04-11-topology-spread-features.md b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
index 422e8dd2869..328017e2ffc 100644
--- a/content/en/blog/_posts/2023-04-11-topology-spread-features.md
+++ b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
@@ -93,18 +93,23 @@ this feature to beta and it was enabled by default since.
 
 ## KEP-3243: Respect PodTopologySpread after rolling upgrades
 
-Pod Topology Spread uses the fields `topologyKey` or `labelSelector` to identify the group of pods over which
-spreading will be calculated. But it applies to all pods in a Deployment irrespective of their owning
-ReplicaSet. As a result, when a new revision is rolled out, spreading will apply across pods from both the
-old and new ReplicaSets, and so by the time the new ReplicaSet is completely rolled out and the old one is
-rolled back, the actual spreading we are left with may not match expectations because the deleted pods from
-the older ReplicaSet will cause skewed distribution for the remaining pods.
+Pod Topology Spread uses the field `labelSelector` to identify the group of pods over which
+spreading will be calculated. When using topology spreading with Deployments, it is common
+practice to use the `labelSelector` of the Deployment as the `labelSelector` in the topology
+spread constraints. However, this implies that all pods of a Deployment are part of the spreading
+calculation, regardless of whether they belong to different revisions. As a result, when a new revision
+is rolled out, spreading will apply across pods from both the old and new ReplicaSets, and so by the
+time the new ReplicaSet is completely rolled out and the old one is rolled back, the actual spreading
+we are left with may not match expectations because the deleted pods from the older ReplicaSet will cause
+skewed distribution for the remaining pods. To avoid this problem, in the past users needed to add a
+revision label to Deployment and update it manually at each rolling upgrade (both the label on the
+podTemplate and the `labelSelector` in the `topologySpreadConstraints`).
 
-In order to solve this problem and to make more accurate decisions in scheduling, we added a new named
+To solve this problem once and for all, and to make more accurate decisions in scheduling, we added a new named
 `matchLabelKeys` to `topologySpreadConstraints`. `matchLabelKeys` is a list of pod label keys to select
-the pods over which spreading will be calculated. The keys are used to lookup values from the pod labels,
-those key-value labels are ANDed with `labelSelector` to select the group of existing pods over
-which spreading will be calculated for the incoming pod.
+the pods over which spreading will be calculated. The keys are used to lookup values from the labels of
+the Pod being scheduled, those key-value labels are ANDed with `labelSelector` to select the group of
+existing pods over which spreading will be calculated for the incoming pod.
 
 With `matchLabelKeys`, you don't need to update the `pod.spec` between different revisions.
 The controller/operator just needs to set different values to the same label key for different revisions.

From 01e5986d92d013948012c50027ce4d5b63eae1fc Mon Sep 17 00:00:00 2001
From: harshitasao 
Date: Wed, 5 Apr 2023 23:58:33 +0530
Subject: [PATCH 120/272] Added v1.27 Release blog

---
 .../_posts/2023-04-11-kubernetes-1.27-blog.md | 36 +++++++++----------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
index 7d933b4119d..1e6c5603314 100644
--- a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
+++ b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
@@ -31,17 +31,17 @@ Special thanks to [Britnee Laverack](https://www.instagram.com/artsyfie/) for cr
 ## Freeze `k8s.gcr.io` image registry
 
 Replacing the old image registry, [k8s.gcr.io](https://cloud.google.com/container-registry/) with [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io) which has been generally available for several months. The Kubernetes project created and runs the `registry.k8s.io` image registry, which is fully controlled by the community.
-This means that the old registry `k8s.gcr.io` will be frozen and no further images for Kubernetes and related subprojects will be pushed to the old registry. 
+This means that the old registry `k8s.gcr.io` will be frozen and no further images for Kubernetes and related sub-projects will be published to the old registry. 
 
-What does this change mean for contributors:
+What does this change mean for contributors?
 
-* If you are a maintainer of a subproject, you will need to update your manifests and Helm charts to use the new registry.
+* If you are a maintainer of a sub-project, you will need to update your manifests and Helm charts to use the new registry. For more information, checkout this [project](https://github.com/kubernetes-sigs/community-images).
 
-What does this change mean for end users:
+What does this change mean for end users?
 
-* This Kubernetes release will not be published to the old registry.
+* Kubernetes `v1.27` release will not be published to the `k8s.gcr.io` registry.
 
-* Patch releases for v1.24, v1.25, and v1.26 will no longer be published to the old registry after April. 
+* Patch releases for `v1.24`, `v1.25`, and `v1.26` will no longer be published to the old registry after April. 
 
 * Starting in v1.25, the default image registry has been set to `registry.k8s.io`. This value is overridable in kubeadm and kubelet but setting it to `k8s.gcr.io` will fail for new releases after April as they won’t be present in the old registry.
 
@@ -53,7 +53,7 @@ What does this change mean for end users:
 To use seccomp profile defaulting, you must run the kubelet with the `--seccomp-default` [command line flag](/docs/reference/command-line-tools-reference/kubelet) enabled for each node where you want to use it. 
 If enabled, the kubelet will use the `RuntimeDefault` seccomp profile by default, which is defined by the container runtime, instead of using the `Unconfined` (seccomp disabled) mode. The default profiles aim to provide a strong set of security defaults while preserving the functionality of the workload. It is possible that the default profiles differ between container runtimes and their release versions.
 
-You can find more detailed information about a possible upgrade and downgrade strategy in the related Kubernetes Enhancement Proposal (KEP): [Enable seccomp by default](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2413-seccomp-by-default).
+You can find detailed information about a possible upgrade and downgrade strategy in the related Kubernetes Enhancement Proposal (KEP): [Enable seccomp by default](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2413-seccomp-by-default).
 
 ## Mutable scheduling directives for Jobs graduates to GA
 
@@ -63,7 +63,7 @@ This feature allows updating a Job's scheduling directives before it starts, whi
 the ability to influence pod placement while at the same time offloading actual pod-to-node assignment to
 kube-scheduler. This is allowed only for suspended Jobs that have never been unsuspended before.
 The fields in a Job's pod template that can be updated are node affinity, node selector, tolerations, labels
-and annotations and [scheduling gates](/docs/concepts/scheduling-eviction/pod-scheduling-readiness/).
+,annotations, and [scheduling gates](/docs/concepts/scheduling-eviction/pod-scheduling-readiness/).
 Find more details in the KEP:
 [Allow updating scheduling directives of jobs](https://github.com/kubernetes/enhancements/tree/master/keps/sig-scheduling/2926-job-mutable-scheduling-directives).
 
@@ -76,32 +76,32 @@ This feature graduates to stable in this release. You can find more details in t
 
 ## Pod Scheduling Readiness goes to beta 
 
-Pods were considered ready for scheduling once created. Kubernetes scheduler does its due diligence to find nodes to place all pending Pods. However, in a real-world case, some Pods may stay in a _missing-essential-resources_ state for a long period. These Pods actually churn the scheduler (and downstream integrators like Cluster Autoscaler) in an unnecessary manner.
+Upon creation, Pods are ready for scheduling. Kubernetes scheduler does its due diligence to find nodes to place all pending Pods. However, in a real-world case, some Pods may stay in a _missing-essential-resources_ state for a long period. These Pods actually churn the scheduler (and downstream integrators like Cluster Autoscaler) in an unnecessary manner.
 
 By specifying/removing a Pod's `.spec.schedulingGates`, you can control when a Pod is ready to be considered for scheduling.
 
-The `schedulingGates` field contains a list of strings, and each string literal is perceived as a criteria that Pod should be satisfied before considered schedulable. This field can be initialized only when a Pod is created (either by the client, or mutated during admission). After creation, each schedulingGate can be removed in an arbitrary order, but addition of a new scheduling gate is disallowed.
+The `schedulingGates` field contains a list of strings, and each string literal is perceived as a criteria that must be satisfied before a Pod is considered schedulable. This field can be initialized only when a Pod is created (either by the client, or mutated during admission). After creation, each schedulingGate can be removed in an arbitrary order, but addition of a new scheduling gate is disallowed.
 
 ## Node log access via Kubernetes API
 
-This feature helps cluster administrators debug issues with services running on nodes by allowing them to query service logs. To use the feature, ensure that the `NodeLogQuery` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled for that node, and that the kubelet configuration options `enableSystemLogHandler` and `enableSystemLogQuery` are both set to true. 
+This feature helps cluster administrators debug issues with services running on nodes by allowing them to query service logs. To use this feature, ensure that the `NodeLogQuery` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled on that node, and that the kubelet configuration options `enableSystemLogHandler` and `enableSystemLogQuery` are both set to true. 
 On Linux, we assume that service logs are available via journald. On Windows, we assume that service logs are available in the application log provider. You can also fetch logs from the `/var/log/` and `C:\var\log` directories on Linux and Windows, respectively.
 
-A cluster administrator can try out this alpha feature on all their nodes, or on just a subset.
+A cluster administrator can try out this alpha feature across all nodes of their cluster, or on a subset of them.
 
 ## ReadWriteOncePod PersistentVolume access mode goes to beta 
 
-ReadWriteOncePod is a new access mode for [PersistentVolumes](/docs/concepts/storage/persistent-volumes/#persistent-volumes) (PVs) and [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) (PVCs) introduced in Kubernetes v1.22. This access mode enables you to restrict volume access to a single pod in the cluster, ensuring that only one pod can write to the volume at a time. This can be particularly useful for stateful workloads that require single-writer access to storage.
+Kuberentes `v1.22` introduced a new access mode `ReadWriteOncePod` for [PersistentVolumes](/docs/concepts/storage/persistent-volumes/#persistent-volumes) (PVs) and [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) (PVCs). This access mode enables you to restrict volume access to a single pod in the cluster, ensuring that only one pod can write to the volume at a time. This can be particularly useful for stateful workloads that require single-writer access to storage.
 
 The ReadWriteOncePod beta adds support for [scheduler preemption](/docs/concepts/scheduling-eviction/pod-priority-preemption/)
 of pods that use ReadWriteOncePod PVCs.
-Scheduler preemption allows higher-priority pods to preempt lower-priority pods, for example when a pod (A) with a ReadWriteOncePod PVC is scheduled, and if another pod (B) is found using the same PVC and pod (A) has higher priority, the scheduler will return an "Unschedulable" status and attempt to preempt pod (B).
+Scheduler preemption allows higher-priority pods to preempt lower-priority pods. For example when a pod (A) with a `ReadWriteOncePod` PVC is scheduled, if another pod (B) is found using the same PVC and pod (A) has higher priority, the scheduler will return an `Unschedulable` status and attempt to preempt pod (B).
 For more context, see the KEP: [ReadWriteOncePod PersistentVolume AccessMode](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2485-read-write-once-pod-pv-access-mode).
 
 
 ## Respect PodTopologySpread after rolling upgrades
 
-`matchLabelKeys` is a list of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the pod labels, those key-value labels are ANDed with `labelSelector` to select the group of existing pods over which spreading will be calculated for the incoming pod. Keys that don't exist in the pod labels will be ignored. A null or empty list means only match against the `labelSelector`.
+`matchLabelKeys` is a list of pod label keys used to select the pods over which spreading will be calculated. The keys are used to lookup values from the pod labels. Those key-value labels are ANDed with `labelSelector` to select the group of existing pods over which spreading will be calculated for the incoming pod. Keys that don't exist in the pod labels will be ignored. A null or empty list means only match against the `labelSelector`.
 
 With `matchLabelKeys`, users don't need to update the `pod.spec` between different revisions. The controller/operator just needs to set different values to the same `label` key for different revisions. The scheduler will assume the values automatically based on `matchLabelKeys`. For example, if users use Deployment, they can use the label keyed with `pod-template-hash`, which is added automatically by the Deployment controller, to distinguish between different revisions in a single Deployment.
 
@@ -125,7 +125,7 @@ Get more information on this from the KEP: [Speed up SELinux volume relabeling u
 
 This is a volume manager refactoring that allows the kubelet to populate additional information about how
 existing volumes are mounted during the kubelet startup. In general, this makes volume cleanup more robust. 
-By adding `NewVolumeManagerReconstruction` feature gate and enabling it by default will enhance the discovery of mounted volumes during kubelet startup.
+If you enable the `NewVolumeManagerReconstruction` feature gate on a node, you'll get enhanced discovery of mounted volumes during kubelet startup.
 
 Before Kubernetes v1.25, the kubelet used different default behavior for discovering mounted volumes during the kubelet startup. If you disable this feature gate (it's enabled by default), you select the legacy discovery behavior.
 
@@ -133,7 +133,7 @@ In Kubernetes v1.25 and v1.26, this behavior toggle was part of the `SELinuxMoun
 
 ## Mutable Pod Scheduling Directives goes to beta
 
-This allows mutating a pod that is blocked on a scheduling readiness gate with a more constrained node affinity/selector. It gives the ability to mutate a pods scheduling directives before it is allowed to be scheduled, and gives an external resource controller the ability to influence pod placement while at the same time offload actual pod-to-node assignment to kube-scheduler.
+This allows mutating a pod that is blocked on a scheduling readiness gate with a more constrained node affinity/selector. It gives the ability to mutate a pods scheduling directives before it is allowed to be scheduled and gives an external resource controller the ability to influence pod placement while at the same time offload actual pod-to-node assignment to kube-scheduler.
 
 This opens the door for a new pattern of adding scheduling features to Kubernetes.  Specifically, building lightweight schedulers that implement features not supported by kube-scheduler, while relying on the existing kube-scheduler to support all upstream features and handle the pod-to-node binding. This pattern should be the preferred one if the custom feature doesn't require implementing a schedule plugin, which entails re-building and maintaining a custom kube-scheduler binary.
 
@@ -181,7 +181,7 @@ Kubernetes v1.27 is available for download on [GitHub](https://github.com/kubern
  
 ## Release team
 
-Kubernetes is only possible with the support, commitment, and hard work of its community. Each release team is made up of dedicated community volunteers who work together to build the many pieces that make up the Kubernetes releases you rely on. This requires the specialized skills of people from all corners of our community, from the code itself to its documentation and project management.
+Kubernetes is only possible with the support, commitment, and hard work of its community. Each release team is made up of dedicated community volunteers who work together to build the many pieces that make up the Kubernetes releases you rely on. This requires people with specialised skills from all corners of our community, from the code itself to its documentation and project management.
 
 Special thanks to our Release Lead Xander Grzywinski for guiding us through a smooth and successful release cycle and to all members of the release team for supporting one another and working so hard to produce the v1.27 release for the community.
 

From e475112590fe2e8c2b09a4c1a50dc25f1af95344 Mon Sep 17 00:00:00 2001
From: Paco Xu 
Date: Thu, 6 Apr 2023 11:42:37 +0800
Subject: [PATCH 121/272] add memory qos

---
 .../en/docs/concepts/workloads/pods/pod-qos.md   | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/content/en/docs/concepts/workloads/pods/pod-qos.md b/content/en/docs/concepts/workloads/pods/pod-qos.md
index fa0385e11e6..d95b0815ad7 100644
--- a/content/en/docs/concepts/workloads/pods/pod-qos.md
+++ b/content/en/docs/concepts/workloads/pods/pod-qos.md
@@ -85,6 +85,22 @@ CPU limit or a CPU request.
 Containers in a Pod can request other resources (not CPU or memory) and still be classified as
 `BestEffort`.
 
+## Memory QoS with cgroup v2
+
+{{< feature-state for_k8s_version="v1.22" state="alpha" >}}
+
+Memory QoS uses the memory controller of cgroup v2 to guarantee memory resources in Kubernetes.
+Memory requests and limits of containers in pod are used to set specific interfaces `memory.min`
+and `memory.high` provided by the memory controller. When `memory.min` is set to memory requests,
+memory resources are reserved and never reclaimed by the kernel; this is how Memory QoS ensures
+memory availability for Kubernetes pods. And if memory limits are set in the container,
+this means that the system needs to limit container memory usage; Memory QoS uses `memory.high`
+to throttle workload approaching its memory limit, ensuring that the system is not overwhelmed
+by instantaneous memory allocation.
+
+Memory QoS relies on QoS class to determine which settings to apply; however, these are different
+mechanisms that both provide controls over quality of service.
+
 ## Some behavior is independent of QoS class {#class-independent-behavior}
 
 Certain behavior is independent of the QoS class assigned by Kubernetes. For example:

From a1419760642e99897ffec04010de197327b4c758 Mon Sep 17 00:00:00 2001
From: Kante Yin 
Date: Thu, 6 Apr 2023 14:49:15 +0800
Subject: [PATCH 122/272] Address the comment about NodeInclusionPolicy

Signed-off-by: Kante Yin 
---
 .../2023-04-11-topology-spread-features.md    | 41 ++++++++++---------
 1 file changed, 21 insertions(+), 20 deletions(-)

diff --git a/content/en/blog/_posts/2023-04-11-topology-spread-features.md b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
index 328017e2ffc..44e27aaeb18 100644
--- a/content/en/blog/_posts/2023-04-11-topology-spread-features.md
+++ b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
@@ -19,15 +19,15 @@ This blog post introduces each feature and the use case behind each of them.
 
 ## KEP-3022: min domains in Pod Topology Spread
 
-Pod Topology Spread has the `maxSkew` parameter to define the degree to which Pods may be unevenly distributed. 
+Pod Topology Spread has the `maxSkew` parameter to define the degree to which Pods may be unevenly distributed.
 
-But, there wasn't a way to control the number of domains over which we should spread. 
+But, there wasn't a way to control the number of domains over which we should spread.
 Some users want to force spreading Pods over a minimum number of domains, and if there aren't enough already present, make the cluster-autoscaler provision them.
 
-Then, we introduced the `minDomains` parameter in the Pod Topology Spread. 
-Via `minDomains` parameter, you can define the minimum number of domains. 
+Then, we introduced the `minDomains` parameter in the Pod Topology Spread.
+Via `minDomains` parameter, you can define the minimum number of domains.
 
-For example, assume there are 3 Nodes with the enough capacity, 
+For example, assume there are 3 Nodes with the enough capacity,
 and a newly created replicaset has the following `topologySpreadConstraints` in template.
 
 ```yaml
@@ -35,7 +35,7 @@ topologySpreadConstraints:
 - maxSkew: 1
   minDomains: 5 # requires 5 Nodes at least.
   whenUnsatisfiable: DoNotSchedule # minDomains is valid only when DoNotSchedule is used.
-  topologyKey: kubernetes.io/hostname 
+  topologyKey: kubernetes.io/hostname
   labelSelector:
     matchLabels:
         foo: bar
@@ -49,15 +49,16 @@ and as a result, the replicas are finally spread over 5 Nodes.
 
 ## KEP-3094: Take taints/tolerations into consideration when calculating PodTopologySpread skew
 
-Before this, when we deploy a pod with `podTopologySpread` configured, we'll take all
-affinity nodes(satisfied with pod nodeAffinity and nodeSelector) into consideration
-in filtering and scoring, but a node with pod untolerated taint may also be a candidate
-because we didn't take care of node taints, which will lead to the pod pending.
+Before this enhancement, when you deploy a pod with `podTopologySpread` configured, kube-scheduler would
+take all inclined nodes(satisfied with pod nodeAffinity and nodeSelector) into consideration
+in filtering and scoring, but would not care about whether the node taints are tolerated by the incoming pod or not.
+This may lead to a node with untolerated taint best fit the pod in podTopologySpread plugin, and as a result,
+the pod will stuck in pending for it violates the nodeTaint plugin.
 
-To avoid this and make a more fine-gained decision in scheduling, we introduced two new fields in
-`TopologySpreadConstraint` to define node inclusion policies including nodeAffinity and nodeTaint.
+ To allow more fine-gained decisions about which Nodes to account for when calculating spreading skew, we introduced
+ two new fields in `TopologySpreadConstraint` to define node inclusion policies including nodeAffinity and nodeTaint.
 
-It mostly looks like:
+A manifest that applies these policies looks like the following:
 
 ```yaml
 apiVersion: v1
@@ -75,17 +76,17 @@ spec:
 ```
 
 **nodeAffinityPolicy** indicates how we'll treat Pod's nodeAffinity/nodeSelector in pod topology spreading.
-If `Honor`, we'll filter out nodes not matching nodeAffinity/nodeSelector in calculation.
-If `Ignore`, these nodes will be included instead.
+If `Honor`, kube-scheduler will filter out nodes not matching nodeAffinity/nodeSelector in the calculation of spreading skew.
+If `Ignore`, all nodes will be included, regardless of whether they match the Pod's nodeAffinity/nodeSelector or not.
 
-For backwards-compatibility, nodeAffinityPolicy is default to `Honor`.
+For backwards-compatibility, nodeAffinityPolicy defaults to `Honor`.
 
 **nodeTaintsPolicy** indicates how we'll treat node taints in pod topology spreading.
-If `Honor`, only tainted nodes for which the incoming pod has a toleration, will be included in calculation.
-If `Ignore`, we'll not consider the node taints at all in calculation, so a node with pod untolerated taint
-will also be included.
+If `Honor`, only tainted nodes for which the incoming pod has a toleration, will be included in the calculation of spreading skew.
+If `Ignore`, kube-scheduler will not consider the node taints at all in the calculation of spreading skew, so a node with
+pod untolerated taint will also be included.
 
-For backwards-compatibility, nodeTaintsPolicy is default to the `Ignore`.
+For backwards-compatibility, nodeTaintsPolicy defaults to the `Ignore`.
 
 The feature was introduced in v1.25 as alpha level. By default, it was disabled, so if you want to use this feature in v1.25,
 you have to enable the feature gate `NodeInclusionPolicyInPodTopologySpread` actively. In the following v1.26, we graduated

From 5c70b42c21e57196dc7ccfd3b552031f84e0849a Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Thu, 6 Apr 2023 18:24:52 +0800
Subject: [PATCH 123/272] sync garbage-collection

sync garbage-collection
---
 .../zh-cn/docs/concepts/architecture/garbage-collection.md    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/zh-cn/docs/concepts/architecture/garbage-collection.md b/content/zh-cn/docs/concepts/architecture/garbage-collection.md
index 4c18685ec23..bcde52e62a4 100644
--- a/content/zh-cn/docs/concepts/architecture/garbage-collection.md
+++ b/content/zh-cn/docs/concepts/architecture/garbage-collection.md
@@ -351,9 +351,9 @@ configure garbage collection:
 
 * 进一步了解 [Kubernetes 对象的属主关系](/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents/)。
 * 进一步了解 Kubernetes [finalizers](/zh-cn/docs/concepts/overview/working-with-objects/finalizers/)。
-* 进一步了解 [TTL 控制器](/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished/) (Beta),
+* 进一步了解 [TTL 控制器](/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished/),
   该控制器负责清理已完成的 Job。

From 1c376d1b74a0c811b62edabe7a8e1ed6fee24845 Mon Sep 17 00:00:00 2001
From: harshitasao 
Date: Thu, 6 Apr 2023 20:38:47 +0530
Subject: [PATCH 124/272] some nits

---
 content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
index 1e6c5603314..5969990535a 100644
--- a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
+++ b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
@@ -48,7 +48,7 @@ What does this change mean for end users?
 * If you want to increase the reliability of your cluster and remove dependency on the community-owned registry or you are running Kubernetes in networks where external traffic is restricted, you should consider hosting local image registry mirrors. Some cloud vendors may offer hosted solutions for this.
 
 
-## SeccompDefault graduates to stable
+## `SeccompDefault` graduates to stable
 
 To use seccomp profile defaulting, you must run the kubelet with the `--seccomp-default` [command line flag](/docs/reference/command-line-tools-reference/kubelet) enabled for each node where you want to use it. 
 If enabled, the kubelet will use the `RuntimeDefault` seccomp profile by default, which is defined by the container runtime, instead of using the `Unconfined` (seccomp disabled) mode. The default profiles aim to provide a strong set of security defaults while preserving the functionality of the workload. It is possible that the default profiles differ between container runtimes and their release versions.

From a601eb520f9ada4846875daf13e06df59ed8a3fe Mon Sep 17 00:00:00 2001
From: Nate W 
Date: Thu, 6 Apr 2023 10:42:49 -0700
Subject: [PATCH 125/272] Update schedule.yaml. Updated with correct 1.27.1
 patch and cherry pick dates

Signed-off-by: Nate W 
---
 data/releases/schedule.yaml | 66 +++++++------------------------------
 1 file changed, 12 insertions(+), 54 deletions(-)

diff --git a/data/releases/schedule.yaml b/data/releases/schedule.yaml
index 16f1526065f..19ce450ae92 100644
--- a/data/releases/schedule.yaml
+++ b/data/releases/schedule.yaml
@@ -1,4 +1,16 @@
 schedules:
+- release: 1.27
+  releaseDate: 2024-04-11
+  maintenanceModeStartDate: 2024-04-28
+  endOfLifeDate: 2024-06-28
+  next:
+    release: 1.27.1
+    cherryPickDeadline: 2023-04-07
+    targetDate: 2023-04-12
+  previousPatches:
+    - release: 1.27.0
+      cherryPickDeadline: ""
+      targetDate: 2023-04-11
 - release: 1.26
   releaseDate: 2022-12-09
   maintenanceModeStartDate: 2023-12-28
@@ -64,57 +76,3 @@ schedules:
     - release: 1.25.0
       cherryPickDeadline: ""
       targetDate: 2022-08-23
-- release: 1.24
-  releaseDate: 2022-05-03
-  maintenanceModeStartDate: 2023-05-28
-  endOfLifeDate: 2023-07-28
-  next:
-    release: 1.24.13
-    cherryPickDeadline: 2023-04-07
-    targetDate: 2023-04-12
-  previousPatches:
-    - release: 1.24.12
-      cherryPickDeadline: 2023-03-10
-      targetDate: 2023-03-15
-    - release: 1.24.11
-      cherryPickDeadline: 2023-02-10
-      targetDate: 2023-02-15
-      note: >-
-        [Some container images might be **unsigned** due to a temporary issue with the promotion process](https://groups.google.com/a/kubernetes.io/g/dev/c/MwSx761slM0/m/4ajkeUl0AQAJ)
-    - release: 1.24.10
-      cherryPickDeadline: 2023-01-13
-      targetDate: 2023-01-18
-    - release: 1.24.9
-      cherryPickDeadline: 2022-12-02
-      targetDate: 2022-12-08
-    - release: 1.24.8
-      cherryPickDeadline: 2022-11-04
-      targetDate: 2022-11-09
-    - release: 1.24.7
-      cherryPickDeadline: 2022-10-07
-      targetDate: 2022-10-12
-    - release: 1.24.6
-      cherryPickDeadline: 2022-09-20
-      targetDate: 2022-09-21
-      note: >-
-        [Out-of-Band release to fix the regression introduced in 1.24.5](https://groups.google.com/a/kubernetes.io/g/dev/c/tA6LNOQTR4Q/m/zL73maPTAQAJ)
-    - release: 1.24.5
-      cherryPickDeadline: 2022-09-09
-      targetDate: 2022-09-14
-      note: >-
-        [Regression](https://groups.google.com/a/kubernetes.io/g/dev/c/tA6LNOQTR4Q/m/zL73maPTAQAJ)
-    - release: 1.24.4
-      cherryPickDeadline: 2022-08-12
-      targetDate: 2022-08-17
-    - release: 1.24.3
-      cherryPickDeadline: 2022-07-08
-      targetDate: 2022-07-13
-    - release: 1.24.2
-      cherryPickDeadline: 2022-06-10
-      targetDate: 2022-06-15
-    - release: 1.24.1
-      cherryPickDeadline: 2022-05-20
-      targetDate: 2022-05-24
-    - release: 1.24.0
-      cherryPickDeadline: ""
-      targetDate: 2022-05-03

From 4b91b4abde1fb9fad6c0a92d848a85abf9e9091a Mon Sep 17 00:00:00 2001
From: harshitasao 
Date: Fri, 7 Apr 2023 00:20:03 +0530
Subject: [PATCH 126/272] added release webinar date and time

---
 content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
index 5969990535a..128c03ceac4 100644
--- a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
+++ b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
@@ -198,7 +198,7 @@ In the v1.27 release cycle, which [ran for 14 weeks](https://github.com/kubernet
 
 ## Upcoming release webinar
 
-Join members of the Kubernetes v1.27 release team on  to learn about the major features of this release, as well as deprecations and removals to help plan for upgrades. For more information and registration, visit the [event page](#) on the CNCF Online Programs site.
+Join members of the Kubernetes v1.27 release team on Friday, April 14, 2023, at 10 a.m. PDT to learn about the major features of this release, as well as deprecations and removals to help plan for upgrades. For more information and registration, visit the [event page](https://community.cncf.io/events/details/cncf-cncf-online-programs-presents-cncf-live-webinar-kubernetes-v127-release/) on the CNCF Online Programs site.
 
 ## Get Involved
 

From 249dfc0d1cdd74517400aa78f72d289ed1b02fbc Mon Sep 17 00:00:00 2001
From: Arhell 
Date: Fri, 7 Apr 2023 00:27:31 +0300
Subject: [PATCH 127/272] [id] Updated kubectl describe svc output

---
 .../services-networking/connect-applications-service.md       | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/content/id/docs/concepts/services-networking/connect-applications-service.md b/content/id/docs/concepts/services-networking/connect-applications-service.md
index f2264ed9aa6..5fcd5593b34 100644
--- a/content/id/docs/concepts/services-networking/connect-applications-service.md
+++ b/content/id/docs/concepts/services-networking/connect-applications-service.md
@@ -93,8 +93,12 @@ Labels:              run=my-nginx
 Annotations:         
 Selector:            run=my-nginx
 Type:                ClusterIP
+IP Family Policy:    SingleStack
+IP Families:         IPv4
 IP:                  10.0.162.149
+IPs:                 10.0.162.149
 Port:                 80/TCP
+TargetPort:          80/TCP
 Endpoints:           10.244.2.5:80,10.244.3.4:80
 Session Affinity:    None
 Events:              

From ae626b96c61d9e397d98b140853e2fff149cbb0f Mon Sep 17 00:00:00 2001
From: Kensei Nakada 
Date: Fri, 7 Apr 2023 08:54:39 +0900
Subject: [PATCH 128/272] fix based on reviews

---
 .../_posts/2023-04-11-topology-spread-features.md    | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/content/en/blog/_posts/2023-04-11-topology-spread-features.md b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
index 44e27aaeb18..f8fa99cdc5c 100644
--- a/content/en/blog/_posts/2023-04-11-topology-spread-features.md
+++ b/content/en/blog/_posts/2023-04-11-topology-spread-features.md
@@ -9,7 +9,7 @@ evergreen: true
 **Authors:** [Alex Wang](https://github.com/denkensk)(Shopee), [Kante Yin](https://github.com/kerthcet)(DaoCloud), [Kensei Nakada](https://github.com/sanposhiho)(Mercari)
 
 In Kubernetes v1.19, [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) went to GA.
-It is the feature to control how Pods are spread to each failure-domain (regions, zones, nodes etc).
+It is the feature to control how Pods are spread in the cluster topology or failure domains (regions, zones, nodes etc).
 
 As time passed, we received feedback from users,
 and, as a result, we're actively working on improving the Topology Spread feature via three KEPs.
@@ -50,10 +50,10 @@ and as a result, the replicas are finally spread over 5 Nodes.
 ## KEP-3094: Take taints/tolerations into consideration when calculating PodTopologySpread skew
 
 Before this enhancement, when you deploy a pod with `podTopologySpread` configured, kube-scheduler would
-take all inclined nodes(satisfied with pod nodeAffinity and nodeSelector) into consideration
+take the Nodes that satisfy the Pod's nodeAffinity and nodeSelector into consideration
 in filtering and scoring, but would not care about whether the node taints are tolerated by the incoming pod or not.
-This may lead to a node with untolerated taint best fit the pod in podTopologySpread plugin, and as a result,
-the pod will stuck in pending for it violates the nodeTaint plugin.
+This may lead to a node with untolerated taint as the only candidate for spreading, and as a result,
+the pod will stuck in Pending if it doesn't tolerate the taint.
 
  To allow more fine-gained decisions about which Nodes to account for when calculating spreading skew, we introduced
  two new fields in `TopologySpreadConstraint` to define node inclusion policies including nodeAffinity and nodeTaint.
@@ -106,14 +106,14 @@ skewed distribution for the remaining pods. To avoid this problem, in the past u
 revision label to Deployment and update it manually at each rolling upgrade (both the label on the
 podTemplate and the `labelSelector` in the `topologySpreadConstraints`).
 
-To solve this problem once and for all, and to make more accurate decisions in scheduling, we added a new named
+To solve this problem with a simpler API, we added a new field named
 `matchLabelKeys` to `topologySpreadConstraints`. `matchLabelKeys` is a list of pod label keys to select
 the pods over which spreading will be calculated. The keys are used to lookup values from the labels of
 the Pod being scheduled, those key-value labels are ANDed with `labelSelector` to select the group of
 existing pods over which spreading will be calculated for the incoming pod.
 
 With `matchLabelKeys`, you don't need to update the `pod.spec` between different revisions.
-The controller/operator just needs to set different values to the same label key for different revisions.
+The controller or operator managing rollouts just needs to set different values to the same label key for different revisions.
 The scheduler will assume the values automatically based on `matchLabelKeys`.
 For example, if you are configuring a Deployment, you can use the label keyed with
 [pod-template-hash](https://kubernetes.io//docs/concepts/workloads/controllers/deployment/#pod-template-hash-label),

From 43f5b0cd1a76f128d996965a0e0848660fbb6fb1 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Wed, 5 Apr 2023 21:44:11 +0800
Subject: [PATCH 129/272] sync rbac

sync rbac
---
 .../docs/reference/access-authn-authz/rbac.md | 64 +++++++++++--------
 1 file changed, 36 insertions(+), 28 deletions(-)

diff --git a/content/zh-cn/docs/reference/access-authn-authz/rbac.md b/content/zh-cn/docs/reference/access-authn-authz/rbac.md
index 482be53b4dc..604af3ea733 100644
--- a/content/zh-cn/docs/reference/access-authn-authz/rbac.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/rbac.md
@@ -431,19 +431,19 @@ There are two reasons for this restriction:
 
 
 1. 将 `roleRef` 设置为不可以改变,这使得可以为用户授予对现有绑定对象的 `update` 权限,
    这样可以让他们管理主体列表,同时不能更改被授予这些主体的角色。
 
 
 2. 针对不同角色的绑定是完全不一样的绑定。要求通过删除/重建绑定来更改 `roleRef`,
    这样可以确保要赋予绑定的所有主体会被授予新的角色(而不是在允许或者不小心修改了
@@ -559,17 +559,19 @@ For example, `kubectl get configmaps --field-selector=metadata.name=my-configmap
 {{< /note >}}
 
 
-使用通配符 `*` 可以批量引用所有的 `resources` 和 `verbs` 对象,无需逐一引用。
-对于 `nonResourceURLs`,可以将通配符 `*` 作为后缀实现全局通配,
-对于 `apiGroups` 和 `resourceNames`,空集表示没有任何限制。
-下面的示例允许对所有当前和未来资源执行所有动作(注意,这类似于内置的 `cluster-admin`)。
+你可愈使用通配符 `*` 可以批量引用所有的 `resources`、`apiGroups` 和 `verbs` 对象, 无需逐一引用。
+对于 `nonResourceURLs`,你可以将通配符 `*` 作为后缀实现全局通配,
+对于 `resourceNames`,空集表示没有任何限制。
+下面的示例对 `example.com` API 组中所有当前和未来资源执行所有动作。
+这类似于内置的 `cluster-admin`。
 
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -585,14 +587,13 @@ rules:
 
 {{< caution >}}
 
 在 resources 和 verbs 条目中使用通配符会为敏感资源授予过多的访问权限。
 例如,如果添加了新的资源类型、新的子资源或新的自定义动词,
@@ -953,7 +954,7 @@ Subjects can be groups, users or
 
 Kubernetes represents usernames as strings.
 These can be: plain names, such as "alice"; email-style names, like "bob@example.com";
-or numeric user IDs represented as a string.  It is up to you as a cluster administrator
+or numeric user IDs represented as a string. It is up to you as a cluster administrator
 to configure the [authentication modules](/docs/reference/access-authn-authz/authentication/)
 so that authentication produces usernames in the format you want.
 -->
@@ -1168,7 +1169,10 @@ Auto-reconciliation is enabled by default if the RBAC authorizer is active.
 
@@ -1717,8 +1721,9 @@ RBAC API 会阻止用户通过编辑角色或者角色绑定来提升权限。
 You can only create/update a role if at least one of the following things is true:
 
 1. You already have all the permissions contained in the role, at the same scope as the object being modified
-(cluster-wide for a ClusterRole, within the same namespace or cluster-wide for a Role).
-2. You are granted explicit permission to perform the `escalate` verb on the `roles` or `clusterroles` resource in the `rbac.authorization.k8s.io` API group.
+   (cluster-wide for a ClusterRole, within the same namespace or cluster-wide for a Role).
+2. You are granted explicit permission to perform the `escalate` verb on the `roles` or
+   `clusterroles` resource in the `rbac.authorization.k8s.io` API group.
 -->
 ### 对角色创建或更新的限制 {#restrictions-on-role-creation-or-update}
 
@@ -1735,8 +1740,11 @@ containing that permission. To allow a user to create/update roles:
 
 1. Grant them a role that allows them to create/update Role or ClusterRole objects, as desired.
 2. Grant them permission to include specific permissions in the roles they create/update:
-    * implicitly, by giving them those permissions (if they attempt to create or modify a Role or ClusterRole with permissions they themselves have not been granted, the API request will be forbidden)
-    * or explicitly allow specifying any permission in a `Role` or `ClusterRole` by giving them permission to perform the `escalate` verb on `roles` or `clusterroles` resources in the `rbac.authorization.k8s.io` API group
+    * implicitly, by giving them those permissions (if they attempt to create or modify a Role or
+     ClusterRole with permissions they themselves have not been granted, the API request will be forbidden)
+    * or explicitly allow specifying any permission in a `Role` or `ClusterRole` by giving them
+     permission to perform the `escalate` verb on `roles` or `clusterroles` resources in the
+     `rbac.authorization.k8s.io` API group
 -->
 例如,如果 `user-1` 没有列举集群范围所有 Secret 的权限,他将不能创建包含该权限的 ClusterRole。
 若要允许用户创建/更新角色:

From 4343803804c9b2eb541eb82f3d5fafa0d9a8ecb3 Mon Sep 17 00:00:00 2001
From: Swati Sehgal 
Date: Fri, 7 Apr 2023 06:51:14 +0530
Subject: [PATCH 130/272] node: topologymgr: docs: Kubelet Topology Manager
 graduation to GA (#40044)

* node: topologymgr: docs: Kubelet Topology Manager graduation to GA

Signed-off-by: Swati Sehgal 

* Update content/en/docs/reference/command-line-tools-reference/feature-gates.md

---------

Signed-off-by: Swati Sehgal 
Co-authored-by: Qiming Teng 
---
 .../command-line-tools-reference/feature-gates.md         | 5 +++--
 .../en/docs/tasks/administer-cluster/topology-manager.md  | 8 +-------
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 898c623876a..8441f0bc186 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -206,8 +206,6 @@ For a reference to old feature gates that are removed, please refer to
 | `TopologyAwareHints` | `false` | Alpha | 1.21 | 1.22 |
 | `TopologyAwareHints` | `false` | Beta | 1.23 | 1.23 |
 | `TopologyAwareHints` | `true` | Beta | 1.24 | |
-| `TopologyManager` | `false` | Alpha | 1.16 | 1.17 |
-| `TopologyManager` | `true` | Beta | 1.18 | |
 | `TopologyManagerPolicyAlphaOptions` | `false` | Alpha | 1.26 | |
 | `TopologyManagerPolicyBetaOptions` | `false` | Beta | 1.26 | |
 | `TopologyManagerPolicyOptions` | `false` | Alpha | 1.26 | |
@@ -348,6 +346,9 @@ For a reference to old feature gates that are removed, please refer to
 | `StatefulSetMinReadySeconds` | `false` | Alpha | 1.22 | 1.22 |
 | `StatefulSetMinReadySeconds` | `true` | Beta | 1.23 | 1.24 |
 | `StatefulSetMinReadySeconds` | `true` | GA | 1.25 | - |
+| `TopologyManager` | `false` | Alpha | 1.16 | 1.17 |
+| `TopologyManager` | `true` | Beta | 1.18 | 1.26 |
+| `TopologyManager` | `true` | GA | 1.27 | - |
 | `WatchBookmark` | `false` | Alpha | 1.15 | 1.15 |
 | `WatchBookmark` | `true` | Beta | 1.16 | 1.16 |
 | `WatchBookmark` | `true` | GA | 1.17 | - |
diff --git a/content/en/docs/tasks/administer-cluster/topology-manager.md b/content/en/docs/tasks/administer-cluster/topology-manager.md
index 7dac6b42562..7d06ebe14c8 100644
--- a/content/en/docs/tasks/administer-cluster/topology-manager.md
+++ b/content/en/docs/tasks/administer-cluster/topology-manager.md
@@ -15,7 +15,7 @@ weight: 150
 
 
 
-{{< feature-state state="beta" for_k8s_version="v1.18" >}}
+{{< feature-state state="stable" for_k8s_version="v1.27" >}}
 
 An increasing number of systems leverage a combination of CPUs and hardware accelerators to
 support latency-critical execution and high-throughput parallel computation. These include
@@ -60,12 +60,6 @@ the pod can be accepted or rejected from the node based on the selected hint.
 The hint is then stored in the Topology Manager for use by the *Hint Providers* when making the
 resource allocation decisions.
 
-### Enable the Topology Manager feature
-
-Support for the Topology Manager requires `TopologyManager`
-[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) to be enabled.
-It is enabled by default starting with Kubernetes 1.18.
-
 ## Topology Manager Scopes and Policies
 
 The Topology Manager currently:

From b15fe215660258f9efcbffc7302ec4044e5bb23b Mon Sep 17 00:00:00 2001
From: windsonsea 
Date: Thu, 23 Mar 2023 23:38:25 +0800
Subject: [PATCH 131/272] [zh] sync /workloads/pods/pod-qos.md

---
 .../docs/concepts/workloads/pods/pod-qos.md   | 213 ++++++++++++++++++
 1 file changed, 213 insertions(+)
 create mode 100644 content/zh-cn/docs/concepts/workloads/pods/pod-qos.md

diff --git a/content/zh-cn/docs/concepts/workloads/pods/pod-qos.md b/content/zh-cn/docs/concepts/workloads/pods/pod-qos.md
new file mode 100644
index 00000000000..10647dfc16f
--- /dev/null
+++ b/content/zh-cn/docs/concepts/workloads/pods/pod-qos.md
@@ -0,0 +1,213 @@
+---
+title: Pod QoS 类
+content_type: concept
+weight: 85
+---
+
+
+
+
+
+本页介绍 Kubernetes 中的 **服务质量(Quality of Service,QoS)** 类,
+阐述 Kubernetes 如何根据为 Pod 中的容器指定的资源约束为每个 Pod 设置 QoS 类。
+Kubernetes 依赖这种分类来决定当 Node 上没有足够可用资源时要驱逐哪些 Pod。
+
+
+
+
+## QoS 类   {#qos-class}
+
+
+Kubernetes 对你运行的 Pod 进行分类,并将每个 Pod 分配到特定的 **QoS 类**中。
+Kubernetes 使用这种分类来影响不同 Pod 被处理的方式。Kubernetes 基于 Pod
+中{{< glossary_tooltip text="容器" term_id="container" >}}的[资源请求](/zh-cn/docs/concepts/configuration/manage-resources-containers/)进行分类,
+同时确定这些请求如何与资源限制相关。
+这称为{{< glossary_tooltip text="服务质量" term_id="qos-class" >}} (QoS) 类。
+Kubernetes 基于每个 Pod 中容器的资源请求和限制为 Pod 设置 QoS 类。Kubernetes 使用 QoS
+类来决定从遇到[节点压力](/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/)的
+Node 中驱逐哪些 Pod。可选的 QoS 类有 `Guaranteed`、`Burstable` 和 `BestEffort`。
+当一个 Node 耗尽资源时,Kubernetes 将首先驱逐在该 Node 上运行的 `BestEffort` Pod,
+然后是 `Burstable` Pod,最后是 `Guaranteed` Pod。当这种驱逐是由于资源压力时,
+只有超出资源请求的 Pod 才是被驱逐的候选对象。
+
+### Guaranteed
+
+
+`Guaranteed` Pod 具有最严格的资源限制,并且最不可能面临驱逐。
+在这些 Pod 超过其自身的限制或者从 Node 上没有可以抢占的低优先级 Pod 之前,
+这些 Pod 保证不会被杀死。这些 Pod 不可以获得超出其指定 limit 的资源。这些 Pod 也可以使用
+[`static`](/zh-cn/docs/tasks/administer-cluster/cpu-management-policies/#static-policy)
+CPU 管理策略来使用独占的 CPU。
+
+
+#### 判据
+
+Pod 被赋予 `Guaranteed` QoS 类的几个判据:
+
+
+* Pod 中的每个容器必须有内存 limit 和内存 request。
+* 对于 Pod 中的每个容器,内存 limit 必须等于内存 request。
+* Pod 中的每个容器必须有 CPU limit 和 CPU request。
+* 对于 Pod 中的每个容器,CPU limit 必须等于 CPU request。
+
+### Burstable
+
+
+`Burstable` Pod 有一些基于 request 的资源下限保证,但不需要特定的 limit。
+如果未指定 limit,则默认为其 limit 等于 Node 容量,这允许 Pod 在资源可用时灵活地增加其资源。
+在由于 Node 资源压力导致 Pod 被驱逐的情况下,只有在所有 `BestEffort` Pod 被驱逐后
+这些 Pod 才会被驱逐。因为 `Burstable` Pod 可以包括没有资源 limit 或资源 request 的容器,
+所以 `Burstable` Pod 可以尝试使用任意数量的节点资源。
+
+
+#### 判据
+
+Pod 被赋予 `Burstable` QoS 类的几个判据:
+
+* Pod 不满足针对 QoS 类 `Guaranteed` 的判据。
+* Pod 中至少一个容器有内存或 CPU request 或 limit。
+
+### BestEffort
+
+
+`BestEffort` QoS 类中的 Pod 可以使用未专门分配给其他 QoS 类中的 Pod 的节点资源。
+例如若你有一个节点有 16 核 CPU 可供 kubelet 使用,并且你将 4 核 CPU 分配给一个 `Guaranteed` Pod,
+那么 `BestEffort` QoS 类中的 Pod 可以尝试任意使用剩余的 12 核 CPU。
+
+如果节点遇到资源压力,kubelet 将优先驱逐 `BestEffort` Pod。
+
+
+#### 判据
+
+如果 Pod 不满足 `Guaranteed` 或 `Burstable` 的判据,则它的 QoS 类为 `BestEffort`。
+换言之,只有当 Pod 中的所有容器没有内存 limit 或内存 request,也没有 CPU limit 或
+CPU request 时,Pod 才是 `BestEffort`。Pod 中的容器可以请求(除 CPU 或内存之外的)
+其他资源并且仍然被归类为 `BestEffort`。
+
+
+## 某些行为独立于 QoS 类 {#class-independent-behavior}
+
+某些行为独立于 Kubernetes 分配的 QoS 类。例如:
+
+
+* 所有超过资源 limit 的容器都将被 kubelet 杀死并重启,而不会影响该 Pod 中的其他容器。
+* 如果一个容器超出了自身的资源 request,且该容器运行的节点面临资源压力,则该容器所在的 Pod
+  就会成为被[驱逐](/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/)的候选对象。
+  如果出现这种情况,Pod 中的所有容器都将被终止。Kubernetes 通常会在不同的节点上创建一个替代的 Pod。
+
+* Pod 的资源 request 等于其成员容器的资源 request 之和,Pod 的资源 limit 等于其组成容器的资源 limit 之和。
+* kube-scheduler 在选择要[抢占](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/#preemption)的
+  Pod 时不考虑 QoS 类。当集群没有足够的资源来运行你所定义的所有 Pod 时,就会发生抢占。
+
+## {{% heading "whatsnext" %}}
+
+
+* 进一步了解[为 Pod 和容器管理资源](/zh-cn/docs/concepts/configuration/manage-resources-containers/)。
+* 进一步了解[节点压力驱逐](/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/)。
+* 进一步了解 [Pod 优先级和抢占](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)。
+* 进一步了解 [Pod 干扰](/zh-cn/docs/concepts/workloads/pods/disruptions/)。
+* 进一步了解如何[为容器和 Pod 分配内存资源](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/)。
+* 进一步了解如何[为容器和 Pod 分配 CPU 资源](/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/)。
+* 进一步了解如何[配置 Pod 的服务质量](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)。

From b8651be9c2e8dc42a6825a752d4cbfb904bdbf1d Mon Sep 17 00:00:00 2001
From: Madhav Jivrajani 
Date: Tue, 7 Mar 2023 10:22:43 +0530
Subject: [PATCH 132/272] reference/kubectl: Update docs for moving feaature to
 beta

Signed-off-by: Madhav Jivrajani 
---
 content/en/docs/reference/kubectl/conventions.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/content/en/docs/reference/kubectl/conventions.md b/content/en/docs/reference/kubectl/conventions.md
index 2b2cb34ceca..0aaf4ef3daf 100644
--- a/content/en/docs/reference/kubectl/conventions.md
+++ b/content/en/docs/reference/kubectl/conventions.md
@@ -22,9 +22,11 @@ For a stable output in a script:
 
 ## Subresources
 
-* You can use the `--subresource` alpha flag for kubectl commands like `get`, `patch`,
+* You can use the `--subresource` beta flag for kubectl commands like `get`, `patch`,
 `edit` and `replace` to fetch and update subresources for all resources that
 support them. Currently, only the `status` and `scale` subresources are supported.
+  * For `kubectl edit`, the `scale` subresource is not supported. If you use  `--subresource` with
+    `kubectl edit` and specify `scale` as the subresource, the command will error out.
 * The API contract against a subresource is identical to a full resource. While updating the
 `status` subresource to a new value, keep in mind that the subresource could be potentially
 reconciled by a controller to a different value.

From 10681a686fd24909aea8ee126ecd19ad8829d238 Mon Sep 17 00:00:00 2001
From: Guangwen Feng 
Date: Thu, 6 Apr 2023 15:50:13 +0800
Subject: [PATCH 133/272] [zh-cn] Sync and add anchors for
 tasks/access-application-cluster/*

Signed-off-by: Guangwen Feng 
---
 ...icate-containers-same-pod-shared-volume.md |  4 +--
 .../connecting-frontend-backend.md            |  8 +++---
 .../list-all-running-container-images.md      | 12 ++++----
 ...port-forward-access-application-cluster.md |  8 +++---
 .../web-ui-dashboard.md                       | 28 +++++++++----------
 5 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/content/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md b/content/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
index ed057170d86..21ca5b0a649 100644
--- a/content/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
@@ -33,7 +33,7 @@ In this exercise, you create a Pod that runs two Containers. The two containers
 share a Volume that they can use to communicate. Here is the configuration file
 for the Pod:
 -->
-## 创建一个包含两个容器的 Pod
+## 创建一个包含两个容器的 Pod   {#creating-a-pod-that-runs-two-containers}
 
 在这个练习中,你会创建一个包含两个容器的 Pod。两个容器共享一个卷用于他们之间的通信。
 Pod 的配置文件如下:
@@ -184,7 +184,7 @@ Typically this is done through a shared filesystem, as shown in this exercise,
 or through the loopback network interface, localhost. An example of this pattern is a
 web server along with a helper program that polls a Git repository for new updates.
 -->
-## 讨论
+## 讨论   {#discussion}
 
 Pod 能有多个容器的主要原因是为了支持辅助应用(helper applications),以协助主应用(primary application)。
 辅助应用的典型例子是数据抽取,数据推送和代理。辅助应用和主应用经常需要相互通信。
diff --git a/content/zh-cn/docs/tasks/access-application-cluster/connecting-frontend-backend.md b/content/zh-cn/docs/tasks/access-application-cluster/connecting-frontend-backend.md
index 90583761edc..f66af51711d 100644
--- a/content/zh-cn/docs/tasks/access-application-cluster/connecting-frontend-backend.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/connecting-frontend-backend.md
@@ -61,7 +61,7 @@ require a supported environment. If your environment does not support this, you
 The backend is a simple hello greeter microservice. Here is the configuration
 file for the backend Deployment:
 -->
-### 使用部署对象(Deployment)创建后端
+### 使用部署对象(Deployment)创建后端   {#creating-the-backend-using-a-deployment}
 
 后端是一个简单的 hello 欢迎微服务应用。这是后端应用的 Deployment 配置文件:
 
@@ -136,7 +136,7 @@ the Pods that it routes traffic to.
 
 First, explore the Service configuration file:
 -->
-### 创建 `hello` Service 对象
+### 创建 `hello` Service 对象   {#creating-the-hello-service-object}
 
 将请求从前端发送到后端的关键是后端 Service。Service 创建一个固定 IP 和 DNS 解析名入口,
 使得后端微服务总是可达。Service 使用
@@ -185,7 +185,7 @@ configuration file.
 The Pods in the frontend Deployment run a nginx image that is configured
 to proxy requests to the `hello` backend Service. Here is the nginx configuration file:
 -->
-### 创建前端应用
+### 创建前端   {#creating-the-frontend}
 
 现在你已经有了运行中的后端应用,你可以创建一个可在集群外部访问的前端,并通过代理
 前端的请求连接到后端。
@@ -299,7 +299,7 @@ cluster.
 The frontend and backend are now connected. You can hit the endpoint
 by using the curl command on the external IP of your frontend Service.
 -->
-### 通过前端发送流量
+### 通过前端发送流量   {#send-traffic-through-the-frontend}
 
 前端和后端已经完成连接了。你可以使用 curl 命令通过你的前端 Service 的外部
 IP 访问服务端点。
diff --git a/content/zh-cn/docs/tasks/access-application-cluster/list-all-running-container-images.md b/content/zh-cn/docs/tasks/access-application-cluster/list-all-running-container-images.md
index 3ae5e5cee81..571b51b5dda 100644
--- a/content/zh-cn/docs/tasks/access-application-cluster/list-all-running-container-images.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/list-all-running-container-images.md
@@ -45,7 +45,7 @@ of Containers for each.
   - Use `sort` to sort the results
   - Use `uniq` to aggregate image counts
 -->
-## 列出所有命名空间下的所有容器镜像
+## 列出所有命名空间下的所有容器镜像   {#list-all-container-images-in-all-namespaces}
 
 - 使用 `kubectl get pods --all-namespaces` 获取所有命名空间下的所有 Pod
 - 使用 `-o jsonpath={.items[*].spec.containers[*].image}` 来格式化输出,以仅包含容器镜像名称。
@@ -95,7 +95,7 @@ Pod is returned instead of a list of items.
 The formatting can be controlled further by using the `range` operation to
 iterate over elements individually.
 -->
-## 按 Pod 列出容器镜像
+## 按 Pod 列出容器镜像   {#list-container-images-by-pod}
 
 可以使用 `range` 操作进一步控制格式化,以单独操作每个元素。
 
@@ -110,7 +110,7 @@ sort
 To target only Pods matching a specific label, use the -l flag.  The
 following matches only Pods with labels matching `app=nginx`.
 -->
-## 列出以标签过滤后的 Pod 的所有容器镜像
+## 列出以标签过滤后的 Pod 的所有容器镜像   {#list-container-images-filtering-by-pod-label}
 
 要获取匹配特定标签的 Pod,请使用 -l 参数。以下匹配仅与标签 `app=nginx` 相符的 Pod。
 
@@ -124,7 +124,7 @@ kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].ima
 To target only pods in a specific namespace, use the namespace flag. The
 following matches only Pods in the `kube-system` namespace.
 -->
-## 列出以命名空间过滤后的 Pod 的所有容器镜像
+## 列出以命名空间过滤后的 Pod 的所有容器镜像   {#list-container-images-filtering-by-pod-namespace}
 
 要获取匹配特定命名空间的 Pod,请使用 namespace 参数。以下仅匹配 `kube-system` 命名空间下的 Pod。
 
@@ -138,7 +138,7 @@ kubectl get pods --namespace kube-system -o jsonpath="{.items[*].spec.containers
 As an alternative to jsonpath, Kubectl supports using [go-templates](https://pkg.go.dev/text/template)
 for formatting the output:
 -->
-## 使用 go-template 代替 jsonpath 来获取容器镜像
+## 使用 go-template 代替 jsonpath 来获取容器镜像   {#list-container-images-using-a-go-template-instead-of-jsonpath}
 
 作为 jsonpath 的替代,Kubectl 支持使用 [go-templates](https://pkg.go.dev/text/template) 来格式化输出:
 
@@ -154,7 +154,7 @@ kubectl get pods --all-namespaces -o go-template --template="{{range .items}}{{r
 * [Jsonpath](/docs/reference/kubectl/jsonpath/) reference guide
 * [Go template](https://pkg.go.dev/text/template) reference guide
 -->
-### 参考
+### 参考   {#reference}
 
 * [Jsonpath](/zh-cn/docs/reference/kubectl/jsonpath/) 参考指南
 * [Go template](https://pkg.go.dev/text/template) 参考指南
diff --git a/content/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md b/content/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md
index 69a376cfa2d..1f67c2d9dbe 100644
--- a/content/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md
@@ -36,7 +36,7 @@ for database debugging.
 
 1. Create a Deployment that runs MongoDB:
 -->
-## 创建 MongoDB Deployment 和服务
+## 创建 MongoDB Deployment 和服务   {#creating-mongodb-deployment-and-service}
 
 1. 创建一个运行 MongoDB 的 Deployment:
 
@@ -183,7 +183,7 @@ for database debugging.
 
 1. `kubectl port-forward` allows using resource name, such as a pod name, to select a matching pod to port forward to.
 -->
-## 转发一个本地端口到 Pod 端口
+## 转发一个本地端口到 Pod 端口   {#forward-a-local-port-to-a-port-on-the-pod}
 
 1. `kubectl port-forward` 允许使用资源名称
    (例如 Pod 名称)来选择匹配的 Pod 来进行端口转发。
@@ -237,7 +237,7 @@ for database debugging.
    ```
    Forwarding from 127.0.0.1:28015 -> 27017
    Forwarding from [::1]:28015 -> 27017
-    ```
+   ```
 
    {{< note >}}
    
 3. 在 MongoDB 命令行提示符下,输入 `ping` 命令:
 
diff --git a/content/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard.md b/content/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard.md
index 654c5d11a19..c76c95bd0cd 100644
--- a/content/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard.md
@@ -56,7 +56,7 @@ Dashboard 同时展示了 Kubernetes 集群中的资源状态信息和所有报
 
 The Dashboard UI is not deployed by default. To deploy it, run the following command:
 -->
-## 部署 Dashboard UI
+## 部署 Dashboard UI   {#deploying-the-dashboard-ui}
 默认情况下不会部署 Dashboard。可以通过以下命令部署:
 
 ```
@@ -71,7 +71,7 @@ Currently, Dashboard only supports logging in with a Bearer Token.
 To create a token for this demo, you can follow our guide on
 [creating a sample user](https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md).
 -->
-## 访问 Dashboard 用户界面
+## 访问 Dashboard 用户界面   {#accessing-the-dashboard-ui}
 
 为了保护你的集群数据,默认情况下,Dashboard 会使用最少的 RBAC 配置进行部署。
 当前,Dashboard 仅支持使用 Bearer 令牌登录。
@@ -92,7 +92,7 @@ The sample user created in the tutorial will have administrative privileges and
 You can enable access to the Dashboard using the `kubectl` command-line tool,
 by running the following command:
 -->
-### 命令行代理
+### 命令行代理   {#command-line-proxy}
 
 你可以使用 `kubectl` 命令行工具来启用 Dashboard 访问,命令如下:
 
@@ -121,7 +121,7 @@ Kubeconfig 身份验证方法**不**支持外部身份提供程序或基于 x509
 
-## 欢迎界面
+## 欢迎界面   {#welcome-view}
 
 
-## 部署容器化应用
+## 部署容器化应用   {#deploying-containerized-applications}
 
 通过一个简单的部署向导,你可以使用 Dashboard 将容器化应用作为一个 Deployment 和可选的
 Service 进行创建和部署。你可以手工指定应用的详细配置,或者上传一个包含应用配置的 YAML
@@ -161,7 +161,7 @@ Click the **CREATE** button in the upper right corner of any page to begin.
 
 The deploy wizard expects that you provide the following information:
 -->
-### 指定应用的详细配置
+### 指定应用的详细配置   {#specifying-application-details}
 
 部署向导需要你提供以下信息:
 
@@ -380,7 +380,7 @@ Kubernetes supports declarative configuration.
 In this style, all configuration is stored in manifests (YAML or JSON configuration files).
 The manifests use Kubernetes [API](/docs/concepts/overview/kubernetes-api/) resource schemas.
 -->
-### 上传 YAML 或者 JSON 文件
+### 上传 YAML 或者 JSON 文件   {#uploading-a-yaml-or-json-file}
 
 Kubernetes 支持声明式配置。所有的配置都存储在清单文件
 (YAML 或者 JSON 配置文件)中。这些
@@ -398,7 +398,7 @@ Dashboard 上传文件。
 
 Following sections describe views of the Kubernetes Dashboard UI; what they provide and how can they be used.
 -->
-## 使用 Dashboard
+## 使用 Dashboard   {#using-dashboard}
 
 以下各节描述了 Kubernetes Dashboard UI 视图;包括它们提供的内容,以及怎么使用它们。
 
@@ -409,7 +409,7 @@ When there are Kubernetes objects defined in the cluster, Dashboard shows them i
 By default only objects from the _default_ namespace are shown and
 this can be changed using the namespace selector located in the navigation menu.
 -->
-### 导航
+### 导航   {#navigation}
 
 当在集群中定义 Kubernetes 对象时,Dashboard 会在初始视图中显示它们。
 默认情况下只会显示 _默认_ 名字空间中的对象,可以通过更改导航栏菜单中的名字空间筛选器进行改变。
@@ -427,7 +427,7 @@ Node list view contains CPU and memory usage metrics aggregated across all Nodes
 The details view shows the metrics for a Node, its specification, status,
 allocated resources, events and pods running on the node.
 -->
-#### 管理概述
+#### 管理概述   {#admin-overview}
 
 集群和名字空间管理的视图,Dashboard 会列出节点、名字空间和持久卷,并且有它们的详细视图。
 节点列表视图包含从所有节点聚合的 CPU 和内存使用的度量值。
@@ -442,7 +442,7 @@ Each workload kind can be viewed separately.
 The lists summarize actionable information about the workloads,
 such as the number of ready pods for a ReplicaSet or current memory usage for a Pod.
  -->
-#### 负载
+#### 负载   {#workloads}
 
 显示选中的名字空间中所有运行的应用。
 视图按照负载类型(例如:Deployment、ReplicaSet、StatefulSet)罗列应用,并且每种负载都可以单独查看。
@@ -465,7 +465,7 @@ discovering them within a cluster.
 For that reason, Service and Ingress views show Pods targeted by them,
 internal endpoints for cluster connections and external endpoints for external users.
 -->
-#### 服务
+#### 服务   {#services}
 
 展示允许暴露给外网服务和允许集群内部发现的 Kubernetes 资源。
 因此,Service 和 Ingress 视图展示他们关联的 Pod、给集群连接使用的内部端点和给外部用户使用的外部端点。
@@ -475,7 +475,7 @@ internal endpoints for cluster connections and external endpoints for external u
 
 Storage view shows PersistentVolumeClaim resources which are used by applications for storing data.
 -->
-#### 存储
+#### 存储   {#storage}
 
 存储视图展示持久卷申领(PVC)资源,这些资源被应用程序用来存储数据。
 
@@ -496,7 +496,7 @@ The view allows for editing and managing config objects and displays secrets hid
 Pod lists and detail pages link to a logs viewer that is built into Dashboard.
 The viewer allows for drilling down logs from containers belonging to a single Pod.
 -->
-#### 日志查看器
+#### 日志查看器   {#logs-viewer}
 
 Pod 列表和详细信息页面可以链接到 Dashboard 内置的日志查看器。
 查看器可以深入查看属于同一个 Pod 的不同容器的日志。

From c1f4c5c4a2802dab33cf4ee605298d96bafdaaf4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9C=B1=E6=AD=A3=E6=B5=A9=2CZhu=20Zhenghao?=
 
Date: Wed, 5 Apr 2023 22:36:28 +0800
Subject: [PATCH 134/272] Cleanup page rbac

---
 content/en/docs/reference/access-authn-authz/rbac.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md
index a5bb85f5029..06d84c8e06f 100644
--- a/content/en/docs/reference/access-authn-authz/rbac.md
+++ b/content/en/docs/reference/access-authn-authz/rbac.md
@@ -929,8 +929,8 @@ to a role that grants that permission. To allow a user to create/update role bin
 
 1. Grant them a role that allows them to create/update RoleBinding or ClusterRoleBinding objects, as desired.
 2. Grant them permissions needed to bind a particular role:
-    * implicitly, by giving them the permissions contained in the role.
-    * explicitly, by giving them permission to perform the `bind` verb on the particular Role (or ClusterRole).
+   * implicitly, by giving them the permissions contained in the role.
+   * explicitly, by giving them permission to perform the `bind` verb on the particular Role (or ClusterRole).
 
 For example, this ClusterRole and RoleBinding would allow `user-1` to grant other users the `admin`, `edit`, and `view` roles in the namespace `user-1-namespace`:
 
@@ -1105,7 +1105,7 @@ Examples:
 
 * Test applying a manifest file of RBAC objects, displaying changes that would be made:
 
-  ```
+  ```shell
   kubectl auth reconcile -f my-rbac-rules.yaml --dry-run=client
   ```
 
@@ -1260,7 +1260,7 @@ Here are two approaches for managing this transition:
 Run both the RBAC and ABAC authorizers, and specify a policy file that contains
 the [legacy ABAC policy](/docs/reference/access-authn-authz/abac/#policy-file-format):
 
-```
+```shell
 --authorization-mode=...,RBAC,ABAC --authorization-policy-file=mypolicy.json
 ```
 

From 19718a26feee94756ea8afe6d9057ff79f407abb Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Thu, 6 Apr 2023 20:08:32 +0800
Subject: [PATCH 135/272] localize blog:
 2023-04-06-keeping-kubernetes-secure-with-updated-go-versions

localize blog: 2023-04-06-keeping-kubernetes-secure-with-updated-go-versions
---
 ...ernetes-secure-with-updated-go-versions.md | 177 ++++++++++++++++++
 1 file changed, 177 insertions(+)
 create mode 100644 content/zh-cn/blog/_posts/2023-04-06-keeping-kubernetes-secure-with-updated-go-versions.md

diff --git a/content/zh-cn/blog/_posts/2023-04-06-keeping-kubernetes-secure-with-updated-go-versions.md b/content/zh-cn/blog/_posts/2023-04-06-keeping-kubernetes-secure-with-updated-go-versions.md
new file mode 100644
index 00000000000..9376d9410fc
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2023-04-06-keeping-kubernetes-secure-with-updated-go-versions.md
@@ -0,0 +1,177 @@
+---
+layout: blog
+title: “使用更新后的 Go 版本保持 Kubernetes 安全”
+date: 2023-04-06
+slug: keeping-kubernetes-secure-with-updated-go-versions
+---
+
+
+
+
+**作者**:[Jordan Liggitt](https://github.com/liggitt) (Google)
+
+**译者**:顾欣 (ICBC)
+
+### 问题 {#the-problem}
+
+
+从 2020 年发布的 v1.19 版本以来,Kubernetes 项目为每个次要版本提供 12-14 个月的补丁维护期。
+这使得用户可以按照年度升级周期来评估和选用 Kubernetes 版本,并持续一年获得安全修复。
+
+
+[Go 项目](https://github.com/golang/go/wiki/Go-Release-Cycle#release-maintenance)每年发布两个新的次要版本,
+并为最近的两个版本提供安全修复,每个 Go 版本的维护期约为一年。
+尽管每个新的 Kubernetes 次要版本在最初发布时都是使用受支持的 Go 版本编译构建的,
+但在这一 Kubernetes 次要版本被停止支持之前,对应的 Go 版本就已经不被支持,
+并且由于 Kubernetes 从 v1.19 开始延长了补丁支持期,这个差距被进一步扩大。
+
+
+在编写本文时,包含了可能对安全产生影响的问题修复的 [Go 补丁发布版本](https://go.dev/doc/devel/release)
+刚刚过半(88/171)。尽管这些问题中很多都与 Kubernetes 无关,但有些确实相关,
+因此使用受支持的、已包含了这类修复的 Go 版本是非常重要的。
+
+
+显而易见的解决方案之一是直接更新 Kubernetes 的发布分支,使用 Go 的新次要版本。
+然而,Kubernetes 避免在[补丁发布中引入破坏稳定性的变更](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-release/cherry-picks.md#what-kind-of-prs-are-good-for-cherry-picks),
+过去,因为这些变更被认为包含过高的复杂性、风险或破坏性,不适合包含在补丁发布中,
+所以不能将现有发布分支更新到 Go 的新次要版本。
+示例包括:
+
+
+* Go 1.6: 默认支持 http/2
+* Go 1.14: EINTR 问题处理
+* Go 1.17: 取消 x509 CN 支持, ParseIP 更改
+* Go 1.18: 默认禁用 x509 SHA-1 证书支持
+* Go 1.19: 取消当前目录 LookPath 行为
+
+
+其中一些更改可以基本不会影响 Kubernetes 代码,
+有些只能通过用户指定的 `GODEBUG` 环境变量来选择放弃更新,
+而其他变更则需要侵入式的代码变更或完全无法避免。
+由于这种不一致性,Kubernetes 的发布分支通常保持使用某个固定的 Go 次要版本,
+并在每个 Kubernetes 次要版本支持生命周期的最后几个月内,面临无法得到重要的 Go 安全修复的风险。
+
+
+当某项重要的 Go 安全修复仅出现在较新的 Kubernetes 次要版本时,
+用户必须在旧的 Kubernetes 次要版本的 12-14 个月支持期结束之前完成升级,以获取这些修复。
+如果用户没有准备好升级,可能导致 Kubernetes 集群的安全漏洞。
+即使用户可以接受这种意外升级,这种不确定性也使得 Kubernetes 在年度支持从规划角度看变得不太可靠。
+
+### 解决方案 {#the-solution}
+
+
+我们很高兴地宣布,自2023年1月起,受支持的 Kubernetes 版本与受支持的 Go 版本之间的差距已得到解决。
+
+
+在过去的一年里,我们与 Go 团队密切合作,以解决采用新的 Go 版本的困难。
+这些工作推动了一场[讨论](https://github.com/golang/go/discussions/55090)、
+[提案](https://github.com/golang/go/issues/56986)、
+[GopherCon 演讲](https://www.youtube.com/watch?v=v24wrd3RwGo)和[设计](https://go.dev/design/56986-godebug),
+以提高 Go 的向后兼容性,
+确保新的 Go 版本至少在两年(四个 Go 版本)内能够与之前的 Go 版本保持兼容的运行时行为。
+这使得像 Kubernetes 这样的项目能够将发布分支更新到受支持的 Go 版本,
+而不是将行为上的变更暴露给用户。
+
+
+所提议的改进正按计划[包含在 Go 1.21 中](https://tip.golang.org/doc/godebug),
+而且 Go 团队已经在 2022 年底的 Go 1.19 补丁发布中提供了针对兼容性的改进。
+这些更改使 Kubernetes 1.23+ 在 2023 年 1 月升级到 Go 1.19,并避免了任何用户可见的配置或行为变化。
+现在所有受支持的 Kubernetes 发布分支都使用受支持的 Go 版本,
+并且可以使用包含可用的安全修复的、新的 Go 补丁发布。
+
+
+展望未来,Kubernetes 维护者仍致力于使 Kubernetes 补丁发布尽可能安全且不会造成破坏,
+因此在现有的 Kubernetes 发布分支更新使用新的 Go 次要版本之前,新的 Go 次要版本必须满足几个要求:
+
+
+1. 新的 Go 版本必须至少已经推出 3 个月。
+   这给了 Go 社区足够的时间进行报告并解决问题。
+2. 新的 Go 版本在新的 Kubernetes 次要版本中至少已经使用了 1 个月。
+   这确保 Kubernetes 所有可能阻塞发布的测试都需要能在新的 Go 版本下通过,
+   并在早期为 Kubernetes 社区对发布候选版本和新次要版本提供反馈时间。
+3. 与先前的 Go 版本相比,不能出现新的已知会影响 Kubernetes 的问题。
+4. 默认情况下必须保持运行时行为,而无需 Kubernetes 用户/管理员采取任何操作。
+5. Kubernetes 库,如 `k8s.io/client-go` 必须与每个次要版本最初使用的 Go 版本保持兼容,
+   以便在获取库补丁时,用户不必更新 Go 版本(不过还是鼓励他们使用受支持的 Go 版本构建,
+   因为 Go 1.21 计划中的[兼容性改进](https://go.dev/design/56986-godebug)会使得这一操作变简单)。
+
+
+所有这些工作的目标是在不引人注意的情况下使 Kubernetes 补丁发布更加安全可靠,
+并确保在整个支持周期内 Kubernetes 次要版本用起来都是安全的。
+
+
+非常感谢 Go 团队,尤其是 Russ Cox,他们推动了这些改进,
+使所有 Go 用户受益,而不仅仅是 Kubernetes。
+

From 32fb48222db3cedd2c8cb9e6a8046f73d48146c8 Mon Sep 17 00:00:00 2001
From: Fabian B 
Date: Fri, 7 Apr 2023 19:31:17 +0200
Subject: [PATCH 136/272] Make meaning of "you" on the main page consistent

---
 data/i18n/de/de.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/i18n/de/de.toml b/data/i18n/de/de.toml
index cd4c3d79242..e6f10daaab4 100644
--- a/data/i18n/de/de.toml
+++ b/data/i18n/de/de.toml
@@ -79,7 +79,7 @@ other = "Kubernetes Features"
 other = """Wir sind ein CNCF Abschlussprojekt
"""
 
 [main_kubeweekly_baseline]
-other = "Möchten Sie die neuesten Nachrichten von Kubernetes erhalten? Melden Sie sich für KubeWeekly an."
+other = "Möchtest du die neuesten Nachrichten von Kubernetes erhalten? Melde dich für KubeWeekly an."
 
 [main_kubernetes_past_link]
 other = "Frühere Newsletter anzeigen"

From 393919cca5c0a46e97a08b424904073960ab22e1 Mon Sep 17 00:00:00 2001
From: Arhell 
Date: Sat, 8 Apr 2023 02:22:41 +0300
Subject: [PATCH 137/272] [id] Update branch name in ingress-nginx github link

---
 content/id/docs/concepts/services-networking/ingress.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/id/docs/concepts/services-networking/ingress.md b/content/id/docs/concepts/services-networking/ingress.md
index 6baae2adc96..84db01b37e8 100644
--- a/content/id/docs/concepts/services-networking/ingress.md
+++ b/content/id/docs/concepts/services-networking/ingress.md
@@ -91,7 +91,7 @@ spec:
  Seperti layaknya *resource* Kubernetes yang lain, sebuah Ingress membutuhkan *field* `apiVersion`, `kind`, dan `metadata`.
  Untuk informasi umum soal bagaimana cara bekerja dengan menggunakan berkas konfigurasi, silahkan merujuk pada [melakukan deploy aplikasi](/docs/tasks/run-application/run-stateless-application-deployment/), [konfigurasi kontainer](/id/docs/tasks/configure-pod-container/configure-pod-configmap/), [mengatur *resource*](/id/docs/concepts/cluster-administration/manage-deployment/).
  Ingress seringkali menggunakan anotasi untuk melakukan konfigurasi beberapa opsi yang ada bergantung pada kontroler Ingress yang digunakan, sebagai contohnya
- adalah [anotasi rewrite-target](https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/rewrite/README.md).
+ adalah [anotasi rewrite-target](https://github.com/kubernetes/ingress-nginx/blob/main/docs/examples/rewrite/README.md).
  [Kontroler Ingress](/id/docs/concepts/services-networking/ingress-controllers) yang berbeda memiliki jenis anotasi yang berbeda. Pastikan kamu sudah terlebih dahulu memahami dokumentasi
  kontroler Ingress yang akan kamu pakai untuk mengetahui jenis anotasi apa sajakah yang disediakan.
 

From 937d9b472d1d5a0a7fb6cc66a8b3976fe7828e38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9C=B1=E6=AD=A3=E6=B5=A9=2CZhu=20Zhenghao?=
 
Date: Wed, 5 Apr 2023 22:04:22 +0800
Subject: [PATCH 138/272] [zh] translate page validating-admission-policy

---
 .../validating-admission-policy.md            | 562 ++++++++++++++++++
 1 file changed, 562 insertions(+)
 create mode 100644 content/zh-cn/docs/reference/access-authn-authz/validating-admission-policy.md

diff --git a/content/zh-cn/docs/reference/access-authn-authz/validating-admission-policy.md b/content/zh-cn/docs/reference/access-authn-authz/validating-admission-policy.md
new file mode 100644
index 00000000000..a470aa45db2
--- /dev/null
+++ b/content/zh-cn/docs/reference/access-authn-authz/validating-admission-policy.md
@@ -0,0 +1,562 @@
+---
+title: 验证准入策略(ValidatingAdmissionPolicy)
+content_type: concept
+---
+
+
+
+
+{{< feature-state state="alpha" for_k8s_version="v1.26" >}}
+
+
+
+本页面提供验证准入策略(Validating Admission Policy)的概述。
+
+
+
+
+## 什么是验证准入策略? {#what-is-validating-admission-policy}
+
+验证准入策略提供一种声明式的、进程内的替代方案来验证准入 Webhook。
+
+验证准入策略使用通用表达语言 (Common Expression Language,CEL) 来声明策略的验证规则。
+验证准入策略是高度可配置的,使配置策略的作者能够根据集群管理员的需要,
+定义可以参数化并限定到资源的策略。
+
+
+## 哪些资源构成策略  {#what-resources-make-a-policy}
+
+策略通常由三种资源构成:
+
+
+
+- `ValidatingAdmissionPolicy` 描述策略的抽象逻辑(想想看:“这个策略确保一个特定标签被设置为一个特定值”)。
+
+- 一个 `ValidatingAdmissionPolicyBinding` 将上述资源联系在一起,并提供作用域。
+  如果你只想为 `Pods` 设置一个 `owner` 标签,你就需要在这个绑定中指定这个限制。
+
+- 参数资源为 `ValidatingAdmissionPolicy` 提供信息,使其成为一个具体的声明
+  (想想看:“`owner` 标签必须被设置为以 `.company.com` 结尾的形式")。
+  参数资源的模式(Schema)使用诸如 ConfigMap 或 CRD 这类原生类型定义。
+  `ValidatingAdmissionPolicy` 对象指定它们期望参数资源所呈现的类型。
+
+
+至少要定义一个 `ValidatingAdmissionPolicy` 和一个相对应的 `ValidatingAdmissionPolicyBinding` 才能使策略生效。
+
+如果 `ValidatingAdmissionPolicy` 不需要参数配置,不设置 `ValidatingAdmissionPolicy` 中的
+`spec.paramKind` 即可。
+
+## {{% heading "prerequisites" %}}
+
+
+- 确保 `ValidatingAdmissionPolicy` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)被启用。
+- 确保 `admissionregistration.k8s.io/v1alpha1` API 被启用。
+
+
+
+## 开始使用验证准入策略  {#getting-started-with-validating-admission-policy}
+
+验证准入策略是集群控制平面的一部分。你应该非常谨慎地编写和部署它们。下面介绍如何快速试验验证准入策略。
+
+
+### 创建一个 ValidatingAdmissionPolicy
+
+以下是一个 ValidatingAdmissionPolicy 的示例:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "demo-policy.example.com"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups: ["apps"]
+      apiVersions: ["v1"]
+      operations: ["CREATE", "UPDATE"]
+      resources: ["deployments"]
+  validations:
+    - expression: "object.spec.replicas <= 5"
+```
+
+
+`spec.validations` 包含使用[通用表达式语言 (CEL)](https://github.com/google/cel-spec)
+来验证请求的 CEL 表达式。
+如果表达式的计算结果为 false,则根据 `spec.failurePolicy` 字段强制执行验证检查处理。
+
+要配置一个在某集群中使用的验证准入策略,需要一个绑定。
+以下是一个 ValidatingAdmissionPolicyBinding 的示例:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "demo-binding-test.example.com"
+spec:
+  policyName: "demo-policy.example.com"
+  matchResources:
+    namespaceSelector:
+      matchLabels:
+        environment: test
+```
+
+
+尝试创建副本集合不满足验证表达式的 Deployment 时,将返回包含以下消息的错误:
+
+```none
+ValidatingAdmissionPolicy 'demo-policy.example.com' with binding 'demo-binding-test.example.com' denied request: failed expression: object.spec.replicas <= 5
+```
+
+
+上面提供的是一个简单的、无配置参数的 ValidatingAdmissionPolicy。
+
+
+#### 参数资源
+
+参数资源允许策略配置与其定义分开。
+一个策略可以定义 paramKind,给出参数资源的 GVK,
+然后一个策略绑定可以通过名称(通过 policyName)将某策略与某特定的参数资源(通过 paramRef)联系起来。
+
+如果需要参数配置,下面是一个带有参数配置的 ValidatingAdmissionPolicy 的例子:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "replicalimit-policy.example.com"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: rules.example.com/v1
+    kind: ReplicaLimit
+  matchConstraints:
+    resourceRules:
+    - apiGroups: ["apps"]
+      apiVersions: ["v1"]
+      operations: ["CREATE", "UPDATE"]
+      resources: ["deployments"]
+  validations:
+    - expression: "object.spec.replicas <= params.maxReplicas"
+      reason: Invalid
+```
+
+
+ValidatingAdmissionPolicy 的 `spec.paramKind` 字段指定用于参数化此策略的资源类型。
+在这个例子中,它是由自定义资源 ReplicaLimit 配置的。
+在这个例子中请注意 CEL 表达式是如何通过 CEL params 变量引用参数的,如:`params.maxReplicas`。
+`spec.matchConstraints` 指定此策略要检查哪些资源。
+请注意,诸如 `ConfigMap` 之类的原生类型也可以用作参数引用。
+
+
+`spec.validations` 字段包含 CEL 表达式。
+如果表达式的计算结果为 false,则根据 `spec.failurePolicy` 字段强制执行验证检查操作。
+
+验证准入策略的作者负责提供 ReplicaLimit 参数 CRD。
+
+要配置一个在某集群中使用的验证准入策略,需要创建绑定和参数资源。
+以下是 ValidatingAdmissionPolicyBinding 的示例:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "replicalimit-binding-test.example.com"
+spec:
+  policyName: "replicalimit-policy.example.com"
+  paramRef:
+    name: "replica-limit-test.example.com"
+  matchResources:
+    namespaceSelector:
+      matchLabels:
+        environment: test
+```
+
+
+参数资源可以如下:
+
+```yaml
+apiVersion: rules.example.com/v1
+kind: ReplicaLimit
+metadata:
+  name: "replica-limit-test.example.com"
+maxReplicas: 3
+```
+
+
+此策略参数资源将限制测试环境所有名字空间中的 Deployment 最多有 3 个副本。
+一个准入策略可以有多个绑定。
+要绑定所有的其他环境,限制 maxReplicas 为 100,请创建另一个 ValidatingAdmissionPolicyBinding:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "replicalimit-binding-nontest"
+spec:
+  policyName: "replicalimit-policy.example.com"
+  paramRef:
+    name: "replica-limit-clusterwide.example.com"
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+      - key: environment
+        operator: NotIn
+        values:
+        - test
+```
+
+
+并有一个参数资源,如下:
+
+```yaml
+apiVersion: rules.example.com/v1
+kind: ReplicaLimit
+metadata:
+  name: "replica-limit-clusterwide.example.com"
+maxReplicas: 100
+```
+
+
+绑定可以包含相互重叠的匹配条件。策略会针对每个匹配的绑定进行计算。
+在上面的例子中,`nontest` 策略绑定可以被定义为一个全局策略:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "replicalimit-binding-global"
+spec:
+  policyName: "replicalimit-policy.example.com"
+  params: "replica-limit-clusterwide.example.com"
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+      - key: environment
+        operator: Exists
+```
+
+
+如果参数资源尚未被绑定,代表参数资源的 params 对象将不会被设置,
+所以对于需要参数资源的策略,添加一个检查来确保参数资源被绑定,这会很有用。
+
+对于需要参数配置的场景,我们建议在 `spec.validations[0].expression` 中添加一个参数检查:
+
+```
+- expression: "params != null"
+  message: "params missing but required to bind to this policy"
+```
+
+
+将可选参数作为参数资源的一部分,并且只在参数存在时执行检查操作,这样做会比较方便。
+CEL 提供了 `has()` 方法,它检查传递给它的键是否存在。CEL 还实现了布尔短路逻辑。
+如果逻辑 OR 的前半部分计算为 true,则不会计算另一半(因为无论如何整个 OR 的结果都为真)。
+
+结合这两者,我们可以提供一种验证可选参数的方法:
+
+`!has(params.optionalNumber) || (params.optionalNumber >= 5 && params.optionalNumber <= 10)`
+
+
+在这里,我们首先用 `!has(params.optionalNumber)` 检查可选参数是否存在。
+
+- 如果 `optionalNumber` 没有被定义,那么表达式就会短路,因为 `!has(params.optionalNumber)` 的计算结果为 true。
+- 如果 `optionalNumber` 被定义了,那么将计算 CEL 表达式的后半部分,
+  并且 `optionalNumber` 将被检查以确保它包含一个 5 到 10 之间的值(含 5 到 10)。
+
+
+#### 鉴权检查
+
+我们为参数资源引入了鉴权检查。
+用户应该对 `ValidatingAdmissionPolicy` 中的 `paramKind`
+和 `ValidatingAdmissionPolicyBinding` 中的 `paramRef` 所引用的资源有 `read` 权限。
+
+请注意,如果 `paramKind` 中的资源没能通过 restmapper 解析,则用户需要拥有对组的所有资源的
+`read` 访问权限。
+
+
+### 失效策略
+
+`failurePolicy` 定义了如何处理错误配置和准入策略的 CEL 表达式取值为 error 的情况。
+
+允许的值是 `Ignore` 或 `Fail`。
+
+- `Ignore` 意味着调用 ValidatingAdmissionPolicy 的错误被忽略,允许 API 请求继续。
+- `Fail` 意味着调用 ValidatingAdmissionPolicy 的错误导致准入失败并拒绝 API 请求。
+
+请注意,`failurePolicy` 是在 `ValidatingAdmissionPolicy` 中定义的:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+spec:
+...
+failurePolicy: Ignore # 默认值是 "Fail"
+validations:
+- expression: "object.spec.xyz == params.x"
+```
+
+
+### 检查表达式
+
+`spec.validations[i].expression` 代表将使用 CEL 来计算表达式。
+要了解更多信息,请参阅 [CEL 语言规范](https://github.com/google/cel-spec)。
+CEL 表达式可以访问按 CEL 变量来组织的 Admission 请求/响应的内容,以及其他一些有用的变量 :
+
+- 'object' - 来自传入请求的对象。对于 DELETE 请求,该值为 null。
+- 'oldObject' - 现有对象。对于 CREATE 请求,该值为 null。
+- 'request' - [准入请求](/zh-cn/docs/reference/config-api/apiserver-admission.v1/#admission-k8s-io-v1-AdmissionRequest)的属性。
+- 'params' - 被计算的策略绑定引用的参数资源。如果未设置 `paramKind`,该值为 null。
+
+
+总是可以从对象的根访问的属性有 `apiVersion`、`kind`、`metadata.name` 和 `metadata.generateName`。
+其他元数据属性不能访问。
+
+只有符合 `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` 形式的属性名称是可访问的。
+可访问的属性名称在表达式中被访问时,根据以下规则进行转义:
+
+| 转义序列                | 属性名称等效            |
+| ----------------------- | -----------------------|
+| `__underscores__`       | `__`                  |
+| `__dot__`               | `.`                   |
+| `__dash__`              | `-`                   |
+| `__slash__`             | `/`                   |
+| `__{keyword}__`         | [CEL 保留关键字](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#syntax)       |
+
+{{< note >}}
+
+**CEL 保留**关键字仅在字符串与保留关键字完全匹配时才需要转义。
+例如,单词 “sprint” 中的 `int` 不需要被转义。
+{{< /note >}}
+
+
+转义示例:
+
+| 属性名      | 具有转义属性名称的规则            |
+| ----------- | --------------------------------- |
+| namespace   | `self.__namespace__ > 0`          |
+| x-prop      | `self.x__dash__prop > 0`          |
+| redact\_\_d | `self.redact__underscores__d > 0` |
+| string      | `self.startsWith('kube')`         |
+
+
+列表类型为 "set" 或 "map" 的数组上的等价关系比较会忽略元素顺序,即 [1, 2] == [2, 1]。
+使用 x-kubernetes-list-type 连接数组时使用列表类型的语义:
+
+- 'set': `X + Y` 执行并集,其中 `X` 中所有元素的数组位置被保留,`Y` 中不相交的元素被追加,保留其元素的偏序关系。
+- 'map':`X + Y` 执行合并,保留 `X` 中所有键的数组位置,但是当 `X` 和 `Y` 的键集相交时,其值被 `Y` 的值覆盖。
+  `Y` 中键值不相交的元素被追加,保留其元素之间的偏序关系。
+
+
+#### 检查表达式示例
+
+| 表达式                                                                                        | 目的                                                                     |
+| --------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
+| `object.minReplicas <= object.replicas && object.replicas <= object.maxReplicas`              | 检查定义副本的三个字段是否大小关系正确                                   |
+| `'Available' in object.stateCounts`                                                           | 检查映射中是否存在键为 `Available` 的条目                                |
+| `(size(object.list1) == 0) != (size(object.list2) == 0)`                                      | 检查两个列表是否有且只有一个非空                                         |
+| !('MY_KEY' in object.map1) || object['MY_KEY'].matches('^[a-zA-Z]\*$') | 检查映射中存在特定的键时其取值符合某规则                                 |
+| `object.envars.filter(e, e.name == 'MY_ENV').all(e, e.value.matches('^[a-zA-Z]*$')`           | 验证 listMap 中所有键名为 "MY_ENV" 的条目的 “value” 字段,确保其符合规则 |
+| `has(object.expired) && object.created + object.ttl < object.expired`                         | 检查 expired 日期在 create 日期加上 ttl 时长之后                         |
+| `object.health.startsWith('ok')`                                                              | 检查 health 字符串字段的取值有 “ok” 前缀                                 |
+| `object.widgets.exists(w, w.key == 'x' && w.foo < 10)`                                        | 对于 listMap 中键为 “x” 的条目,检查该条目的 "foo" 属性的值是否小于 10   |
+| `type(object) == string ? object == '100%' : object == 1000`                                  | 对于 int-or-string 字段,分别处理类型为 int 或 string 的情况             |
+| `object.metadata.name.startsWith(object.prefix)`                                              | 检查对象名称是否以另一个字段值为前缀                                     |
+| `object.set1.all(e, !(e in object.set2))`                                                     | 检查两个 listSet 是否不相交                                              |
+| `size(object.names) == size(object.details) && object.names.all(n, n in object.details)`      | 检查映射 “details” 所有的键和 listSet “names” 中的条目是否一致           |
+| `size(object.clusters.filter(c, c.name == object.primary)) == 1`                              | 检查 “primary” 字段的值在 listMap “clusters” 中只出现一次                |
+
+
+了解关于 CEL 规则的更多信息, 请阅读
+[CEL 支持的求值表达式](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#evaluation)。
+
+
+`spec.validation[i].reason` 表示一个机器可读的描述,说明为什么这次检查失败。
+如果这是列表中第一个失败的检查,其原因以及相应的 HTTP 响应代码会被用在给客户端的 HTTP 响应中。
+目前支持的原因有:`Unauthorized`、`Forbidden`、`Invalid`、`RequestEntityTooLarge`。
+如果未设置,将在对客户端的响应中使用 `StatusReasonInvalid`。

From 4bb17a912cbb210c0044e92a41fdbdd50e875480 Mon Sep 17 00:00:00 2001
From: Arhell 
Date: Sun, 9 Apr 2023 01:05:52 +0300
Subject: [PATCH 139/272] [fr] Update branch name in ingress-nginx github link

---
 content/fr/docs/concepts/services-networking/ingress.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/fr/docs/concepts/services-networking/ingress.md b/content/fr/docs/concepts/services-networking/ingress.md
index d8b489aa51b..f7a1f0c2404 100644
--- a/content/fr/docs/concepts/services-networking/ingress.md
+++ b/content/fr/docs/concepts/services-networking/ingress.md
@@ -94,7 +94,7 @@ spec:
 Comme pour toutes les autres ressources Kubernetes, un Ingress (une entrée) a besoin des champs `apiVersion`, `kind` et `metadata`.
  Pour des informations générales sur l'utilisation des fichiers de configuration, voir [déployer des applications](/docs/tasks/run-application/run-stateless-application-deployment/), [configurer des conteneurs](/docs/tasks/configure-pod-container/configure-pod-configmap/), [gestion des ressources](/docs/concepts/cluster-administration/manage-deployment/).
  Ingress utilise fréquemment des annotations pour configurer certaines options en fonction du contrôleur Ingress, dont un exemple
- est l'annotation [rewrite-target](https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/rewrite/README.md).
+ est l'annotation [rewrite-target](https://github.com/kubernetes/ingress-nginx/blob/main/docs/examples/rewrite/README.md).
  Différents [Ingress controller](/docs/concepts/services-networking/ingress-controllers) prennent en charge différentes annotations. Consultez la documentation du contrôleur Ingress de votre choix pour savoir quelles annotations sont prises en charge.
 
 La [spécification de la ressource Ingress](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status) dispose de toutes les informations nécessaires pour configurer un loadbalancer ou un serveur proxy. Plus important encore, il

From 5ba37294055d985a3f617362e0b9a737eb4d6756 Mon Sep 17 00:00:00 2001
From: Khush Patibandha <104303438+KhushPatibandha@users.noreply.github.com>
Date: Sun, 9 Apr 2023 04:49:14 +0530
Subject: [PATCH 140/272] Explain env vs envFrom for page Define Environment
 Variables for a Container (#40055)

* 'Define Environment Variables for a Container' does not explain env vs envFrom #39873

* suggested review changes done.

* tengqm suggested changes done.
---
 .../define-environment-variable-container.md     | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/content/en/docs/tasks/inject-data-application/define-environment-variable-container.md b/content/en/docs/tasks/inject-data-application/define-environment-variable-container.md
index 50cc57f1e5d..ba226f8f9f3 100644
--- a/content/en/docs/tasks/inject-data-application/define-environment-variable-container.md
+++ b/content/en/docs/tasks/inject-data-application/define-environment-variable-container.md
@@ -21,6 +21,22 @@ When you create a Pod, you can set environment variables for the containers
 that run in the Pod. To set environment variables, include the `env` or
 `envFrom` field in the configuration file.
 
+The `env` and `envFrom` fields have different effects.
+
+`env`
+: allows you to set environment variables for a container, specifying a value directly for each variable that you name.
+
+`envFrom`
+: allows you to set environment variables for a container by referencing either a ConfigMap or a Secret.
+ When you use `envFrom`, all the key-value pairs in the referenced ConfigMap or Secret
+ are set as environment variables for the container.
+ You can also specify a common prefix string.
+
+You can read more about [ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables)
+and [Secret](/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables).
+
+This page explains how to use `env`.
+
 In this exercise, you create a Pod that runs one container. The configuration
 file for the Pod defines an environment variable with name `DEMO_GREETING` and
 value `"Hello from the environment"`. Here is the configuration manifest for the

From 76729f07024faeee70e2bc97f949af5bc1d1249c Mon Sep 17 00:00:00 2001
From: "xin.li" 
Date: Sun, 9 Apr 2023 11:55:25 +0800
Subject: [PATCH 141/272] [zh-cn] sync statefulset conventions.md

Signed-off-by: xin.li 
---
 content/zh-cn/docs/reference/glossary/statefulset.md | 6 ++----
 content/zh-cn/docs/reference/kubectl/conventions.md  | 8 ++++++--
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/content/zh-cn/docs/reference/glossary/statefulset.md b/content/zh-cn/docs/reference/glossary/statefulset.md
index e94318e78ae..de43a53988c 100644
--- a/content/zh-cn/docs/reference/glossary/statefulset.md
+++ b/content/zh-cn/docs/reference/glossary/statefulset.md
@@ -14,13 +14,12 @@ tags:
 ---
 
 
 
  
 
 
 
 和 {{< glossary_tooltip text="Deployment" term_id="deployment" >}} 类似,
diff --git a/content/zh-cn/docs/reference/kubectl/conventions.md b/content/zh-cn/docs/reference/kubectl/conventions.md
index 2f6cc0f1908..1f67fdb2823 100644
--- a/content/zh-cn/docs/reference/kubectl/conventions.md
+++ b/content/zh-cn/docs/reference/kubectl/conventions.md
@@ -46,16 +46,20 @@ For a stable output in a script:
 ## 子资源    {#subresources}
 
 
 
-* 你可以将 `--subresource` alpha 标志用于 kubectl 命令,例如 `get`、`patch`、`edit` 和 `replace`
+* 你可以将 `--subresource` Beta 标志用于 kubectl 命令,例如 `get`、`patch`、`edit` 和 `replace`
   来获取和更新所有支持子资源的资源的子资源。目前,仅支持 `status` 和 `scale` 子资源。
+  * 对于 `kubectl edit`,不支持 `scale` 子资源。如果将 `--subresource` 与 `kubectl edit` 一起使用,
+    并指定 `scale` 作为子资源,则命令将会报错。
 * 针对子资源的 API 协定与完整资源相同。在更新 `status` 子资源为一个新值时,请记住,
   子资源可能是潜在的由控制器调和为不同的值。
 

From 9ad93738bbf846a36b3a91bb5193c6375e179269 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Sun, 9 Apr 2023 21:33:51 +0800
Subject: [PATCH 142/272] sync konnectivity-agent.yaml

sync konnectivity-agent.yaml
---
 .../zh-cn/examples/admin/konnectivity/konnectivity-agent.yaml   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/zh-cn/examples/admin/konnectivity/konnectivity-agent.yaml b/content/zh-cn/examples/admin/konnectivity/konnectivity-agent.yaml
index 2d34c2d69c8..0f7477e8d68 100644
--- a/content/zh-cn/examples/admin/konnectivity/konnectivity-agent.yaml
+++ b/content/zh-cn/examples/admin/konnectivity/konnectivity-agent.yaml
@@ -22,7 +22,7 @@ spec:
         - key: "CriticalAddonsOnly"
           operator: "Exists"
       containers:
-        - image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.16
+        - image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.37
           name: konnectivity-agent
           command: ["/proxy-agent"]
           args: [

From 8124e23890aa82b6dd8685c09f3ca04e2558f7ef Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Sun, 9 Apr 2023 21:37:03 +0800
Subject: [PATCH 143/272] sync konnectivity-server.yaml

sync konnectivity-server.yaml
---
 .../zh-cn/examples/admin/konnectivity/konnectivity-server.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/content/zh-cn/examples/admin/konnectivity/konnectivity-server.yaml b/content/zh-cn/examples/admin/konnectivity/konnectivity-server.yaml
index df5ca13d410..9c24a63dc59 100644
--- a/content/zh-cn/examples/admin/konnectivity/konnectivity-server.yaml
+++ b/content/zh-cn/examples/admin/konnectivity/konnectivity-server.yaml
@@ -8,12 +8,13 @@ spec:
   hostNetwork: true
   containers:
   - name: konnectivity-server-container
-    image: registry.k8s.io/kas-network-proxy/proxy-server:v0.0.32
+    image: registry.k8s.io/kas-network-proxy/proxy-server:v0.0.37
     command: ["/proxy-server"]
     args: [
             "--logtostderr=true",
             # 下一行需与 egressSelectorConfiguration 中设置的值一致。
             "--uds-name=/etc/kubernetes/konnectivity-server/konnectivity-server.socket",
+            "--delete-existing-uds-file",
             # 下面两行假定 Konnectivity 服务器被部署在与 apiserver 相同的机器上,
             # 并且该 API 服务器的证书和密钥位于指定的位置。
             "--cluster-cert=/etc/kubernetes/pki/apiserver.crt",

From 8377a675cd4beef6da89eba9829a05c14b19a60f Mon Sep 17 00:00:00 2001
From: Tim Bannister 
Date: Thu, 16 Mar 2023 13:00:31 -0700
Subject: [PATCH 144/272] ClusterTrustBundles: Add section to certificates page

Document the API types as they exist today, plus a hint of the future
integrations that will be available.

Co-Authored-By: Taahir Ahmed 
---
 .../certificate-signing-requests.md           | 89 +++++++++++++++++++
 1 file changed, 89 insertions(+)

diff --git a/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md b/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
index aa95223bb05..ed61a6e3c51 100644
--- a/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
+++ b/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
@@ -459,6 +459,95 @@ status:
   certificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JS..."
 ```
 
+## ClusterTrustBundles (Alpha Feature) {#ctb}
+
+{{< feature-state for_k8s_version="v1.27" state="alpha" >}}
+
+{{< note >}}
+Gated by the `ClusterTrustBundles` feature gate.
+{{< /note >}}
+
+ClusterTrustBundles are a cluster-scoped object for distributing X.509 trust
+anchors (root certificates) to workloads within the cluster.  They're designed
+to work well with the existing signer concept.
+
+Future Kubernetes releases will build on them with integrations like the ability
+to project their contents into the pod filesystem.
+
+ClusterTrustBundles can be used in two modes: signer-linked and signer-unlinked.
+
+### Common properties and validation {#ctb-common}
+
+All ClusterTrustBundle objects have strong validation on the contents of their
+`trustBundle` field.  It must contain one or more X.509 certificates,
+DER-serialized, each wrapped in a PEM `CERTIFICATE` block.  The certificates
+must parse as valid X.509 certificates.
+
+Esoteric PEM features like inter-block data and intra-block headers are either
+rejected during object validation, or filtered by consumers of the object
+(primarily Kubelet).  Additionally, consumers will reorder the certificates in
+the bundle with their own arbitrary but stable ordering.
+
+ClusterTrustBundle objects should be considered world-readable within the
+cluster.  All serviceaccounts have a default RBAC grant to get, list, and watch
+all ClusterTrustBundle objects.
+
+### Signer-linked ClusterTrustBundles {#ctb-signer-linked}
+
+Signer-linked ClusterTrustBundles are associated with a signer name, like this:
+
+```yaml
+apiVersion: certificates.k8s.io/v1alpha1
+kind: ClusterTrustBundle
+metadata:
+  name: example.com:mysigner:foo
+spec:
+  signerName: example.com/mysigner
+  trustBundle: "<... PEM data ...>"
+```
+
+These ClusterTrustBundles are intended to be maintained by a signer-specific
+controller in the cluster, so they have several security features:
+
+* To create or update a signer-linked ClusterTrustBundle, you must have the
+  `attest` verb on the signer (verbs: `attest`, group: `certificates.k8s.io`,
+  resource: `signers`, resourceName: `/` or
+  `/*`).
+* Signer-linked ClusterTrustBundles must be named with a prefix derived from
+  their `spec.signerName` field.  Slashes (`/`) are replaced with colons (`:`),
+  and a final colon is appended.  This is followed by an arbitary name.  For
+  example, the signer `example.com/mysigner` becomes
+  `example.com:mysigner:`.
+
+Signer-linked ClusterTrustBundles will be consumed in workloads by a combination
+of field selector on the signer name and a label selector.  If this query
+matches multiple ClusterTrustBundle objects, their contents will be merged,
+deduplicated, and sorted before being provided to the workload.
+
+### Signer-unlinked ClusterTrustBundles {#ctb-signer-unlinked}
+
+Signer-unlinked ClusterTrustBundles have an empty `spec.signerName` field, like this:
+
+```yaml
+apiVersion: certificates.k8s.io/v1alpha1
+kind: ClusterTrustBundle
+metadata:
+  name: foo
+spec:
+  signerName: ""
+  trustBundle: "<... PEM data ...>"
+```
+
+They are primarily intended for cluster configuration use cases.  Each
+signer-unlinked ClusterTrustBundle is an independent object, in contrast to the
+customary grouping behavior of signer-linked ClusterTrustBundles.
+
+Signer-unlinked ClusterTrustBundles have no `attest` verb requirement.  Instead,
+control access to them using the standard RBAC verbs.
+
+To distinguish them from signer-linked ClusterTrustBundles, the names of
+signer-unlinked ClusterTrustBundles must not contain a colon (`:`).
+
 ## {{% heading "whatsnext" %}}
 
 * Read [Manage TLS Certificates in a Cluster](/docs/tasks/tls/managing-tls-in-a-cluster/)

From e95deae997ac01540211e0666e2b453a3829f3b2 Mon Sep 17 00:00:00 2001
From: Tim Bannister 
Date: Sun, 9 Apr 2023 18:17:50 +0100
Subject: [PATCH 145/272] Update CSR page to encompass CSRs and trust bundles

Rather than mention trust bundles as a subtopic of certificate signing
requests, reshape the page so that:
- it's clear that CSRs are stable but ClusterTrustBundles are alpha
- the task for issuing a certificate to a user stands separately from
  the concepts explained elsewhere in the page
- it's clear that signers are relevant to both CSRs and
  ClusterTrustBundles
---
 .../certificate-signing-requests.md           | 517 ++++++++++--------
 1 file changed, 278 insertions(+), 239 deletions(-)

diff --git a/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md b/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
index ed61a6e3c51..4ce299e5fb5 100644
--- a/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
+++ b/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
@@ -4,27 +4,33 @@ reviewers:
 - mikedanese
 - munnerz
 - enj
-title: Certificate Signing Requests
+title: Certificates and Certificate Signing Requests
 content_type: concept
 weight: 25
 ---
 
 
 
-{{< feature-state for_k8s_version="v1.19" state="stable" >}}
-
-The Certificates API enables automation of
+Kubernetes certificate and trust bundle APIs enable automation of
 [X.509](https://www.itu.int/rec/T-REC-X.509) credential provisioning by providing
 a programmatic interface for clients of the Kubernetes API to request and obtain
 X.509 {{< glossary_tooltip term_id="certificate" text="certificates" >}} from a Certificate Authority (CA).
 
+There is also experimental (alpha) support for distributing [trust bundles](#cluster-trust-bundles).
+
+
+
+## Certificate signing requests
+
+{{< feature-state for_k8s_version="v1.19" state="stable" >}}
+
+
 A CertificateSigningRequest (CSR) resource is used to request that a certificate be signed
 by a denoted signer, after which the request may be approved or denied before
 finally being signed.
 
-
 
-## Request signing process
+### Request signing process
 
 The CertificateSigningRequest resource type allows a client to ask for an X.509 certificate
 be issued, based on a signing request.
@@ -64,12 +70,46 @@ state for some duration:
 * Pending requests: automatically deleted after 24 hours
 * All requests: automatically deleted after the issued certificate has expired
 
+### Certificate signing authorization {#authorization}
+
+To allow creating a CertificateSigningRequest and retrieving any CertificateSigningRequest:
+
+* Verbs: `create`, `get`, `list`, `watch`, group: `certificates.k8s.io`, resource: `certificatesigningrequests`
+
+For example:
+
+{{< codenew file="access/certificate-signing-request/clusterrole-create.yaml" >}}
+
+To allow approving a CertificateSigningRequest:
+
+* Verbs: `get`, `list`, `watch`, group: `certificates.k8s.io`, resource: `certificatesigningrequests`
+* Verbs: `update`, group: `certificates.k8s.io`, resource: `certificatesigningrequests/approval`
+* Verbs: `approve`, group: `certificates.k8s.io`, resource: `signers`, resourceName: `/` or `/*`
+
+For example:
+
+{{< codenew file="access/certificate-signing-request/clusterrole-approve.yaml" >}}
+
+To allow signing a CertificateSigningRequest:
+
+* Verbs: `get`, `list`, `watch`, group: `certificates.k8s.io`, resource: `certificatesigningrequests`
+* Verbs: `update`, group: `certificates.k8s.io`, resource: `certificatesigningrequests/status`
+* Verbs: `sign`, group: `certificates.k8s.io`, resource: `signers`, resourceName: `/` or `/*`
+
+{{< codenew file="access/certificate-signing-request/clusterrole-sign.yaml" >}}
+
+
 ## Signers
 
-Custom signerNames can also be specified. All signers should provide information about how they work so that clients can predict what will happen to their CSRs.
+Signers abstractly represent the entity or entities that might sign, or have
+signed, a security certificate.
+
+Any signer that is made available for outside a particular cluster should provide information
+about how the signer works, so that consumers can understand what that means for CertifcateSigningRequests
+and (if enabled) [ClusterTrustBundles](#cluster-trust-bundles).  
 This includes:
 
-1. **Trust distribution**: how trust (CA bundles) are distributed.
+1. **Trust distribution**: how trust anchors (CA certificates or certificate bundles) are distributed.
 1. **Permitted subjects**: any restrictions on and behavior when a disallowed subject is requested.
 1. **Permitted x509 extensions**: including IP subjectAltNames, DNS subjectAltNames, Email subjectAltNames, URI subjectAltNames etc, and behavior when a disallowed extension is requested.
 1. **Permitted key usages / extended key usages**: any restrictions on and behavior when usages different than the signer-determined usages are specified in the CSR.
@@ -77,13 +117,17 @@ This includes:
    and the behavior when the signer-determined expiration is different from the CSR `spec.expirationSeconds` field.
 1. **CA bit allowed/disallowed**: and behavior if a CSR contains a request a for a CA certificate when the signer does not permit it.
 
-Commonly, the `status.certificate` field contains a single PEM-encoded X.509
-certificate once the CSR is approved and the certificate is issued. Some
-signers store multiple certificates into the `status.certificate` field. In
+Commonly, the `status.certificate` field of a CertificateSigningRequest contains a
+single PEM-encoded X.509 certificate once the CSR is approved and the certificate is issued.
+Some signers store multiple certificates into the `status.certificate` field. In
 that case, the documentation for the signer should specify the meaning of
 additional certificates; for example, this might be the certificate plus
 intermediates to be presented during TLS handshakes.
 
+If you want to make the _trust anchor_ (root certificate) available, this should be done
+separately from a CertificateSigningRequest and its `status.certificate` field. For example,
+you could use a ClusterTrustBundle.
+
 The PKCS#10 signing request format does not have a standard mechanism to specify a
 certificate expiration or lifetime. The expiration or lifetime therefore has to be set
 through the `spec.expirationSeconds` field of the CSR object. The built-in signers
@@ -153,9 +197,8 @@ Kubernetes provides built-in signers that each have a well-known `signerName`:
       of the `--cluster-signing-duration` option or, if specified, the `spec.expirationSeconds` field of the CSR object.
    1. CA bit allowed/disallowed - not allowed.
 
-{{< note >}}
-Failures for all of these are only reported in kube-controller-manager logs.
-{{< /note >}}
+The kube-controller-manager implements [control plane signing](#signer-control-plane) for each of the built in
+signers. Failures for all of these are only reported in kube-controller-manager logs.
 
 {{< note >}}
 The `spec.expirationSeconds` field was added in Kubernetes v1.22.  Earlier versions of Kubernetes do not honor this field.
@@ -168,156 +211,89 @@ kube-apiserver, but this is not a standard.
 None of these usages are related to ServiceAccount token secrets `.data[ca.crt]` in any way.  That CA bundle is only
 guaranteed to verify a connection to the API server using the default service (`kubernetes.default.svc`).
 
-## Authorization
+### Custom signers
 
-To allow creating a CertificateSigningRequest and retrieving any CertificateSigningRequest:
+You can also introduce your own custom signer, which should have a similar prefixed name but using your
+own domain name. For example, if you represent an open source project that uses the domain `open-fictional.example`
+then you might use `issuer.open-fictional.example/service-mesh` as a signer name.
 
-* Verbs: `create`, `get`, `list`, `watch`, group: `certificates.k8s.io`, resource: `certificatesigningrequests`
+A custom signer uses the Kubernetes API to issue a certificate. See [API-based signers](#signer-api).
 
-For example:
+## Signing
 
-{{< codenew file="access/certificate-signing-request/clusterrole-create.yaml" >}}
+### Control plane signer {#signer-control-plane}
 
-To allow approving a CertificateSigningRequest:
+The Kubernetes control plane implements each of the
+[Kubernetes signers](/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers),
+as part of the kube-controller-manager.
 
-* Verbs: `get`, `list`, `watch`, group: `certificates.k8s.io`, resource: `certificatesigningrequests`
-* Verbs: `update`, group: `certificates.k8s.io`, resource: `certificatesigningrequests/approval`
-* Verbs: `approve`, group: `certificates.k8s.io`, resource: `signers`, resourceName: `/` or `/*`
+{{< note >}}
+Prior to Kubernetes v1.18, the kube-controller-manager would sign any CSRs that
+were marked as approved.
+{{< /note >}}
 
-For example:
+{{< note >}}
+The `spec.expirationSeconds` field was added in Kubernetes v1.22.  Earlier versions of Kubernetes do not honor this field.
+Kubernetes API servers prior to v1.22 will silently drop this field when the object is created.
+{{< /note >}}
 
-{{< codenew file="access/certificate-signing-request/clusterrole-approve.yaml" >}}
+### API-based signers {#signer-api}
 
-To allow signing a CertificateSigningRequest:
+Users of the REST API can sign CSRs by submitting an UPDATE request to the `status`
+subresource of the CSR to be signed.
 
-* Verbs: `get`, `list`, `watch`, group: `certificates.k8s.io`, resource: `certificatesigningrequests`
-* Verbs: `update`, group: `certificates.k8s.io`, resource: `certificatesigningrequests/status`
-* Verbs: `sign`, group: `certificates.k8s.io`, resource: `signers`, resourceName: `/` or `/*`
+As part of this request, the `status.certificate` field should be set to contain the
+signed certificate. This field contains one or more PEM-encoded certificates.
 
-{{< codenew file="access/certificate-signing-request/clusterrole-sign.yaml" >}}
+All PEM blocks must have the "CERTIFICATE" label, contain no headers,
+and the encoded data must be a BER-encoded ASN.1 Certificate structure
+as described in [section 4 of RFC5280](https://tools.ietf.org/html/rfc5280#section-4.1).
 
-## Normal user
+Example certificate content:
 
-A few steps are required in order to get a normal user to be able to
-authenticate and invoke an API. First, this user must have a certificate issued
-by the Kubernetes cluster, and then present that certificate to the Kubernetes API.
-
-### Create private key
-
-The following scripts show how to generate PKI private key and CSR. It is
-important to set CN and O attribute of the CSR. CN is the name of the user and
-O is the group that this user will belong to. You can refer to
-[RBAC](/docs/reference/access-authn-authz/rbac/) for standard groups.
-
-```shell
-openssl genrsa -out myuser.key 2048
-openssl req -new -key myuser.key -out myuser.csr
+```
+-----BEGIN CERTIFICATE-----
+MIIDgjCCAmqgAwIBAgIUC1N1EJ4Qnsd322BhDPRwmg3b/oAwDQYJKoZIhvcNAQEL
+BQAwXDELMAkGA1UEBhMCeHgxCjAIBgNVBAgMAXgxCjAIBgNVBAcMAXgxCjAIBgNV
+BAoMAXgxCjAIBgNVBAsMAXgxCzAJBgNVBAMMAmNhMRAwDgYJKoZIhvcNAQkBFgF4
+MB4XDTIwMDcwNjIyMDcwMFoXDTI1MDcwNTIyMDcwMFowNzEVMBMGA1UEChMMc3lz
+dGVtOm5vZGVzMR4wHAYDVQQDExVzeXN0ZW06bm9kZToxMjcuMC4wLjEwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDne5X2eQ1JcLZkKvhzCR4Hxl9+ZmU3
++e1zfOywLdoQxrPi+o4hVsUH3q0y52BMa7u1yehHDRSaq9u62cmi5ekgXhXHzGmm
+kmW5n0itRECv3SFsSm2DSghRKf0mm6iTYHWDHzUXKdm9lPPWoSOxoR5oqOsm3JEh
+Q7Et13wrvTJqBMJo1GTwQuF+HYOku0NF/DLqbZIcpI08yQKyrBgYz2uO51/oNp8a
+sTCsV4OUfyHhx2BBLUo4g4SptHFySTBwlpRWBnSjZPOhmN74JcpTLB4J5f4iEeA7
+2QytZfADckG4wVkhH3C2EJUmRtFIBVirwDn39GXkSGlnvnMgF3uLZ6zNAgMBAAGj
+YTBfMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMB
+Af8EAjAAMB0GA1UdDgQWBBTREl2hW54lkQBDeVCcd2f2VSlB1DALBgNVHREEBDAC
+ggAwDQYJKoZIhvcNAQELBQADggEBABpZjuIKTq8pCaX8dMEGPWtAykgLsTcD2jYr
+L0/TCrqmuaaliUa42jQTt2OVsVP/L8ofFunj/KjpQU0bvKJPLMRKtmxbhXuQCQi1
+qCRkp8o93mHvEz3mTUN+D1cfQ2fpsBENLnpS0F4G/JyY2Vrh19/X8+mImMEK5eOy
+o0BMby7byUj98WmcUvNCiXbC6F45QTmkwEhMqWns0JZQY+/XeDhEcg+lJvz9Eyo2
+aGgPsye1o3DpyXnyfJWAWMhOz7cikS5X2adesbgI86PhEHBXPIJ1v13ZdfCExmdd
+M1fLPhLyR54fGaY+7/X8P9AZzPefAkwizeXwe9ii6/a08vWoiE4=
+-----END CERTIFICATE-----
 ```
 
-### Create CertificateSigningRequest
+Non-PEM content may appear before or after the CERTIFICATE PEM blocks and is unvalidated,
+to allow for explanatory text as described in [section 5.2 of RFC7468](https://www.rfc-editor.org/rfc/rfc7468#section-5.2).
 
-Create a CertificateSigningRequest and submit it to a Kubernetes Cluster via kubectl. Below is a script to generate the CertificateSigningRequest.
+When encoded in JSON or YAML, this field is base-64 encoded.
+A CertificateSigningRequest containing the example certificate above would look like this:
 
-```shell
-cat < myuser.crt
-```
-
-### Create Role and RoleBinding
-
-With the certificate created it is time to define the Role and RoleBinding for
-this user to access Kubernetes cluster resources.
-
-This is a sample command to create a Role for this new user:
-
-```shell
-kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods
-```
-
-This is a sample command to create a RoleBinding for this new user:
-
-```shell
-kubectl create rolebinding developer-binding-myuser --role=developer --user=myuser
-```
-
-### Add to kubeconfig
-
-The last step is to add this user into the kubeconfig file.
-
-First, you need to add new credentials:
-
-```shell
-kubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true
-
-```
-
-Then, you need to add the context:
-
-```shell
-kubectl config set-context myuser --cluster=kubernetes --user=myuser
-```
-
-To test it, change the context to `myuser`:
-
-```shell
-kubectl config use-context myuser
+...
+status:
+  certificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JS..."
 ```
 
 ## Approval or rejection  {#approval-rejection}
 
+Before a [signer](#signers) issues a certificate based on a CertificateSigningRequest,
+the signer typically checks that the issuance for that CSR has been _approved_.
+
 ### Control plane automated approval {#approval-rejection-control-plane}
 
 The kube-controller-manager ships with a built-in approver for certificates with
@@ -389,112 +365,49 @@ code using TitleCase; this is a convention but you can set it to anything
 you like. If you want to add a note for human consumption, use the
 `status.conditions.message` field.
 
-## Signing
 
-### Control plane signer {#signer-control-plane}
-
-The Kubernetes control plane implements each of the
-[Kubernetes signers](/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers),
-as part of the kube-controller-manager.
-
-{{< note >}}
-Prior to Kubernetes v1.18, the kube-controller-manager would sign any CSRs that
-were marked as approved.
-{{< /note >}}
-
-{{< note >}}
-The `spec.expirationSeconds` field was added in Kubernetes v1.22.  Earlier versions of Kubernetes do not honor this field.
-Kubernetes API servers prior to v1.22 will silently drop this field when the object is created.
-{{< /note >}}
-
-### API-based signers {#signer-api}
-
-Users of the REST API can sign CSRs by submitting an UPDATE request to the `status`
-subresource of the CSR to be signed.
-
-As part of this request, the `status.certificate` field should be set to contain the
-signed certificate. This field contains one or more PEM-encoded certificates.
-
-All PEM blocks must have the "CERTIFICATE" label, contain no headers,
-and the encoded data must be a BER-encoded ASN.1 Certificate structure
-as described in [section 4 of RFC5280](https://tools.ietf.org/html/rfc5280#section-4.1).
-
-Example certificate content:
-
-```
------BEGIN CERTIFICATE-----
-MIIDgjCCAmqgAwIBAgIUC1N1EJ4Qnsd322BhDPRwmg3b/oAwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCeHgxCjAIBgNVBAgMAXgxCjAIBgNVBAcMAXgxCjAIBgNV
-BAoMAXgxCjAIBgNVBAsMAXgxCzAJBgNVBAMMAmNhMRAwDgYJKoZIhvcNAQkBFgF4
-MB4XDTIwMDcwNjIyMDcwMFoXDTI1MDcwNTIyMDcwMFowNzEVMBMGA1UEChMMc3lz
-dGVtOm5vZGVzMR4wHAYDVQQDExVzeXN0ZW06bm9kZToxMjcuMC4wLjEwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDne5X2eQ1JcLZkKvhzCR4Hxl9+ZmU3
-+e1zfOywLdoQxrPi+o4hVsUH3q0y52BMa7u1yehHDRSaq9u62cmi5ekgXhXHzGmm
-kmW5n0itRECv3SFsSm2DSghRKf0mm6iTYHWDHzUXKdm9lPPWoSOxoR5oqOsm3JEh
-Q7Et13wrvTJqBMJo1GTwQuF+HYOku0NF/DLqbZIcpI08yQKyrBgYz2uO51/oNp8a
-sTCsV4OUfyHhx2BBLUo4g4SptHFySTBwlpRWBnSjZPOhmN74JcpTLB4J5f4iEeA7
-2QytZfADckG4wVkhH3C2EJUmRtFIBVirwDn39GXkSGlnvnMgF3uLZ6zNAgMBAAGj
-YTBfMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMB
-Af8EAjAAMB0GA1UdDgQWBBTREl2hW54lkQBDeVCcd2f2VSlB1DALBgNVHREEBDAC
-ggAwDQYJKoZIhvcNAQELBQADggEBABpZjuIKTq8pCaX8dMEGPWtAykgLsTcD2jYr
-L0/TCrqmuaaliUa42jQTt2OVsVP/L8ofFunj/KjpQU0bvKJPLMRKtmxbhXuQCQi1
-qCRkp8o93mHvEz3mTUN+D1cfQ2fpsBENLnpS0F4G/JyY2Vrh19/X8+mImMEK5eOy
-o0BMby7byUj98WmcUvNCiXbC6F45QTmkwEhMqWns0JZQY+/XeDhEcg+lJvz9Eyo2
-aGgPsye1o3DpyXnyfJWAWMhOz7cikS5X2adesbgI86PhEHBXPIJ1v13ZdfCExmdd
-M1fLPhLyR54fGaY+7/X8P9AZzPefAkwizeXwe9ii6/a08vWoiE4=
------END CERTIFICATE-----
-```
-
-Non-PEM content may appear before or after the CERTIFICATE PEM blocks and is unvalidated,
-to allow for explanatory text as described in [section 5.2 of RFC7468](https://www.rfc-editor.org/rfc/rfc7468#section-5.2).
-
-When encoded in JSON or YAML, this field is base-64 encoded.
-A CertificateSigningRequest containing the example certificate above would look like this:
-
-```yaml
-apiVersion: certificates.k8s.io/v1
-kind: CertificateSigningRequest
-...
-status:
-  certificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JS..."
-```
-
-## ClusterTrustBundles (Alpha Feature) {#ctb}
+## Cluster trust bundles {#cluster-trust-bundles}
 
 {{< feature-state for_k8s_version="v1.27" state="alpha" >}}
 
 {{< note >}}
-Gated by the `ClusterTrustBundles` feature gate.
+In Kubernetes {{< skew currentVersion >}}, you must enable the `ClusterTrustBundles`
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+_and_ the `certificates.k8s.io/v1alpha1`
+{{< glossary_tooltip text="API group" term_id="api-group" >}} in order to use
+this API.
 {{< /note >}}
 
-ClusterTrustBundles are a cluster-scoped object for distributing X.509 trust
+A ClusterTrustBundles is a cluster-scoped object for distributing X.509 trust
 anchors (root certificates) to workloads within the cluster.  They're designed
-to work well with the existing signer concept.
+to work well with the [signer](#signers) concept from CertificateSigningRequests.
 
-Future Kubernetes releases will build on them with integrations like the ability
-to project their contents into the pod filesystem.
-
-ClusterTrustBundles can be used in two modes: signer-linked and signer-unlinked.
+ClusterTrustBundles can be used in two modes:
+[signer-linked](#ctb-signer-linked) and [signer-unlinked](#ctb-signer-unlinked).
 
 ### Common properties and validation {#ctb-common}
 
 All ClusterTrustBundle objects have strong validation on the contents of their
-`trustBundle` field.  It must contain one or more X.509 certificates,
+`trustBundle` field.  That field must contain one or more X.509 certificates,
 DER-serialized, each wrapped in a PEM `CERTIFICATE` block.  The certificates
 must parse as valid X.509 certificates.
 
 Esoteric PEM features like inter-block data and intra-block headers are either
-rejected during object validation, or filtered by consumers of the object
-(primarily Kubelet).  Additionally, consumers will reorder the certificates in
+rejected during object validation, or can be ignored by consumers of the object.
+Additionally, consumers are allowed to reorder the certificates in
 the bundle with their own arbitrary but stable ordering.
 
 ClusterTrustBundle objects should be considered world-readable within the
-cluster.  All serviceaccounts have a default RBAC grant to get, list, and watch
-all ClusterTrustBundle objects.
+cluster. If your cluster uses [RBAC](/docs/reference/access-authn-authz/rbac/)
+authorization, all ServiceAccounts have a default grant that allows them to
+**get**, **list**, and **watch** all ClusterTrustBundle objects.
+If you use your own authorization mechanism and you have enabled
+ClusterTrustBundles in your cluster, you should set up an equivalent rule to
+make these objects public within the cluster, so that they work as intended.
 
 ### Signer-linked ClusterTrustBundles {#ctb-signer-linked}
 
-Signer-linked ClusterTrustBundles are associated with a signer name, like this:
+Signer-linked ClusterTrustBundles are associated with a _signer name_, like this:
 
 ```yaml
 apiVersion: certificates.k8s.io/v1alpha1
@@ -509,20 +422,22 @@ spec:
 These ClusterTrustBundles are intended to be maintained by a signer-specific
 controller in the cluster, so they have several security features:
 
-* To create or update a signer-linked ClusterTrustBundle, you must have the
-  `attest` verb on the signer (verbs: `attest`, group: `certificates.k8s.io`,
-  resource: `signers`, resourceName: `/` or
-  `/*`).
-* Signer-linked ClusterTrustBundles must be named with a prefix derived from
+* To create or update a signer-linked ClusterTrustBundle, you must be permitted
+  to **attest** on the signer (custom authorization verb `attest`,
+  API group `certificates.k8s.io`; resource path `signers`). You can configure
+  authorization for the specific resource name
+  `/` or match a pattern such as
+  `/*`.
+* Signer-linked ClusterTrustBundles **must** be named with a prefix derived from
   their `spec.signerName` field.  Slashes (`/`) are replaced with colons (`:`),
   and a final colon is appended.  This is followed by an arbitary name.  For
-  example, the signer `example.com/mysigner` becomes
-  `example.com:mysigner:`.
+  example, the signer `example.com/mysigner` can be linked to a
+  ClusterTrustBundle `example.com:mysigner:`.
 
-Signer-linked ClusterTrustBundles will be consumed in workloads by a combination
-of field selector on the signer name and a label selector.  If this query
-matches multiple ClusterTrustBundle objects, their contents will be merged,
-deduplicated, and sorted before being provided to the workload.
+Signer-linked ClusterTrustBundles will typically be consumed in workloads
+by a combination of a
+[field selector](/docs/concepts/overview/working-with-objects/field-selectors/) on the signer name, and a separate
+[label selector](/docs/concepts/overview/working-with-objects/labels/#label-selectors).
 
 ### Signer-unlinked ClusterTrustBundles {#ctb-signer-unlinked}
 
@@ -534,7 +449,7 @@ kind: ClusterTrustBundle
 metadata:
   name: foo
 spec:
-  signerName: ""
+  # no signerName specified, so the field is blank
   trustBundle: "<... PEM data ...>"
 ```
 
@@ -542,11 +457,135 @@ They are primarily intended for cluster configuration use cases.  Each
 signer-unlinked ClusterTrustBundle is an independent object, in contrast to the
 customary grouping behavior of signer-linked ClusterTrustBundles.
 
-Signer-unlinked ClusterTrustBundles have no `attest` verb requirement.  Instead,
-control access to them using the standard RBAC verbs.
+Signer-unlinked ClusterTrustBundles have no `attest` verb requirement.
+Instead, you control access to them directly using the usual mechanisms,
+such as role-based access control.
 
 To distinguish them from signer-linked ClusterTrustBundles, the names of
-signer-unlinked ClusterTrustBundles must not contain a colon (`:`).
+signer-unlinked ClusterTrustBundles **must not** contain a colon (`:`).
+
+
+## How to issue a certificate for a user {#normal-user}
+
+A few steps are required in order to get a normal user to be able to
+authenticate and invoke an API. First, this user must have a certificate issued
+by the Kubernetes cluster, and then present that certificate to the Kubernetes API.
+
+### Create private key
+
+The following scripts show how to generate PKI private key and CSR. It is
+important to set CN and O attribute of the CSR. CN is the name of the user and
+O is the group that this user will belong to. You can refer to
+[RBAC](/docs/reference/access-authn-authz/rbac/) for standard groups.
+
+```shell
+openssl genrsa -out myuser.key 2048
+openssl req -new -key myuser.key -out myuser.csr
+```
+
+### Create a CertificateSigningRequest {#create-certificatessigningrequest}
+
+Create a CertificateSigningRequest and submit it to a Kubernetes Cluster via kubectl. Below is a script to generate the CertificateSigningRequest.
+
+```shell
+cat < myuser.crt
+```
+
+### Create Role and RoleBinding
+
+With the certificate created it is time to define the Role and RoleBinding for
+this user to access Kubernetes cluster resources.
+
+This is a sample command to create a Role for this new user:
+
+```shell
+kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods
+```
+
+This is a sample command to create a RoleBinding for this new user:
+
+```shell
+kubectl create rolebinding developer-binding-myuser --role=developer --user=myuser
+```
+
+### Add to kubeconfig
+
+The last step is to add this user into the kubeconfig file.
+
+First, you need to add new credentials:
+
+```shell
+kubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true
+
+```
+
+Then, you need to add the context:
+
+```shell
+kubectl config set-context myuser --cluster=kubernetes --user=myuser
+```
+
+To test it, change the context to `myuser`:
+
+```shell
+kubectl config use-context myuser
+```
+
 
 ## {{% heading "whatsnext" %}}
 

From ad7e7bae55016e1bf17c8bb4ce935cf3717d7079 Mon Sep 17 00:00:00 2001
From: my-git9 
Date: Mon, 10 Apr 2023 08:51:25 +0800
Subject: [PATCH 146/272] [zh-cn]rync and improve using-api/_index.md (#40570)

Signed-off-by: xin.li 
---
 content/zh-cn/docs/reference/_index.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/content/zh-cn/docs/reference/_index.md b/content/zh-cn/docs/reference/_index.md
index d2674056720..61b2b4776dc 100644
--- a/content/zh-cn/docs/reference/_index.md
+++ b/content/zh-cn/docs/reference/_index.md
@@ -85,7 +85,7 @@ client libraries:
 * [kubectl](/zh-cn/docs/reference/kubectl/) —— 主要的 CLI 工具,用于运行命令和管理 Kubernetes 集群。
   * [JSONPath](/zh-cn/docs/reference/kubectl/jsonpath/) —— 通过 kubectl 使用
     [JSONPath 表达式](https://goessner.net/articles/JsonPath/)的语法指南。
-* [kubeadm](/zh-cn/docs/reference/setup-tools/kubeadm/) - 此 CLI 工具可轻松配置安全的 Kubernetes 集群。
+* [kubeadm](/zh-cn/docs/reference/setup-tools/kubeadm/) —— 此 CLI 工具可轻松配置安全的 Kubernetes 集群。
 
 
 创建 Pod 时,可以为其下的容器设置环境变量。通过配置文件的 `env` 或者 `envFrom` 字段来设置环境变量。
 
+
+`env` 和 `envFrom` 字段具有不同的效果。
+
+`env`
+:可以为容器设置环境变量,直接为你所给的每个变量指定一个值。
+
+
+`envFrom`
+:你可以通过引用 ConfigMap 或 Secret 来设置容器的环境变量。
+使用 `envFrom` 时,引用的 ConfigMap 或 Secret 中的所有键值对都被设置为容器的环境变量。
+你也可以指定一个通用的前缀字符串。
+
+
+你可以阅读有关 [ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables)
+和 [Secret](/zh-cn/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
+的更多信息。
+
+本页介绍如何使用 `env`。
+
 
 
 
 
 这篇文章提供了一些关于 DNS 问题诊断的方法。
 
-
-
 ## {{% heading "prerequisites" %}}
 
 {{< include "task-tutorial-prereqs.md" >}}
@@ -28,6 +35,8 @@ kube-dns.
 
 {{< version-check >}}
 
+
+
 
-### 创建一个简单的 Pod 作为测试环境
+### 创建一个简单的 Pod 作为测试环境   {#create-a-simple-pod-to-use-as-a-test-environment}
 
 {{< codenew file="admin/dns/dnsutils.yaml" >}}
 
@@ -117,7 +117,7 @@ Take a look inside the resolv.conf file.
 (See [Customizing DNS Service](/docs/tasks/administer-cluster/dns-custom-nameservers) and
 [Known issues](#known-issues) below for more information)
 -->
-### 先检查本地的 DNS 配置
+### 先检查本地的 DNS 配置   {#check-the-local-dns-configuration-first}
 
 查看 resolv.conf 文件的内容
 (阅读[定制 DNS 服务](/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers/) 和
@@ -405,7 +405,7 @@ term_id="endpoint" >}} related resources to properly resolve service names.
 
 Sample error message:
 -->
-### CoreDNS 是否有足够的权限?
+### CoreDNS 是否有足够的权限?   {#does-coredns-have-sufficient-permissions}
 
 CoreDNS 必须能够列出 {{< glossary_tooltip text="service" term_id="service" >}} 和
 {{< glossary_tooltip text="endpoint" term_id="endpoint" >}} 相关的资源来正确解析服务名称。
@@ -476,7 +476,7 @@ the namespace of the service.
 
 This query is limited to the pod's namespace:
 -->
-### 你的服务在正确的名字空间中吗?
+### 你的服务在正确的名字空间中吗?   {#are-you-in-the-right-namespace-for-the-service}
 
 未指定名字空间的 DNS 查询仅作用于 Pod 所在的名字空间。
 

From 8aa1ec497dcf39e527feed4709b5af3ef7960fca Mon Sep 17 00:00:00 2001
From: Arhell 
Date: Mon, 10 Apr 2023 11:44:26 +0300
Subject: [PATCH 150/272] [ja] Update branch name in ingress-nginx github link

---
 content/ja/docs/concepts/services-networking/ingress.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/services-networking/ingress.md b/content/ja/docs/concepts/services-networking/ingress.md
index 1ffa2299131..620a4580d29 100644
--- a/content/ja/docs/concepts/services-networking/ingress.md
+++ b/content/ja/docs/concepts/services-networking/ingress.md
@@ -51,7 +51,7 @@ Ingressリソースの最小構成の例は以下のとおりです。
 
 {{< codenew file="service/networking/minimal-ingress.yaml" >}}
 
-Ingressには`apiVersion`、`kind`、`metadata`や`spec`フィールドが必要です。Ingressオブジェクトの名前は、有効な[DNSサブドメイン名](/ja/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)である必要があります。設定ファイルに関する一般的な情報は、[アプリケーションのデプロイ](/ja/docs/tasks/run-application/run-stateless-application-deployment/)、[コンテナの設定](/ja/docs/tasks/configure-pod-container/configure-pod-configmap/)、[リソースの管理](/ja/docs/concepts/cluster-administration/manage-deployment/)を参照してください。Ingressでは、Ingressコントローラーに依存しているいくつかのオプションの設定をするためにアノテーションを一般的に使用します。例としては、[rewrite-targetアノテーション](https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/rewrite/README.md)などがあります。[Ingressコントローラー](/ja/docs/concepts/services-networking/ingress-controllers)の種類が異なれば、サポートするアノテーションも異なります。サポートされているアノテーションについて学ぶためには、使用するIngressコントローラーのドキュメントを確認してください。
+Ingressには`apiVersion`、`kind`、`metadata`や`spec`フィールドが必要です。Ingressオブジェクトの名前は、有効な[DNSサブドメイン名](/ja/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)である必要があります。設定ファイルに関する一般的な情報は、[アプリケーションのデプロイ](/ja/docs/tasks/run-application/run-stateless-application-deployment/)、[コンテナの設定](/ja/docs/tasks/configure-pod-container/configure-pod-configmap/)、[リソースの管理](/ja/docs/concepts/cluster-administration/manage-deployment/)を参照してください。Ingressでは、Ingressコントローラーに依存しているいくつかのオプションの設定をするためにアノテーションを一般的に使用します。例としては、[rewrite-targetアノテーション](https://github.com/kubernetes/ingress-nginx/blob/main/docs/examples/rewrite/README.md)などがあります。[Ingressコントローラー](/ja/docs/concepts/services-networking/ingress-controllers)の種類が異なれば、サポートするアノテーションも異なります。サポートされているアノテーションについて学ぶためには、使用するIngressコントローラーのドキュメントを確認してください。
 
 Ingress [Spec](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)は、ロードバランサーやプロキシーサーバーを設定するために必要な全ての情報を持っています。最も重要なものとして、外部からくる全てのリクエストに対して一致したルールのリストを含みます。IngressリソースはHTTP(S)トラフィックに対してのルールのみサポートしています。
 

From 811f1290e58947c585b6f85b7eacb51b9212d257 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mudrini=C4=87?= 
Date: Mon, 10 Apr 2023 12:25:07 +0200
Subject: [PATCH 151/272] [pt-br] Replace k8s.gcr.io with registry.k8s.io in
 reference doc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Marko Mudrinić 
---
 .../setup-tools/kubeadm/generated/kubeadm_config_images_pull.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md b/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md
index 15b6fd9195c..a4f3864a434 100644
--- a/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md
+++ b/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md
@@ -59,7 +59,7 @@ kubeadm config images pull [flags]
 
 
 
---image-repository string     Padrão: "k8s.gcr.io"
+--image-repository string     Padrão: "registry.k8s.io"
 
 
 
Escolha um registro de contêineres para baixar imagens da camada de gerenciamento


From 2d7cc470c2ba7898483a8bd537846af1c931e5ec Mon Sep 17 00:00:00 2001
From: Katrina Verey 
Date: Tue, 4 Apr 2023 14:51:33 -0400
Subject: [PATCH 152/272] Add blog post introducing ApplySet-based pruning

---
 ...ore-Performant-Pruning-in-kubectl-apply.md | 71 +++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 content/en/blog/_posts/2023-05-09-Safer-More-Performant-Pruning-in-kubectl-apply.md

diff --git a/content/en/blog/_posts/2023-05-09-Safer-More-Performant-Pruning-in-kubectl-apply.md b/content/en/blog/_posts/2023-05-09-Safer-More-Performant-Pruning-in-kubectl-apply.md
new file mode 100644
index 00000000000..d8d1b9a138c
--- /dev/null
+++ b/content/en/blog/_posts/2023-05-09-Safer-More-Performant-Pruning-in-kubectl-apply.md
@@ -0,0 +1,71 @@
+---
+layout: blog
+title: "Kubernetes 1.27: Safer, More Performant Pruning in kubectl apply"
+date: 2023-05-09
+slug: introducing-kubectl-applyset-pruning
+---
+
+**Authors:** Katrina Verey (Shopify) and Justin Santa Barbara (Google)
+
+Declarative configuration management with the `kubectl apply` command is the gold standard approach
+to creating or modifying Kubernetes resources. However, one challenge it presents is the deletion
+of resources that are no longer needed. In Kubernetes version 1.5, the `--prune` flag was
+introduced to address this issue, allowing kubectl apply to automatically clean up previously
+applied resources removed from the current configuration.
+
+Unfortunately, that existing implementation of `--prune` has design flaws that diminish its
+performance and can result in unexpected behaviors. The main issue stems from the lack of explicit
+encoding of the previously applied set by the preceding `apply` operation, necessitating
+error-prone dynamic discovery. Object leakage, inadvertent over-selection of resources, and limited
+compatibility with custom resources are a few notable drawbacks of this implementation. Moreover,
+its coupling to client-side apply hinders user upgrades to the superior server-side apply
+mechanism.
+
+Version 1.27 of `kubectl` introduces an alpha version of a revamped pruning implementation that
+addresses these issues. This new implementation, based on a concept called _ApplySet_, promises
+better performance and safety.
+
+An _ApplySet_ is a group of resources associated with a _parent_ object on the cluster, as
+identified and configured through standardized labels and annotations. Additional standardized
+metadata allows for accurate identification of ApplySet _member_ objects within the cluster,
+simplifying operations like pruning.
+
+To leverage ApplySet-based pruning, set the `KUBECTL_APPLYSET=true` environment variable and include
+the flags `--prune` and `--applyset` in your `kubectl apply` invocation:
+
+```shell
+KUBECTL_APPLYSET=true kubectl apply -f  --prune --applyset=
+```
+
+By default, ApplySet uses a Secret as the parent object. However, you can also use
+a ConfigMap with the format `--applyset=configmaps/`. If your desired Secret or
+ConfigMap object does not yet exist, `kubectl` will create it for you. Furthermore, custom
+resources can be enabled for use as ApplySet parent objects.
+
+The ApplySet implementation is based on a new low-level specification that can support higher-level
+ecosystem tools by improving their interoperability. The lightweight nature of this specification
+enables these tools to continue to use existing object grouping systems while opting in to
+ApplySet's metadata conventions to prevent inadvertent changes by other tools (such as `kubectl`).
+
+ApplySet-based pruning offers a promising solution to the shortcomings of the previous `--prune`
+implementation in `kubectl` and can help streamline your Kubernetes resource management. Please
+give this new feature a try and share your experiences with the community—ApplySet is under active
+development, and your feedback is invaluable!
+
+
+### Additional resources
+
+- For more information how to use ApplySet-based pruning, read
+  [Declarative Management of Kubernetes Objects Using Configuration Files](/docs/tasks/manage-kubernetes-objects/declarative-config/) in the Kubernetes documentation.
+- For a deeper dive into the technical design of this feature or to learn how to implement the
+  ApplySet specification in your own tools, refer to [KEP 3659](https://git.k8s.io/enhancements/keps/sig-cli/3659-kubectl-apply-prune/README.md):
+  _ApplySet: `kubectl apply --prune` redesign and graduation strategy_.
+
+
+### How do I get involved?
+
+If you want to get involved in ApplySet development, you can get in touch with the developers at
+[SIG CLI](https://git.k8s.io/community/sig-cli). To provide feedback on the feature, please
+[file a bug](https://github.com/kubernetes/kubectl/issues/new?assignees=knverey,justinsb&labels=kind%2Fbug&template=bug-report.md)
+or [request an enhancement](https://github.com/kubernetes/kubectl/issues/new?assignees=knverey,justinsb&labels=kind%2Fbug&template=enhancement.md)
+on the `kubernetes/kubectl` repository.

From fe00b86c3eca67f82d95d3c2d9d8aa237e921d1a Mon Sep 17 00:00:00 2001
From: Nate W 
Date: Mon, 10 Apr 2023 12:28:48 -0700
Subject: [PATCH 153/272] Update data/releases/schedule.yaml

Co-authored-by: Rey Lejano 
---
 data/releases/schedule.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/releases/schedule.yaml b/data/releases/schedule.yaml
index 19ce450ae92..c41858faf34 100644
--- a/data/releases/schedule.yaml
+++ b/data/releases/schedule.yaml
@@ -5,7 +5,7 @@ schedules:
   endOfLifeDate: 2024-06-28
   next:
     release: 1.27.1
-    cherryPickDeadline: 2023-04-07
+    cherryPickDeadline: 2023-05-10
     targetDate: 2023-04-12
   previousPatches:
     - release: 1.27.0

From e7b492194a12c6ad0f67a42b263db9efddaafc4a Mon Sep 17 00:00:00 2001
From: Nate W 
Date: Mon, 10 Apr 2023 12:29:07 -0700
Subject: [PATCH 154/272] Update data/releases/schedule.yaml

Co-authored-by: Rey Lejano 
---
 data/releases/schedule.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/releases/schedule.yaml b/data/releases/schedule.yaml
index c41858faf34..4673097d521 100644
--- a/data/releases/schedule.yaml
+++ b/data/releases/schedule.yaml
@@ -6,7 +6,7 @@ schedules:
   next:
     release: 1.27.1
     cherryPickDeadline: 2023-05-10
-    targetDate: 2023-04-12
+    targetDate: 2023-05-17
   previousPatches:
     - release: 1.27.0
       cherryPickDeadline: ""

From 99dedbabf9094f47ac5e9b30d96159fb429befa5 Mon Sep 17 00:00:00 2001
From: Rob Scott 
Date: Fri, 17 Mar 2023 02:01:38 +0000
Subject: [PATCH 155/272] Updating documentation for Topology Aware Routing in
 1.27

---
 .../services-networking/service-topology.md   |  4 +-
 ...are-hints.md => topology-aware-routing.md} | 91 +++++++++++++------
 static/_redirects                             |  1 +
 3 files changed, 68 insertions(+), 28 deletions(-)
 rename content/en/docs/concepts/services-networking/{topology-aware-hints.md => topology-aware-routing.md} (62%)

diff --git a/content/en/docs/concepts/services-networking/service-topology.md b/content/en/docs/concepts/services-networking/service-topology.md
index b833ff6e3b0..081a58cc851 100644
--- a/content/en/docs/concepts/services-networking/service-topology.md
+++ b/content/en/docs/concepts/services-networking/service-topology.md
@@ -16,8 +16,8 @@ weight: 150
 
 This feature, specifically the alpha `topologyKeys` API, is deprecated since
 Kubernetes v1.21.
-[Topology Aware Hints](/docs/concepts/services-networking/topology-aware-hints/),
-introduced in Kubernetes v1.21, provide similar functionality.
+[Topology Aware Routing](/docs/concepts/services-networking/topology-aware-routing/),
+introduced in Kubernetes v1.21, provides similar functionality.
 {{}}
 
 _Service Topology_ enables a service to route traffic based upon the Node
diff --git a/content/en/docs/concepts/services-networking/topology-aware-hints.md b/content/en/docs/concepts/services-networking/topology-aware-routing.md
similarity index 62%
rename from content/en/docs/concepts/services-networking/topology-aware-hints.md
rename to content/en/docs/concepts/services-networking/topology-aware-routing.md
index 7a6d212476e..1977f199d0c 100644
--- a/content/en/docs/concepts/services-networking/topology-aware-hints.md
+++ b/content/en/docs/concepts/services-networking/topology-aware-routing.md
@@ -1,11 +1,11 @@
 ---
 reviewers:
 - robscott
-title: Topology Aware Hints
+title: Topology Aware Routing
 content_type: concept
 weight: 100
 description: >-
-  _Topology Aware Hints_ provides a mechanism to help keep network traffic within the zone
+  _Topology Aware Routing_ provides a mechanism to help keep network traffic within the zone
   where it originated. Preferring same-zone traffic between Pods in your cluster can help
   with reliability, performance (network latency and throughput), or cost.
 ---
@@ -15,45 +15,68 @@ description: >-
 
 {{< feature-state for_k8s_version="v1.23" state="beta" >}}
 
-_Topology Aware Hints_ enable topology aware routing by including suggestions
-for how clients should consume endpoints. This approach adds metadata to enable
-consumers of EndpointSlice (or Endpoints) objects, so that traffic to
-those network endpoints can be routed closer to where it originated.
+{{< note >}}
+Prior to Kubernetes 1.27, this feature was known as _Topology Aware Hints_.
+{{}}
 
-For example, you can route traffic within a locality to reduce
-costs, or to improve network performance.
+_Topology Aware Routing_ adjusts routing behavior to prefer keeping traffic in
+the zone it originated from. In some cases this can help reduce costs or improve
+network performance.
 
 
 
 ## Motivation
 
 Kubernetes clusters are increasingly deployed in multi-zone environments.
-_Topology Aware Hints_ provides a mechanism to help keep traffic within the zone
-it originated from. This concept is commonly referred to as "Topology Aware
-Routing". When calculating the endpoints for a {{< glossary_tooltip term_id="Service" >}},
-the EndpointSlice controller considers the topology (region and zone) of each endpoint
-and populates the hints field to allocate it to a zone.
-Cluster components such as the {{< glossary_tooltip term_id="kube-proxy" text="kube-proxy" >}}
-can then consume those hints, and use them to influence how the traffic is routed
-(favoring topologically closer endpoints).
+_Topology Aware Routing_ provides a mechanism to help keep traffic within the
+zone it originated from. When calculating the endpoints for a {{<
+glossary_tooltip term_id="Service" >}}, the EndpointSlice controller considers
+the topology (region and zone) of each endpoint and populates the hints field to
+allocate it to a zone. Cluster components such as {{< glossary_tooltip
+term_id="kube-proxy" text="kube-proxy" >}} can then consume those hints, and use
+them to influence how the traffic is routed (favoring topologically closer
+endpoints).
 
-## Using Topology Aware Hints
+## Enabling Topology Aware Routing
 
-You can activate Topology Aware Hints for a Service by setting the
-`service.kubernetes.io/topology-aware-hints` annotation to `auto`. This tells
-the EndpointSlice controller to set topology hints if it is deemed safe.
-Importantly, this does not guarantee that hints will always be set.
+{{< note >}}
+Prior to Kubernetes 1.27, this behavior was controlled using the
+`service.kubernetes.io/topology-aware-hints` annotation.
+{{}}
 
-## How it works {#implementation}
+You can enable Topology Aware Routing for a Service by setting the
+`service.kubernetes.io/topology-mode` annotation to `Auto`. When there are
+enough endpoints available in each zone, Topology Hints will be populated on
+EndpointSlices to allocate individual endpoints to specific zones, resulting in
+traffic being routed closer to where it originated from.
 
-The functionality enabling this feature is split into two components: The
-EndpointSlice controller and the kube-proxy. This section provides a high level overview
-of how each component implements this feature.
+## When it works best
+
+This feature works best when:
+
+### 1. Incoming traffic is evenly distributed
+
+If a large proportion of traffic is originating from a single zone, that traffic
+could overload the subset of endpoints that have been allocated to that zone.
+This feature is not recommended when incoming traffic is expected to originate
+from a single zone.
+
+### 2. The Service has 3 or more endpoints per zone {#three-or-more-endpoints-per-zone}
+In a three zone cluster, this means 9 or more endpoints. If there are fewer than
+3 endpoints per zone, there is a high (≈50%) probability that the EndpointSlice
+controller will not be able to allocate endpoints evenly and instead will fall
+back to the default cluster-wide routing approach.
+
+## How It Works
+
+The "Auto" heuristic attempts to proportionally allocate a number of endpoints
+to each zone. Note that this heuristic works best for Services that have a
+significant number of endpoints.
 
 ### EndpointSlice controller {#implementation-control-plane}
 
 The EndpointSlice controller is responsible for setting hints on EndpointSlices
-when this feature is enabled. The controller allocates a proportional amount of
+when this heuristic is enabled. The controller allocates a proportional amount of
 endpoints to each zone. This proportion is based on the
 [allocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
 CPU cores for nodes running in that zone. For example, if one zone had 2 CPU
@@ -145,6 +168,11 @@ zone.
   proportions of each zone. This could have unintended consequences if a large
   portion of nodes are unready.
 
+* The EndpointSlice controller ignores nodes with the
+  `node-role.kubernetes.io/control-plane` or `node-role.kubernetes.io/master`
+  label set. This could be problematic if workloads are also running on those
+  nodes.
+
 * The EndpointSlice controller does not take into account {{< glossary_tooltip
   text="tolerations" term_id="toleration" >}} when deploying or calculating the
   proportions of each zone. If the Pods backing a Service are limited to a
@@ -157,6 +185,17 @@ zone.
   either not picking up on this event, or newly added pods starting in a
   different zone.
 
+
+## Custom heuristics
+
+Kubernetes is deployed in many different ways, there is no single heuristic for
+allocating endpoints to zones will work for every use case. A key goal of this
+feature is to enable custom heuristics to be developed if the built in heuristic
+does not work for your use case. The first steps to enable custom heuristics
+were included in the 1.27 release. This is a limited implementation that may not
+yet cover some relevant and plausible situations.
+
+
 ## {{% heading "whatsnext" %}}
 
 * Follow the [Connecting Applications with Services](/docs/tutorials/services/connect-applications-service/) tutorial
diff --git a/static/_redirects b/static/_redirects
index f4bd3250907..b720f758cb7 100644
--- a/static/_redirects
+++ b/static/_redirects
@@ -94,6 +94,7 @@
 /docs/concepts/service-catalog/     /docs/concepts/extend-kubernetes/service-catalog/ 301
 /docs/concepts/services-networking/networkpolicies/     /docs/concepts/services-networking/network-policies/ 301
 /docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/     /docs/tasks/network/customize-hosts-file-for-pods/ 301
+/docs/concepts/services-networking/topology-aware-hints/     /docs/concepts/services-networking/topology-aware-routing/ 302
 /docs/concepts/storage/etcd-store-api-object/     /docs/tasks/administer-cluster/configure-upgrade-etcd/ 301
 /docs/concepts/storage/volumes/emptyDirapiVersion/     /docs/concepts/storage/volumes/#emptydir/ 301
 /docs/concepts/tools/kubectl/object-management-overview/     /docs/concepts/overview/object-management-kubectl/overview/ 301

From 738428a02dfd37104349b311d9b0e9a0f80842fd Mon Sep 17 00:00:00 2001
From: Arhell 
Date: Tue, 11 Apr 2023 00:40:42 +0300
Subject: [PATCH 156/272] [ru] Fix mismatch in Labels and Selectors concept
 page

---
 .../ru/docs/concepts/overview/working-with-objects/labels.md    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ru/docs/concepts/overview/working-with-objects/labels.md b/content/ru/docs/concepts/overview/working-with-objects/labels.md
index 572454f1815..6e1bdb5fbce 100644
--- a/content/ru/docs/concepts/overview/working-with-objects/labels.md
+++ b/content/ru/docs/concepts/overview/working-with-objects/labels.md
@@ -166,7 +166,7 @@ kubectl get pods -l 'environment in (production),tier in (frontend)'
 kubectl get pods -l 'environment in (production, qa)'
 ```
 
-Либо можно воспользоваться исключающим сопоставлением с помощью оператора _exists_:
+Либо можно воспользоваться исключающим сопоставлением с помощью оператора _notin_:
 
 ```shell
 kubectl get pods -l 'environment,environment notin (frontend)'

From 5b7e267207ba8b11e89e145037a1f3d33c92c811 Mon Sep 17 00:00:00 2001
From: Jan Safranek 
Date: Tue, 7 Mar 2023 13:11:13 +0100
Subject: [PATCH 157/272] Add blog for Speed up recursive SELinux label change
 beta
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Roman Bednář 
Co-authored-by: Jonathan Dobson 
Co-authored-by: Tim Bannister 
---
 ...04-18-efficient-selinux-relabeling-beta.md | 120 ++++++++++++++++++
 1 file changed, 120 insertions(+)
 create mode 100644 content/en/blog/_posts/2023-04-18-efficient-selinux-relabeling-beta.md

diff --git a/content/en/blog/_posts/2023-04-18-efficient-selinux-relabeling-beta.md b/content/en/blog/_posts/2023-04-18-efficient-selinux-relabeling-beta.md
new file mode 100644
index 00000000000..d9a3a880640
--- /dev/null
+++ b/content/en/blog/_posts/2023-04-18-efficient-selinux-relabeling-beta.md
@@ -0,0 +1,120 @@
+---
+layout: blog
+title: "Kubernetes 1.27: Efficient SELinux volume relabeling (Beta)"
+date: 2023-04-18T10:00:00-08:00
+slug: kubernetes-1-27-efficient-selinux-relabeling-beta
+---
+
+**Author:** Jan Šafránek (Red Hat)
+
+# The problem
+
+On Linux with Security-Enhanced Linux (SELinux) enabled, it's traditionally
+the container runtime that applies SELinux labels to a Pod and all its volumes.
+Kubernetes only provides the SELinux label from Pod's Security Context fields
+to the container runtime.
+
+The container runtime then recursively changes SELinux label on all files that
+are visible to the Pod's containers. This can be time-consuming if there are
+many files on the volume, especially when the volume is on a remote filesystem.
+
+{{% alert title="Note" color="info" %}}
+If a container uses `subPath` of a volume, only that `subPath` of the whole
+volume is relabeled. This allows two pods that have two different SELinux labels
+to use the same volume, as long as they use different subpaths of it.
+{{% /alert %}}
+
+If a Pod does not have any SELinux label assigned in Kubernetes API, the
+container runtime assigns a unique random one, so a process that potentially
+escapes the container boundary cannot access data of any other container on the
+host. The container runtime still recursively relabels all pod volumes with this
+random SELinux label.
+
+# Improvement using mount options
+
+If a Pod and its volume meet **all** of the following conditions, Kubernetes will
+_mount_ the volume directly with the right SELinux label. Such mount will happen
+in a constant time and the container runtime will not need to recursively
+relabel any files on it.
+
+1. The operating system must support SELinux.
+
+   Without SELinux support detected, kubelet and the container runtime do not
+   do anything with regard to SELinux.
+
+1. The [feature gates](/docs/reference/command-line-tools-reference/feature-gates/)
+   `ReadWriteOncePod` and `SELinuxMountReadWriteOncePod` must be enabled.
+   These feature gates are Beta in Kubernetes 1.27 and Alpha in 1.25.
+
+   With any of these feature gates disabled, SELinux labels will be always
+   applied by the container runtime by a recursive walk through the volume
+   (or its subPaths).
+
+1. The Pod must have at least `seLinuxOptions.level` assigned in its [Pod Security Context](/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) or all Pod containers must have it set in their [Security Contexts](/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1).
+   Kubernetes will read the default `user`, `role` and `type` from the operating
+   system defaults (typically `system_u`, `system_r` and `container_t`).
+
+   Without Kubernetes knowing at least the SELinux `level`, the container
+   runtime will assign a random one _after_ the volumes are mounted. The
+   container runtime will still relabel the volumes recursively in that case.
+
+1. The volume must be a Persistent Volume with
+   [Access Mode](/docs/concepts/storage/persistent-volumes/#access-modes)
+   `ReadWriteOncePod`.
+
+   This is a limitation of the initial implementation. As described above,
+   two Pods can have a different SELinux label and still use the same volume,
+   as long as they use a different `subPath` of it. This use case is not
+   possible when the volumes are _mounted_ with the SELinux label, because the
+   whole volume is mounted and most filesystems don't support mounting a single
+   volume multiple times with multiple SELinux labels.
+
+   If running two Pods with two different SELinux contexts and using
+   different `subPaths` of the same volume is necessary in your deployments,
+   please comment in the [KEP](https://github.com/kubernetes/enhancements/issues/1710)
+   issue (or upvote any existing comment - it's best not to duplicate).
+   Such pods may not run when the feature is extended to cover all volume access modes.
+
+1. The volume plugin or the CSI driver responsible for the volume supports
+   mounting with SELinux mount options.
+
+   These in-tree volume plugins support mounting with SELinux mount options:
+   `fc`, `iscsi`, and `rbd`.
+
+   CSI drivers that support mounting with SELinux mount options must announce
+   that in their
+   [CSIDriver](/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1/)
+   instance by setting `seLinuxMount` field.
+
+   Volumes managed by other volume plugins or CSI drivers that don't
+   set `seLinuxMount: true` will be recursively relabelled by the container
+   runtime.
+
+## Mounting with SELinux context
+
+When all aforementioned conditions are met, kubelet will
+pass `-o context=` mount option to the volume plugin or CSI
+driver. CSI driver vendors must ensure that this mount option is supported
+by their CSI driver and, if necessary, the CSI driver appends other mount
+options that are needed for `-o context` to work.
+
+For example, NFS may need `-o context=,nosharecache`, so each
+volume mounted from the same NFS server can have a different SELinux label
+value. Similarly, CIFS may need `-o context=,nosharesock`.
+
+It's up to the CSI driver vendor to test their CSI driver in a SELinux enabled
+environment before setting `seLinuxMount: true` in the CSIDriver instance.
+
+# How can I learn more?
+SELinux in containers: see excellent
+[visual SELinux guide](https://opensource.com/business/13/11/selinux-policy-guide)
+by Daniel J Walsh. Note that the guide is older than Kubernetes, it describes
+*Multi-Category Security* (MCS) mode using virtual machines as an example,
+however, a similar concept is used for containers.
+
+See a series of blog posts for details how exactly SELinux is applied to
+containers by container runtimes:
+* [How SELinux separates containers using Multi-Level Security](https://www.redhat.com/en/blog/how-selinux-separates-containers-using-multi-level-security)
+* [Why you should be using Multi-Category Security for your Linux containers](https://www.redhat.com/en/blog/why-you-should-be-using-multi-category-security-your-linux-containers)
+
+Read the KEP: [Speed up SELinux volume relabeling using mounts](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling)

From 4a658ee6a3f61240de7d007252d9b2f294367121 Mon Sep 17 00:00:00 2001
From: Aravindh Puthiyaparambil 
Date: Mon, 24 Oct 2022 14:52:49 -0700
Subject: [PATCH 158/272] Add blog about Node Log Query alpha

Enhancement:  https://github.com/kubernetes/enhancements/tree/master/keps/sig-windows/2258-node-service-log-viewer
Feature PR: https://github.com/kubernetes/kubernetes/pull/96120
---
 .../_posts/2023-04-21-node-log-query-alpha.md | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 content/en/blog/_posts/2023-04-21-node-log-query-alpha.md

diff --git a/content/en/blog/_posts/2023-04-21-node-log-query-alpha.md b/content/en/blog/_posts/2023-04-21-node-log-query-alpha.md
new file mode 100644
index 00000000000..5791f865a4f
--- /dev/null
+++ b/content/en/blog/_posts/2023-04-21-node-log-query-alpha.md
@@ -0,0 +1,78 @@
+---
+layout: blog
+title: "Kubernetes 1.27: Query Node Logs Using The Kubelet API"
+date: 2023-04-21
+slug: node-log-query-alpha
+---
+
+**Author:** Aravindh Puthiyaparambil (Red Hat)
+
+Kubernetes 1.27 introduced a new feature called _Node log query_ that allows
+viewing logs of services running on the node.
+
+## What problem does it solve?
+Cluster administrators face issues when debugging malfunctioning services
+running on the node. They usually have to SSH or RDP into the node to view the
+logs of the service to debug the issue. The _Node log query_ feature helps with
+this scenario by allowing the cluster administrator to view the logs using
+_kubectl_. This is especially useful with Windows nodes where you run into the
+issue of the node going to the ready state but containers not coming up due to
+CNI misconfigurations and other issues that are not easily identifiable by
+looking at the Pod status.
+
+## How does it work?
+
+The kubelet already has a _/var/log/_ viewer that is accessible via the node
+proxy endpoint. The feature supplements this endpoint with a shim that shells
+out to `journalctl`, on Linux nodes, and the `Get-WinEvent` cmdlet on Windows
+nodes. It then uses the existing filters provided by the commands to allow
+filtering the logs. The kubelet also uses heuristics to retrieve the logs.
+If the user is not aware if a given system services logs to a file or to the
+native system logger, the heuristics first checks the native operating system
+logger and if that is not available it attempts to retrieve the first logs
+from `/var/log/` or `/var/log/.log` or
+`/var/log//.log`.
+
+On Linux we assume that service logs are available via journald, and that
+`journalctl` is installed. On Windows we assume that service logs are available
+in the application log provider. Also note that fetching node logs is only
+available if you are authorized to do so (in RBAC, that's **get** and
+**create** access to `nodes/proxy`). The privileges that you need to fetch node
+logs also allow elevation-of-privilege attacks, so be careful about how you
+manage them.
+
+## How do I use it?
+
+To use the feature, ensure that the `NodeLogQuery`
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is
+enabled for that node, and that the kubelet configuration options
+`enableSystemLogHandler` and `enableSystemLogQuery` are both set to true. You can
+then query the logs from all your nodes or just a subset. Here is an example to
+retrieve the kubelet service logs from a node:
+```shell
+# Fetch kubelet logs from a node named node-1.example
+kubectl get --raw "/api/v1/nodes/node-1.example/proxy/logs/?query=kubelet"
+```
+
+You can further filter the query to narrow down the results:
+```shell
+# Fetch kubelet logs from a node named node-1.example that have the word "error"
+kubectl get --raw "/api/v1/nodes/node-1.example/proxy/logs/?query=kubelet&pattern=error"
+```
+
+You can also fetch files from `/var/log/` on a Linux node:
+```shell
+kubectl get --raw "/api/v1/nodes//proxy/logs/?query=/"
+```
+
+You can read the
+[documentation](/docs/concepts/cluster-administration/system-logs/#log-query)
+for all the available options.
+
+## How do I help?
+
+Please use the feature and provide feedback by opening GitHub issues or
+reaching out to us on the
+[#sig-windows](https://kubernetes.slack.com/archives/C0SJ4AFB7) channel on the
+Kubernetes Slack or the SIG Windows
+[mailing list](https://groups.google.com/g/kubernetes-sig-windows).

From b7b35304dd389442b3e211619fa82061225e8cfe Mon Sep 17 00:00:00 2001
From: Chris Henzie 
Date: Mon, 6 Mar 2023 10:52:44 -0800
Subject: [PATCH 159/272] Feature blog for ReadWriteOncePod beta graduation

---
 ...20-read-write-once-pod-access-mode-beta.md | 105 ++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 content/en/blog/_posts/2023-04-20-read-write-once-pod-access-mode-beta.md

diff --git a/content/en/blog/_posts/2023-04-20-read-write-once-pod-access-mode-beta.md b/content/en/blog/_posts/2023-04-20-read-write-once-pod-access-mode-beta.md
new file mode 100644
index 00000000000..1e3f83d806d
--- /dev/null
+++ b/content/en/blog/_posts/2023-04-20-read-write-once-pod-access-mode-beta.md
@@ -0,0 +1,105 @@
+---
+layout: blog
+title: "Kubernetes 1.27: Single Pod Access Mode for PersistentVolumes Graduates to Beta"
+date: 2023-04-20
+slug: read-write-once-pod-access-mode-beta
+---
+
+**Author:** Chris Henzie (Google)
+
+With the release of Kubernetes v1.27 the ReadWriteOncePod feature has graduated
+to beta. In this blog post, we'll take a closer look at this feature, what it
+does, and how it has evolved in the beta release.
+
+## What is ReadWriteOncePod?
+
+ReadWriteOncePod is a new access mode for
+[PersistentVolumes](/docs/concepts/storage/persistent-volumes/#persistent-volumes) (PVs)
+and [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) (PVCs)
+introduced in Kubernetes v1.22. This access mode enables you to restrict volume
+access to a single pod in the cluster, ensuring that only one pod can write to
+the volume at a time. This can be particularly useful for stateful workloads
+that require single-writer access to storage.
+
+For more context on access modes and how ReadWriteOncePod works read
+[What are access modes and why are they important?](/blog/2021/09/13/read-write-once-pod-access-mode-alpha/#what-are-access-modes-and-why-are-they-important)
+in the _Introducing Single Pod Access Mode for PersistentVolumes_ article from 2021.
+
+## Changes in the ReadWriteOncePod beta
+
+The ReadWriteOncePod beta adds support for
+[scheduler preemption](/docs/concepts/scheduling-eviction/pod-priority-preemption/)
+of pods using ReadWriteOncePod PVCs.
+
+Scheduler preemption allows higher-priority pods to preempt lower-priority pods,
+so that they can start running on the same node. With this release, pods using
+ReadWriteOncePod PVCs can also be preempted if a higher-priority pod requires
+the same PVC.
+
+## How can I start using ReadWriteOncePod?
+
+With ReadWriteOncePod now in beta, it will be enabled by default in cluster
+versions v1.27 and beyond.
+
+Note that ReadWriteOncePod is
+[only supported for CSI volumes](/docs/concepts/storage/persistent-volumes/#access-modes).
+Before using this feature you will need to update the following
+[CSI sidecars](https://kubernetes-csi.github.io/docs/sidecar-containers.html)
+to these versions or greater:
+
+- [csi-provisioner:v3.0.0+](https://github.com/kubernetes-csi/external-provisioner/releases/tag/v3.0.0)
+- [csi-attacher:v3.3.0+](https://github.com/kubernetes-csi/external-attacher/releases/tag/v3.3.0)
+- [csi-resizer:v1.3.0+](https://github.com/kubernetes-csi/external-resizer/releases/tag/v1.3.0)
+
+To start using ReadWriteOncePod, create a PVC with the ReadWriteOncePod access mode:
+
+```yaml
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: single-writer-only
+spec:
+  accessModes:
+  - ReadWriteOncePod # Allow only a single pod to access single-writer-only.
+  resources:
+    requests:
+      storage: 1Gi
+```
+
+If your storage plugin supports
+[dynamic provisioning](/docs/concepts/storage/dynamic-provisioning/),
+new PersistentVolumes will be created with the ReadWriteOncePod access mode applied.
+
+Read [Migrating existing PersistentVolumes](/blog/2021/09/13/read-write-once-pod-access-mode-alpha/#migrating-existing-persistentvolumes)
+for details on migrating existing volumes to use ReadWriteOncePod.
+
+## How can I learn more?
+
+Please see the [alpha blog post](/blog/2021/09/13/read-write-once-pod-access-mode-alpha)
+and [KEP-2485](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/2485-read-write-once-pod-pv-access-mode/README.md)
+for more details on the ReadWriteOncePod access mode and motivations for CSI spec changes.
+
+## How do I get involved?
+
+The [Kubernetes #csi Slack channel](https://kubernetes.slack.com/messages/csi)
+and any of the standard
+[SIG Storage communication channels](https://github.com/kubernetes/community/blob/master/sig-storage/README.md#contact)
+are great mediums to reach out to the SIG Storage and the CSI teams.
+
+Special thanks to the following people whose thoughtful reviews and feedback helped shape this feature:
+
+* Abdullah Gharaibeh (ahg-g)
+* Aldo Culquicondor (alculquicondor)
+* Antonio Ojea (aojea)
+* David Eads (deads2k)
+* Jan Šafránek (jsafrane)
+* Joe Betz (jpbetz)
+* Kante Yin (kerthcet)
+* Michelle Au (msau42)
+* Tim Bannister (sftim)
+* Xing Yang (xing-yang)
+
+If you’re interested in getting involved with the design and development of CSI
+or any part of the Kubernetes storage system, join the
+[Kubernetes Storage Special Interest Group](https://github.com/kubernetes/community/tree/master/sig-storage) (SIG).
+We’re rapidly growing and always welcome new contributors.

From 9411b28ffbed23e6b94d69806855301fe0b95a1f Mon Sep 17 00:00:00 2001
From: Cailyn 
Date: Tue, 4 Apr 2023 19:45:38 -0400
Subject: [PATCH 160/272] Update
 content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md

Co-authored-by: Nate W. 
---
 .../index.md                                  | 39 -----------
 .../index.md                                  | 64 +++++++++++++++++++
 2 files changed, 64 insertions(+), 39 deletions(-)
 delete mode 100644 content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
 create mode 100644 content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md

diff --git a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md b/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
deleted file mode 100644
index 9cfa0d4b9ce..00000000000
--- a/content/en/blog/_posts/2023-04-04-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-layout: blog 
-title: Updates to the Auto-refreshing Official CVE Feed
-date: 2023-04-04
-slug: k8s-cve-feed-beta
----
-
-**Author**: Cailyn Edwards (Shopify)
-
-Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an `alpha`
-feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the
-`beta` version of the feed. This blog post will outline the changes made, and talk about what is planned for the to expect for 
-the `stable` release.
-
-## Updates
-| **\#** | **Title**                                                                                                    | **Issue**                                                       | **Status**                                                                                                                                                                                                                      |
-| ------ | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| 1 | Support RSS feeds by generating data in Atom format | [kubernetes/sig-security#77](https://github.com/kubernetes/sig-security/issues/77) | open, addressed by [kubernetes/website#39513](https://github.com/kubernetes/website/pull/39513)|
-| 2 | CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | open, no PR open |
-| 3 | CVE Feed: Add Prow job link as a metadata field | [kubernetes/sig-security#71](https://github.com/kubernetes/sig-security/issues/71) | open, no PR open |
-| 4 | CVE Feed: Add lastUpdatedAt as a metadata field | [kubernetes/sig-security#72](https://github.com/kubernetes/sig-security/issues/72) | open, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
-| 5 | CVE Feed: JSON feed should pass jsonfeed spec validator | [kubernetes/webite#36808](https://github.com/kubernetes/website/issues/36808) | open, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
-| 6 | CVE Feed: Include a timestamp field for each CVE indicating when it was last updated | [kubernetes/sig-security#63](https://github.com/kubernetes/sig-security/issues/63) | open, no PR |
-| 7 | CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | open, no PR |
-
-## Summary of Changes
-TODO - add details of changes
-
-## What's Next?
-
-In preparation for the graduation of this feature, SIG Security
-is still gathering feedback from end users who are using the updated beta feed.
-
-To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to
-this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or
-let us know on
-[#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY)
-Kubernetes Slack channel.
-(Join [Kubernetes Slack here](https://slack.k8s.io))
\ No newline at end of file
diff --git a/content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md b/content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
new file mode 100644
index 00000000000..846369d082d
--- /dev/null
+++ b/content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
@@ -0,0 +1,64 @@
+---
+layout: blog
+title: Updates to the Auto-refreshing Official CVE Feed
+date: 2023-04-25
+slug: k8s-cve-feed-beta
+---
+
+**Authors**: Cailyn Edwards (Shopify), Mahé Tardy (Isovalent), Pushkar Joglekar
+
+Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an alpha
+feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the
+beta version of the feed. This blog post will outline the feedback received, the changes made, and talk about how you can help 
+as we prepare to make this a stable feature in a future Kubernetes Release.
+
+
+## Feedback from end-users
+
+SIG Security received some feedback from end-users:
+- The JSON CVE Feed [did not comply](https://github.com/kubernetes/website/issues/36808)
+  with the [JSON Feed specification](https://www.jsonfeed.org/) as its name would suggest.
+- The feed could also [support RSS](https://github.com/kubernetes/sig-security/issues/77)
+  in addition to JSON Feed format.
+- Some metadata could be [added](https://github.com/kubernetes/sig-security/issues/72) to indicate the freshness of
+  the feed overall, or [specific CVEs](https://github.com/kubernetes/sig-security/issues/63). Another suggestion was 
+  to [indicate](https://github.com/kubernetes/sig-security/issues/71) which Prow job recently updated the feed. See 
+  more ideas directly on the [the umbrella issue](https://github.com/kubernetes/sig-security/issues/1).
+- The feed Markdown table on the website [should be ordered](https://github.com/kubernetes/sig-security/issues/73)
+  from the most recent to the least recently announced CVE.
+
+## Summary of changes
+
+In response, the SIG did a [rework of the script generating the JSON feed](https://github.com/kubernetes/sig-security/pull/76)
+to comply with the JSON Feed specification from generation and add a
+`last_updated` root field to indicate overall freshness. This redesign needed a
+[corresponding fix on the Kubernetes website side](https://github.com/kubernetes/website/pull/38579)
+for the CVE feed page to continue to work with the new format.
+
+After that, [RSS feed support](https://github.com/kubernetes/website/pull/39513)
+could be added transparently so that end-users can consume the feed in their
+preferred format.
+
+Overall, the redesign based on the JSON Feed specification, which this time broke
+backward compatibility, will allow updates in the future to address the rest of
+the issue while being more transparent and less disruptive to end-users.
+
+### Updates
+| **Title**                                                                                                    | **Issue**                                                       | **Status**                                                                                                                                                                                                                      |
+| ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| CVE Feed: JSON feed should pass jsonfeed spec validator | [kubernetes/webite#36808](https://github.com/kubernetes/website/issues/36808) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| CVE Feed: Add lastUpdatedAt as a metadata field | [kubernetes/sig-security#72](https://github.com/kubernetes/sig-security/issues/72) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| Support RSS feeds by generating data in Atom format | [kubernetes/sig-security#77](https://github.com/kubernetes/sig-security/issues/77) | closed, addressed by [kubernetes/website#39513](https://github.com/kubernetes/website/pull/39513)|
+| CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| CVE Feed: Include a timestamp field for each CVE indicating when it was last updated | [kubernetes/sig-security#63](https://github.com/kubernetes/sig-security/issues/63) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| CVE Feed: Add Prow job link as a metadata field | [kubernetes/sig-security#71](https://github.com/kubernetes/sig-security/issues/71) | closed, addressed by [kubernetes/sig-security#83](https://github.com/kubernetes/sig-security/pull/83) |
+
+## What's next?
+
+In preparation to [graduate](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-stages) the feed 
+to stable i.e. `General Availability` stage, SIG Security is still gathering feedback from end users who are using the updated beta feed.
+
+To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to
+this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or
+let us know on [#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY)
+Kubernetes Slack channel, join [Kubernetes Slack here](https://slack.k8s.io).
\ No newline at end of file

From 9d1d924691641fb981eae98797b8f6eb35f7bc0a Mon Sep 17 00:00:00 2001
From: Arhell 
Date: Wed, 12 Apr 2023 00:45:27 +0300
Subject: [PATCH 161/272] [ja] Fix mismatch in Labels and Selectors concept
 page

---
 .../ja/docs/concepts/overview/working-with-objects/labels.md    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/overview/working-with-objects/labels.md b/content/ja/docs/concepts/overview/working-with-objects/labels.md
index fbe8432b453..0af7384a6ad 100644
--- a/content/ja/docs/concepts/overview/working-with-objects/labels.md
+++ b/content/ja/docs/concepts/overview/working-with-objects/labels.md
@@ -192,7 +192,7 @@ kubectl get pods -l 'environment in (production),tier in (frontend)'
 kubectl get pods -l 'environment in (production, qa)'
 ```
 
-もしくは、_exists_ オペレーターを介して、否定マッチングによる制限もできます。  
+もしくは、_notin_ オペレーターを介して、否定マッチングによる制限もできます。  
 
 ```shell
 kubectl get pods -l 'environment,environment notin (frontend)'

From 944de8f44e699819765e07321d8dc116fff0479d Mon Sep 17 00:00:00 2001
From: Qiming Teng 
Date: Wed, 12 Apr 2023 08:05:58 +0800
Subject: [PATCH 162/272] Update configuration API reference for v1.27

---
 content/en/docs/reference/_index.md           |    1 -
 .../config-api/apiserver-admission.v1.md      |   12 +-
 .../config-api/apiserver-audit.v1.md          |   16 +-
 .../config-api/apiserver-config.v1alpha1.md   |   63 +-
 .../config-api/apiserver-config.v1beta1.md    |   71 +-
 .../config-api/apiserver-encryption.v1.md     |   50 +-
 .../config-api/client-authentication.v1.md    |    2 +-
 .../client-authentication.v1beta1.md          |    2 +-
 .../config-api/imagepolicy.v1alpha1.md        |    2 +-
 ...kube-controller-manager-config.v1alpha1.md |  627 ++++----
 .../config-api/kube-proxy-config.v1alpha1.md  |   10 +-
 .../config-api/kube-scheduler-config.v1.md    |   18 +-
 .../kube-scheduler-config.v1beta2.md          |   14 +-
 .../kube-scheduler-config.v1beta3.md          |   14 +-
 .../config-api/kubeadm-config.v1beta2.md      | 1311 -----------------
 .../config-api/kubeadm-config.v1beta3.md      |  215 +--
 .../reference/config-api/kubelet-config.v1.md |  209 +--
 .../config-api/kubelet-config.v1alpha1.md     |    4 +-
 .../config-api/kubelet-config.v1beta1.md      |   72 +-
 19 files changed, 732 insertions(+), 1981 deletions(-)
 delete mode 100644 content/en/docs/reference/config-api/kubeadm-config.v1beta2.md

diff --git a/content/en/docs/reference/_index.md b/content/en/docs/reference/_index.md
index 960881e77f0..7fa6d578fde 100644
--- a/content/en/docs/reference/_index.md
+++ b/content/en/docs/reference/_index.md
@@ -100,7 +100,6 @@ operator to use or manage a cluster.
 
 ## Config API for kubeadm
 
-* [v1beta2](/docs/reference/config-api/kubeadm-config.v1beta2/)
 * [v1beta3](/docs/reference/config-api/kubeadm-config.v1beta3/)
 
 ## Design Docs
diff --git a/content/en/docs/reference/config-api/apiserver-admission.v1.md b/content/en/docs/reference/config-api/apiserver-admission.v1.md
index a4c70ac9f0f..946b011e771 100644
--- a/content/en/docs/reference/config-api/apiserver-admission.v1.md
+++ b/content/en/docs/reference/config-api/apiserver-admission.v1.md
@@ -72,14 +72,14 @@ It is suitable for correlating log entries between the webhook and apiserver, fo
 
 
 kind [Required]

-meta/v1.GroupVersionKind
+meta/v1.GroupVersionKind
 
 
    
Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)

 
 
 resource [Required]

-meta/v1.GroupVersionResource
+meta/v1.GroupVersionResource
 
 
    
Resource is the fully-qualified resource being requested (for example, v1.pods)

@@ -93,7 +93,7 @@ It is suitable for correlating log entries between the webhook and apiserver, fo
 
 
 requestKind

-meta/v1.GroupVersionKind
+meta/v1.GroupVersionKind
 
 
    
RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
@@ -107,7 +107,7 @@ and requestKind: {group:"apps", version:"v1beta1", kin
 
 
 requestResource

-meta/v1.GroupVersionResource
+meta/v1.GroupVersionResource
 
 
    
RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
@@ -153,7 +153,7 @@ requested. e.g. a patch can result in either a CREATE or UPDATE Operation.

 
 
 userInfo [Required]

-authentication/v1.UserInfo
+authentication/v1.UserInfo
 
 
    
UserInfo is information about the requesting user

@@ -227,7 +227,7 @@ This must be copied over from the corresponding AdmissionRequest.

 
 
 status

-meta/v1.Status
+meta/v1.Status
 
 
    
Result contains extra details into why an admission request was denied.
diff --git a/content/en/docs/reference/config-api/apiserver-audit.v1.md b/content/en/docs/reference/config-api/apiserver-audit.v1.md
index ffef0b7f2b0..e89270a91a3 100644
--- a/content/en/docs/reference/config-api/apiserver-audit.v1.md
+++ b/content/en/docs/reference/config-api/apiserver-audit.v1.md
@@ -72,14 +72,14 @@ For non-resource requests, this is the lower-cased HTTP method.

 
 
 user [Required]

-authentication/v1.UserInfo
+authentication/v1.UserInfo
 
 
    
Authenticated user information.

 
 
 impersonatedUser

-authentication/v1.UserInfo
+authentication/v1.UserInfo
 
 
    
Impersonated user information.

@@ -117,7 +117,7 @@ Does not apply for List-type requests, or non-resource requests.

 
 
 responseStatus

-meta/v1.Status
+meta/v1.Status
 
 
    
The response status, populated even when the ResponseObject is not a Status type.
@@ -145,14 +145,14 @@ at Response Level.

 
 
 requestReceivedTimestamp

-meta/v1.MicroTime
+meta/v1.MicroTime
 
 
    
Time the request reached the apiserver.

 
 
 stageTimestamp

-meta/v1.MicroTime
+meta/v1.MicroTime
 
 
    
Time the request reached current audit stage.

@@ -189,7 +189,7 @@ should be short. Annotations are included in the Metadata level.

     
   
 metadata

-meta/v1.ListMeta
+meta/v1.ListMeta
 
 
    No description provided.
@@ -224,7 +224,7 @@ categories are logged.

     
   
 metadata

-meta/v1.ObjectMeta
+meta/v1.ObjectMeta
 
 
    
ObjectMeta is included for interoperability with API infrastructure.

@@ -279,7 +279,7 @@ in a rule will override the global default.

     
   
 metadata

-meta/v1.ListMeta
+meta/v1.ListMeta
 
 
    No description provided.
diff --git a/content/en/docs/reference/config-api/apiserver-config.v1alpha1.md b/content/en/docs/reference/config-api/apiserver-config.v1alpha1.md
index f2dc0bf5950..0c85b397f61 100644
--- a/content/en/docs/reference/config-api/apiserver-config.v1alpha1.md
+++ b/content/en/docs/reference/config-api/apiserver-config.v1alpha1.md
@@ -81,23 +81,11 @@ auto_generated: true
 kind
stringTracingConfiguration
     
   
-endpoint

-string
+TracingConfiguration [Required]

+TracingConfiguration
 
-
-   
Endpoint of the collector that's running on the control-plane node.
-The APIServer uses the egressType ControlPlane when sending data to the collector.
-The syntax is defined in https://github.com/grpc/grpc/blob/master/doc/naming.md.
-Defaults to the otlpgrpc default, localhost:4317
-The connection is insecure, and does not support TLS.

-
-
-samplingRatePerMillion

-int32
-
-
-   
SamplingRatePerMillion is the number of samples to collect per million spans.
-Defaults to 0.

+(Members of TracingConfiguration are embedded into this type.)
+   
Embed the component config tracing configuration struct

 
 
 
@@ -372,4 +360,45 @@ This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity-server
 
 
 
-  
\ No newline at end of file
+  
+  
+    
+
+## `TracingConfiguration`     {#TracingConfiguration}
+    
+
+**Appears in:**
+
+- [KubeletConfiguration](#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
+
+- [TracingConfiguration](#apiserver-k8s-io-v1alpha1-TracingConfiguration)
+
+
+
TracingConfiguration provides versioned configuration for OpenTelemetry tracing clients.

+
+
+
+
+
+    
+  
+
+
+
+
+
+
+
+
FieldDescription
endpoint

+string
+		
+   
Endpoint of the collector this component will report traces to.
+The connection is insecure, and does not currently support TLS.
+Recommended is unset, and endpoint is the otlp grpc default, localhost:4317.

+
samplingRatePerMillion

+int32
+		
+   
SamplingRatePerMillion is the number of samples to collect per million spans.
+Recommended is unset. If unset, sampler respects its parent span's sampling
+rate, but otherwise never samples.

+

\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/apiserver-config.v1beta1.md b/content/en/docs/reference/config-api/apiserver-config.v1beta1.md
index 0ed8e17a44d..6acb3540cd0 100644
--- a/content/en/docs/reference/config-api/apiserver-config.v1beta1.md
+++ b/content/en/docs/reference/config-api/apiserver-config.v1beta1.md
@@ -11,6 +11,7 @@ auto_generated: true
 
 
 - [EgressSelectorConfiguration](#apiserver-k8s-io-v1beta1-EgressSelectorConfiguration)
+- [TracingConfiguration](#apiserver-k8s-io-v1beta1-TracingConfiguration)
   
     
 
@@ -39,6 +40,31 @@ auto_generated: true
 
 
 
+## `TracingConfiguration`     {#apiserver-k8s-io-v1beta1-TracingConfiguration}
+    
+
+
+
TracingConfiguration provides versioned configuration for tracing clients.

+
+
+
+
+
+    
+
+
+    
+  
+
+
+
+
+
FieldDescription
apiVersion
string		apiserver.k8s.io/v1beta1
kind
string		TracingConfiguration
TracingConfiguration [Required]

+TracingConfiguration
+		(Members of TracingConfiguration are embedded into this type.)
+   
Embed the component config tracing configuration struct

+

+
 ## `Connection`     {#apiserver-k8s-io-v1beta1-Connection}
     
 
@@ -265,4 +291,47 @@ This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity-server
 
 
 
-  
\ No newline at end of file
+  
+  
+    
+
+## `TracingConfiguration`     {#TracingConfiguration}
+    
+
+**Appears in:**
+
+- [KubeletConfiguration](#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
+
+- [TracingConfiguration](#apiserver-k8s-io-v1alpha1-TracingConfiguration)
+
+- [TracingConfiguration](#apiserver-k8s-io-v1beta1-TracingConfiguration)
+
+
+
TracingConfiguration provides versioned configuration for OpenTelemetry tracing clients.

+
+
+
+
+
+    
+  
+
+
+
+
+
+
+
+
FieldDescription
endpoint

+string
+		
+   
Endpoint of the collector this component will report traces to.
+The connection is insecure, and does not currently support TLS.
+Recommended is unset, and endpoint is the otlp grpc default, localhost:4317.

+
samplingRatePerMillion

+int32
+		
+   
SamplingRatePerMillion is the number of samples to collect per million spans.
+Recommended is unset. If unset, sampler respects its parent span's sampling
+rate, but otherwise never samples.

+

\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/apiserver-encryption.v1.md b/content/en/docs/reference/config-api/apiserver-encryption.v1.md
index bd12284f306..ecc82b7db7c 100644
--- a/content/en/docs/reference/config-api/apiserver-encryption.v1.md
+++ b/content/en/docs/reference/config-api/apiserver-encryption.v1.md
@@ -18,7 +18,45 @@ auto_generated: true
     
 
 
-
EncryptionConfiguration stores the complete configuration for encryption providers.

+
EncryptionConfiguration stores the complete configuration for encryption providers.
+It also allows the use of wildcards to specify the resources that should be encrypted.
+Use '.' to encrypt all resources within a group or '.' to encrypt all resources.
+'.' can be used to encrypt all resource in the core group.  '.' will encrypt all
+resources, even custom resources that are added after API server start.
+Use of wildcards that overlap within the same resource list or across multiple
+entries are not allowed since part of the configuration would be ineffective.
+Resource lists are processed in order, with earlier lists taking precedence.

+
Example:

+
kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
+resources:
+- resources:
+  - events
+  providers:
+  - identity: {}  # do not encrypt events even though *.* is specified below
+- resources:
+  - secrets
+  - configmaps
+  - pandas.awesome.bears.example
+  providers:
+  - aescbc:
+      keys:
+      - name: key1
+        secret: c2VjcmV0IGlzIHNlY3VyZQ==
+- resources:
+  - '*.apps'
+  providers:
+  - aescbc:
+      keys:
+      - name: key2
+        secret: c2VjcmV0IGlzIHNlY3VyZSwgb3IgaXMgaXQ/Cg==
+- resources:
+  - '*.*'
+  providers:
+  - aescbc:
+      keys:
+      - name: key3
+        secret: c2VjcmV0IGlzIHNlY3VyZSwgSSB0aGluaw==

 
 
 
@@ -114,7 +152,7 @@ Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM.
 
diff --git a/content/en/docs/reference/config-api/client-authentication.v1.md b/content/en/docs/reference/config-api/client-authentication.v1.md
index 0a3fab1a5c4..63bbeb00176 100644
--- a/content/en/docs/reference/config-api/client-authentication.v1.md
+++ b/content/en/docs/reference/config-api/client-authentication.v1.md
@@ -206,7 +206,7 @@ itself should at least be protected via file permissions.

 

    
cachesize is the maximum number of secrets which are cached in memory. The default value is 1000.
-Set to a negative value to disable caching.

+Set to a negative value to disable caching. This field is only allowed for KMS v1 providers.

 		
 

 
endpoint [Required]

@@ -243,7 +281,11 @@ Set to a negative value to disable caching.

 []string
 		
 
-   
resources is a list of kubernetes resources which have to be encrypted.

+   
resources is a list of kubernetes resources which have to be encrypted. The resource names are derived from resource or resource.group of the group/version/resource.
+eg: pandas.awesome.bears.example is a custom resource with 'group': awesome.bears.example, 'resource': pandas.
+Use '.' to encrypt all resources and '.' to encrypt all resources in a specific group.
+eg: '.awesome.bears.example' will encrypt all resources in the group 'awesome.bears.example'.
+eg: '*.' will encrypt all resources in the core group (such as pods, configmaps, etc).

 		
 

 
providers [Required]

@@ -251,7 +293,7 @@ Set to a negative value to disable caching.

 		
 
    
providers is a list of transformers to be used for reading and writing the resources to disk.
-eg: aesgcm, aescbc, secretbox, identity.

+eg: aesgcm, aescbc, secretbox, identity, kms.

 		
 

 
     
   
 
expirationTimestamp

-meta/v1.Time
+meta/v1.Time
 		
 
    
ExpirationTimestamp indicates a time when the provided credentials expire.

diff --git a/content/en/docs/reference/config-api/client-authentication.v1beta1.md b/content/en/docs/reference/config-api/client-authentication.v1beta1.md
index 09aa4dcc875..f8cab963cdd 100644
--- a/content/en/docs/reference/config-api/client-authentication.v1beta1.md
+++ b/content/en/docs/reference/config-api/client-authentication.v1beta1.md
@@ -206,7 +206,7 @@ itself should at least be protected via file permissions.

     
   
 
expirationTimestamp

-meta/v1.Time
+meta/v1.Time
 		
 
    
ExpirationTimestamp indicates a time when the provided credentials expire.

diff --git a/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md b/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md
index 0eaa8f14ade..fb55f9a06b5 100644
--- a/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md
+++ b/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md
@@ -29,7 +29,7 @@ auto_generated: true
     
   
 
metadata

-meta/v1.ObjectMeta
+meta/v1.ObjectMeta
 		
 
    
Standard object's metadata.
diff --git a/content/en/docs/reference/config-api/kube-controller-manager-config.v1alpha1.md b/content/en/docs/reference/config-api/kube-controller-manager-config.v1alpha1.md
index 4ec29226a5d..1b4b120abd0 100644
--- a/content/en/docs/reference/config-api/kube-controller-manager-config.v1alpha1.md
+++ b/content/en/docs/reference/config-api/kube-controller-manager-config.v1alpha1.md
@@ -1,7 +1,7 @@
 ---
 title: kube-controller-manager Configuration (v1alpha1)
 content_type: tool-reference
-package: controllermanager.config.k8s.io/v1alpha1
+package: cloudcontrollermanager.config.k8s.io/v1alpha1
 auto_generated: true
 ---
 
@@ -9,11 +9,358 @@ auto_generated: true
 ## Resource Types 
 
 
-- [KubeControllerManagerConfiguration](#kubecontrollermanager-config-k8s-io-v1alpha1-KubeControllerManagerConfiguration)
 - [CloudControllerManagerConfiguration](#cloudcontrollermanager-config-k8s-io-v1alpha1-CloudControllerManagerConfiguration)
+- [LeaderMigrationConfiguration](#controllermanager-config-k8s-io-v1alpha1-LeaderMigrationConfiguration)
+- [KubeControllerManagerConfiguration](#kubecontrollermanager-config-k8s-io-v1alpha1-KubeControllerManagerConfiguration)
   
     
 
+## `NodeControllerConfiguration`     {#NodeControllerConfiguration}
+    
+
+**Appears in:**
+
+- [CloudControllerManagerConfiguration](#cloudcontrollermanager-config-k8s-io-v1alpha1-CloudControllerManagerConfiguration)
+
+
+
NodeControllerConfiguration contains elements describing NodeController.

+
+
+
+
+
+    
+  
+
+
+
+
+
FieldDescription
ConcurrentNodeSyncs [Required]

+int32
+		
+   
ConcurrentNodeSyncs is the number of workers
+concurrently synchronizing nodes

+

+
+## `ServiceControllerConfiguration`     {#ServiceControllerConfiguration}
+    
+
+**Appears in:**
+
+- [CloudControllerManagerConfiguration](#cloudcontrollermanager-config-k8s-io-v1alpha1-CloudControllerManagerConfiguration)
+
+- [KubeControllerManagerConfiguration](#kubecontrollermanager-config-k8s-io-v1alpha1-KubeControllerManagerConfiguration)
+
+
+
ServiceControllerConfiguration contains elements describing ServiceController.

+
+
+
+
+
+    
+  
+
+
+
+
+
FieldDescription
ConcurrentServiceSyncs [Required]

+int32
+		
+   
concurrentServiceSyncs is the number of services that are
+allowed to sync concurrently. Larger number = more responsive service
+management, but more CPU (and network) load.

+

+  
+    
+
+## `CloudControllerManagerConfiguration`     {#cloudcontrollermanager-config-k8s-io-v1alpha1-CloudControllerManagerConfiguration}
+    
+
+
+
CloudControllerManagerConfiguration contains elements describing cloud-controller manager.

+
+
+
+
+
+    
+
+
+    
+  
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
FieldDescription
apiVersion
string		cloudcontrollermanager.config.k8s.io/v1alpha1
kind
string		CloudControllerManagerConfiguration
Generic [Required]

+GenericControllerManagerConfiguration
+		
+   
Generic holds configuration for a generic controller-manager

+
KubeCloudShared [Required]

+KubeCloudSharedConfiguration
+		
+   
KubeCloudSharedConfiguration holds configuration for shared related features
+both in cloud controller manager and kube-controller manager.

+
NodeController [Required]

+NodeControllerConfiguration
+		
+   
NodeController holds configuration for node controller
+related features.

+
ServiceController [Required]

+ServiceControllerConfiguration
+		
+   
ServiceControllerConfiguration holds configuration for ServiceController
+related features.

+
NodeStatusUpdateFrequency [Required]

+meta/v1.Duration
+		
+   
NodeStatusUpdateFrequency is the frequency at which the controller updates nodes' status

+
Webhook [Required]

+WebhookConfiguration
+		
+   
Webhook is the configuration for cloud-controller-manager hosted webhooks

+

+
+## `CloudProviderConfiguration`     {#cloudcontrollermanager-config-k8s-io-v1alpha1-CloudProviderConfiguration}
+    
+
+**Appears in:**
+
+- [KubeCloudSharedConfiguration](#cloudcontrollermanager-config-k8s-io-v1alpha1-KubeCloudSharedConfiguration)
+
+
+
CloudProviderConfiguration contains basically elements about cloud provider.

+
+
+
+
+
+    
+  
+
+
+
+
+
+
+
+
FieldDescription
Name [Required]

+string
+		
+   
Name is the provider for cloud services.

+
CloudConfigFile [Required]

+string
+		
+   
cloudConfigFile is the path to the cloud provider configuration file.

+

+
+## `KubeCloudSharedConfiguration`     {#cloudcontrollermanager-config-k8s-io-v1alpha1-KubeCloudSharedConfiguration}
+    
+
+**Appears in:**
+
+- [CloudControllerManagerConfiguration](#cloudcontrollermanager-config-k8s-io-v1alpha1-CloudControllerManagerConfiguration)
+
+- [KubeControllerManagerConfiguration](#kubecontrollermanager-config-k8s-io-v1alpha1-KubeControllerManagerConfiguration)
+
+
+
KubeCloudSharedConfiguration contains elements shared by both kube-controller manager
+and cloud-controller manager, but not genericconfig.

+
+
+
+
+
+    
+  
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
FieldDescription
CloudProvider [Required]

+CloudProviderConfiguration
+		
+   
CloudProviderConfiguration holds configuration for CloudProvider related features.

+
ExternalCloudVolumePlugin [Required]

+string
+		
+   
externalCloudVolumePlugin specifies the plugin to use when cloudProvider is "external".
+It is currently used by the in repo cloud providers to handle node and volume control in the KCM.

+
UseServiceAccountCredentials [Required]

+bool
+		
+   
useServiceAccountCredentials indicates whether controllers should be run with
+individual service account credentials.

+
AllowUntaggedCloud [Required]

+bool
+		
+   
run with untagged cloud instances

+
RouteReconciliationPeriod [Required]

+meta/v1.Duration
+		
+   
routeReconciliationPeriod is the period for reconciling routes created for Nodes by cloud provider..

+
NodeMonitorPeriod [Required]

+meta/v1.Duration
+		
+   
nodeMonitorPeriod is the period for syncing NodeStatus in NodeController.

+
ClusterName [Required]

+string
+		
+   
clusterName is the instance prefix for the cluster.

+
ClusterCIDR [Required]

+string
+		
+   
clusterCIDR is CIDR Range for Pods in cluster.

+
AllocateNodeCIDRs [Required]

+bool
+		
+   
AllocateNodeCIDRs enables CIDRs for Pods to be allocated and, if
+ConfigureCloudRoutes is true, to be set on the cloud provider.

+
CIDRAllocatorType [Required]

+string
+		
+   
CIDRAllocatorType determines what kind of pod CIDR allocator will be used.

+
ConfigureCloudRoutes [Required]

+bool
+		
+   
configureCloudRoutes enables CIDRs allocated with allocateNodeCIDRs
+to be configured on the cloud provider.

+
NodeSyncPeriod [Required]

+meta/v1.Duration
+		
+   
nodeSyncPeriod is the period for syncing nodes from cloudprovider. Longer
+periods will result in fewer calls to cloud provider, but may delay addition
+of new nodes to cluster.

+

+
+## `WebhookConfiguration`     {#cloudcontrollermanager-config-k8s-io-v1alpha1-WebhookConfiguration}
+    
+
+**Appears in:**
+
+- [CloudControllerManagerConfiguration](#cloudcontrollermanager-config-k8s-io-v1alpha1-CloudControllerManagerConfiguration)
+
+
+
WebhookConfiguration contains configuration related to
+cloud-controller-manager hosted webhooks

+
+
+
+
+
+    
+  
+
+
+
+
+
FieldDescription
Webhooks [Required]

+[]string
+		
+   
Webhooks is the list of webhooks to enable or disable
+'*' means "all enabled by default webhooks"
+'foo' means "enable 'foo'"
+'-foo' means "disable 'foo'"
+first item for a particular name wins

+

+  
+  
+    
+
+## `LeaderMigrationConfiguration`     {#controllermanager-config-k8s-io-v1alpha1-LeaderMigrationConfiguration}
+    
+
+**Appears in:**
+
+- [GenericControllerManagerConfiguration](#controllermanager-config-k8s-io-v1alpha1-GenericControllerManagerConfiguration)
+
+
+
LeaderMigrationConfiguration provides versioned configuration for all migrating leader locks.

+
+
+
+
+
+    
+
+
+    
+  
+
+
+
+
+
+
+
+
+
+
+
FieldDescription
apiVersion
string		controllermanager.config.k8s.io/v1alpha1
kind
string		LeaderMigrationConfiguration
leaderName [Required]

+string
+		
+   
LeaderName is the name of the leader election resource that protects the migration
+E.g. 1-20-KCM-to-1-21-CCM

+
resourceLock [Required]

+string
+		
+   
ResourceLock indicates the resource object type that will be used to lock
+Should be "leases" or "endpoints"

+
controllerLeaders [Required]

+[]ControllerLeaderConfiguration
+		
+   
ControllerLeaders contains a list of migrating leader lock configurations

+

+
 ## `ControllerLeaderConfiguration`     {#controllermanager-config-k8s-io-v1alpha1-ControllerLeaderConfiguration}
     
 
@@ -146,48 +493,6 @@ first item for a particular name wins

 

 
 

-
-## `LeaderMigrationConfiguration`     {#controllermanager-config-k8s-io-v1alpha1-LeaderMigrationConfiguration}
-    
-
-**Appears in:**
-
-- [GenericControllerManagerConfiguration](#controllermanager-config-k8s-io-v1alpha1-GenericControllerManagerConfiguration)
-
-
-
LeaderMigrationConfiguration provides versioned configuration for all migrating leader locks.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
leaderName [Required]

-string
-		
-   
LeaderName is the name of the leader election resource that protects the migration
-E.g. 1-20-KCM-to-1-21-CCM

-
resourceLock [Required]

-string
-		
-   
ResourceLock indicates the resource object type that will be used to lock
-Should be "leases" or "endpoints"

-
controllerLeaders [Required]

-[]ControllerLeaderConfiguration
-		
-   
ControllerLeaders contains a list of migrating leader lock configurations

-

   
   
     
@@ -1115,14 +1420,6 @@ allowed to sync concurrently.

 
     
   
-EnableTaintManager [Required]

-bool
-
-
-   
If set to true enables NoExecute Taints and will evict all not-tolerating
-Pod running on Nodes tainted with this kind of Taints.

-
-
 NodeEvictionRate [Required]

 float32
 
@@ -1582,230 +1879,4 @@ volume plugin should search for additional third party volume plugins

 
 
 
-  
-  
-    
-
-## `ServiceControllerConfiguration`     {#ServiceControllerConfiguration}
-    
-
-**Appears in:**
-
-- [CloudControllerManagerConfiguration](#cloudcontrollermanager-config-k8s-io-v1alpha1-CloudControllerManagerConfiguration)
-
-- [KubeControllerManagerConfiguration](#kubecontrollermanager-config-k8s-io-v1alpha1-KubeControllerManagerConfiguration)
-
-
-
ServiceControllerConfiguration contains elements describing ServiceController.

-
-
-
-
-
-    
-  
-
-
-
-
-
FieldDescription
ConcurrentServiceSyncs [Required]

-int32
-		
-   
concurrentServiceSyncs is the number of services that are
-allowed to sync concurrently. Larger number = more responsive service
-management, but more CPU (and network) load.

-

-  
-    
-
-## `CloudControllerManagerConfiguration`     {#cloudcontrollermanager-config-k8s-io-v1alpha1-CloudControllerManagerConfiguration}
-    
-
-
-
-
-
-
-    
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
apiVersion
string		cloudcontrollermanager.config.k8s.io/v1alpha1
kind
string		CloudControllerManagerConfiguration
Generic [Required]

-GenericControllerManagerConfiguration
-		
-   
Generic holds configuration for a generic controller-manager

-
KubeCloudShared [Required]

-KubeCloudSharedConfiguration
-		
-   
KubeCloudSharedConfiguration holds configuration for shared related features
-both in cloud controller manager and kube-controller manager.

-
ServiceController [Required]

-ServiceControllerConfiguration
-		
-   
ServiceControllerConfiguration holds configuration for ServiceController
-related features.

-
NodeStatusUpdateFrequency [Required]

-meta/v1.Duration
-		
-   
NodeStatusUpdateFrequency is the frequency at which the controller updates nodes' status

-

-
-## `CloudProviderConfiguration`     {#cloudcontrollermanager-config-k8s-io-v1alpha1-CloudProviderConfiguration}
-    
-
-**Appears in:**
-
-- [KubeCloudSharedConfiguration](#cloudcontrollermanager-config-k8s-io-v1alpha1-KubeCloudSharedConfiguration)
-
-
-
CloudProviderConfiguration contains basically elements about cloud provider.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
FieldDescription
Name [Required]

-string
-		
-   
Name is the provider for cloud services.

-
CloudConfigFile [Required]

-string
-		
-   
cloudConfigFile is the path to the cloud provider configuration file.

-

-
-## `KubeCloudSharedConfiguration`     {#cloudcontrollermanager-config-k8s-io-v1alpha1-KubeCloudSharedConfiguration}
-    
-
-**Appears in:**
-
-- [CloudControllerManagerConfiguration](#cloudcontrollermanager-config-k8s-io-v1alpha1-CloudControllerManagerConfiguration)
-
-- [KubeControllerManagerConfiguration](#kubecontrollermanager-config-k8s-io-v1alpha1-KubeControllerManagerConfiguration)
-
-
-
KubeCloudSharedConfiguration contains elements shared by both kube-controller manager
-and cloud-controller manager, but not genericconfig.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
CloudProvider [Required]

-CloudProviderConfiguration
-		
-   
CloudProviderConfiguration holds configuration for CloudProvider related features.

-
ExternalCloudVolumePlugin [Required]

-string
-		
-   
externalCloudVolumePlugin specifies the plugin to use when cloudProvider is "external".
-It is currently used by the in repo cloud providers to handle node and volume control in the KCM.

-
UseServiceAccountCredentials [Required]

-bool
-		
-   
useServiceAccountCredentials indicates whether controllers should be run with
-individual service account credentials.

-
AllowUntaggedCloud [Required]

-bool
-		
-   
run with untagged cloud instances

-
RouteReconciliationPeriod [Required]

-meta/v1.Duration
-		
-   
routeReconciliationPeriod is the period for reconciling routes created for Nodes by cloud provider..

-
NodeMonitorPeriod [Required]

-meta/v1.Duration
-		
-   
nodeMonitorPeriod is the period for syncing NodeStatus in NodeController.

-
ClusterName [Required]

-string
-		
-   
clusterName is the instance prefix for the cluster.

-
ClusterCIDR [Required]

-string
-		
-   
clusterCIDR is CIDR Range for Pods in cluster.

-
AllocateNodeCIDRs [Required]

-bool
-		
-   
AllocateNodeCIDRs enables CIDRs for Pods to be allocated and, if
-ConfigureCloudRoutes is true, to be set on the cloud provider.

-
CIDRAllocatorType [Required]

-string
-		
-   
CIDRAllocatorType determines what kind of pod CIDR allocator will be used.

-
ConfigureCloudRoutes [Required]

-bool
-		
-   
configureCloudRoutes enables CIDRs allocated with allocateNodeCIDRs
-to be configured on the cloud provider.

-
NodeSyncPeriod [Required]

-meta/v1.Duration
-		
-   
nodeSyncPeriod is the period for syncing nodes from cloudprovider. Longer
-periods will result in fewer calls to cloud provider, but may delay addition
-of new nodes to cluster.

-

   
\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/kube-proxy-config.v1alpha1.md b/content/en/docs/reference/config-api/kube-proxy-config.v1alpha1.md
index 6dfcb913e9f..96baf232678 100644
--- a/content/en/docs/reference/config-api/kube-proxy-config.v1alpha1.md
+++ b/content/en/docs/reference/config-api/kube-proxy-config.v1alpha1.md
@@ -531,12 +531,12 @@ will exit with an error.

 
 - [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
 
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration)
-
 - [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
 
 - [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
 
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration)
+
 - [GenericControllerManagerConfiguration](#controllermanager-config-k8s-io-v1alpha1-GenericControllerManagerConfiguration)
 
 
@@ -593,12 +593,12 @@ client.

 
 **Appears in:**
 
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration)
-
 - [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
 
 - [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
 
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration)
+
 - [GenericControllerManagerConfiguration](#controllermanager-config-k8s-io-v1alpha1-GenericControllerManagerConfiguration)
 
 
@@ -621,7 +621,7 @@ client.

 bool
 
 
-   
enableContentionProfiling enables lock contention profiling, if
+   
enableContentionProfiling enables block profiling, if
 enableProfiling is true.

 
 
diff --git a/content/en/docs/reference/config-api/kube-scheduler-config.v1.md b/content/en/docs/reference/config-api/kube-scheduler-config.v1.md
index 876122ef541..1ef0143f311 100644
--- a/content/en/docs/reference/config-api/kube-scheduler-config.v1.md
+++ b/content/en/docs/reference/config-api/kube-scheduler-config.v1.md
@@ -85,6 +85,14 @@ that play a role in the number of candidates shortlisted. Must be at least
 matching hard affinity to the incoming pod.

 
 
+ignorePreferredTermsOfExistingPods [Required]

+bool
+
+
+   
IgnorePreferredTermsOfExistingPods configures the scheduler to ignore existing pods' preferred affinity
+rules when scoring candidate nodes, unless the incoming pod has inter-pod affinities.

+
+
 
 
 
@@ -202,7 +210,7 @@ with the extender. These extenders are shared by all scheduler profiles.

     
   
 addedAffinity

-core/v1.NodeAffinity
+core/v1.NodeAffinity
 
 
    
AddedAffinity is applied to all Pods additionally to the NodeAffinity
@@ -301,7 +309,7 @@ The default strategy is LeastAllocated with an equal "cpu" and "m
     
   
 defaultConstraints

-[]core/v1.TopologySpreadConstraint
+[]core/v1.TopologySpreadConstraint
 
 
    
DefaultConstraints defines topology spread constraints to be applied to
@@ -1176,7 +1184,7 @@ client.

 bool
 
 
-   
enableContentionProfiling enables lock contention profiling, if
+   
enableContentionProfiling enables block profiling, if
 enableProfiling is true.

 
 
@@ -1188,12 +1196,12 @@ enableProfiling is true.

 
 **Appears in:**
 
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+
 - [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
 
 - [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration)
 
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
-
 
 
LeaderElectionConfiguration defines the configuration of leader election
 clients for components that can run with leader election enabled.

diff --git a/content/en/docs/reference/config-api/kube-scheduler-config.v1beta2.md b/content/en/docs/reference/config-api/kube-scheduler-config.v1beta2.md
index edf1071e18a..bcd0377d7ca 100644
--- a/content/en/docs/reference/config-api/kube-scheduler-config.v1beta2.md
+++ b/content/en/docs/reference/config-api/kube-scheduler-config.v1beta2.md
@@ -85,6 +85,14 @@ that play a role in the number of candidates shortlisted. Must be at least
 matching hard affinity to the incoming pod.

 
 
+ignorePreferredTermsOfExistingPods [Required]

+bool
+
+
+   
IgnorePreferredTermsOfExistingPods configures the scheduler to ignore existing pods' preferred affinity
+rules when scoring candidate nodes, unless the incoming pod has inter-pod affinities.

+
+
 
 
 
@@ -218,7 +226,7 @@ with the extender. These extenders are shared by all scheduler profiles.

     
   
 addedAffinity

-core/v1.NodeAffinity
+core/v1.NodeAffinity
 
 
    
AddedAffinity is applied to all Pods additionally to the NodeAffinity
@@ -317,7 +325,7 @@ The default strategy is LeastAllocated with an equal "cpu" and "m
     
   
 defaultConstraints

-[]core/v1.TopologySpreadConstraint
+[]core/v1.TopologySpreadConstraint
 
 
    
DefaultConstraints defines topology spread constraints to be applied to
@@ -1153,7 +1161,7 @@ client.

 bool
 
 
-   
enableContentionProfiling enables lock contention profiling, if
+   
enableContentionProfiling enables block profiling, if
 enableProfiling is true.

 
 
diff --git a/content/en/docs/reference/config-api/kube-scheduler-config.v1beta3.md b/content/en/docs/reference/config-api/kube-scheduler-config.v1beta3.md
index 1f67ffce6c4..278b9637270 100644
--- a/content/en/docs/reference/config-api/kube-scheduler-config.v1beta3.md
+++ b/content/en/docs/reference/config-api/kube-scheduler-config.v1beta3.md
@@ -85,6 +85,14 @@ that play a role in the number of candidates shortlisted. Must be at least
 matching hard affinity to the incoming pod.

 
 
+ignorePreferredTermsOfExistingPods [Required]

+bool
+
+
+   
IgnorePreferredTermsOfExistingPods configures the scheduler to ignore existing pods' preferred affinity
+rules when scoring candidate nodes, unless the incoming pod has inter-pod affinities.

+
+
 
 
 
@@ -202,7 +210,7 @@ with the extender. These extenders are shared by all scheduler profiles.

     
   
 addedAffinity

-core/v1.NodeAffinity
+core/v1.NodeAffinity
 
 
    
AddedAffinity is applied to all Pods additionally to the NodeAffinity
@@ -301,7 +309,7 @@ The default strategy is LeastAllocated with an equal "cpu" and "m
     
   
 defaultConstraints

-[]core/v1.TopologySpreadConstraint
+[]core/v1.TopologySpreadConstraint
 
 
    
DefaultConstraints defines topology spread constraints to be applied to
@@ -1157,7 +1165,7 @@ client.

 bool
 
 
-   
enableContentionProfiling enables lock contention profiling, if
+   
enableContentionProfiling enables block profiling, if
 enableProfiling is true.

 
 
diff --git a/content/en/docs/reference/config-api/kubeadm-config.v1beta2.md b/content/en/docs/reference/config-api/kubeadm-config.v1beta2.md
deleted file mode 100644
index dca15f101f9..00000000000
--- a/content/en/docs/reference/config-api/kubeadm-config.v1beta2.md
+++ /dev/null
@@ -1,1311 +0,0 @@
----
-title: kubeadm Configuration (v1beta2)
-content_type: tool-reference
-package: kubeadm.k8s.io/v1beta2
-auto_generated: true
----
-
Overview

-
Package v1beta2 has been DEPRECATED by v1beta3.

-
Package v1beta2 defines the v1beta2 version of the kubeadm configuration file format.
-This version improves on the v1beta1 format by fixing some minor issues and adding a few new fields.

-
A list of changes since v1beta1:

-
    
-
  • "certificateKey" field is added to InitConfiguration and JoinConfiguration.
    • 
-
  • "ignorePreflightErrors" field is added to the NodeRegistrationOptions.
    • 
-
  • The JSON "omitempty" tag is used in a more places where appropriate.
    • 
-
  • The JSON "omitempty" tag of the "taints" field (inside NodeRegistrationOptions) is removed.
    • 
-

-
See the Kubernetes 1.15 changelog for further details.

-
Migration from old kubeadm config versions

-
Please convert your v1beta1 configuration files to v1beta2 using the "kubeadm config migrate" command of kubeadm v1.15.x
-(conversion from older releases of kubeadm config files requires older release of kubeadm as well e.g.

-
    
-
  • kubeadm v1.11 should be used to migrate v1alpha1 to v1alpha2; kubeadm v1.12 should be used to translate v1alpha2 to v1alpha3;
    • 
-
  • kubeadm v1.13 or v1.14 should be used to translate v1alpha3 to v1beta1)
    • 
-

-
Nevertheless, kubeadm v1.15.x will support reading from v1beta1 version of the kubeadm config file format.

-
Basics

-
The preferred way to configure kubeadm is to pass an YAML configuration file with the --config option. Some of the
-configuration options defined in the kubeadm config file are also available as command line flags, but only
-the most common/simple use case are supported with this approach.

-
A kubeadm config file could contain multiple configuration types separated using three dashes (---).

-
kubeadm supports the following configuration types:

-
apiVersion: kubeadm.k8s.io/v1beta2
-kind: InitConfiguration
-
-apiVersion: kubeadm.k8s.io/v1beta2
-kind: ClusterConfiguration
-
-apiVersion: kubelet.config.k8s.io/v1beta1
-kind: KubeletConfiguration
-
-apiVersion: kubeproxy.config.k8s.io/v1alpha1
-kind: KubeProxyConfiguration
-
-apiVersion: kubeadm.k8s.io/v1beta2
-kind: JoinConfiguration
-
To print the defaults for "init" and "join" actions use the following commands:

-
kubeadm config print init-defaults
-kubeadm config print join-defaults
-
The list of configuration types that must be included in a configuration file depends by the action you are
-performing (init or join) and by the configuration options you are going to use (defaults or advanced customization).

-
If some configuration types are not provided, or provided only partially, kubeadm will use default values; defaults
-provided by kubeadm includes also enforcing consistency of values across components when required (e.g.
---cluster-cidr flag on controller manager and clusterCIDR on kube-proxy).

-
Users are always allowed to override default values, with the only exception of a small subset of setting with
-relevance for security (e.g. enforce authorization-mode Node and RBAC on API server)

-
If the user provides a configuration types that is not expected for the action you are performing, kubeadm will
-ignore those types and print a warning.

-
Kubeadm init configuration types

-
When executing kubeadm init with the --config option, the following configuration types could be used:
-InitConfiguration, ClusterConfiguration, KubeProxyConfiguration, KubeletConfiguration, but only one
-between InitConfiguration and ClusterConfiguration is mandatory.

-
apiVersion: kubeadm.k8s.io/v1beta2
-kind: InitConfiguration
-bootstrapTokens:
-  ...
-nodeRegistration:
-  ...
-
The InitConfiguration type should be used to configure runtime settings, that in case of kubeadm init
-are the configuration of the bootstrap token and all the setting which are specific to the node where kubeadm
-is executed, including:

-
    
-
  • 
-
    nodeRegistration, that holds fields that relate to registering the new node to the cluster;
-use it to customize the node name, the CRI socket to use or any other settings that should apply to this
-node only (e.g. the node ip).
    
-
    • 
-
  • 
-
    localAPIEndpoint, that represents the endpoint of the instance of the API server to be deployed on this node;
-use it e.g. to customize the API server advertise address.
    
-
    • 
-

-
apiVersion: kubeadm.k8s.io/v1beta2
-kind: ClusterConfiguration
-networking:
-  ...
-etcd:
-  ...
-apiServer:
-  extraArgs:
-    ...
-  extraVolumes:
-    ...
-...
-
The ClusterConfiguration type should be used to configure cluster-wide settings,
-including settings for:

-
    
-
  • 
-
    Networking, that holds configuration for the networking topology of the cluster; use it e.g. to customize
-pod subnet or services subnet.
    
-
    • 
-
  • 
-
    Etcd configurations; use it e.g. to customize the local etcd or to configure the API server
-for using an external etcd cluster.
    
-
    • 
-
  • 
-
    kube-apiserver, kube-scheduler, kube-controller-manager configurations; use it to customize control-plane
-components by adding customized setting or overriding kubeadm default settings.
    
-
    • 
-

-
apiVersion: kubeproxy.config.k8s.io/v1alpha1
-kind: KubeProxyConfiguration
- ...
-
The KubeProxyConfiguration type should be used to change the configuration passed to kube-proxy instances deployed
-in the cluster. If this object is not provided or provided only partially, kubeadm applies defaults.

-
See https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/ or
-https://pkg.go.dev/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration
-for kube proxy official documentation.

-
apiVersion: kubelet.config.k8s.io/v1beta1
-kind: KubeletConfiguration
- ...
-
The KubeletConfiguration type should be used to change the configurations that will be passed to all kubelet instances
-deployed in the cluster. If this object is not provided or provided only partially, kubeadm applies defaults.

-
See https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ or
-https://pkg.go.dev/k8s.io/kubelet/config/v1beta1#KubeletConfiguration
-for kubelet official documentation.

-
Here is a fully populated example of a single YAML file containing multiple
-configuration types to be used during a kubeadm init run.

-
apiVersion: kubeadm.k8s.io/v1beta2
-kind: InitConfiguration
-bootstrapTokens:
-  - token: "9a08jv.c0izixklcxtmnze7"
-    description: "kubeadm bootstrap token"
-    ttl: "24h"
-  - token: "783bde.3f89s0fje9f38fhf"
-    description: "another bootstrap token"
-    usages:
-      - authentication
-      - signing
-    groups:
-      - system:bootstrappers:kubeadm:default-node-token
-nodeRegistration:
-  name: "ec2-10-100-0-1"
-  criSocket: "/var/run/dockershim.sock"
-  taints:
-    - key: "kubeadmNode"
-      value: "someValue"
-      effect: "NoSchedule"
-  kubeletExtraArgs:
-    v: 4
-  ignorePreflightErrors:
-    - IsPrivilegedUser
-localAPIEndpoint:
-  advertiseAddress: "10.100.0.1"
-  bindPort: 6443
-certificateKey: "e6a2eb8581237ab72a4f494f30285ec12a9694d750b9785706a83bfcbbbd2204"
----
-apiVersion: kubeadm.k8s.io/v1beta2
-kind: ClusterConfiguration
-etcd:
-  # one of local or external
-  local:
-    imageRepository: "registry.k8s.io"
-    imageTag: "3.2.24"
-    dataDir: "/var/lib/etcd"
-    extraArgs:
-      listen-client-urls: "http://10.100.0.1:2379"
-    serverCertSANs:
-      -  "ec2-10-100-0-1.compute-1.amazonaws.com"
-    peerCertSANs:
-      - "10.100.0.1"
-  # external:
-  #   endpoints:
-  #     - "10.100.0.1:2379"
-  #     - "10.100.0.2:2379"
-  #   caFile: "/etcd/kubernetes/pki/etcd/etcd-ca.crt"
-  #   certFile: "/etcd/kubernetes/pki/etcd/etcd.crt"
-  #   keyFile: "/etcd/kubernetes/pki/etcd/etcd.key"
-networking:
-  serviceSubnet: "10.96.0.0/16"
-  podSubnet: "10.244.0.0/24"
-  dnsDomain: "cluster.local"
-kubernetesVersion: "v1.12.0"
-controlPlaneEndpoint: "10.100.0.1:6443"
-apiServer:
-  extraArgs:
-    authorization-mode: "Node,RBAC"
-  extraVolumes:
-    - name: "some-volume"
-      hostPath: "/etc/some-path"
-      mountPath: "/etc/some-pod-path"
-      readOnly: false
-      pathType: File
-  certSANs:
-    - "10.100.1.1"
-    - "ec2-10-100-0-1.compute-1.amazonaws.com"
-  timeoutForControlPlane: 4m0s
-controllerManager:
-  extraArgs:
-    "node-cidr-mask-size": "20"
-  extraVolumes:
-    - name: "some-volume"
-      hostPath: "/etc/some-path"
-      mountPath: "/etc/some-pod-path"
-      readOnly: false
-      pathType: File
-scheduler:
-  extraArgs:
-    address: "10.100.0.1"
-  extraVolumes:
-    - name: "some-volume"
-      hostPath: "/etc/some-path"
-      mountPath: "/etc/some-pod-path"
-      readOnly: false
-      pathType: File
-certificatesDir: "/etc/kubernetes/pki"
-imageRepository: "registry.k8s.io"
-useHyperKubeImage: false
-clusterName: "example-cluster"
----
-apiVersion: kubelet.config.k8s.io/v1beta1
-kind: KubeletConfiguration
-# kubelet specific options here
----
-apiVersion: kubeproxy.config.k8s.io/v1alpha1
-kind: KubeProxyConfiguration
-# kube-proxy specific options here
-
Kubeadm join configuration types

-
When executing kubeadm join with the --config option, the JoinConfiguration type should be provided.

-
apiVersion: kubeadm.k8s.io/v1beta2
-kind: JoinConfiguration
- ...
-
The JoinConfiguration type should be used to configure runtime settings, that in case of kubeadm join
-are the discovery method used for accessing the cluster info and all the setting which are specific
-to the node where kubeadm is executed, including:

-
    
-
  • 
-
    nodeRegistration, that holds fields that relate to registering the new node to the cluster;
-use it to customize the node name, the CRI socket to use or any other settings that should apply to this
-node only (e.g. the node IP).
    
-
    • 
-
  • 
-
    apiEndpoint, that represents the endpoint of the instance of the API server to be eventually deployed on this node.
    
-
    • 
-

-
-
-## Resource Types 
-
-
-- [ClusterConfiguration](#kubeadm-k8s-io-v1beta2-ClusterConfiguration)
-- [ClusterStatus](#kubeadm-k8s-io-v1beta2-ClusterStatus)
-- [InitConfiguration](#kubeadm-k8s-io-v1beta2-InitConfiguration)
-- [JoinConfiguration](#kubeadm-k8s-io-v1beta2-JoinConfiguration)
-  
-    
-
-## `ClusterConfiguration`     {#kubeadm-k8s-io-v1beta2-ClusterConfiguration}
-    
-
-
-
ClusterConfiguration contains cluster-wide configuration for a kubeadm cluster

-
-
-
-
-
-    
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
apiVersion
string		kubeadm.k8s.io/v1beta2
kind
string		ClusterConfiguration
etcd [Required]

-Etcd
-		
-   
etcd holds configuration for etcd.

-
networking [Required]

-Networking
-		
-   
networking holds configuration for the networking topology of the cluster.

-
kubernetesVersion [Required]

-string
-		
-   
kubernetesVersion is the target version of the control plane.

-
controlPlaneEndpoint [Required]

-string
-		
-   
controlPlaneEndpoint sets a stable IP address or DNS name for the control plane; it
-can be a valid IP address or a RFC-1123 DNS subdomain, both with optional TCP port.
-In case the controlPlaneEndpoint is not specified, the advertiseAddress + bindPort
-are used; in case the controlPlaneEndpoint is specified but without a TCP port,
-the bindPort is used.
-Possible usages are:

-
    
-
  • In a cluster with more than one control plane instances, this field should be
-assigned the address of the external load balancer in front of the
-control plane instances.
    • 
-
  • In environments with enforced node recycling, the controlPlaneEndpoint
-could be used for assigning a stable DNS to the control plane.
    • 
-

-
apiServer [Required]

-APIServer
-		
-   
apiServer contains extra settings for the API server.

-
controllerManager [Required]

-ControlPlaneComponent
-		
-   
controllerManager contains extra settings for the controller manager.

-
scheduler [Required]

-ControlPlaneComponent
-		
-   
scheduler contains extra settings for the scheduler.

-
dns [Required]

-DNS
-		
-   
dns defines the options for the DNS add-on installed in the cluster.

-
certificatesDir [Required]

-string
-		
-   
certificatesDir specifies where to store or look for all required certificates.

-
imageRepository [Required]

-string
-		
-   
imageRepository sets the container registry to pull images from.
-If empty, registry.k8s.io will be used by default; in case of kubernetes version is
-a CI build (kubernetes version starts with ci/) gcr.io/k8s-staging-ci-images
-is used as a default for control plane components and for kube-proxy, while
-registry.k8s.io will be used for all the other images.

-
useHyperKubeImage [Required]

-bool
-		
-   
useHyperKubeImage controls if hyperkube should be used for Kubernetes components
-instead of their respective separate images.
-DEPRECATED: As hyperkube is itself deprecated, this fields is too. It will be
-removed in future kubeadm config versions, kubeadm will print multiple warnings
-when this set to true, and at some point it may become ignored.

-
featureGates [Required]

-map[string]bool
-		
-   
featureGates contains the feature gates enabled by the user.

-
clusterName [Required]

-string
-		
-   
The cluster name.

-

-
-## `ClusterStatus`     {#kubeadm-k8s-io-v1beta2-ClusterStatus}
-    
-
-
-
ClusterStatus contains the cluster status. The ClusterStatus will be stored in
-the kubeadm-config ConfigMap in the cluster, and then updated by kubeadm when
-additional control plane instance joins or leaves the cluster.

-
-
-
-
-
-    
-
-
-    
-  
-
-
-
-
-
FieldDescription
apiVersion
string		kubeadm.k8s.io/v1beta2
kind
string		ClusterStatus
apiEndpoints [Required]

-map[string]github.com/tengqm/kubeconfig/config/kubeadm/v1beta2.APIEndpoint
-		
-   
apiEndpoints currently available in the cluster, one for each control
-plane/API server instance.
-The key of the map is the IP of the host's default interface.

-

-
-## `InitConfiguration`     {#kubeadm-k8s-io-v1beta2-InitConfiguration}
-    
-
-
-
InitConfiguration contains a list of elements that is specific "kubeadm init"-only runtime
-information.

-
-
-
-
-
-    
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
apiVersion
string		kubeadm.k8s.io/v1beta2
kind
string		InitConfiguration
bootstrapTokens [Required]

-[]BootstrapToken
-		
-   
bootstrapTokens is respected at kubeadm init time and describes a set of bootstrap tokens to create.
-This information IS NOT uploaded to the kubeadm cluster ConfigMap, partly because of its sensitive nature.

-
nodeRegistration [Required]

-NodeRegistrationOptions
-		
-   
nodeRegistration holds fields that relate to registering the new control-plane node to the cluster.

-
localAPIEndpoint [Required]

-APIEndpoint
-		
-   
localAPIEndpoint represents the endpoint of the API server instance that's deployed on this control plane node.
-In HA setups, this differs from ClusterConfiguration.controlPlaneEndpoint in the sense that ControlPlaneEndpoint
-is the global endpoint for the cluster, which then load-balances the requests to each individual API server. This
-configuration object lets you customize what IP/DNS name and port the local API server advertises it's accessible
-on. By default, kubeadm tries to auto-detect the IP of the default interface and use that, but in case that process
-fails you may set the desired value here.

-
certificateKey [Required]

-string
-		
-   
certificateKey sets the key with which certificates and keys are encrypted prior to being uploaded in
-a secret in the cluster during the uploadcerts init phase.

-

-
-## `JoinConfiguration`     {#kubeadm-k8s-io-v1beta2-JoinConfiguration}
-    
-
-
-
JoinConfiguration contains elements describing a particular node.

-
-
-
-
-
-    
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
apiVersion
string		kubeadm.k8s.io/v1beta2
kind
string		JoinConfiguration
nodeRegistration [Required]

-NodeRegistrationOptions
-		
-   
nodeRegistration holds fields that relate to registering the new
-control-plane node to the cluster

-
caCertPath [Required]

-string
-		
-   
caCertPath is the path to the SSL certificate authority used to
-secure comunications between a node and the control-plane.
-Defaults to "/etc/kubernetes/pki/ca.crt".

-
discovery [Required]

-Discovery
-		
-   
discovery specifies the options for the kubelet to use during the TLS
-bootstrap process.

-
controlPlane [Required]

-JoinControlPlane
-		
-   
controlPlane defines the additional control plane instance to be deployed
-on the joining node. If nil, no additional control plane instance will be deployed.

-

-
-## `APIEndpoint`     {#kubeadm-k8s-io-v1beta2-APIEndpoint}
-    
-
-**Appears in:**
-
-- [ClusterStatus](#kubeadm-k8s-io-v1beta2-ClusterStatus)
-
-- [InitConfiguration](#kubeadm-k8s-io-v1beta2-InitConfiguration)
-
-- [JoinControlPlane](#kubeadm-k8s-io-v1beta2-JoinControlPlane)
-
-
-
APIEndpoint struct contains elements of API server instance deployed on a node.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
FieldDescription
advertiseAddress [Required]

-string
-		
-   
advertiseAddress sets the IP address for the API server to advertise.

-
bindPort [Required]

-int32
-		
-   
bindPort sets the secure port for the API Server to bind to.
-Defaults to 6443.

-

-
-## `APIServer`     {#kubeadm-k8s-io-v1beta2-APIServer}
-    
-
-**Appears in:**
-
-- [ClusterConfiguration](#kubeadm-k8s-io-v1beta2-ClusterConfiguration)
-
-
-
APIServer holds settings necessary for API server deployments in the cluster.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
ControlPlaneComponent [Required]

-ControlPlaneComponent
-		(Members of ControlPlaneComponent are embedded into this type.)
-   No description provided.
certSANs [Required]

-[]string
-		
-   
certSANs sets extra Subject Alternative Names (SANs) for the API Server
-signing certificate.

-
timeoutForControlPlane [Required]

-meta/v1.Duration
-		
-   
timeoutForControlPlane controls the timeout that we wait for the API server
-to appear.

-

-
-## `BootstrapToken`     {#kubeadm-k8s-io-v1beta2-BootstrapToken}
-    
-
-**Appears in:**
-
-- [InitConfiguration](#kubeadm-k8s-io-v1beta2-InitConfiguration)
-
-
-
BootstrapToken describes one bootstrap token, stored as a Secret in the cluster

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
token [Required]

-BootstrapTokenString
-		
-   
token is used for establishing bidirectional trust between nodes and control-planes.
-Used for joining nodes in the cluster.

-
description [Required]

-string
-		
-   
description sets a human-friendly message why this token exists and what it's used
-for, so other administrators can know its purpose.

-
ttl [Required]

-meta/v1.Duration
-		
-   
ttl defines the time to live for this token. Defaults to '24h'.
-expires and ttl are mutually exclusive.

-
expires [Required]

-meta/v1.Time
-		
-   
expires specifies the timestamp when this token expires. Defaults to being set
-dynamically at runtime based on the ttl. expires and ttl are mutually exclusive.

-
usages [Required]

-[]string
-		
-   
usages describes the ways in which this token can be used. Can by default be used
-for establishing bidirectional trust, but that can be changed here.

-
groups [Required]

-[]string
-		
-   
groups specifies the extra groups that this token will authenticate as when/if
-used for authentication.

-

-
-## `BootstrapTokenDiscovery`     {#kubeadm-k8s-io-v1beta2-BootstrapTokenDiscovery}
-    
-
-**Appears in:**
-
-- [Discovery](#kubeadm-k8s-io-v1beta2-Discovery)
-
-
-
BootstrapTokenDiscovery is used to set the options for bootstrap token based discovery

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
token [Required]

-string
-		
-   
token is a token used to validate cluster information fetched from
-the control-plane.

-
apiServerEndpoint [Required]

-string
-		
-   
apiServerEndpoint is an IP or domain name to the API server from which information
-will be fetched.

-
caCertHashes [Required]

-[]string
-		
-   
caCertHashes specifies a set of public key pins to verify when token-based discovery
-is used. The root CA found during discovery must match one of these values.
-Specifying an empty set disables root CA pinning, which can be unsafe.
-Each hash is specified as ":", where the only currently supported type is "sha256".
-This is a hex-encoded SHA-256 hash of the Subject Public Key Info (SPKI) object in
-DER-encoded ASN.1. These hashes can be calculated using, for example, OpenSSL.

-
unsafeSkipCAVerification [Required]

-bool
-		
-   
unsafeSkipCAVerification allows token-based discovery without CA verification via
-caCertHashes. This can weaken the security of kubeadm since other nodes can
-impersonate the control-plane.

-

-
-## `BootstrapTokenString`     {#kubeadm-k8s-io-v1beta2-BootstrapTokenString}
-    
-
-**Appears in:**
-
-- [BootstrapToken](#kubeadm-k8s-io-v1beta2-BootstrapToken)
-
-
-
BootstrapTokenString is a token of the format abcdef.abcdef0123456789 that is used
-for both validation of the practically of the API server from a joining node's point
-of view and as an authentication method for the node in the bootstrap phase of
-"kubeadm join". This token is and should be short-lived

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
FieldDescription
- [Required]

-string
-		
-   No description provided.
- [Required]

-string
-		
-   No description provided.

-
-## `ControlPlaneComponent`     {#kubeadm-k8s-io-v1beta2-ControlPlaneComponent}
-    
-
-**Appears in:**
-
-- [ClusterConfiguration](#kubeadm-k8s-io-v1beta2-ClusterConfiguration)
-
-- [APIServer](#kubeadm-k8s-io-v1beta2-APIServer)
-
-
-
ControlPlaneComponent holds settings common to control plane component of the cluster

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
FieldDescription
extraArgs [Required]

-map[string]string
-		
-   
extraArgs is an extra set of flags to pass to a control plane component.
-A key in this map is the flag name as it appears on the command line except
-without leading dash(es).

-
extraVolumes [Required]

-[]HostPathMount
-		
-   
extraVolumes is an extra set of host volumes mounted to the control plane
-component.

-

-
-## `DNS`     {#kubeadm-k8s-io-v1beta2-DNS}
-    
-
-**Appears in:**
-
-- [ClusterConfiguration](#kubeadm-k8s-io-v1beta2-ClusterConfiguration)
-
-
-
DNS defines the DNS addon that should be used in the cluster

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
FieldDescription
type [Required]

-DNSAddOnType
-		
-   
type defines the DNS add-on to be used.

-
ImageMeta [Required]

-ImageMeta
-		(Members of ImageMeta are embedded into this type.)
-   
ImageMeta allows to customize the image used for the DNS component

-

-
-## `DNSAddOnType`     {#kubeadm-k8s-io-v1beta2-DNSAddOnType}
-    
-(Alias of `string`)
-
-**Appears in:**
-
-- [DNS](#kubeadm-k8s-io-v1beta2-DNS)
-
-
-
DNSAddOnType defines string identifying DNS add-on types.

-
-
-
-
-## `Discovery`     {#kubeadm-k8s-io-v1beta2-Discovery}
-    
-
-**Appears in:**
-
-- [JoinConfiguration](#kubeadm-k8s-io-v1beta2-JoinConfiguration)
-
-
-
Discovery specifies the options for the kubelet to use during the TLS Bootstrap process

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
bootstrapToken [Required]

-BootstrapTokenDiscovery
-		
-   
bootstrapToken is used to set the options for bootstrap token based discovery.
-bootstrapToken and file are mutually exclusive.

-
file [Required]

-FileDiscovery
-		
-   
file is used to specify a file or URL to a kubeconfig file from which to load
-cluster information.
-bootstrapToken and file are mutually exclusive.

-
tlsBootstrapToken [Required]

-string
-		
-   
tlsBootstrapToken is a token used for TLS bootstrapping.
-If bootstrapToken is set, this field is defaulted to .bootstrapToken.token,
-but can be overridden.
-If file is set, this field must be set in case the KubeConfigFile does not
-contain any other authentication information.

-
timeout [Required]

-meta/v1.Duration
-		
-   
timeout modifies the discovery timeout.

-

-
-## `Etcd`     {#kubeadm-k8s-io-v1beta2-Etcd}
-    
-
-**Appears in:**
-
-- [ClusterConfiguration](#kubeadm-k8s-io-v1beta2-ClusterConfiguration)
-
-
-
Etcd contains elements describing Etcd configuration.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
FieldDescription
local [Required]

-LocalEtcd
-		
-   
local provides configuration knobs for configuring the local etcd instance.
-local and external are mutually exclusive.

-
external [Required]

-ExternalEtcd
-		
-   
external describes how to connect to an external etcd cluster.
-local and external are mutually exclusive.

-

-
-## `ExternalEtcd`     {#kubeadm-k8s-io-v1beta2-ExternalEtcd}
-    
-
-**Appears in:**
-
-- [Etcd](#kubeadm-k8s-io-v1beta2-Etcd)
-
-
-
ExternalEtcd describes an external etcd cluster.
-Kubeadm has no knowledge of where certificate files live and they must be supplied.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
endpoints [Required]

-[]string
-		
-   
endpoints of etcd members. Required for external etcd.

-
caFile [Required]

-string
-		
-   
caFile is an SSL Certificate Authority (CA) file used to secure etcd communication.
-Required if using a TLS connection.

-
certFile [Required]

-string
-		
-   
certFile is an SSL certification file used to secure etcd communication.
-Required if using a TLS connection.

-
keyFile [Required]

-string
-		
-   
keyFile is an SSL key file used to secure etcd communication.
-Required if using a TLS connection.

-

-
-## `FileDiscovery`     {#kubeadm-k8s-io-v1beta2-FileDiscovery}
-    
-
-**Appears in:**
-
-- [Discovery](#kubeadm-k8s-io-v1beta2-Discovery)
-
-
-
FileDiscovery is used to specify a file or URL to a kubeconfig file from which to load cluster information

-
-
-
-
-
-    
-  
-
-
-
-
-
FieldDescription
kubeConfigPath [Required]

-string
-		
-   
kubeConfigPath is used to specify the actual file path or URL to the kubeconfig file
-from which to load cluster information.

-

-
-## `HostPathMount`     {#kubeadm-k8s-io-v1beta2-HostPathMount}
-    
-
-**Appears in:**
-
-- [ControlPlaneComponent](#kubeadm-k8s-io-v1beta2-ControlPlaneComponent)
-
-
-
HostPathMount contains elements describing volumes that are mounted from the host.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
name [Required]

-string
-		
-   
name of the volume inside the Pod template.

-
hostPath [Required]

-string
-		
-   
hostPath is the path in the host that will be mounted inside the Pod.

-
mountPath [Required]

-string
-		
-   
mountPathis the path inside the Pod where hostPath volume will be mounted.

-
readOnly [Required]

-bool
-		
-   
readOnly controls write access to the volume.

-
pathType [Required]

-core/v1.HostPathType
-		
-   
pathType is the type of the HostPath.

-

-
-## `ImageMeta`     {#kubeadm-k8s-io-v1beta2-ImageMeta}
-    
-
-**Appears in:**
-
-- [DNS](#kubeadm-k8s-io-v1beta2-DNS)
-
-- [LocalEtcd](#kubeadm-k8s-io-v1beta2-LocalEtcd)
-
-
-
ImageMeta allows to customize the image used for components that are not
-originated from the Kubernetes/Kubernetes release process

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
FieldDescription
imageRepository [Required]

-string
-		
-   
imageRepository sets the container registry to pull images from.
-If not set, the imageRepository defined in ClusterConfiguration will be used.

-
imageTag [Required]

-string
-		
-   
imageTag allows for specifying a tag for the image.
-In case this value is set, kubeadm does not change automatically the
-version of the above components during upgrades.

-

-
-## `JoinControlPlane`     {#kubeadm-k8s-io-v1beta2-JoinControlPlane}
-    
-
-**Appears in:**
-
-- [JoinConfiguration](#kubeadm-k8s-io-v1beta2-JoinConfiguration)
-
-
-
JoinControlPlane contains elements describing an additional control plane instance
-to be deployed on the joining node.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
FieldDescription
localAPIEndpoint [Required]

-APIEndpoint
-		
-   
localAPIEndpoint represents the endpoint of the API server instance
-to be deployed on this node.

-
certificateKey [Required]

-string
-		
-   
certificateKey is the key that is used for decryption of certificates after
-they are downloaded from the secret upon joining a new control plane node.
-The corresponding encryption key is in the InitConfiguration.

-

-
-## `LocalEtcd`     {#kubeadm-k8s-io-v1beta2-LocalEtcd}
-    
-
-**Appears in:**
-
-- [Etcd](#kubeadm-k8s-io-v1beta2-Etcd)
-
-
-
LocalEtcd describes that kubeadm should run an etcd cluster locally.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
ImageMeta [Required]

-ImageMeta
-		(Members of ImageMeta are embedded into this type.)
-   
ImageMeta allows to customize the container used for etcd.

-
dataDir [Required]

-string
-		
-   
dataDir is the directory etcd will place its data.
-Defaults to "/var/lib/etcd".

-
extraArgs [Required]

-map[string]string
-		
-   
extraArgs are extra arguments provided to the etcd binary when run
-inside a static pod.
-A key in this map is the flag name as it appears on the
-command line except without leading dash(es).

-
serverCertSANs [Required]

-[]string
-		
-   
serverCertSANs sets extra Subject Alternative Names (SANs) for the
-etcd server signing certificate.

-
peerCertSANs [Required]

-[]string
-		
-   
peerCertSANs sets extra Subject Alternative Names (SANs) for the
-etcd peer signing certificate.

-

-
-## `Networking`     {#kubeadm-k8s-io-v1beta2-Networking}
-    
-
-**Appears in:**
-
-- [ClusterConfiguration](#kubeadm-k8s-io-v1beta2-ClusterConfiguration)
-
-
-
Networking contains elements describing cluster's networking configuration

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
serviceSubnet [Required]

-string
-		
-   
serviceSubnet is the subnet used by kubernetes Services. Defaults to "10.96.0.0/12".

-
podSubnet [Required]

-string
-		
-   
podSubnet is the subnet used by Pods.

-
dnsDomain [Required]

-string
-		
-   
dnsDomain is the DNS domain used by kubernetes Services. Defaults to "cluster.local".

-

-
-## `NodeRegistrationOptions`     {#kubeadm-k8s-io-v1beta2-NodeRegistrationOptions}
-    
-
-**Appears in:**
-
-- [InitConfiguration](#kubeadm-k8s-io-v1beta2-InitConfiguration)
-
-- [JoinConfiguration](#kubeadm-k8s-io-v1beta2-JoinConfiguration)
-
-
-
NodeRegistrationOptions holds fields that relate to registering a new control-plane
-or node to the cluster, either via "kubeadm init" or "kubeadm join".

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
name [Required]

-string
-		
-   
name is the .Metadata.Name field of the Node API object that will be created
-in this kubeadm init or kubeadm join operation.
-This field is also used in the CommonName field of the kubelet's client certificate
-to the API server.
-Defaults to the hostname of the node if not provided.

-
criSocket [Required]

-string
-		
-   
criSocket is used to retrieve container runtime information. This information will
-be annotated to the Node API object, for later re-use.

-
taints [Required]

-[]core/v1.Taint
-		
-   
taints specifies the taints the Node API object should be registered with.
-If this field is unset, i.e. nil, in the kubeadm init process it will be defaulted with
-a control-plane taint for control-plane nodes. If you don't want to taint your control-plane
-node, set this field to an empty list, i.e. taints: [], in the YAML file. This field is
-solely used for Node registration.

-
kubeletExtraArgs [Required]

-map[string]string
-		
-   
kubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are
-passed to the kubelet command line via the environment file kubeadm writes at runtime for
-the kubelet to source. This overrides the generic base-level configuration in the
-'kubelet-config-1.X' ConfigMap.
-Flags have higher priority when parsing. These values are local and specific to the node
-kubeadm is executing on.
-A key in this map is the flag name as it appears on the command line except without leading dash(es).

-
ignorePreflightErrors [Required]

-[]string
-		
-   
ignorePreflightErrors provides a list of pre-flight errors to be ignored when the
-current node is registered.

-

-  
\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md b/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md
index 8abeb61fe35..5504f6070e1 100644
--- a/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md
+++ b/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md
@@ -30,6 +30,7 @@ the user to configure a directory from which to take patches for components depl
 
    
 
  • kubeadm v1.15.x and newer can be used to migrate from v1beta1 to v1beta2.
    • 
 
  • kubeadm v1.22.x and newer no longer support v1beta1 and older APIs, but can be used to migrate v1beta2 to v1beta3.
    • 
+
  • kubeadm v1.27.x and newer no longer support v1beta2 and older APIs,
    • 
 

 
Basics

 
The preferred way to configure kubeadm is to pass an YAML configuration file with the --config option. Some of the
@@ -264,109 +265,6 @@ node only (e.g. the node ip).

   
     
 
-## `BootstrapToken`     {#BootstrapToken}
-    
-
-**Appears in:**
-
-- [InitConfiguration](#kubeadm-k8s-io-v1beta3-InitConfiguration)
-
-
-
BootstrapToken describes one bootstrap token, stored as a Secret in the cluster

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
token [Required]

-BootstrapTokenString
-		
-   
token is used for establishing bidirectional trust between nodes and control-planes.
-Used for joining nodes in the cluster.

-
description

-string
-		
-   
description sets a human-friendly message why this token exists and what it's used
-for, so other administrators can know its purpose.

-
ttl

-meta/v1.Duration
-		
-   
ttl defines the time to live for this token. Defaults to 24h.
-expires and ttl are mutually exclusive.

-
expires

-meta/v1.Time
-		
-   
expires specifies the timestamp when this token expires. Defaults to being set
-dynamically at runtime based on the ttl. expires and ttl are mutually exclusive.

-
usages

-[]string
-		
-   
usages describes the ways in which this token can be used. Can by default be used
-for establishing bidirectional trust, but that can be changed here.

-
groups

-[]string
-		
-   
groups specifies the extra groups that this token will authenticate as when/if
-used for authentication

-

-
-## `BootstrapTokenString`     {#BootstrapTokenString}
-    
-
-**Appears in:**
-
-- [BootstrapToken](#BootstrapToken)
-
-
-
BootstrapTokenString is a token of the format abcdef.abcdef0123456789 that is used
-for both validation of the practically of the API server from a joining node's point
-of view and as an authentication method for the node in the bootstrap phase of
-"kubeadm join". This token is and should be short-lived.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
FieldDescription
- [Required]

-string
-		
-   No description provided.
- [Required]

-string
-		
-   No description provided.

-  
-    
-
 ## `ClusterConfiguration`     {#kubeadm-k8s-io-v1beta3-ClusterConfiguration}
     
 
@@ -1036,7 +934,7 @@ file from which to load cluster information.

 
 
 pathType

-core/v1.HostPathType
+core/v1.HostPathType
 
 
    
pathType is the type of the hostPath.

@@ -1259,7 +1157,7 @@ This information will be annotated to the Node API object, for later re-use

 
 
 taints [Required]

-[]core/v1.Taint
+[]core/v1.Taint
 
 
    
taints specifies the taints the Node API object should be registered with.
@@ -1290,7 +1188,7 @@ the current node is registered.

 
 
 imagePullPolicy

-core/v1.PullPolicy
+core/v1.PullPolicy
 
 
    
imagePullPolicy specifies the policy for image pulling during kubeadm "init" and
@@ -1338,4 +1236,107 @@ first alpha-numerically.

 
 
 
-  
\ No newline at end of file
+  
+  
+    
+
+## `BootstrapToken`     {#BootstrapToken}
+    
+
+**Appears in:**
+
+- [InitConfiguration](#kubeadm-k8s-io-v1beta3-InitConfiguration)
+
+
+
BootstrapToken describes one bootstrap token, stored as a Secret in the cluster

+
+
+
+
+
+    
+  
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
FieldDescription
token [Required]

+BootstrapTokenString
+		
+   
token is used for establishing bidirectional trust between nodes and control-planes.
+Used for joining nodes in the cluster.

+
description

+string
+		
+   
description sets a human-friendly message why this token exists and what it's used
+for, so other administrators can know its purpose.

+
ttl

+meta/v1.Duration
+		
+   
ttl defines the time to live for this token. Defaults to 24h.
+expires and ttl are mutually exclusive.

+
expires

+meta/v1.Time
+		
+   
expires specifies the timestamp when this token expires. Defaults to being set
+dynamically at runtime based on the ttl. expires and ttl are mutually exclusive.

+
usages

+[]string
+		
+   
usages describes the ways in which this token can be used. Can by default be used
+for establishing bidirectional trust, but that can be changed here.

+
groups

+[]string
+		
+   
groups specifies the extra groups that this token will authenticate as when/if
+used for authentication

+

+
+## `BootstrapTokenString`     {#BootstrapTokenString}
+    
+
+**Appears in:**
+
+- [BootstrapToken](#BootstrapToken)
+
+
+
BootstrapTokenString is a token of the format abcdef.abcdef0123456789 that is used
+for both validation of the practically of the API server from a joining node's point
+of view and as an authentication method for the node in the bootstrap phase of
+"kubeadm join". This token is and should be short-lived.

+
+
+
+
+
+    
+  
+
+
+
+
+
+
+
+
FieldDescription
- [Required]

+string
+		
+   No description provided.
- [Required]

+string
+		
+   No description provided.

\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/kubelet-config.v1.md b/content/en/docs/reference/config-api/kubelet-config.v1.md
index abaf48ec4bb..407ce5f1a9d 100644
--- a/content/en/docs/reference/config-api/kubelet-config.v1.md
+++ b/content/en/docs/reference/config-api/kubelet-config.v1.md
@@ -169,211 +169,4 @@ credential plugin.

 
 
 
-  
-  
-    
-
-## `FormatOptions`     {#FormatOptions}
-    
-
-**Appears in:**
-
-- [LoggingConfiguration](#LoggingConfiguration)
-
-
-
FormatOptions contains options for the different logging formats.

-
-
-
-
-
-    
-  
-
-
-
-
-
FieldDescription
json [Required]

-JSONOptions
-		
-   
[Alpha] JSON contains options for logging format "json".
-Only available when the LoggingAlphaOptions feature gate is enabled.

-

-
-## `JSONOptions`     {#JSONOptions}
-    
-
-**Appears in:**
-
-- [FormatOptions](#FormatOptions)
-
-
-
JSONOptions contains options for logging format "json".

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
FieldDescription
splitStream [Required]

-bool
-		
-   
[Alpha] SplitStream redirects error messages to stderr while
-info messages go to stdout, with buffering. The default is to write
-both to stdout, without buffering. Only available when
-the LoggingAlphaOptions feature gate is enabled.

-
infoBufferSize [Required]

-k8s.io/apimachinery/pkg/api/resource.QuantityValue
-		
-   
[Alpha] InfoBufferSize sets the size of the info stream when
-using split streams. The default is zero, which disables buffering.
-Only available when the LoggingAlphaOptions feature gate is enabled.

-

-
-## `LogFormatFactory`     {#LogFormatFactory}
-    
-
-
-
LogFormatFactory provides support for a certain additional,
-non-default log format.

-
-
-
-
-## `LoggingConfiguration`     {#LoggingConfiguration}
-    
-
-**Appears in:**
-
-- [KubeletConfiguration](#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
-
-
-
LoggingConfiguration contains logging options.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
FieldDescription
format [Required]

-string
-		
-   
Format Flag specifies the structure of log messages.
-default value of format is text

-
flushFrequency [Required]

-time.Duration
-		
-   
Maximum number of nanoseconds (i.e. 1s = 1000000000) between log
-flushes. Ignored if the selected logging backend writes log
-messages without buffering.

-
verbosity [Required]

-VerbosityLevel
-		
-   
Verbosity is the threshold that determines which log messages are
-logged. Default is zero which logs only the most important
-messages. Higher values enable additional messages. Error messages
-are always logged.

-
vmodule [Required]

-VModuleConfiguration
-		
-   
VModule overrides the verbosity threshold for individual files.
-Only supported for "text" log format.

-
options [Required]

-FormatOptions
-		
-   
[Alpha] Options holds additional parameters that are specific
-to the different logging formats. Only the options for the selected
-format get used, but all of them get validated.
-Only available when the LoggingAlphaOptions feature gate is enabled.

-

-
-## `TracingConfiguration`     {#TracingConfiguration}
-    
-
-**Appears in:**
-
-- [KubeletConfiguration](#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
-
-
-
TracingConfiguration provides versioned configuration for OpenTelemetry tracing clients.

-
-
-
-
-
-    
-  
-
-
-
-
-
-
-
-
FieldDescription
endpoint

-string
-		
-   
Endpoint of the collector this component will report traces to.
-The connection is insecure, and does not currently support TLS.
-Recommended is unset, and endpoint is the otlp grpc default, localhost:4317.

-
samplingRatePerMillion

-int32
-		
-   
SamplingRatePerMillion is the number of samples to collect per million spans.
-Recommended is unset. If unset, sampler respects its parent span's sampling
-rate, but otherwise never samples.

-

-
-## `VModuleConfiguration`     {#VModuleConfiguration}
-    
-(Alias of `[]k8s.io/component-base/logs/api/v1.VModuleItem`)
-
-**Appears in:**
-
-- [LoggingConfiguration](#LoggingConfiguration)
-
-
-
VModuleConfiguration is a collection of individual file names or patterns
-and the corresponding verbosity threshold.

-
-
-
-
-## `VerbosityLevel`     {#VerbosityLevel}
-    
-(Alias of `uint32`)
-
-**Appears in:**
-
-- [LoggingConfiguration](#LoggingConfiguration)
-
-
-
-
VerbosityLevel represents a klog or logr verbosity threshold.

-
-
+  
\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/kubelet-config.v1alpha1.md b/content/en/docs/reference/config-api/kubelet-config.v1alpha1.md
index 079c36a9329..6082c2f7ecf 100644
--- a/content/en/docs/reference/config-api/kubelet-config.v1alpha1.md
+++ b/content/en/docs/reference/config-api/kubelet-config.v1alpha1.md
@@ -169,6 +169,4 @@ credential plugin.

 
 
 
-  
-  
-    
\ No newline at end of file
+  
\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md
index a11c179a58a..b40fb3f5e96 100644
--- a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md
+++ b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md
@@ -262,7 +262,7 @@ Default: 10

 
    
eventRecordQPS is the maximum event creations per second. If 0, there
 is no limit enforced. The value cannot be a negative number.
-Default: 5

+Default: 50

 
 
 eventBurst

@@ -273,7 +273,7 @@ Default: 5

 allows event creations to burst to this number, while still not exceeding
 eventRecordQPS. This field canot be a negative number and it is only used
 when eventRecordQPS > 0.
-Default: 10

+Default: 100

 
 
 enableDebuggingHandlers

@@ -290,7 +290,7 @@ Default: true

 bool
 
 
-   
enableContentionProfiling enables lock contention profiling, if enableDebuggingHandlers is true.
+   
enableContentionProfiling enables block profiling, if enableDebuggingHandlers is true.
 Default: false

 
 
@@ -529,8 +529,7 @@ resources;
 
  • single-numa-node: kubelet only allows pods with a single NUMA alignment
 of CPU and device resources.
    • 
 
-
    Policies other than "none" require the TopologyManager feature gate to be enabled.
-Default: "none"
    
+
    Default: "none"
    
 
 
 topologyManagerScope
    
@@ -543,8 +542,7 @@ that topology manager requests and hint providers generate. Valid values include
 
  • container: topology policy is applied on a per-container basis.
    • 
 
  • pod: topology policy is applied on a per-pod basis.
    • 
 
-
    "pod" scope requires the TopologyManager feature gate to be enabled.
-Default: "container"
    
+
    Default: "container"
    
 
 
 topologyManagerPolicyOptions
    
@@ -692,7 +690,7 @@ Default: "application/vnd.kubernetes.protobuf"
    
 
 
    
    kubeAPIQPS is the QPS to use while talking with kubernetes apiserver.
-Default: 5
    
+Default: 50
    
 
 
 kubeAPIBurst
    
@@ -701,7 +699,7 @@ Default: 5
    
 
    
    kubeAPIBurst is the burst to allow while talking with kubernetes API server.
 This field cannot be a negative number.
-Default: 10
    
+Default: 100
    
 
 
 serializeImagePulls
    
@@ -715,6 +713,16 @@ Issue #10959 has more details.
 Default: true
    
 
 
+maxParallelImagePulls
    
+int32
+
+
+   
    MaxParallelImagePulls sets the maximum number of image pulls in parallel.
+This field cannot be set if SerializeImagePulls is true.
+Setting it to nil means no limit.
+Default: nil
    
+
+
 evictionHard
    
 map[string]string
 
@@ -953,7 +961,7 @@ Default: ""
    
 
    
    systemReservedCgroup helps the kubelet identify absolute name of top level CGroup used
 to enforce systemReserved compute resource reservation for OS system daemons.
-Refer to Node Allocatable
+Refer to Node Allocatable
 doc for more information.
 Default: ""
    
 
@@ -964,7 +972,7 @@ Default: ""
    
 
    
    kubeReservedCgroup helps the kubelet identify absolute name of top level CGroup used
 to enforce KubeReserved compute resource reservation for Kubernetes node system daemons.
-Refer to Node Allocatable
+Refer to Node Allocatable
 doc for more information.
 Default: ""
    
 
@@ -980,7 +988,7 @@ If none is specified, no other options may be specified.
 When system-reserved is in the list, systemReservedCgroup must be specified.
 When kube-reserved is in the list, kubeReservedCgroup must be specified.
 This field is supported only when cgroupsPerQOS is set to true.
-Refer to Node Allocatable
+Refer to Node Allocatable
 for more information.
 Default: ["pods"]
    
 
@@ -1042,6 +1050,15 @@ Format: text
    
 Default: true
    
 
 
+enableSystemLogQuery
    
+bool
+
+
+   
    enableSystemLogQuery enables the node log query feature on the /logs endpoint.
+EnableSystemLogHandler has to be enabled in addition for this feature to work.
+Default: false
    
+
+
 shutdownGracePeriod
    
 meta/v1.Duration
 
@@ -1143,7 +1160,6 @@ Default: true
    
 
 
    
    SeccompDefault enables the use of RuntimeDefault as the default seccomp profile for all workloads.
-This requires the corresponding SeccompDefault feature gate to be enabled as well.
 Default: false
    
 
 
@@ -1156,11 +1172,11 @@ when setting the cgroupv2 memory.high value to enforce MemoryQoS.
 Decreasing this factor will set lower high limit for container cgroups and put heavier reclaim pressure
 while increasing will put less reclaim pressure.
 See https://kep.k8s.io/2570 for more details.
-Default: 0.8
    
+Default: 0.9
    
 
 
 registerWithTaints
    
-[]core/v1.Taint
+[]core/v1.Taint
 
 
    
    registerWithTaints are an array of taints to add to a node object when
@@ -1182,7 +1198,8 @@ Default: true
    
 
 
    
    Tracing specifies the versioned configuration for OpenTelemetry tracing clients.
-See https://kep.k8s.io/2832 for more details.
    
+See https://kep.k8s.io/2832 for more details.
+Default: nil
    
 
 
 localStorageCapacityIsolation
    
@@ -1199,6 +1216,25 @@ disabled. Once disabled, user should not set request/limit for container's ephem
 Default: true
    
 
 
+containerRuntimeEndpoint [Required]
    
+string
+
+
+   
    ContainerRuntimeEndpoint is the endpoint of container runtime.
+Unix Domain Sockets are supported on Linux, while npipe and tcp endpoints are supported on Windows.
+Examples:'unix:///path/to/runtime.sock', 'npipe:////./pipe/runtime'
    
+
+
+imageServiceEndpoint
    
+string
+
+
+   
    ImageServiceEndpoint is the endpoint of container image service.
+Unix Domain Socket are supported on Linux, while npipe and tcp endpoints are supported on Windows.
+Examples:'unix:///path/to/runtime.sock', 'npipe:////./pipe/runtime'.
+If not specified, the value in containerRuntimeEndpoint is used.
    
+
+
 
 
 
@@ -1220,7 +1256,7 @@ It exists in the kubeletconfig API group because it is classified as a versioned
     
   
 source
    
-core/v1.NodeConfigSource
+core/v1.NodeConfigSource
 
 
    
    source is the source that we are serializing.
    
@@ -1581,7 +1617,7 @@ and groups corresponding to the Organization in the client certificate.
    
    No description provided.
 
 limits [Required]
    
-core/v1.ResourceList
+core/v1.ResourceList
 
 
    No description provided.

From 8895af3e9b8a392f5b14292464375573a80fc572 Mon Sep 17 00:00:00 2001
From: Qiming Teng 
Date: Wed, 12 Apr 2023 08:26:09 +0800
Subject: [PATCH 163/272] Update component reference for 1.27

---
 .../kube-apiserver.md                         | 24 +++++++++++++++----
 .../kube-controller-manager.md                |  6 ++---
 .../kube-proxy.md                             |  2 +-
 .../kube-scheduler.md                         |  4 ++--
 .../generated/kubeadm_config_images_list.md   |  2 +-
 .../generated/kubeadm_config_images_pull.md   |  2 +-
 .../kubeadm/generated/kubeadm_init.md         |  2 +-
 .../generated/kubeadm_init_phase_addon_all.md |  2 +-
 .../kubeadm_init_phase_addon_coredns.md       |  2 +-
 .../kubeadm_init_phase_control-plane_all.md   |  2 +-
 ...eadm_init_phase_control-plane_apiserver.md |  2 +-
 .../generated/kubeadm_init_phase_preflight.md |  7 ++++++
 .../kubeadm_init_phase_upload-config_all.md   |  7 ++++++
 ...ubeadm_init_phase_upload-config_kubeadm.md |  7 ++++++
 ...ubeadm_init_phase_upload-config_kubelet.md |  7 ++++++
 .../generated/kubeadm_kubeconfig_user.md      |  3 +++
 .../generated/kubeadm_upgrade_apply.md        |  2 +-
 .../kubeadm/generated/kubeadm_upgrade_plan.md |  2 +-
 18 files changed, 65 insertions(+), 20 deletions(-)

diff --git a/content/en/docs/reference/command-line-tools-reference/kube-apiserver.md b/content/en/docs/reference/command-line-tools-reference/kube-apiserver.md
index af3687662e6..8aa21abe024 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-apiserver.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-apiserver.md
@@ -421,14 +421,21 @@ kube-apiserver [flags]
 --contention-profiling
 
 
-
    Enable lock contention profiling, if profiling is enabled
    
+
    Enable block profiling, if profiling is enabled
    
 
 
 
 --cors-allowed-origins strings
 
 
-
    List of allowed origins for CORS, comma separated.  An allowed origin can be a regular expression to support subdomain matching. If this list is empty CORS will not be enabled.
    
+
    List of allowed origins for CORS, comma separated. An allowed origin can be a regular expression to support subdomain matching. If this list is empty CORS will not be enabled. Please ensure each expression matches the entire hostname by anchoring to the start with '^' or including the '//' prefix, and by anchoring to the end with '$' or including the ':' port separator suffix. Examples of valid expressions are '//example.com(:|$)' and '^https://example.com(:|$)'
    
+
+
+
+--debug-socket-path string
+
+
+
    Use an unprotected (no authn/authz) unix-domain socket for profiling with the given path
    
 
 
 
@@ -456,7 +463,7 @@ kube-apiserver [flags]
 --disable-admission-plugins strings
 
 
-
    admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurity, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.
    
+
    admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, ClusterTrustBundleAttest, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, ClusterTrustBundleAttest, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurity, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.
    
 
 
 
@@ -477,7 +484,7 @@ kube-apiserver [flags]
 --enable-admission-plugins strings
 
 
-
    admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurity, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.
    
+
    admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, ClusterTrustBundleAttest, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, ClusterTrustBundleAttest, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurity, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.
    
 
 
 
@@ -624,7 +631,7 @@ kube-apiserver [flags]
 --feature-gates <comma-separated 'key=True|False' pairs>
 
 
-
    A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
    APIListChunking=true|false (BETA - default=true)
    APIPriorityAndFairness=true|false (BETA - default=true)
    APIResponseCompression=true|false (BETA - default=true)
    APISelfSubjectReview=true|false (ALPHA - default=false)
    APIServerIdentity=true|false (BETA - default=true)
    APIServerTracing=true|false (ALPHA - default=false)
    AggregatedDiscoveryEndpoint=true|false (ALPHA - default=false)
    AllAlpha=true|false (ALPHA - default=false)
    AllBeta=true|false (BETA - default=false)
    AnyVolumeDataSource=true|false (BETA - default=true)
    AppArmor=true|false (BETA - default=true)
    CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
    CPUManagerPolicyOptions=true|false (BETA - default=true)
    CSIMigrationPortworx=true|false (BETA - default=false)
    CSIMigrationRBD=true|false (ALPHA - default=false)
    CSINodeExpandSecret=true|false (ALPHA - default=false)
    CSIVolumeHealth=true|false (ALPHA - default=false)
    ComponentSLIs=true|false (ALPHA - default=false)
    ContainerCheckpoint=true|false (ALPHA - default=false)
    ContextualLogging=true|false (ALPHA - default=false)
    CronJobTimeZone=true|false (BETA - default=true)
    CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)
    CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
    CustomResourceValidationExpressions=true|false (BETA - default=true)
    DisableCloudProviders=true|false (ALPHA - default=false)
    DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
    DownwardAPIHugePages=true|false (BETA - default=true)
    DynamicResourceAllocation=true|false (ALPHA - default=false)
    EventedPLEG=true|false (ALPHA - default=false)
    ExpandedDNSConfig=true|false (BETA - default=true)
    ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
    GRPCContainerProbe=true|false (BETA - default=true)
    GracefulNodeShutdown=true|false (BETA - default=true)
    GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
    HPAContainerMetrics=true|false (ALPHA - default=false)
    HPAScaleToZero=true|false (ALPHA - default=false)
    HonorPVReclaimPolicy=true|false (ALPHA - default=false)
    IPTablesOwnershipCleanup=true|false (ALPHA - default=false)
    InTreePluginAWSUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
    InTreePluginGCEUnregister=true|false (ALPHA - default=false)
    InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
    InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
    InTreePluginRBDUnregister=true|false (ALPHA - default=false)
    InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
    JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
    JobPodFailurePolicy=true|false (BETA - default=true)
    JobReadyPods=true|false (BETA - default=true)
    KMSv2=true|false (ALPHA - default=false)
    KubeletInUserNamespace=true|false (ALPHA - default=false)
    KubeletPodResources=true|false (BETA - default=true)
    KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
    KubeletTracing=true|false (ALPHA - default=false)
    LegacyServiceAccountTokenTracking=true|false (ALPHA - default=false)
    LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
    LogarithmicScaleDown=true|false (BETA - default=true)
    LoggingAlphaOptions=true|false (ALPHA - default=false)
    LoggingBetaOptions=true|false (BETA - default=true)
    MatchLabelKeysInPodTopologySpread=true|false (ALPHA - default=false)
    MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
    MemoryManager=true|false (BETA - default=true)
    MemoryQoS=true|false (ALPHA - default=false)
    MinDomainsInPodTopologySpread=true|false (BETA - default=false)
    MinimizeIPTablesRestore=true|false (ALPHA - default=false)
    MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
    NetworkPolicyStatus=true|false (ALPHA - default=false)
    NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)
    NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
    NodeSwap=true|false (ALPHA - default=false)
    OpenAPIEnums=true|false (BETA - default=true)
    OpenAPIV3=true|false (BETA - default=true)
    PDBUnhealthyPodEvictionPolicy=true|false (ALPHA - default=false)
    PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
    PodDeletionCost=true|false (BETA - default=true)
    PodDisruptionConditions=true|false (BETA - default=true)
    PodHasNetworkCondition=true|false (ALPHA - default=false)
    PodSchedulingReadiness=true|false (ALPHA - default=false)
    ProbeTerminationGracePeriod=true|false (BETA - default=true)
    ProcMountType=true|false (ALPHA - default=false)
    ProxyTerminatingEndpoints=true|false (BETA - default=true)
    QOSReserved=true|false (ALPHA - default=false)
    ReadWriteOncePod=true|false (ALPHA - default=false)
    RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
    RemainingItemCount=true|false (BETA - default=true)
    RetroactiveDefaultStorageClass=true|false (BETA - default=true)
    RotateKubeletServerCertificate=true|false (BETA - default=true)
    SELinuxMountReadWriteOncePod=true|false (ALPHA - default=false)
    SeccompDefault=true|false (BETA - default=true)
    ServerSideFieldValidation=true|false (BETA - default=true)
    SizeMemoryBackedVolumes=true|false (BETA - default=true)
    StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
    StatefulSetStartOrdinal=true|false (ALPHA - default=false)
    StorageVersionAPI=true|false (ALPHA - default=false)
    StorageVersionHash=true|false (BETA - default=true)
    TopologyAwareHints=true|false (BETA - default=true)
    TopologyManager=true|false (BETA - default=true)
    TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)
    TopologyManagerPolicyOptions=true|false (ALPHA - default=false)
    UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
    ValidatingAdmissionPolicy=true|false (ALPHA - default=false)
    VolumeCapacityPriority=true|false (ALPHA - default=false)
    WinDSR=true|false (ALPHA - default=false)
    WinOverlay=true|false (BETA - default=true)
    WindowsHostNetwork=true|false (ALPHA - default=true)
    
+
    A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
    APIListChunking=true|false (BETA - default=true)
    APIPriorityAndFairness=true|false (BETA - default=true)
    APIResponseCompression=true|false (BETA - default=true)
    APISelfSubjectReview=true|false (BETA - default=true)
    APIServerIdentity=true|false (BETA - default=true)
    APIServerTracing=true|false (BETA - default=true)
    AdmissionWebhookMatchConditions=true|false (ALPHA - default=false)
    AggregatedDiscoveryEndpoint=true|false (BETA - default=true)
    AllAlpha=true|false (ALPHA - default=false)
    AllBeta=true|false (BETA - default=false)
    AnyVolumeDataSource=true|false (BETA - default=true)
    AppArmor=true|false (BETA - default=true)
    CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
    CPUManagerPolicyOptions=true|false (BETA - default=true)
    CSIMigrationPortworx=true|false (BETA - default=false)
    CSIMigrationRBD=true|false (ALPHA - default=false)
    CSINodeExpandSecret=true|false (BETA - default=true)
    CSIVolumeHealth=true|false (ALPHA - default=false)
    CloudControllerManagerWebhook=true|false (ALPHA - default=false)
    CloudDualStackNodeIPs=true|false (ALPHA - default=false)
    ClusterTrustBundle=true|false (ALPHA - default=false)
    ComponentSLIs=true|false (BETA - default=true)
    ContainerCheckpoint=true|false (ALPHA - default=false)
    ContextualLogging=true|false (ALPHA - default=false)
    CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)
    CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
    CustomResourceValidationExpressions=true|false (BETA - default=true)
    DisableCloudProviders=true|false (ALPHA - default=false)
    DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
    DynamicResourceAllocation=true|false (ALPHA - default=false)
    ElasticIndexedJob=true|false (BETA - default=true)
    EventedPLEG=true|false (BETA - default=false)
    ExpandedDNSConfig=true|false (BETA - default=true)
    ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
    GracefulNodeShutdown=true|false (BETA - default=true)
    GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
    HPAContainerMetrics=true|false (BETA - default=true)
    HPAScaleToZero=true|false (ALPHA - default=false)
    HonorPVReclaimPolicy=true|false (ALPHA - default=false)
    IPTablesOwnershipCleanup=true|false (BETA - default=true)
    InPlacePodVerticalScaling=true|false (ALPHA - default=false)
    InTreePluginAWSUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
    InTreePluginGCEUnregister=true|false (ALPHA - default=false)
    InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
    InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
    InTreePluginRBDUnregister=true|false (ALPHA - default=false)
    InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
    JobPodFailurePolicy=true|false (BETA - default=true)
    JobReadyPods=true|false (BETA - default=true)
    KMSv2=true|false (BETA - default=true)
    KubeletInUserNamespace=true|false (ALPHA - default=false)
    KubeletPodResources=true|false (BETA - default=true)
    KubeletPodResourcesDynamicResources=true|false (ALPHA - default=false)
    KubeletPodResourcesGet=true|false (ALPHA - default=false)
    KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
    KubeletTracing=true|false (BETA - default=true)
    LegacyServiceAccountTokenTracking=true|false (BETA - default=true)
    LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
    LogarithmicScaleDown=true|false (BETA - default=true)
    LoggingAlphaOptions=true|false (ALPHA - default=false)
    LoggingBetaOptions=true|false (BETA - default=true)
    MatchLabelKeysInPodTopologySpread=true|false (BETA - default=true)
    MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
    MemoryManager=true|false (BETA - default=true)
    MemoryQoS=true|false (ALPHA - default=false)
    MinDomainsInPodTopologySpread=true|false (BETA - default=true)
    MinimizeIPTablesRestore=true|false (BETA - default=true)
    MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
    MultiCIDRServiceAllocator=true|false (ALPHA - default=false)
    NetworkPolicyStatus=true|false (ALPHA - default=false)
    NewVolumeManagerReconstruction=true|false (BETA - default=true)
    NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)
    NodeLogQuery=true|false (ALPHA - default=false)
    NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
    NodeSwap=true|false (ALPHA - default=false)
    OpenAPIEnums=true|false (BETA - default=true)
    PDBUnhealthyPodEvictionPolicy=true|false (BETA - default=true)
    PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
    PodDeletionCost=true|false (BETA - default=true)
    PodDisruptionConditions=true|false (BETA - default=true)
    PodHasNetworkCondition=true|false (ALPHA - default=false)
    PodSchedulingReadiness=true|false (BETA - default=true)
    ProbeTerminationGracePeriod=true|false (BETA - default=true)
    ProcMountType=true|false (ALPHA - default=false)
    ProxyTerminatingEndpoints=true|false (BETA - default=true)
    QOSReserved=true|false (ALPHA - default=false)
    ReadWriteOncePod=true|false (BETA - default=true)
    RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
    RemainingItemCount=true|false (BETA - default=true)
    RetroactiveDefaultStorageClass=true|false (BETA - default=true)
    RotateKubeletServerCertificate=true|false (BETA - default=true)
    SELinuxMountReadWriteOncePod=true|false (BETA - default=true)
    SecurityContextDeny=true|false (ALPHA - default=false)
    ServiceNodePortStaticSubrange=true|false (ALPHA - default=false)
    SizeMemoryBackedVolumes=true|false (BETA - default=true)
    StableLoadBalancerNodeSet=true|false (BETA - default=true)
    StatefulSetAutoDeletePVC=true|false (BETA - default=true)
    StatefulSetStartOrdinal=true|false (BETA - default=true)
    StorageVersionAPI=true|false (ALPHA - default=false)
    StorageVersionHash=true|false (BETA - default=true)
    TopologyAwareHints=true|false (BETA - default=true)
    TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)
    TopologyManagerPolicyOptions=true|false (ALPHA - default=false)
    UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
    ValidatingAdmissionPolicy=true|false (ALPHA - default=false)
    VolumeCapacityPriority=true|false (ALPHA - default=false)
    WatchList=true|false (ALPHA - default=false)
    WinDSR=true|false (ALPHA - default=false)
    WinOverlay=true|false (BETA - default=true)
    WindowsHostNetwork=true|false (ALPHA - default=true)
    
 
 
 
@@ -984,6 +991,13 @@ kube-apiserver [flags]
 
    If true the HTTP Server will continue listening until all non long running request(s) in flight have been drained, during this window all incoming requests will be rejected with a status code 429 and a 'Retry-After' response header, in addition 'Connection: close' response header is set in order to tear down the TCP connection when idle.
    
 
 
+
+--shutdown-watch-termination-grace-period duration
+
+
+
    This option, if set, represents the maximum amount of grace period the apiserver will wait for active watch request(s) to drain during the graceful server shutdown window.
    
+
+
 
 --storage-backend string
 
diff --git a/content/en/docs/reference/command-line-tools-reference/kube-controller-manager.md b/content/en/docs/reference/command-line-tools-reference/kube-controller-manager.md
index 0d448987d06..98316ac6851 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-controller-manager.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-controller-manager.md
@@ -369,7 +369,7 @@ kube-controller-manager [flags]
 --contention-profiling
 
 
-
    Enable lock contention profiling, if profiling is enabled
    
+
    Enable block profiling, if profiling is enabled
    
 
 
 
@@ -453,7 +453,7 @@ kube-controller-manager [flags]
 --feature-gates <comma-separated 'key=True|False' pairs>
 
 
-
    A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
    APIListChunking=true|false (BETA - default=true)
    APIPriorityAndFairness=true|false (BETA - default=true)
    APIResponseCompression=true|false (BETA - default=true)
    APISelfSubjectReview=true|false (ALPHA - default=false)
    APIServerIdentity=true|false (BETA - default=true)
    APIServerTracing=true|false (ALPHA - default=false)
    AggregatedDiscoveryEndpoint=true|false (ALPHA - default=false)
    AllAlpha=true|false (ALPHA - default=false)
    AllBeta=true|false (BETA - default=false)
    AnyVolumeDataSource=true|false (BETA - default=true)
    AppArmor=true|false (BETA - default=true)
    CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
    CPUManagerPolicyOptions=true|false (BETA - default=true)
    CSIMigrationPortworx=true|false (BETA - default=false)
    CSIMigrationRBD=true|false (ALPHA - default=false)
    CSINodeExpandSecret=true|false (ALPHA - default=false)
    CSIVolumeHealth=true|false (ALPHA - default=false)
    ComponentSLIs=true|false (ALPHA - default=false)
    ContainerCheckpoint=true|false (ALPHA - default=false)
    ContextualLogging=true|false (ALPHA - default=false)
    CronJobTimeZone=true|false (BETA - default=true)
    CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)
    CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
    CustomResourceValidationExpressions=true|false (BETA - default=true)
    DisableCloudProviders=true|false (ALPHA - default=false)
    DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
    DownwardAPIHugePages=true|false (BETA - default=true)
    DynamicResourceAllocation=true|false (ALPHA - default=false)
    EventedPLEG=true|false (ALPHA - default=false)
    ExpandedDNSConfig=true|false (BETA - default=true)
    ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
    GRPCContainerProbe=true|false (BETA - default=true)
    GracefulNodeShutdown=true|false (BETA - default=true)
    GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
    HPAContainerMetrics=true|false (ALPHA - default=false)
    HPAScaleToZero=true|false (ALPHA - default=false)
    HonorPVReclaimPolicy=true|false (ALPHA - default=false)
    IPTablesOwnershipCleanup=true|false (ALPHA - default=false)
    InTreePluginAWSUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
    InTreePluginGCEUnregister=true|false (ALPHA - default=false)
    InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
    InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
    InTreePluginRBDUnregister=true|false (ALPHA - default=false)
    InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
    JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
    JobPodFailurePolicy=true|false (BETA - default=true)
    JobReadyPods=true|false (BETA - default=true)
    KMSv2=true|false (ALPHA - default=false)
    KubeletInUserNamespace=true|false (ALPHA - default=false)
    KubeletPodResources=true|false (BETA - default=true)
    KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
    KubeletTracing=true|false (ALPHA - default=false)
    LegacyServiceAccountTokenTracking=true|false (ALPHA - default=false)
    LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
    LogarithmicScaleDown=true|false (BETA - default=true)
    LoggingAlphaOptions=true|false (ALPHA - default=false)
    LoggingBetaOptions=true|false (BETA - default=true)
    MatchLabelKeysInPodTopologySpread=true|false (ALPHA - default=false)
    MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
    MemoryManager=true|false (BETA - default=true)
    MemoryQoS=true|false (ALPHA - default=false)
    MinDomainsInPodTopologySpread=true|false (BETA - default=false)
    MinimizeIPTablesRestore=true|false (ALPHA - default=false)
    MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
    NetworkPolicyStatus=true|false (ALPHA - default=false)
    NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)
    NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
    NodeSwap=true|false (ALPHA - default=false)
    OpenAPIEnums=true|false (BETA - default=true)
    OpenAPIV3=true|false (BETA - default=true)
    PDBUnhealthyPodEvictionPolicy=true|false (ALPHA - default=false)
    PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
    PodDeletionCost=true|false (BETA - default=true)
    PodDisruptionConditions=true|false (BETA - default=true)
    PodHasNetworkCondition=true|false (ALPHA - default=false)
    PodSchedulingReadiness=true|false (ALPHA - default=false)
    ProbeTerminationGracePeriod=true|false (BETA - default=true)
    ProcMountType=true|false (ALPHA - default=false)
    ProxyTerminatingEndpoints=true|false (BETA - default=true)
    QOSReserved=true|false (ALPHA - default=false)
    ReadWriteOncePod=true|false (ALPHA - default=false)
    RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
    RemainingItemCount=true|false (BETA - default=true)
    RetroactiveDefaultStorageClass=true|false (BETA - default=true)
    RotateKubeletServerCertificate=true|false (BETA - default=true)
    SELinuxMountReadWriteOncePod=true|false (ALPHA - default=false)
    SeccompDefault=true|false (BETA - default=true)
    ServerSideFieldValidation=true|false (BETA - default=true)
    SizeMemoryBackedVolumes=true|false (BETA - default=true)
    StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
    StatefulSetStartOrdinal=true|false (ALPHA - default=false)
    StorageVersionAPI=true|false (ALPHA - default=false)
    StorageVersionHash=true|false (BETA - default=true)
    TopologyAwareHints=true|false (BETA - default=true)
    TopologyManager=true|false (BETA - default=true)
    TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)
    TopologyManagerPolicyOptions=true|false (ALPHA - default=false)
    UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
    ValidatingAdmissionPolicy=true|false (ALPHA - default=false)
    VolumeCapacityPriority=true|false (ALPHA - default=false)
    WinDSR=true|false (ALPHA - default=false)
    WinOverlay=true|false (BETA - default=true)
    WindowsHostNetwork=true|false (ALPHA - default=true)
    
+
    A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
    APIListChunking=true|false (BETA - default=true)
    APIPriorityAndFairness=true|false (BETA - default=true)
    APIResponseCompression=true|false (BETA - default=true)
    APISelfSubjectReview=true|false (BETA - default=true)
    APIServerIdentity=true|false (BETA - default=true)
    APIServerTracing=true|false (BETA - default=true)
    AdmissionWebhookMatchConditions=true|false (ALPHA - default=false)
    AggregatedDiscoveryEndpoint=true|false (BETA - default=true)
    AllAlpha=true|false (ALPHA - default=false)
    AllBeta=true|false (BETA - default=false)
    AnyVolumeDataSource=true|false (BETA - default=true)
    AppArmor=true|false (BETA - default=true)
    CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
    CPUManagerPolicyOptions=true|false (BETA - default=true)
    CSIMigrationPortworx=true|false (BETA - default=false)
    CSIMigrationRBD=true|false (ALPHA - default=false)
    CSINodeExpandSecret=true|false (BETA - default=true)
    CSIVolumeHealth=true|false (ALPHA - default=false)
    CloudControllerManagerWebhook=true|false (ALPHA - default=false)
    CloudDualStackNodeIPs=true|false (ALPHA - default=false)
    ClusterTrustBundle=true|false (ALPHA - default=false)
    ComponentSLIs=true|false (BETA - default=true)
    ContainerCheckpoint=true|false (ALPHA - default=false)
    ContextualLogging=true|false (ALPHA - default=false)
    CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)
    CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
    CustomResourceValidationExpressions=true|false (BETA - default=true)
    DisableCloudProviders=true|false (ALPHA - default=false)
    DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
    DynamicResourceAllocation=true|false (ALPHA - default=false)
    ElasticIndexedJob=true|false (BETA - default=true)
    EventedPLEG=true|false (BETA - default=false)
    ExpandedDNSConfig=true|false (BETA - default=true)
    ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
    GracefulNodeShutdown=true|false (BETA - default=true)
    GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
    HPAContainerMetrics=true|false (BETA - default=true)
    HPAScaleToZero=true|false (ALPHA - default=false)
    HonorPVReclaimPolicy=true|false (ALPHA - default=false)
    IPTablesOwnershipCleanup=true|false (BETA - default=true)
    InPlacePodVerticalScaling=true|false (ALPHA - default=false)
    InTreePluginAWSUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
    InTreePluginGCEUnregister=true|false (ALPHA - default=false)
    InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
    InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
    InTreePluginRBDUnregister=true|false (ALPHA - default=false)
    InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
    JobPodFailurePolicy=true|false (BETA - default=true)
    JobReadyPods=true|false (BETA - default=true)
    KMSv2=true|false (BETA - default=true)
    KubeletInUserNamespace=true|false (ALPHA - default=false)
    KubeletPodResources=true|false (BETA - default=true)
    KubeletPodResourcesDynamicResources=true|false (ALPHA - default=false)
    KubeletPodResourcesGet=true|false (ALPHA - default=false)
    KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
    KubeletTracing=true|false (BETA - default=true)
    LegacyServiceAccountTokenTracking=true|false (BETA - default=true)
    LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
    LogarithmicScaleDown=true|false (BETA - default=true)
    LoggingAlphaOptions=true|false (ALPHA - default=false)
    LoggingBetaOptions=true|false (BETA - default=true)
    MatchLabelKeysInPodTopologySpread=true|false (BETA - default=true)
    MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
    MemoryManager=true|false (BETA - default=true)
    MemoryQoS=true|false (ALPHA - default=false)
    MinDomainsInPodTopologySpread=true|false (BETA - default=true)
    MinimizeIPTablesRestore=true|false (BETA - default=true)
    MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
    MultiCIDRServiceAllocator=true|false (ALPHA - default=false)
    NetworkPolicyStatus=true|false (ALPHA - default=false)
    NewVolumeManagerReconstruction=true|false (BETA - default=true)
    NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)
    NodeLogQuery=true|false (ALPHA - default=false)
    NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
    NodeSwap=true|false (ALPHA - default=false)
    OpenAPIEnums=true|false (BETA - default=true)
    PDBUnhealthyPodEvictionPolicy=true|false (BETA - default=true)
    PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
    PodDeletionCost=true|false (BETA - default=true)
    PodDisruptionConditions=true|false (BETA - default=true)
    PodHasNetworkCondition=true|false (ALPHA - default=false)
    PodSchedulingReadiness=true|false (BETA - default=true)
    ProbeTerminationGracePeriod=true|false (BETA - default=true)
    ProcMountType=true|false (ALPHA - default=false)
    ProxyTerminatingEndpoints=true|false (BETA - default=true)
    QOSReserved=true|false (ALPHA - default=false)
    ReadWriteOncePod=true|false (BETA - default=true)
    RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
    RemainingItemCount=true|false (BETA - default=true)
    RetroactiveDefaultStorageClass=true|false (BETA - default=true)
    RotateKubeletServerCertificate=true|false (BETA - default=true)
    SELinuxMountReadWriteOncePod=true|false (BETA - default=true)
    SecurityContextDeny=true|false (ALPHA - default=false)
    ServiceNodePortStaticSubrange=true|false (ALPHA - default=false)
    SizeMemoryBackedVolumes=true|false (BETA - default=true)
    StableLoadBalancerNodeSet=true|false (BETA - default=true)
    StatefulSetAutoDeletePVC=true|false (BETA - default=true)
    StatefulSetStartOrdinal=true|false (BETA - default=true)
    StorageVersionAPI=true|false (ALPHA - default=false)
    StorageVersionHash=true|false (BETA - default=true)
    TopologyAwareHints=true|false (BETA - default=true)
    TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)
    TopologyManagerPolicyOptions=true|false (ALPHA - default=false)
    UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
    ValidatingAdmissionPolicy=true|false (ALPHA - default=false)
    VolumeCapacityPriority=true|false (ALPHA - default=false)
    WatchList=true|false (ALPHA - default=false)
    WinDSR=true|false (ALPHA - default=false)
    WinOverlay=true|false (BETA - default=true)
    WindowsHostNetwork=true|false (ALPHA - default=true)
    
 
 
 
@@ -537,7 +537,7 @@ kube-controller-manager [flags]
 --kubeconfig string
 
 
-
    Path to kubeconfig file with authorization and master location information.
    
+
    Path to kubeconfig file with authorization and master location information (the master location can be overridden by the master flag).
    
 
 
 
diff --git a/content/en/docs/reference/command-line-tools-reference/kube-proxy.md b/content/en/docs/reference/command-line-tools-reference/kube-proxy.md
index 15b1aa9d2f4..34f71db84b9 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-proxy.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-proxy.md
@@ -144,7 +144,7 @@ kube-proxy [flags]
 --feature-gates <comma-separated 'key=True|False' pairs>
 
 
-
    A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
    APIListChunking=true|false (BETA - default=true)
    APIPriorityAndFairness=true|false (BETA - default=true)
    APIResponseCompression=true|false (BETA - default=true)
    APISelfSubjectReview=true|false (ALPHA - default=false)
    APIServerIdentity=true|false (BETA - default=true)
    APIServerTracing=true|false (ALPHA - default=false)
    AggregatedDiscoveryEndpoint=true|false (ALPHA - default=false)
    AllAlpha=true|false (ALPHA - default=false)
    AllBeta=true|false (BETA - default=false)
    AnyVolumeDataSource=true|false (BETA - default=true)
    AppArmor=true|false (BETA - default=true)
    CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
    CPUManagerPolicyOptions=true|false (BETA - default=true)
    CSIMigrationPortworx=true|false (BETA - default=false)
    CSIMigrationRBD=true|false (ALPHA - default=false)
    CSINodeExpandSecret=true|false (ALPHA - default=false)
    CSIVolumeHealth=true|false (ALPHA - default=false)
    ComponentSLIs=true|false (ALPHA - default=false)
    ContainerCheckpoint=true|false (ALPHA - default=false)
    CronJobTimeZone=true|false (BETA - default=true)
    CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)
    CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
    CustomResourceValidationExpressions=true|false (BETA - default=true)
    DisableCloudProviders=true|false (ALPHA - default=false)
    DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
    DownwardAPIHugePages=true|false (BETA - default=true)
    DynamicResourceAllocation=true|false (ALPHA - default=false)
    EventedPLEG=true|false (ALPHA - default=false)
    ExpandedDNSConfig=true|false (BETA - default=true)
    ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
    GRPCContainerProbe=true|false (BETA - default=true)
    GracefulNodeShutdown=true|false (BETA - default=true)
    GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
    HPAContainerMetrics=true|false (ALPHA - default=false)
    HPAScaleToZero=true|false (ALPHA - default=false)
    HonorPVReclaimPolicy=true|false (ALPHA - default=false)
    IPTablesOwnershipCleanup=true|false (ALPHA - default=false)
    InTreePluginAWSUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
    InTreePluginGCEUnregister=true|false (ALPHA - default=false)
    InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
    InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
    InTreePluginRBDUnregister=true|false (ALPHA - default=false)
    InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
    JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
    JobPodFailurePolicy=true|false (BETA - default=true)
    JobReadyPods=true|false (BETA - default=true)
    KMSv2=true|false (ALPHA - default=false)
    KubeletInUserNamespace=true|false (ALPHA - default=false)
    KubeletPodResources=true|false (BETA - default=true)
    KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
    KubeletTracing=true|false (ALPHA - default=false)
    LegacyServiceAccountTokenTracking=true|false (ALPHA - default=false)
    LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
    LogarithmicScaleDown=true|false (BETA - default=true)
    MatchLabelKeysInPodTopologySpread=true|false (ALPHA - default=false)
    MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
    MemoryManager=true|false (BETA - default=true)
    MemoryQoS=true|false (ALPHA - default=false)
    MinDomainsInPodTopologySpread=true|false (BETA - default=false)
    MinimizeIPTablesRestore=true|false (ALPHA - default=false)
    MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
    NetworkPolicyStatus=true|false (ALPHA - default=false)
    NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)
    NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
    NodeSwap=true|false (ALPHA - default=false)
    OpenAPIEnums=true|false (BETA - default=true)
    OpenAPIV3=true|false (BETA - default=true)
    PDBUnhealthyPodEvictionPolicy=true|false (ALPHA - default=false)
    PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
    PodDeletionCost=true|false (BETA - default=true)
    PodDisruptionConditions=true|false (BETA - default=true)
    PodHasNetworkCondition=true|false (ALPHA - default=false)
    PodSchedulingReadiness=true|false (ALPHA - default=false)
    ProbeTerminationGracePeriod=true|false (BETA - default=true)
    ProcMountType=true|false (ALPHA - default=false)
    ProxyTerminatingEndpoints=true|false (BETA - default=true)
    QOSReserved=true|false (ALPHA - default=false)
    ReadWriteOncePod=true|false (ALPHA - default=false)
    RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
    RemainingItemCount=true|false (BETA - default=true)
    RetroactiveDefaultStorageClass=true|false (BETA - default=true)
    RotateKubeletServerCertificate=true|false (BETA - default=true)
    SELinuxMountReadWriteOncePod=true|false (ALPHA - default=false)
    SeccompDefault=true|false (BETA - default=true)
    ServerSideFieldValidation=true|false (BETA - default=true)
    SizeMemoryBackedVolumes=true|false (BETA - default=true)
    StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
    StatefulSetStartOrdinal=true|false (ALPHA - default=false)
    StorageVersionAPI=true|false (ALPHA - default=false)
    StorageVersionHash=true|false (BETA - default=true)
    TopologyAwareHints=true|false (BETA - default=true)
    TopologyManager=true|false (BETA - default=true)
    TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)
    TopologyManagerPolicyOptions=true|false (ALPHA - default=false)
    UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
    ValidatingAdmissionPolicy=true|false (ALPHA - default=false)
    VolumeCapacityPriority=true|false (ALPHA - default=false)
    WinDSR=true|false (ALPHA - default=false)
    WinOverlay=true|false (BETA - default=true)
    WindowsHostNetwork=true|false (ALPHA - default=true)
    This parameter is ignored if a config file is specified by --config.
    
+
    A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
    APIListChunking=true|false (BETA - default=true)
    APIPriorityAndFairness=true|false (BETA - default=true)
    APIResponseCompression=true|false (BETA - default=true)
    APISelfSubjectReview=true|false (BETA - default=true)
    APIServerIdentity=true|false (BETA - default=true)
    APIServerTracing=true|false (BETA - default=true)
    AdmissionWebhookMatchConditions=true|false (ALPHA - default=false)
    AggregatedDiscoveryEndpoint=true|false (BETA - default=true)
    AllAlpha=true|false (ALPHA - default=false)
    AllBeta=true|false (BETA - default=false)
    AnyVolumeDataSource=true|false (BETA - default=true)
    AppArmor=true|false (BETA - default=true)
    CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
    CPUManagerPolicyOptions=true|false (BETA - default=true)
    CSIMigrationPortworx=true|false (BETA - default=false)
    CSIMigrationRBD=true|false (ALPHA - default=false)
    CSINodeExpandSecret=true|false (BETA - default=true)
    CSIVolumeHealth=true|false (ALPHA - default=false)
    CloudControllerManagerWebhook=true|false (ALPHA - default=false)
    CloudDualStackNodeIPs=true|false (ALPHA - default=false)
    ClusterTrustBundle=true|false (ALPHA - default=false)
    ComponentSLIs=true|false (BETA - default=true)
    ContainerCheckpoint=true|false (ALPHA - default=false)
    ContextualLogging=true|false (ALPHA - default=false)
    CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)
    CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
    CustomResourceValidationExpressions=true|false (BETA - default=true)
    DisableCloudProviders=true|false (ALPHA - default=false)
    DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
    DynamicResourceAllocation=true|false (ALPHA - default=false)
    ElasticIndexedJob=true|false (BETA - default=true)
    EventedPLEG=true|false (BETA - default=false)
    ExpandedDNSConfig=true|false (BETA - default=true)
    ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
    GracefulNodeShutdown=true|false (BETA - default=true)
    GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
    HPAContainerMetrics=true|false (BETA - default=true)
    HPAScaleToZero=true|false (ALPHA - default=false)
    HonorPVReclaimPolicy=true|false (ALPHA - default=false)
    IPTablesOwnershipCleanup=true|false (BETA - default=true)
    InPlacePodVerticalScaling=true|false (ALPHA - default=false)
    InTreePluginAWSUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
    InTreePluginGCEUnregister=true|false (ALPHA - default=false)
    InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
    InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
    InTreePluginRBDUnregister=true|false (ALPHA - default=false)
    InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
    JobPodFailurePolicy=true|false (BETA - default=true)
    JobReadyPods=true|false (BETA - default=true)
    KMSv2=true|false (BETA - default=true)
    KubeletInUserNamespace=true|false (ALPHA - default=false)
    KubeletPodResources=true|false (BETA - default=true)
    KubeletPodResourcesDynamicResources=true|false (ALPHA - default=false)
    KubeletPodResourcesGet=true|false (ALPHA - default=false)
    KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
    KubeletTracing=true|false (BETA - default=true)
    LegacyServiceAccountTokenTracking=true|false (BETA - default=true)
    LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
    LogarithmicScaleDown=true|false (BETA - default=true)
    LoggingAlphaOptions=true|false (ALPHA - default=false)
    LoggingBetaOptions=true|false (BETA - default=true)
    MatchLabelKeysInPodTopologySpread=true|false (BETA - default=true)
    MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
    MemoryManager=true|false (BETA - default=true)
    MemoryQoS=true|false (ALPHA - default=false)
    MinDomainsInPodTopologySpread=true|false (BETA - default=true)
    MinimizeIPTablesRestore=true|false (BETA - default=true)
    MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
    MultiCIDRServiceAllocator=true|false (ALPHA - default=false)
    NetworkPolicyStatus=true|false (ALPHA - default=false)
    NewVolumeManagerReconstruction=true|false (BETA - default=true)
    NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)
    NodeLogQuery=true|false (ALPHA - default=false)
    NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
    NodeSwap=true|false (ALPHA - default=false)
    OpenAPIEnums=true|false (BETA - default=true)
    PDBUnhealthyPodEvictionPolicy=true|false (BETA - default=true)
    PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
    PodDeletionCost=true|false (BETA - default=true)
    PodDisruptionConditions=true|false (BETA - default=true)
    PodHasNetworkCondition=true|false (ALPHA - default=false)
    PodSchedulingReadiness=true|false (BETA - default=true)
    ProbeTerminationGracePeriod=true|false (BETA - default=true)
    ProcMountType=true|false (ALPHA - default=false)
    ProxyTerminatingEndpoints=true|false (BETA - default=true)
    QOSReserved=true|false (ALPHA - default=false)
    ReadWriteOncePod=true|false (BETA - default=true)
    RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
    RemainingItemCount=true|false (BETA - default=true)
    RetroactiveDefaultStorageClass=true|false (BETA - default=true)
    RotateKubeletServerCertificate=true|false (BETA - default=true)
    SELinuxMountReadWriteOncePod=true|false (BETA - default=true)
    SecurityContextDeny=true|false (ALPHA - default=false)
    ServiceNodePortStaticSubrange=true|false (ALPHA - default=false)
    SizeMemoryBackedVolumes=true|false (BETA - default=true)
    StableLoadBalancerNodeSet=true|false (BETA - default=true)
    StatefulSetAutoDeletePVC=true|false (BETA - default=true)
    StatefulSetStartOrdinal=true|false (BETA - default=true)
    StorageVersionAPI=true|false (ALPHA - default=false)
    StorageVersionHash=true|false (BETA - default=true)
    TopologyAwareHints=true|false (BETA - default=true)
    TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)
    TopologyManagerPolicyOptions=true|false (ALPHA - default=false)
    UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
    ValidatingAdmissionPolicy=true|false (ALPHA - default=false)
    VolumeCapacityPriority=true|false (ALPHA - default=false)
    WatchList=true|false (ALPHA - default=false)
    WinDSR=true|false (ALPHA - default=false)
    WinOverlay=true|false (BETA - default=true)
    WindowsHostNetwork=true|false (ALPHA - default=true)
    This parameter is ignored if a config file is specified by --config.
    
 
 
 
diff --git a/content/en/docs/reference/command-line-tools-reference/kube-scheduler.md b/content/en/docs/reference/command-line-tools-reference/kube-scheduler.md
index d0032be6a16..7dc952537d4 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-scheduler.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-scheduler.md
@@ -145,7 +145,7 @@ kube-scheduler [flags]
 --contention-profiling     Default: true
 
 
-
    DEPRECATED: enable lock contention profiling, if profiling is enabled. This parameter is ignored if a config file is specified in --config.
    
+
    DEPRECATED: enable block profiling, if profiling is enabled. This parameter is ignored if a config file is specified in --config.
    
 
 
 
@@ -159,7 +159,7 @@ kube-scheduler [flags]
 --feature-gates <comma-separated 'key=True|False' pairs>
 
 
-
    A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
    APIListChunking=true|false (BETA - default=true)
    APIPriorityAndFairness=true|false (BETA - default=true)
    APIResponseCompression=true|false (BETA - default=true)
    APISelfSubjectReview=true|false (ALPHA - default=false)
    APIServerIdentity=true|false (BETA - default=true)
    APIServerTracing=true|false (ALPHA - default=false)
    AggregatedDiscoveryEndpoint=true|false (ALPHA - default=false)
    AllAlpha=true|false (ALPHA - default=false)
    AllBeta=true|false (BETA - default=false)
    AnyVolumeDataSource=true|false (BETA - default=true)
    AppArmor=true|false (BETA - default=true)
    CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
    CPUManagerPolicyOptions=true|false (BETA - default=true)
    CSIMigrationPortworx=true|false (BETA - default=false)
    CSIMigrationRBD=true|false (ALPHA - default=false)
    CSINodeExpandSecret=true|false (ALPHA - default=false)
    CSIVolumeHealth=true|false (ALPHA - default=false)
    ComponentSLIs=true|false (ALPHA - default=false)
    ContainerCheckpoint=true|false (ALPHA - default=false)
    ContextualLogging=true|false (ALPHA - default=false)
    CronJobTimeZone=true|false (BETA - default=true)
    CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)
    CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
    CustomResourceValidationExpressions=true|false (BETA - default=true)
    DisableCloudProviders=true|false (ALPHA - default=false)
    DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
    DownwardAPIHugePages=true|false (BETA - default=true)
    DynamicResourceAllocation=true|false (ALPHA - default=false)
    EventedPLEG=true|false (ALPHA - default=false)
    ExpandedDNSConfig=true|false (BETA - default=true)
    ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
    GRPCContainerProbe=true|false (BETA - default=true)
    GracefulNodeShutdown=true|false (BETA - default=true)
    GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
    HPAContainerMetrics=true|false (ALPHA - default=false)
    HPAScaleToZero=true|false (ALPHA - default=false)
    HonorPVReclaimPolicy=true|false (ALPHA - default=false)
    IPTablesOwnershipCleanup=true|false (ALPHA - default=false)
    InTreePluginAWSUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
    InTreePluginGCEUnregister=true|false (ALPHA - default=false)
    InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
    InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
    InTreePluginRBDUnregister=true|false (ALPHA - default=false)
    InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
    JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)
    JobPodFailurePolicy=true|false (BETA - default=true)
    JobReadyPods=true|false (BETA - default=true)
    KMSv2=true|false (ALPHA - default=false)
    KubeletInUserNamespace=true|false (ALPHA - default=false)
    KubeletPodResources=true|false (BETA - default=true)
    KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
    KubeletTracing=true|false (ALPHA - default=false)
    LegacyServiceAccountTokenTracking=true|false (ALPHA - default=false)
    LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
    LogarithmicScaleDown=true|false (BETA - default=true)
    LoggingAlphaOptions=true|false (ALPHA - default=false)
    LoggingBetaOptions=true|false (BETA - default=true)
    MatchLabelKeysInPodTopologySpread=true|false (ALPHA - default=false)
    MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
    MemoryManager=true|false (BETA - default=true)
    MemoryQoS=true|false (ALPHA - default=false)
    MinDomainsInPodTopologySpread=true|false (BETA - default=false)
    MinimizeIPTablesRestore=true|false (ALPHA - default=false)
    MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
    NetworkPolicyStatus=true|false (ALPHA - default=false)
    NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)
    NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
    NodeSwap=true|false (ALPHA - default=false)
    OpenAPIEnums=true|false (BETA - default=true)
    OpenAPIV3=true|false (BETA - default=true)
    PDBUnhealthyPodEvictionPolicy=true|false (ALPHA - default=false)
    PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
    PodDeletionCost=true|false (BETA - default=true)
    PodDisruptionConditions=true|false (BETA - default=true)
    PodHasNetworkCondition=true|false (ALPHA - default=false)
    PodSchedulingReadiness=true|false (ALPHA - default=false)
    ProbeTerminationGracePeriod=true|false (BETA - default=true)
    ProcMountType=true|false (ALPHA - default=false)
    ProxyTerminatingEndpoints=true|false (BETA - default=true)
    QOSReserved=true|false (ALPHA - default=false)
    ReadWriteOncePod=true|false (ALPHA - default=false)
    RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
    RemainingItemCount=true|false (BETA - default=true)
    RetroactiveDefaultStorageClass=true|false (BETA - default=true)
    RotateKubeletServerCertificate=true|false (BETA - default=true)
    SELinuxMountReadWriteOncePod=true|false (ALPHA - default=false)
    SeccompDefault=true|false (BETA - default=true)
    ServerSideFieldValidation=true|false (BETA - default=true)
    SizeMemoryBackedVolumes=true|false (BETA - default=true)
    StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)
    StatefulSetStartOrdinal=true|false (ALPHA - default=false)
    StorageVersionAPI=true|false (ALPHA - default=false)
    StorageVersionHash=true|false (BETA - default=true)
    TopologyAwareHints=true|false (BETA - default=true)
    TopologyManager=true|false (BETA - default=true)
    TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)
    TopologyManagerPolicyOptions=true|false (ALPHA - default=false)
    UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
    ValidatingAdmissionPolicy=true|false (ALPHA - default=false)
    VolumeCapacityPriority=true|false (ALPHA - default=false)
    WinDSR=true|false (ALPHA - default=false)
    WinOverlay=true|false (BETA - default=true)
    WindowsHostNetwork=true|false (ALPHA - default=true)
    
+
    A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
    APIListChunking=true|false (BETA - default=true)
    APIPriorityAndFairness=true|false (BETA - default=true)
    APIResponseCompression=true|false (BETA - default=true)
    APISelfSubjectReview=true|false (BETA - default=true)
    APIServerIdentity=true|false (BETA - default=true)
    APIServerTracing=true|false (BETA - default=true)
    AdmissionWebhookMatchConditions=true|false (ALPHA - default=false)
    AggregatedDiscoveryEndpoint=true|false (BETA - default=true)
    AllAlpha=true|false (ALPHA - default=false)
    AllBeta=true|false (BETA - default=false)
    AnyVolumeDataSource=true|false (BETA - default=true)
    AppArmor=true|false (BETA - default=true)
    CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    CPUManagerPolicyBetaOptions=true|false (BETA - default=true)
    CPUManagerPolicyOptions=true|false (BETA - default=true)
    CSIMigrationPortworx=true|false (BETA - default=false)
    CSIMigrationRBD=true|false (ALPHA - default=false)
    CSINodeExpandSecret=true|false (BETA - default=true)
    CSIVolumeHealth=true|false (ALPHA - default=false)
    CloudControllerManagerWebhook=true|false (ALPHA - default=false)
    CloudDualStackNodeIPs=true|false (ALPHA - default=false)
    ClusterTrustBundle=true|false (ALPHA - default=false)
    ComponentSLIs=true|false (BETA - default=true)
    ContainerCheckpoint=true|false (ALPHA - default=false)
    ContextualLogging=true|false (ALPHA - default=false)
    CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)
    CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)
    CustomResourceValidationExpressions=true|false (BETA - default=true)
    DisableCloudProviders=true|false (ALPHA - default=false)
    DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)
    DynamicResourceAllocation=true|false (ALPHA - default=false)
    ElasticIndexedJob=true|false (BETA - default=true)
    EventedPLEG=true|false (BETA - default=false)
    ExpandedDNSConfig=true|false (BETA - default=true)
    ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)
    GracefulNodeShutdown=true|false (BETA - default=true)
    GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)
    HPAContainerMetrics=true|false (BETA - default=true)
    HPAScaleToZero=true|false (ALPHA - default=false)
    HonorPVReclaimPolicy=true|false (ALPHA - default=false)
    IPTablesOwnershipCleanup=true|false (BETA - default=true)
    InPlacePodVerticalScaling=true|false (ALPHA - default=false)
    InTreePluginAWSUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)
    InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)
    InTreePluginGCEUnregister=true|false (ALPHA - default=false)
    InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)
    InTreePluginPortworxUnregister=true|false (ALPHA - default=false)
    InTreePluginRBDUnregister=true|false (ALPHA - default=false)
    InTreePluginvSphereUnregister=true|false (ALPHA - default=false)
    JobPodFailurePolicy=true|false (BETA - default=true)
    JobReadyPods=true|false (BETA - default=true)
    KMSv2=true|false (BETA - default=true)
    KubeletInUserNamespace=true|false (ALPHA - default=false)
    KubeletPodResources=true|false (BETA - default=true)
    KubeletPodResourcesDynamicResources=true|false (ALPHA - default=false)
    KubeletPodResourcesGet=true|false (ALPHA - default=false)
    KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)
    KubeletTracing=true|false (BETA - default=true)
    LegacyServiceAccountTokenTracking=true|false (BETA - default=true)
    LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)
    LogarithmicScaleDown=true|false (BETA - default=true)
    LoggingAlphaOptions=true|false (ALPHA - default=false)
    LoggingBetaOptions=true|false (BETA - default=true)
    MatchLabelKeysInPodTopologySpread=true|false (BETA - default=true)
    MaxUnavailableStatefulSet=true|false (ALPHA - default=false)
    MemoryManager=true|false (BETA - default=true)
    MemoryQoS=true|false (ALPHA - default=false)
    MinDomainsInPodTopologySpread=true|false (BETA - default=true)
    MinimizeIPTablesRestore=true|false (BETA - default=true)
    MultiCIDRRangeAllocator=true|false (ALPHA - default=false)
    MultiCIDRServiceAllocator=true|false (ALPHA - default=false)
    NetworkPolicyStatus=true|false (ALPHA - default=false)
    NewVolumeManagerReconstruction=true|false (BETA - default=true)
    NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)
    NodeLogQuery=true|false (ALPHA - default=false)
    NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)
    NodeSwap=true|false (ALPHA - default=false)
    OpenAPIEnums=true|false (BETA - default=true)
    PDBUnhealthyPodEvictionPolicy=true|false (BETA - default=true)
    PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)
    PodDeletionCost=true|false (BETA - default=true)
    PodDisruptionConditions=true|false (BETA - default=true)
    PodHasNetworkCondition=true|false (ALPHA - default=false)
    PodSchedulingReadiness=true|false (BETA - default=true)
    ProbeTerminationGracePeriod=true|false (BETA - default=true)
    ProcMountType=true|false (ALPHA - default=false)
    ProxyTerminatingEndpoints=true|false (BETA - default=true)
    QOSReserved=true|false (ALPHA - default=false)
    ReadWriteOncePod=true|false (BETA - default=true)
    RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)
    RemainingItemCount=true|false (BETA - default=true)
    RetroactiveDefaultStorageClass=true|false (BETA - default=true)
    RotateKubeletServerCertificate=true|false (BETA - default=true)
    SELinuxMountReadWriteOncePod=true|false (BETA - default=true)
    SecurityContextDeny=true|false (ALPHA - default=false)
    ServiceNodePortStaticSubrange=true|false (ALPHA - default=false)
    SizeMemoryBackedVolumes=true|false (BETA - default=true)
    StableLoadBalancerNodeSet=true|false (BETA - default=true)
    StatefulSetAutoDeletePVC=true|false (BETA - default=true)
    StatefulSetStartOrdinal=true|false (BETA - default=true)
    StorageVersionAPI=true|false (ALPHA - default=false)
    StorageVersionHash=true|false (BETA - default=true)
    TopologyAwareHints=true|false (BETA - default=true)
    TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)
    TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)
    TopologyManagerPolicyOptions=true|false (ALPHA - default=false)
    UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)
    ValidatingAdmissionPolicy=true|false (ALPHA - default=false)
    VolumeCapacityPriority=true|false (ALPHA - default=false)
    WatchList=true|false (ALPHA - default=false)
    WinDSR=true|false (ALPHA - default=false)
    WinOverlay=true|false (BETA - default=true)
    WindowsHostNetwork=true|false (ALPHA - default=true)
    
 
 
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
index 541d9892a15..92b045be4bf 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
@@ -55,7 +55,7 @@ kubeadm config images list [flags]
 --feature-gates string
 
 
-
    A set of key=value pairs that describe feature gates for various features. Options are:
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
+
    A set of key=value pairs that describe feature gates for various features. Options are:
    EtcdLearnerMode=true|false (ALPHA - default=false)
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
 
 
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md
index 3a78f260312..cad6279ee04 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md
@@ -48,7 +48,7 @@ kubeadm config images pull [flags]
 --feature-gates string
 
 
-
    A set of key=value pairs that describe feature gates for various features. Options are:
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
+
    A set of key=value pairs that describe feature gates for various features. Options are:
    EtcdLearnerMode=true|false (ALPHA - default=false)
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
 
 
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
index ad919d2e16e..385331d7af5 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
@@ -139,7 +139,7 @@ kubeadm init [flags]
 --feature-gates string
 
 
-
    A set of key=value pairs that describe feature gates for various features. Options are:
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
+
    A set of key=value pairs that describe feature gates for various features. Options are:
    EtcdLearnerMode=true|false (ALPHA - default=false)
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
 
 
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_all.md
index dafa56360ac..621c1f8170b 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_all.md
@@ -69,7 +69,7 @@ kubeadm init phase addon all [flags]
 --feature-gates string
 
 
-
    A set of key=value pairs that describe feature gates for various features. Options are:
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
+
    A set of key=value pairs that describe feature gates for various features. Options are:
    EtcdLearnerMode=true|false (ALPHA - default=false)
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
 
 
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_coredns.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_coredns.md
index 3225abfba1d..a44e72427fb 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_coredns.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_coredns.md
@@ -48,7 +48,7 @@ kubeadm init phase addon coredns [flags]
 --feature-gates string
 
 
-
    A set of key=value pairs that describe feature gates for various features. Options are:
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
+
    A set of key=value pairs that describe feature gates for various features. Options are:
    EtcdLearnerMode=true|false (ALPHA - default=false)
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
 
 
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_all.md
index e168a6bb877..b28306a6477 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_all.md
@@ -101,7 +101,7 @@ kubeadm init phase control-plane all [flags]
 --feature-gates string
 
 
-
    A set of key=value pairs that describe feature gates for various features. Options are:
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
+
    A set of key=value pairs that describe feature gates for various features. Options are:
    EtcdLearnerMode=true|false (ALPHA - default=false)
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
 
 
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_apiserver.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_apiserver.md
index 3f69982f8f1..67d775db2d1 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_apiserver.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_apiserver.md
@@ -83,7 +83,7 @@ kubeadm init phase control-plane apiserver [flags]
 --feature-gates string
 
 
-
    A set of key=value pairs that describe feature gates for various features. Options are:
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
+
    A set of key=value pairs that describe feature gates for various features. Options are:
    EtcdLearnerMode=true|false (ALPHA - default=false)
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
 
 
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md
index 21fc3f7feae..23013ec7e3a 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md
@@ -44,6 +44,13 @@ kubeadm init phase preflight [flags]
 
    Path to a kubeadm configuration file.
    
 
 
+
+--cri-socket string
+
+
+
    Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
    
+
+
 
 --dry-run
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md
index 2b15abac969..3feed3b1892 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md
@@ -37,6 +37,13 @@ kubeadm init phase upload-config all [flags]
 
    Path to a kubeadm configuration file.
    
 
 
+
+--cri-socket string
+
+
+
    Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
    
+
+
 
 --dry-run
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md
index d8f466b4094..4ef3f88e7e8 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md
@@ -46,6 +46,13 @@ kubeadm init phase upload-config kubeadm [flags]
 
    Path to a kubeadm configuration file.
    
 
 
+
+--cri-socket string
+
+
+
    Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
    
+
+
 
 --dry-run
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubelet.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubelet.md
index ae2fd63e838..c83a86129e5 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubelet.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubelet.md
@@ -44,6 +44,13 @@ kubeadm init phase upload-config kubelet [flags]
 
    Path to a kubeadm configuration file.
    
 
 
+
+--cri-socket string
+
+
+
    Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
    
+
+
 
 --dry-run
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_kubeconfig_user.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_kubeconfig_user.md
index 7d8bda9389f..25edb297c20 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_kubeconfig_user.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_kubeconfig_user.md
@@ -24,6 +24,9 @@ kubeadm kubeconfig user [flags]
 ### Examples
 
 ```
+  # Output a kubeconfig file for an additional user named foo
+  kubeadm kubeconfig user --client-name=foo
+  
   # Output a kubeconfig file for an additional user named foo using a kubeadm config file bar
   kubeadm kubeconfig user --client-name=foo --config=bar
 ```
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
index 2d1d3aa37dc..dca72b0cce9 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
@@ -76,7 +76,7 @@ kubeadm upgrade apply [version]
 --feature-gates string
 
 
-
    A set of key=value pairs that describe feature gates for various features. Options are:
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
+
    A set of key=value pairs that describe feature gates for various features. Options are:
    EtcdLearnerMode=true|false (ALPHA - default=false)
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
 
 
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
index d235a065264..dddf17e1877 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
@@ -55,7 +55,7 @@ kubeadm upgrade plan [version] [flags]
 --feature-gates string
 
 
-
    A set of key=value pairs that describe feature gates for various features. Options are:
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
+
    A set of key=value pairs that describe feature gates for various features. Options are:
    EtcdLearnerMode=true|false (ALPHA - default=false)
    PublicKeysECDSA=true|false (ALPHA - default=false)
    RootlessControlPlane=true|false (ALPHA - default=false)
    
 
 
 

From ec9d29c0dfcacc76bbc9750f0a159cd499678dbc Mon Sep 17 00:00:00 2001
From: Pushkar Joglekar 
Date: Tue, 11 Apr 2023 19:18:10 -0700
Subject: [PATCH 164/272] Make the switch from alpha -> beta

---
 content/en/docs/reference/issues-security/official-cve-feed.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/reference/issues-security/official-cve-feed.md b/content/en/docs/reference/issues-security/official-cve-feed.md
index 11eb4edee1d..70497a1adfe 100644
--- a/content/en/docs/reference/issues-security/official-cve-feed.md
+++ b/content/en/docs/reference/issues-security/official-cve-feed.md
@@ -9,7 +9,7 @@ outputs:
 layout: cve-feed
 ---
 
-{{< feature-state for_k8s_version="v1.25" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
 This is a community maintained list of official CVEs announced by
 the Kubernetes Security Response Committee. See

From 5eecfb009fdcd5f421e1c3dda39a68478b62efd5 Mon Sep 17 00:00:00 2001
From: Guangwen Feng 
Date: Wed, 12 Apr 2023 11:42:37 +0800
Subject: [PATCH 165/272] [zh-cn] Sync
 scheduling-eviction/topology-spread-constraints.md

Signed-off-by: Guangwen Feng 
---
 .../topology-spread-constraints.md            | 46 ++++++++++++-------
 1 file changed, 30 insertions(+), 16 deletions(-)

diff --git a/content/zh-cn/docs/concepts/scheduling-eviction/topology-spread-constraints.md b/content/zh-cn/docs/concepts/scheduling-eviction/topology-spread-constraints.md
index afb4aefbc39..398d92d8629 100644
--- a/content/zh-cn/docs/concepts/scheduling-eviction/topology-spread-constraints.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/topology-spread-constraints.md
@@ -105,7 +105,7 @@ spec:
       topologyKey: 
       whenUnsatisfiable: 
       labelSelector: 
-      matchLabelKeys:  # 可选;自从 v1.25 开始成为 Alpha
+      matchLabelKeys:  # 可选;自从 v1.27 开始成为 Beta
       nodeAffinityPolicy: [Honor|Ignore] # 可选;自从 v1.26 开始成为 Beta
       nodeTaintsPolicy: [Honor|Ignore] # 可选;自从 v1.26 开始成为 Beta
   ### 其他 Pod 字段置于此处
@@ -223,40 +223,54 @@ your cluster. Those fields are:
 
 
 - **matchLabelKeys** 是一个 Pod 标签键的列表,用于选择需要计算分布方式的 Pod 集合。
   这些键用于从 Pod 标签中查找值,这些键值标签与 `labelSelector` 进行逻辑与运算,以选择一组已有的 Pod,
-  通过这些 Pod 计算新来 Pod 的分布方式。Pod 标签中不存在的键将被忽略。
+  通过这些 Pod 计算新来 Pod 的分布方式。`matchLabelKeys` 和 `labelSelector` 中禁止存在相同的键。
+  未设置 `labelSelector` 时无法设置 `matchLabelKeys`。Pod 标签中不存在的键将被忽略。
   null 或空列表意味着仅与 `labelSelector` 匹配。
 
-  借助 `matchLabelKeys`,用户无需在变更 Pod 修订版本时更新 `pod.spec`。
-  控制器或 Operator 只需要将不同修订版的 `label` 键设为不同的值。
-  调度器将根据 `matchLabelKeys` 自动确定取值。例如,如果用户使用 Deployment,
-  则他们可以使用由 Deployment 控制器自动添加的、以 `pod-template-hash` 为键的标签来区分单个
-  Deployment 的不同修订版。
+  借助 `matchLabelKeys`,你无需在变更 Pod 修订版本时更新 `pod.spec`。
+  控制器或 Operator 只需要将不同修订版的标签键设为不同的值。
+  调度器将根据 `matchLabelKeys` 自动确定取值。例如,如果你正在配置一个 Deployment,
+  则你可以使用由 Deployment 控制器自动添加的、以
+  [pod-template-hash](/zh-cn/docs/concepts/workloads/controllers/deployment/#pod-template-hash-label)
+  为键的标签来区分同一个 Deployment 的不同修订版。
 
   ```yaml
       topologySpreadConstraints:
           - maxSkew: 1
             topologyKey: kubernetes.io/hostname
             whenUnsatisfiable: DoNotSchedule
+            labelSelector:
+              matchLabels:
+                app: foo
             matchLabelKeys:
-              - app
               - pod-template-hash
   ```
 
   {{< note >}}
   
-  `matchLabelKeys` 字段是 1.25 中新增的一个 Alpha 字段。
-  你必须启用 `MatchLabelKeysInPodTopologySpread`
-  [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)才能使用此字段。
+  `matchLabelKeys` 字段是 1.27 中默认启用的一个 Beta 级别字段。
+  你可以通过禁用 `MatchLabelKeysInPodTopologySpread`
+  [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)来禁用此字段。
   {{< /note >}}
 
 
 
-{{< feature-state for_k8s_version="v1.25" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
 
 此订阅源会自动刷新,但从宣布 CVE 到可在此订阅源中找到对应的 CVE 会有一个明显却很小的延迟(几分钟到几小时)。
 

From 9b0af72e3531b20d407375e86af6dc108d451f5a Mon Sep 17 00:00:00 2001
From: Sascha Grunert 
Date: Wed, 12 Apr 2023 09:36:40 +0200
Subject: [PATCH 168/272] Re-add v1.24 schedule to patch releases

We removed them as part of https://github.com/kubernetes/website/pull/40551,
but v1.24 is not EOL yet.

Signed-off-by: Sascha Grunert 
---
 data/releases/schedule.yaml | 54 +++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/data/releases/schedule.yaml b/data/releases/schedule.yaml
index 4673097d521..933fffc79d1 100644
--- a/data/releases/schedule.yaml
+++ b/data/releases/schedule.yaml
@@ -76,3 +76,57 @@ schedules:
     - release: 1.25.0
       cherryPickDeadline: ""
       targetDate: 2022-08-23
+- release: 1.24
+  releaseDate: 2022-05-03
+  maintenanceModeStartDate: 2023-05-28
+  endOfLifeDate: 2023-07-28
+  next:
+    release: 1.24.13
+    cherryPickDeadline: 2023-04-07
+    targetDate: 2023-04-12
+  previousPatches:
+    - release: 1.24.12
+      cherryPickDeadline: 2023-03-10
+      targetDate: 2023-03-15
+    - release: 1.24.11
+      cherryPickDeadline: 2023-02-10
+      targetDate: 2023-02-15
+      note: >-
+        [Some container images might be **unsigned** due to a temporary issue with the promotion process](https://groups.google.com/a/kubernetes.io/g/dev/c/MwSx761slM0/m/4ajkeUl0AQAJ)
+    - release: 1.24.10
+      cherryPickDeadline: 2023-01-13
+      targetDate: 2023-01-18
+    - release: 1.24.9
+      cherryPickDeadline: 2022-12-02
+      targetDate: 2022-12-08
+    - release: 1.24.8
+      cherryPickDeadline: 2022-11-04
+      targetDate: 2022-11-09
+    - release: 1.24.7
+      cherryPickDeadline: 2022-10-07
+      targetDate: 2022-10-12
+    - release: 1.24.6
+      cherryPickDeadline: 2022-09-20
+      targetDate: 2022-09-21
+      note: >-
+        [Out-of-Band release to fix the regression introduced in 1.24.5](https://groups.google.com/a/kubernetes.io/g/dev/c/tA6LNOQTR4Q/m/zL73maPTAQAJ)
+    - release: 1.24.5
+      cherryPickDeadline: 2022-09-09
+      targetDate: 2022-09-14
+      note: >-
+        [Regression](https://groups.google.com/a/kubernetes.io/g/dev/c/tA6LNOQTR4Q/m/zL73maPTAQAJ)
+    - release: 1.24.4
+      cherryPickDeadline: 2022-08-12
+      targetDate: 2022-08-17
+    - release: 1.24.3
+      cherryPickDeadline: 2022-07-08
+      targetDate: 2022-07-13
+    - release: 1.24.2
+      cherryPickDeadline: 2022-06-10
+      targetDate: 2022-06-15
+    - release: 1.24.1
+      cherryPickDeadline: 2022-05-20
+      targetDate: 2022-05-24
+    - release: 1.24.0
+      cherryPickDeadline: ""
+      targetDate: 2022-05-03

From 3292ae8e09657100bd3b7b47c5b3effd1f04c5f9 Mon Sep 17 00:00:00 2001
From: xuzhenglun 
Date: Wed, 22 Mar 2023 10:06:38 +0800
Subject: [PATCH 169/272] add blog document for feature
 ServiceNodePortStaticSubrange

---
 ...-nodeport-dynamic-and-static-allocation.md | 173 ++++++++++++++++++
 1 file changed, 173 insertions(+)
 create mode 100644 content/en/blog/_posts/2023-05-11-nodeport-dynamic-and-static-allocation.md

diff --git a/content/en/blog/_posts/2023-05-11-nodeport-dynamic-and-static-allocation.md b/content/en/blog/_posts/2023-05-11-nodeport-dynamic-and-static-allocation.md
new file mode 100644
index 00000000000..fde6ed1c1d5
--- /dev/null
+++ b/content/en/blog/_posts/2023-05-11-nodeport-dynamic-and-static-allocation.md
@@ -0,0 +1,173 @@
+---
+layout: blog
+title: "Kubernetes 1.27: Avoid Collisions Assigning Ports to NodePort Services"
+date: 2023-05-11
+slug: nodeport-dynamic-and-static-allocation
+---
+
+**Author:** Xu Zhenglun (Alibaba)
+
+In Kubernetes, a Service can be used to provide a unified traffic endpoint for 
+applications running on a set of Pods. Clients can use the virtual IP address (or _VIP_) provided
+by the Service for access, and Kubernetes provides load balancing for traffic accessing
+different back-end Pods, but a ClusterIP type of Service is limited to providing access to
+nodes within the cluster, while traffic from outside the cluster cannot be routed.
+One way to solve this problem is to use a `type: NodePort` Service, which sets up a mapping
+to a specific port of all nodes in the cluster, thus redirecting traffic from the
+outside to the inside of the cluster.
+
+## How Kubernetes allocates node ports to Services?
+
+When a `type: NodePort` Service is created, its corresponding port(s) are allocated in one
+of two ways:
+
+- **Dynamic** : If the Service type is `NodePort` and you do not set a `nodePort` 
+  value explicitly in the `spec` for that Service, the Kubernetes control plane will
+  automatically allocate an unused port to it at creation time.
+
+- **Static** : In addition to the dynamic auto-assignment described above, you can also
+  explicitly assign a port that is within the nodeport port range configuration.
+
+The value of `nodePort` that you manually assign must be unique across the whole cluster.
+Attempting to create a Service of `type: NodePort` where you explicitly specify a node port that
+was already allocated results in an error.
+
+## Why do you need to reserve ports of NodePort Service? 
+Sometimes, you may want to have a NodePort Service running on well-known ports
+so that other components and users inside o r outside the cluster can use them.
+
+In some complex cluster deployments with a mix of Kubernetes nodes and other servers on the same network, 
+it may be necessary to use some pre-defined ports for communication. In particular, some fundamental
+components cannot rely on the VIPs that back `type: LoadBalancer` Services
+because the virtual IP address mapping implementation for that cluster also relies on
+these foundational components.
+
+Now suppose you need to expose a Minio object storage service on Kubernetes to clients 
+running outside the Kubernetes cluster, and the agreed port is `30009`, we need to 
+create a Service as follows:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: minio
+spec:
+  ports:
+  - name: api
+    nodePort: 30009
+    port: 9000
+    protocol: TCP
+    targetPort: 9000
+  selector:
+    app: minio
+  type: NodePort
+```
+
+However, as mentioned before, if the port (30009) required for the `minio` Service is not reserved,
+and another `type: NodePort` (or possibly `type: LoadBalancer`) Service is created and dynamically
+allocated before or concurrently with the `minio` Service, TCP port 30009 might be allocated to that
+other Service; if so, creation of the `minio` Service will fail due to a node port collision.
+
+## How can you avoid NodePort Service port conflicts? 
+Kubernetes 1.24 introduced changes for `type: ClusterIP` Services, dividing the CIDR range for cluster
+IP addresses into two blocks that use different allocation policies to [reduce the risk of conflicts](/docs/reference/networking/virtual-ips/#avoiding-collisions).
+In Kubernetes 1.27, as an alpha feature, you can adopt a similar policy for `type: NodePort` Servies.
+You can enable a new [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+`ServiceNodePortStaticSubrange`. Turning this on allows you to use a different port allocation strategy
+for `type: NodePort` Services, and reduce the risk of collision.
+
+The port range for `NodePort` will be divided, based on the formula `min(max(16, nodeport-size / 32), 128)`. 
+The outcome of the formula will be a number between 16 and 128, with a step size that increases as the 
+size of the nodeport range increases. The outcome of the formula determine that the size of static port 
+range. When the port range is less than 16, the size of static port range will be set to 0, 
+which means that all ports will be dynamically allocated.
+
+Dynamic port assignment will use the upper band by default, once this has been exhausted it will use the lower range.
+This will allow users to use static allocations on the lower band with a low risk of collision.
+
+## Examples
+
+### default range: 30000-32767
+| Range properties        | Values                                                |
+|-------------------------|-------------------------------------------------------|
+| service-node-port-range | 30000-32767                                           |
+| Band Offset             |   `min(max(16, 2768/32), 128)` 
    = `min(max(16, 86), 128)` 
    = `min(86, 128)` 
    = 86 |
+| Static band start       | 30000                                                 |
+| Static band end         | 30085                                                 |
+| Dynamic band start      | 30086                                                 |
+| Dynamic band end        | 32767                                                 |
+
+{{< mermaid >}}
+pie showData
+    title 30000-32767
+    "Static" : 86
+    "Dynamic" : 2682
+{{< /mermaid >}}
+
+### very small range: 30000-30015
+| Range properties        | Values                                                |
+|-------------------------|-------------------------------------------------------|
+| service-node-port-range | 30000-30015                                           |
+| Band Offset             | 0                                                     |
+| Static band start       | -                                                     |
+| Static band end         | -                                                     |
+| Dynamic band start      | 30000                                                 |
+| Dynamic band end        | 30015                                                 |
+
+{{< mermaid >}}
+pie showData
+    title 30000-30015
+    "Static" : 0
+    "Dynamic" : 16
+{{< /mermaid >}}
+
+### small(lower boundary) range: 30000-30127
+| Range properties        | Values                                                |
+|-------------------------|-------------------------------------------------------|
+| service-node-port-range | 30000-30127                                           |
+| Band Offset             |   `min(max(16, 128/32), 128)` 
    = `min(max(16, 4), 128)` 
    = `min(16, 128)` 
    = 16 |
+| Static band start       | 30000                                                 |
+| Static band end         | 30015                                                 |
+| Dynamic band start      | 30016                                                 |
+| Dynamic band end        | 30127                                                 |
+
+{{< mermaid >}}
+pie showData
+    title 30000-30127
+    "Static" : 16
+    "Dynamic" : 112
+{{< /mermaid >}}
+
+### large(upper boundary) range: 30000-34095
+| Range properties        | Values                                                |
+|-------------------------|-------------------------------------------------------|
+| service-node-port-range | 30000-34095                                           |
+| Band Offset             |   `min(max(16, 4096/32), 128)` 
    = `min(max(16, 128), 128)` 
    = `min(128, 128)` 
    = 128 |
+| Static band start       | 30000                                                 |
+| Static band end         | 30127                                                 |
+| Dynamic band start      | 30128                                                 |
+| Dynamic band end        | 34095                                                 |
+
+{{< mermaid >}}
+pie showData
+    title 30000-34095
+    "Static" : 128
+    "Dynamic" : 3968
+{{< /mermaid >}}
+
+### very large range: 30000-38191
+| Range properties        | Values                                                |
+|-------------------------|-------------------------------------------------------|
+| service-node-port-range | 30000-38191                                           |
+| Band Offset             |   `min(max(16, 8192/32), 128)` 
    = `min(max(16, 256), 128)` 
    = `min(256, 128)` 
    = 128 |
+| Static band start       | 30000                                                 |
+| Static band end         | 30127                                                 |
+| Dynamic band start      | 30128                                                 |
+| Dynamic band end        | 38191                                                 |
+
+{{< mermaid >}}
+pie showData
+    title 30000-38191
+    "Static" : 128
+    "Dynamic" : 8064
+{{< /mermaid >}}
\ No newline at end of file

From aecfbf10b8443fb01041112b1487386d6cbeeae1 Mon Sep 17 00:00:00 2001
From: Guangwen Feng 
Date: Wed, 12 Apr 2023 16:41:06 +0800
Subject: [PATCH 170/272] [zh-cn] Sync pod-qos.md

Signed-off-by: Guangwen Feng 
---
 .../docs/concepts/workloads/pods/pod-qos.md   | 38 +++++++++++++++++--
 1 file changed, 34 insertions(+), 4 deletions(-)

diff --git a/content/zh-cn/docs/concepts/workloads/pods/pod-qos.md b/content/zh-cn/docs/concepts/workloads/pods/pod-qos.md
index 10647dfc16f..f47384643a3 100644
--- a/content/zh-cn/docs/concepts/workloads/pods/pod-qos.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/pod-qos.md
@@ -79,7 +79,7 @@ CPU 管理策略来使用独占的 CPU。
 
 For a Pod to be given a QoS class of `Guaranteed`:
 -->
-#### 判据
+#### 判据   {#criteria}
 
 Pod 被赋予 `Guaranteed` QoS 类的几个判据:
 
@@ -119,7 +119,7 @@ A Pod is given a QoS class of `Burstable` if:
 * The Pod does not meet the criteria for QoS class `Guaranteed`.
 * At least one Container in the Pod has a memory or CPU request or limit.
 -->
-#### 判据
+#### 判据   {#criteria-1}
 
 Pod 被赋予 `Burstable` QoS 类的几个判据:
 
@@ -152,13 +152,43 @@ CPU limit or a CPU request.
 Containers in a Pod can request other resources (not CPU or memory) and still be classified as
 `BestEffort`.
 -->
-#### 判据
+#### 判据   {#criteria-2}
 
 如果 Pod 不满足 `Guaranteed` 或 `Burstable` 的判据,则它的 QoS 类为 `BestEffort`。
 换言之,只有当 Pod 中的所有容器没有内存 limit 或内存 request,也没有 CPU limit 或
 CPU request 时,Pod 才是 `BestEffort`。Pod 中的容器可以请求(除 CPU 或内存之外的)
 其他资源并且仍然被归类为 `BestEffort`。
 
+
+## 使用 cgroup v2 的内存 QoS   {#memory-qos-with-cgroup-v2}
+
+{{< feature-state for_k8s_version="v1.22" state="alpha" >}}
+
+
+内存 QoS 使用 cgroup v2 的内存控制器来保证 Kubernetes 中的内存资源。
+Pod 中容器的内存请求和限制用于设置由内存控制器所提供的特定接口 `memory.min` 和 `memory.high`。
+当 `memory.min` 被设置为内存请求时,内存资源被保留并且永远不会被内核回收;
+这就是内存 QoS 确保 Kubernetes Pod 的内存可用性的方式。而如果容器中设置了内存限制,
+这意味着系统需要限制容器内存的使用;内存 QoS 使用 `memory.high` 来限制接近其内存限制的工作负载,
+确保系统不会因瞬时内存分配而不堪重负。
+
+
+内存 QoS 依赖于 QoS 类来确定应用哪些设置;它们的机制不同,但都提供对服务质量的控制。
+
 
 
-{{< feature-state for_k8s_version="v1.26" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="alpha" >}}
 
 
-新的 `resource.k8s.io/v1alpha1`
+`resource.k8s.io/v1alpha2`
 {{< glossary_tooltip text="API 组" term_id="api-group" >}}提供四种新类型:
 
 
+## 监控资源  {#monitoring-resources}
+
+
+kubelet 提供了一个 gRPC 服务,以便发现正在运行的 Pod 的动态资源。
+有关 gRPC 端点的更多信息,请参阅[资源分配报告](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#monitoring-device-plugin-resources)。
+
 
@@ -279,7 +292,7 @@ future.
 Dynamic resource allocation is an *alpha feature* and only enabled when the
 `DynamicResourceAllocation` [feature
 gate](/docs/reference/command-line-tools-reference/feature-gates/) and the
-`resource.k8s.io/v1alpha1` {{< glossary_tooltip text="API group"
+`resource.k8s.io/v1alpha2` {{< glossary_tooltip text="API group"
 term_id="api-group" >}} are enabled. For details on that, see the
 `--feature-gates` and `--runtime-config` [kube-apiserver
 parameters](/docs/reference/command-line-tools-reference/kube-apiserver/).
@@ -322,10 +335,11 @@ error: the server doesn't have a resource type "resourceclasses"
 
 
-kube-scheduler 的默认配置仅在启用特性门控时才启用 "DynamicResources" 插件。
+kube-scheduler 的默认配置仅在启用特性门控且使用 v1 配置 API 时才启用 "DynamicResources" 插件。
 自定义配置可能需要被修改才能启用它。
 
 
-`kubeadm` 工具将每个主机的 CRI 套接字保存在该主机对应的 Node 对象的注解中。
 使用 `kubeadm` 的用户应该知道,`kubeadm` 工具将每个主机的 CRI 套接字保存在该主机对应的
 Node 对象的注解中。
 要更改这一注解信息,你可以在一台包含 kubeadm `/etc/kubernetes/admin.conf` 文件的机器上执行以下命令:

From 6b9bc4223306b3a33f26dc3dd2d9cb6c1c817703 Mon Sep 17 00:00:00 2001
From: xuzhenglun 
Date: Wed, 12 Apr 2023 19:15:26 +0800
Subject: [PATCH 173/272] fix typo for blog ServiceNodePortStaticSubrange

---
 .../_posts/2023-05-11-nodeport-dynamic-and-static-allocation.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-05-11-nodeport-dynamic-and-static-allocation.md b/content/en/blog/_posts/2023-05-11-nodeport-dynamic-and-static-allocation.md
index fde6ed1c1d5..78c2ca1d2fa 100644
--- a/content/en/blog/_posts/2023-05-11-nodeport-dynamic-and-static-allocation.md
+++ b/content/en/blog/_posts/2023-05-11-nodeport-dynamic-and-static-allocation.md
@@ -71,7 +71,7 @@ other Service; if so, creation of the `minio` Service will fail due to a node po
 ## How can you avoid NodePort Service port conflicts? 
 Kubernetes 1.24 introduced changes for `type: ClusterIP` Services, dividing the CIDR range for cluster
 IP addresses into two blocks that use different allocation policies to [reduce the risk of conflicts](/docs/reference/networking/virtual-ips/#avoiding-collisions).
-In Kubernetes 1.27, as an alpha feature, you can adopt a similar policy for `type: NodePort` Servies.
+In Kubernetes 1.27, as an alpha feature, you can adopt a similar policy for `type: NodePort` Services.
 You can enable a new [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
 `ServiceNodePortStaticSubrange`. Turning this on allows you to use a different port allocation strategy
 for `type: NodePort` Services, and reduce the risk of collision.

From c82cb982a0578d80eb5cbeeff1cd4cd7eb286138 Mon Sep 17 00:00:00 2001
From: James Harmison 
Date: Wed, 12 Apr 2023 14:06:41 -0400
Subject: [PATCH 174/272] fix typo in blog post on 1.27 release

Kuberentes -> Kubernetes
---
 content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
index 128c03ceac4..def80c55e40 100644
--- a/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
+++ b/content/en/blog/_posts/2023-04-11-kubernetes-1.27-blog.md
@@ -91,7 +91,7 @@ A cluster administrator can try out this alpha feature across all nodes of their
 
 ## ReadWriteOncePod PersistentVolume access mode goes to beta 
 
-Kuberentes `v1.22` introduced a new access mode `ReadWriteOncePod` for [PersistentVolumes](/docs/concepts/storage/persistent-volumes/#persistent-volumes) (PVs) and [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) (PVCs). This access mode enables you to restrict volume access to a single pod in the cluster, ensuring that only one pod can write to the volume at a time. This can be particularly useful for stateful workloads that require single-writer access to storage.
+Kubernetes `v1.22` introduced a new access mode `ReadWriteOncePod` for [PersistentVolumes](/docs/concepts/storage/persistent-volumes/#persistent-volumes) (PVs) and [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) (PVCs). This access mode enables you to restrict volume access to a single pod in the cluster, ensuring that only one pod can write to the volume at a time. This can be particularly useful for stateful workloads that require single-writer access to storage.
 
 The ReadWriteOncePod beta adds support for [scheduler preemption](/docs/concepts/scheduling-eviction/pod-priority-preemption/)
 of pods that use ReadWriteOncePod PVCs.

From 555d454924bb968dd859d55e818bd19360fcd40e Mon Sep 17 00:00:00 2001
From: Arhell 
Date: Thu, 13 Apr 2023 01:06:14 +0300
Subject: [PATCH 175/272] [es] Fix mismatch in Labels and Selectors concept
 page

---
 .../es/docs/concepts/overview/working-with-objects/labels.md    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/es/docs/concepts/overview/working-with-objects/labels.md b/content/es/docs/concepts/overview/working-with-objects/labels.md
index 7420aac5c6d..2b0954ff193 100644
--- a/content/es/docs/concepts/overview/working-with-objects/labels.md
+++ b/content/es/docs/concepts/overview/working-with-objects/labels.md
@@ -151,7 +151,7 @@ Como ya se ha comentado, los requisitos _basados en conjunto_ son más expresivo
 kubectl get pods -l 'environment in (production, qa)'
 ```
 
-o restringir la coincidencia negativa mediante el operador _exists_:
+o restringir la coincidencia negativa mediante el operador _notin_:
 
 ```shell
 kubectl get pods -l 'environment,environment notin (frontend)'

From 1499edaaf2923f97375bd5c37d941e696aca42d5 Mon Sep 17 00:00:00 2001
From: windsonsea 
Date: Wed, 12 Apr 2023 15:57:18 +0800
Subject: [PATCH 176/272] [zh] sync 1.27 /concepts/architecture/nodes.md

---
 .../zh-cn/docs/concepts/architecture/nodes.md | 102 ++++++++----------
 1 file changed, 46 insertions(+), 56 deletions(-)

diff --git a/content/zh-cn/docs/concepts/architecture/nodes.md b/content/zh-cn/docs/concepts/architecture/nodes.md
index 655b017d9d3..e7c9c5a6adf 100644
--- a/content/zh-cn/docs/concepts/architecture/nodes.md
+++ b/content/zh-cn/docs/concepts/architecture/nodes.md
@@ -158,11 +158,6 @@ For self-registration, the kubelet is started with the following options:
   {{< glossary_tooltip text="taints" term_id="taint" >}} (comma separated `=:`).
 
   No-op if `register-node` is false.
-- `--node-ip` - IP address of the node.
-- `--node-labels` - {{< glossary_tooltip text="Labels" term_id="label" >}} to add when registering the node
-  in the cluster (see label restrictions enforced by the
-  [NodeRestriction admission plugin](/docs/reference/access-authn-authz/admission-controllers/#noderestriction)).
-- `--node-status-update-frequency` - Specifies how often kubelet posts its node status to the API server.
 -->
 - `--kubeconfig` - 用于向 API 服务器执行身份认证所用的凭据的路径。
 - `--cloud-provider` - 与某{{< glossary_tooltip text="云驱动" term_id="cloud-provider" >}}
@@ -170,7 +165,29 @@ For self-registration, the kubelet is started with the following options:
 - `--register-node` - 自动向 API 服务注册。
 - `--register-with-taints` - 使用所给的{{< glossary_tooltip text="污点" term_id="taint" >}}列表
   (逗号分隔的 `=:`)注册节点。当 `register-node` 为 false 时无效。
-- `--node-ip` - 节点 IP 地址。
+
+- `--node-ip` - 可选的以英文逗号隔开的节点 IP 地址列表。你只能为每个地址簇指定一个地址。
+  例如在单协议栈 IPv4 集群中,需要将此值设置为 kubelet 应使用的节点 IPv4 地址。
+  参阅[配置 IPv4/IPv6 双协议栈](/zh-cn/docs/concepts/services-networking/dual-stack/#configure-ipv4-ipv6-dual-stack)了解运行双协议栈集群的详情。
+
+  如果你未提供这个参数,kubelet 将使用节点默认的 IPv4 地址(如果有);
+  如果节点没有 IPv4 地址,则 kubelet 使用节点的默认 IPv6 地址。
+
 - `--node-labels` - 在集群中注册节点时要添加的{{< glossary_tooltip text="标签" term_id="label" >}}。
   (参见 [NodeRestriction 准入控制插件](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#noderestriction)所实施的标签限制)。
 - `--node-status-update-frequency` - 指定 kubelet 向 API 服务器发送其节点状态的频率。
@@ -389,66 +406,39 @@ of the Node resource. For example, the following JSON structure describes a heal
 ]
 ```
 
-
-如果 Ready 状况的 `status` 处于 `Unknown` 或者 `False` 状态的时间超过了
-`pod-eviction-timeout` 值(一个传递给
-{{< glossary_tooltip text="kube-controller-manager" term_id="kube-controller-manager" >}}
-的参数),[节点控制器](#node-controller)会对节点上的所有 Pod 触发
-{{< glossary_tooltip text="API 发起的驱逐" term_id="api-eviction" >}}。
-默认的逐出超时时长为 **5 分钟**。
-
-
-某些情况下,当节点不可达时,API 服务器不能和其上的 kubelet 通信。
-删除 Pod 的决定不能传达给 kubelet,直到它重新建立和 API 服务器的连接为止。
-与此同时,被计划删除的 Pod 可能会继续在游离的节点上运行。
-
-
-节点控制器在确认 Pod 在集群中已经停止运行前,不会强制删除它们。
-你可以看到可能在这些无法访问的节点上运行的 Pod 处于 `Terminating` 或者 `Unknown` 状态。
-如果 Kubernetes 不能基于下层基础设施推断出某节点是否已经永久离开了集群,
-集群管理员可能需要手动删除该节点对象。
-从 Kubernetes 删除节点对象将导致 API 服务器删除节点上所有运行的 Pod 对象并释放它们的名字。
-
 
 当节点上出现问题时,Kubernetes 控制面会自动创建与影响节点的状况对应的
 [污点](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)。
-调度器在将 Pod 指派到某 Node 时会考虑 Node 上的污点设置。
-Pod 也可以设置{{< glossary_tooltip text="容忍度" term_id="toleration" >}},
-以便能够在设置了特定污点的 Node 上运行。
+例如当 Ready 状况的 `status` 保持 `Unknown` 或 `False` 的时间长于
+kube-controller-manager 的 `NodeMonitorGracePeriod`(默认为 40 秒)时,
+会造成 `Unknown` 状态下为节点添加 `node.kubernetes.io/unreachable` 污点或在
+`False` 状态下为节点添加 `node.kubernetes.io/not-ready` 污点。
 
 
+这些污点会影响悬决的 Pod,因为调度器在将 Pod 分配到 Node 时会考虑 Node 的污点。
+已调度到节点的当前 Pod 可能会由于施加的 `NoExecute` 污点被驱逐。
+Pod 还可以设置{{< glossary_tooltip text="容忍度" term_id="toleration" >}},
+使得这些 Pod 仍然能够调度到且继续运行在设置了特定污点的 Node 上。
+
+
-进一步的细节可参阅[根据状况为节点设置污点](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-nodes-by-condition)。
+进一步的细节可参阅[基于污点的驱逐](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-based-evictions)
+和[根据状况为节点设置污点](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-nodes-by-condition)。
 
 
 
-{{< feature-state for_k8s_version="v1.22" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
 
 默认情况下,Kubernetes 组件使用 gRPC 的 OTLP 导出器来导出追踪信息,将信息写到
 [IANA OpenTelemetry 端口](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=opentelemetry)。
-举例来说,如果收集器以 Kubernetes 组件的边车模式运行,以下接收器配置会收集 span 信息,并将它们写入到标准输出。
+举例来说,如果收集器以 Kubernetes 组件的边车模式运行,
+以下接收器配置会收集 span 信息,并将它们写入到标准输出。
 
 
 ```yaml
 receivers:
@@ -105,38 +120,43 @@ kube-apiserver 为传入的 HTTP 请求、传出到 webhook 和 etcd 的请求
 #### 在 kube-apiserver 中启用追踪 {#enabling-tracing-in-the-kube-apiserver}
 
 
-要启用追踪特性,需要启用 kube-apiserver 上的  `APIServerTracing`
-[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
-然后,使用 `--tracing-config-file=<<配置文件路径>` 为 kube-apiserver 提供追踪配置文件。
-下面是一个示例配置,它为万分之一的请求记录 spans,并使用了默认的 OpenTelemetry 端口。
 
 ```yaml
-apiVersion: apiserver.config.k8s.io/v1alpha1
+apiVersion: apiserver.config.k8s.io/v1beta1
 kind: TracingConfiguration
 # default value
 #endpoint: localhost:4317
 samplingRatePerMillion: 100
 ```
+-->
+要启用追踪特性,需要使用 `--tracing-config-file=<<配置文件路径>` 为
+kube-apiserver 提供追踪配置文件。下面是一个示例配置,它为万分之一的请求记录
+span,并使用了默认的 OpenTelemetry 端点。
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: TracingConfiguration
+# 默认值
+#endpoint: localhost:4317
+samplingRatePerMillion: 100
+```
 
 
 有关 TracingConfiguration 结构体的更多信息,请参阅
-[API 服务器配置 API (v1alpha1)](/zh-cn/docs/reference/config-api/apiserver-config.v1alpha1/#apiserver-k8s-io-v1alpha1-TracingConfiguration)。
+[API 服务器配置 API (v1beta1)](/zh-cn/docs/reference/config-api/apiserver-config.v1beta1/#apiserver-k8s-io-v1beta1-TracingConfiguration)。
 
 
-### kubelet 追踪 {#kubelet-traces}
+### kubelet 追踪   {#kubelet-traces}
 
-{{< feature-state for_k8s_version="v1.25" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
 
 #### 在 kubelet 中启用追踪 {#enabling-tracing-in-the-kubelet}
 
-要启用 span,需在 kubelet 上启用 `KubeletTracing`
-[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
-另外,为 kubelet 提供[追踪配置](https://github.com/kubernetes/component-base/blob/release-1.25/tracing/api/v1/types.go)。
-以下是 kubelet 配置的示例代码片段,每 10000 个请求中记录一个请求的 span,并使用默认的 OpenTelemetry 端点:
+要启用追踪,需应用[追踪配置](https://github.com/kubernetes/component-base/blob/release-1.27/tracing/api/v1/types.go)。
+以下是 kubelet 配置的示例代码片段,每 10000 个请求中记录一个请求的
+span,并使用默认的 OpenTelemetry 端点:
 
 ```yaml
 apiVersion: kubelet.config.k8s.io/v1beta1
@@ -178,6 +206,34 @@ tracing:
   samplingRatePerMillion: 100
 ```
 
+
+如果 `samplingRatePerMillion` 被设置为一百万 (`1000000`),则所有 span 都将被发送到导出器。
+
+
+Kubernetes v{{< skew currentVersion >}} 中的 kubelet 从垃圾回收、Pod
+同步例程以及每个 gRPC 方法中收集 span。CRI-O 和 containerd
+这类关联的容器运行时可以将链路链接到其导出的 span,以提供更多上下文信息。
+
+
+请注意导出 span 始终会对网络和 CPU 产生少量性能开销,具体取决于系统的总体配置。
+如果在启用追踪的集群中出现类似性能问题,可以通过降低 `samplingRatePerMillion`
+或通过移除此配置来彻底禁用追踪来缓解问题。
+
 
@@ -198,4 +254,4 @@ there are no guarantees of backwards compatibility for tracing instrumentation.
 
-* 阅读[Getting Started with the OpenTelemetry Collector](https://opentelemetry.io/docs/collector/getting-started/)
+* 阅读 [Getting Started with the OpenTelemetry Collector](https://opentelemetry.io/docs/collector/getting-started/)

From 29856082897c1d78c14e8240666167699558fb28 Mon Sep 17 00:00:00 2001
From: ystkfujii 
Date: Sat, 11 Mar 2023 17:34:29 +0900
Subject: [PATCH 178/272] Translate blog:forensic-container-analysis into ja

---
 .../index.md                                  | 315 ++++++++++++++++++
 1 file changed, 315 insertions(+)
 create mode 100644 content/ja/blog/_posts/2023-03-10-forensic-container-analysis/index.md

diff --git a/content/ja/blog/_posts/2023-03-10-forensic-container-analysis/index.md b/content/ja/blog/_posts/2023-03-10-forensic-container-analysis/index.md
new file mode 100644
index 00000000000..a78cd333332
--- /dev/null
+++ b/content/ja/blog/_posts/2023-03-10-forensic-container-analysis/index.md
@@ -0,0 +1,315 @@
+---
+layout: blog
+title: "フォレンジックコンテナ分析"
+date: 2023-03-10
+slug: forensic-container-analysis
+---
+
+**Authors:** Adrian Reber (Red Hat)
+
+前回投稿した[Kubernetesにおけるフォレンジックコンテナチェックポイント処理][forensic-blog]では、Kubernetesでのチェックポイントの作成や、それがどのようにセットアップされ、どのように使用されるのかを紹介しました。
+機能の名前はフォレンジックコンテナチェックポイントですが、Kubernetesによって作成されたチェックポイントの実際の分析方法については、詳細を説明しませんでした。
+この記事では、チェックポイントがどのように分析されるのかについての詳細を提供します。
+
+チェックポイントの作成はまだKubernetesでalpha機能であり、この記事ではその機能が将来どのように動作するのかについてのプレビューを提供します。
+
+## 準備
+
+チェックポイント作成のサポートを有効にするためのKubernetesの設定方法や、基盤となるCRI実装方法についての詳細は[Kubernetesにおけるフォレンジックコンテナチェックポイント処理][forensic-blog]を参照してください。
+
+一例として、この記事内でチェックポイントを作成し分析するコンテナイメージ(`quay.io/adrianreber/counter:blog`)を準備しました。
+このコンテナはコンテナ内でファイルを作成することができ、後でチェックポイント内で探したい情報をメモリーに格納しておくこともできます。
+
+コンテナを実行するためにはPodが必要であり、この例では下記のPodマニフェストを使用します。
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: counters
+spec:
+  containers:
+  - name: counter
+    image: quay.io/adrianreber/counter:blog
+```
+
+この結果、`counter`と呼ばれるコンテナが`counters`と呼ばれるPod内で実行されます。
+
+一度コンテナが実行されると、コンテナで下記アクションが行えます。
+
+```console
+$ kubectl get pod counters --template '{{.status.podIP}}'
+10.88.0.25
+$ curl 10.88.0.25:8088/create?test-file
+$ curl 10.88.0.25:8088/secret?RANDOM_1432_KEY
+$ curl 10.88.0.25:8088
+```
+
+最初のアクセスはコンテナ内で`test-file`という内容で`test-file`と呼ばれるファイルを作成します。
+次のアクセスで、コンテナのメモリー内のどこかにシークレット情報(`RANDOM_1432_KEY`)を記憶します。
+最後のアクセスは内部のログファイルに1行追加するだけです。
+
+チェックポイントを分析する前の最後のステップは、チェックポイントを作成することをKubernetesに指示することです。
+前回の記事で説明したように、これには*kubelet*限定の`チェックポイント`APIエンドポイントへのアクセスを必要とします。
+
+*default*名前空間内の*counters*という名前のPod内の*counter*という名前のコンテナに対して、*kubelet* APIエンドポイントが次の場所で到達可能です。
+```shell
+# Podが実行されているNode上で実行する
+curl -X POST "https://localhost:10250/checkpoint/default/counters/counter"
+```
+
+厳密には、*kubelet*の自己署名証明書を許容し*kubelet* `チェックポイント`APIの使用を認可するために、下記の`curl`コマンドのオプションが必要です。
+
+```shell
+--insecure --cert /var/run/kubernetes/client-admin.crt --key /var/run/kubernetes/client-admin.key
+```
+
+チェックポイントの作成が終了すると、`/var/lib/kubelet/checkpoints/checkpoint-_--.tar`でチェックポイントが利用可能になります。
+
+この記事の後述のステップでは、チェックポイントアーカイブを分析する際に`checkpoint.tar`という名前を使用します。
+
+## `checkpointctl`を使用したチェックポイントアーカイブの分析
+
+チェックポイントが作成したコンテナに関するいくつかの初期情報を得るためには、このように[checkpointctl][checkpointctl]を使用します。
+
+```console
+$ checkpointctl show checkpoint.tar --print-stats
++-----------+----------------------------------+--------------+---------+---------------------+--------+------------+------------+-------------------+
+| CONTAINER |              IMAGE               |      ID      | RUNTIME |       CREATED       | ENGINE |     IP     | CHKPT SIZE | ROOT FS DIFF SIZE |
++-----------+----------------------------------+--------------+---------+---------------------+--------+------------+------------+-------------------+
+| counter   | quay.io/adrianreber/counter:blog | 059a219a22e5 | runc    | 2023-03-02T06:06:49 | CRI-O  | 10.88.0.23 | 8.6 MiB    | 3.0 KiB           |
++-----------+----------------------------------+--------------+---------+---------------------+--------+------------+------------+-------------------+
+CRIU dump statistics
++---------------+-------------+--------------+---------------+---------------+---------------+
+| FREEZING TIME | FROZEN TIME | MEMDUMP TIME | MEMWRITE TIME | PAGES SCANNED | PAGES WRITTEN |
++---------------+-------------+--------------+---------------+---------------+---------------+
+| 100809 us     | 119627 us   | 11602 us     | 7379 us       |          7800 |          2198 |
++---------------+-------------+--------------+---------------+---------------+---------------+
+```
+
+これによって、チェックポイントアーカイブ内のチェックポイントについてのいくつかの情報が、すでに取得できています。
+コンテナの名前やコンテナランタイムやコンテナエンジンについての情報を見ることができます。
+チェックポイントのサイズ(`CHKPT SIZE`)もリスト化されます。
+これは大部分がチェックポイントに含まれるメモリーページのサイズですが、コンテナ内の全ての変更されたファイルのサイズ(`ROOT FS DIFF SIZE`)についての情報もあります。
+
+追加のパラメーター`--print-stats`はチェックポイントアーカイブ内の情報を復号化し、2番目のテーブル(*CRIU dump statistics*)で表示します。
+この情報はチェックポイント作成中に収集され、CRIUがコンテナ内のプロセスをチェックポイントするために必要な時間と、チェックポイント作成中に分析され書き込まれたメモリーページ数の概要を示します。
+
+## より深く掘り下げる
+
+`checkpointctl`の助けを借りて、チェックポイントアーカイブについてのハイレベルな情報を得ることができます。
+チェックポイントアーカイブをさらに分析するには、それを展開する必要があります。
+チェックポイントアーカイブは*tar*アーカイブであり、`tar xf checkpoint.tar`の助けを借りて展開可能です。
+
+チェックポイントアーカイブを展開すると、下記のファイルやディレクトリが作成されます。
+
+* `bind.mounts` - このファイルにはバインドマウントについての情報が含まれており、復元中に全ての外部ファイルとディレクトリを正しい場所にマウントするために必要になります。
+* `checkpoint/` - このディレクトリにはCRIUによって作成された実際のチェックポイントが含まれています。
+* `config.dump`と`spec.dump` - これらのファイルには、復元中に必要とされるコンテナについてのメタデータが含まれています。
+* `dump.log` - このファイルにはチェックポイント作成中に作成されたCRIUのデバッグ出力が含まれています。
+* `stats-dump` - このファイルには、`checkpointctl`が`--print-stats`でダンプ統計情報を表示するために使用するデータが含まれています。
+* `rootfs-diff.tar` - このファイルには、コンテナのファイルシステム上で変更された全てのファイルが含まれています。
+
+### ファイルシステムの変更 - `rootfs-diff.tar`
+
+コンテナのチェックポイントをさらに分析するための最初のステップは、コンテナ内で変更されたファイルを見ることです。
+これは`rootfs-diff.tar`ファイルを参照することで行えます。
+
+```console
+$ tar xvf rootfs-diff.tar
+home/counter/logfile
+home/counter/test-file
+```
+
+これでコンテナ内で変更されたファイルを調べられます。
+
+```console
+$ cat home/counter/logfile
+10.88.0.1 - - [02/Mar/2023 06:07:29] "GET /create?test-file HTTP/1.1" 200 -
+10.88.0.1 - - [02/Mar/2023 06:07:40] "GET /secret?RANDOM_1432_KEY HTTP/1.1" 200 -
+10.88.0.1 - - [02/Mar/2023 06:07:43] "GET / HTTP/1.1" 200 -
+$ cat home/counter/test-file
+test-file 
+```
+
+このコンテナのベースになっているコンテナイメージ(`quay.io/adrianreber/counter:blog`)と比較すると、コンテナが提供するサービスへの全てのアクセス情報を含んだ`logfile`や予想通り作成された`test-file`ファイルを確認することができます。
+
+`rootfs-diff.tar`の助けを借りることで、作成または変更された全てのファイルを、コンテナのベースイメージと比較して検査することが可能です。
+
+### チェックポイント処理したプロセスを分析する - `checkpoint/`
+
+ディレクトリ`checkpoint/`はコンテナ内でプロセスをチェックポイントしている間にCRIUによって作成されたデータを含んでいます。
+ディレクトリ`checkpoint/`の内容は、CRIUの一部として配布されている[CRIT][crit]ツールを使用して分析できるさまざまな[イメージファイル][image-files]で構成されています。
+
+まず、コンテナの内部プロセスの概要を取得してみましょう。
+
+```console
+$ crit show checkpoint/pstree.img | jq .entries[].pid
+1
+7
+8
+```
+
+この出力はコンテナのPID名前空間の内部に3つのプロセス(PIDが1と7と8)があることを意味しています。
+
+これはコンテナのPID名前空間の内部からの視界を表示しているだけです。
+復元中に正確にそれらのPIDが再作成されます。
+コンテナのPID名前空間の外部からPIDは復元後に変更されます。
+
+次のステップは、それらの3つのプロセスについての追加情報を取得することです。
+
+```console
+$ crit show checkpoint/core-1.img | jq .entries[0].tc.comm
+"bash"
+$ crit show checkpoint/core-7.img | jq .entries[0].tc.comm
+"counter.py"
+$ crit show checkpoint/core-8.img | jq .entries[0].tc.comm
+"tee"
+```
+
+これは、コンテナ内の3つのプロセスが`bash`と`counter.py`(Pythonインタプリター)と`tee`であることを意味しています。
+プロセスの親子関係についての詳細は、`checkpoint/pstree.img`に分析するデータがさらにあります。
+
+ここまでで収集した情報をまだ実行中のコンテナと比較してみましょう。
+
+```console
+$ crictl inspect --output go-template --template "{{(index .info.pid)}}" 059a219a22e56
+722520
+$ ps auxf | grep -A 2 722520
+fedora    722520  \_ bash -c /home/counter/counter.py 2>&1 | tee /home/counter/logfile
+fedora    722541      \_ /usr/bin/python3 /home/counter/counter.py
+fedora    722542      \_ /usr/bin/coreutils --coreutils-prog-shebang=tee /usr/bin/tee /home/counter/logfile
+$ cat /proc/722520/comm
+bash
+$ cat /proc/722541/comm
+counter.py
+$ cat /proc/722542/comm
+tee
+```
+
+この出力では、まずコンテナ内の最初のプロセスのPIDを取得しています。
+そしてコンテナを実行しているシステム上で、そのPIDと子プロセスを探しています。
+3つのプロセスが表示され、最初のものはコンテナPID名前空間の中でPID 1である"bash"です。
+次に`/proc//comm`を見ると、チェックポイントイメージと正確に同じ値を見つけることができます。
+
+覚えておく重要なことは、チェックポイントはコンテナのPID名前空間内の視界が含まれていることです。
+なぜなら、これらの情報はプロセスを復元するために重要だからです。
+
+`crit`がコンテナについて教えてくれる最後の例は、UTS名前空間に関する情報です。
+
+```console
+$ crit show checkpoint/utsns-12.img
+{
+    "magic": "UTSNS",
+    "entries": [
+        {
+            "nodename": "counters",
+            "domainname": "(none)"
+        }
+    ]
+}
+```
+
+UTS名前空間内のホストネームが`counters`であることを教えてくれます。
+
+チェックポイント作成中に収集された各リソースCRIUについて、`checkpoint/`ディレクトリは対応するイメージファイルを含んでいます。
+このイメージファイルは`crit`を使用することで分析可能です。
+
+#### メモリーページを見る
+
+CRITを使用して復号化できるCRIUからの情報に加えて、CRIUがディスクに書き込んだ生のメモリーページを含んでいるファイルもあります。
+
+```console
+$ ls  checkpoint/pages-*
+checkpoint/pages-1.img  checkpoint/pages-2.img  checkpoint/pages-3.img
+```
+
+最初にコンテナを使用した際に、メモリー内のどこかにランダムキー(`RANDOM_1432_KEY`)を保存しました。
+見つけることができるかどうか見てみましょう。
+
+```console
+$ grep -ao RANDOM_1432_KEY checkpoint/pages-*
+checkpoint/pages-2.img:RANDOM_1432_KEY
+```
+
+そして実際に、私のデータがあります。
+この方法で、コンテナ内のプロセスの全てのメモリーページの内容を簡単に見ることができます。
+しかし、チェックポイントアーカイブにアクセスできるなら誰でも、コンテナのプロセスのメモリー内に保存された全ての情報にアクセスできることを覚えておくことも重要です。
+
+#### さらなる分析のためにgdbを使用する
+
+チェックポイントイメージを見るための他の方法は`gdb`です。
+CRIUリポジトリは、チェックポイントをコアダンプファイルに変換する[coredump][criu-coredump]スクリプトを含んでいます。
+
+```console
+$ /home/criu/coredump/coredump-python3
+$ ls -al core*
+core.1  core.7  core.8
+```
+
+`coredump-python3`スクリプトを実行すると、チェックポイントイメージがコンテナ内の各プロセスに対し1つのコアダンプファイルに変換されます。
+`gdb`を使用してプロセスの詳細を見ることもできます。
+
+```console
+$ echo info registers | gdb --core checkpoint/core.1 -q
+
+[New LWP 1]
+
+Core was generated by `bash -c /home/counter/counter.py 2>&1 | tee /home/counter/logfile'.
+
+#0  0x00007fefba110198 in ?? ()
+(gdb)
+rax            0x3d                61
+rbx            0x8                 8
+rcx            0x7fefba11019a      140667595587994
+rdx            0x0                 0
+rsi            0x7fffed9c1110      140737179816208
+rdi            0xffffffff          4294967295
+rbp            0x1                 0x1
+rsp            0x7fffed9c10e8      0x7fffed9c10e8
+r8             0x1                 1
+r9             0x0                 0
+r10            0x0                 0
+r11            0x246               582
+r12            0x0                 0
+r13            0x7fffed9c1170      140737179816304
+r14            0x0                 0
+r15            0x0                 0
+rip            0x7fefba110198      0x7fefba110198
+eflags         0x246               [ PF ZF IF ]
+cs             0x33                51
+ss             0x2b                43
+ds             0x0                 0
+es             0x0                 0
+fs             0x0                 0
+gs             0x0                 0
+```
+
+この例では、チェックポイント中の全てのレジストリの値を見ることができ、コンテナのPID 1のプロセスの完全なコマンドライン(`bash -c /home/counter/counter.py 2>&1 | tee /home/counter/logfile`)を見ることもできます。
+
+## まとめ
+
+コンテナチェックポイントを作成することで、コンテナを停止することやチェックポイントが作成されたことを知ることなく、実行中のコンテナのチェックポイントを作成することが可能です。
+Kubernetesにおいてコンテナのチェックポイントを作成した結果がチェックポイントアーカイブです。
+`checkpointctl`や`tar`、`crit`、`gdb`のような異なるツールを使用して、チェックポイントを分析できます。
+`grep`のようなシンプルなツールでさえ、チェックポイントアーカイブ内の情報を見つけることが可能です。
+
+この記事で示したチェックポイントの分析方法のさまざまな例は出発点にすぎません。
+この記事ではチェックポイントの分析を始める方法を紹介しましたが、要件によってはかなり詳細に特定の物事を見ることも可能です。
+
+## 参加するためにはどうすればよいですか?
+
+SIG Nodeにはいくつかの方法でアクセスできます。
+
+* Slack: [#sig-node][slack-sig-node]
+* Slack: [#sig-security][slack-sig-security]
+* [メーリングリスト][sig-node-ml]
+
+[forensic-blog]: https://kubernetes.io/ja/blog/2022/12/05/forensic-container-checkpointing-alpha/
+[checkpointctl]: https://github.com/checkpoint-restore/checkpointctl
+[image-files]: https://criu.org/Images
+[crit]: https://criu.org/CRIT
+[slack-sig-node]: https://kubernetes.slack.com/messages/sig-node
+[slack-sig-security]: https://kubernetes.slack.com/messages/sig-security
+[sig-node-ml]: https://groups.google.com/forum/#!forum/kubernetes-sig-node
+[criu-coredump]: https://github.com/checkpoint-restore/criu/tree/criu-dev/coredump

From c0c46070979e69ac16ea551f9f7d42fb455be511 Mon Sep 17 00:00:00 2001
From: windsonsea 
Date: Thu, 13 Apr 2023 09:46:22 +0800
Subject: [PATCH 179/272] [zh] sync 1.27 device-plugins.md

---
 .../compute-storage-net/device-plugins.md     | 173 +++++++++++++++++-
 1 file changed, 172 insertions(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md b/content/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
index 2b0a54b4e2d..cd03b2d62b0 100644
--- a/content/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
+++ b/content/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
@@ -371,6 +371,16 @@ identifying containers using `pod`, `namespace`, and `container` prometheus labe
 
 kubelet 提供了 gRPC 服务来使得正在使用中的设备被发现,并且还为这些设备提供了元数据:
 
@@ -380,6 +390,7 @@ kubelet 提供了 gRPC 服务来使得正在使用中的设备被发现,并且
 service PodResourcesLister {
     rpc List(ListPodResourcesRequest) returns (ListPodResourcesResponse) {}
     rpc GetAllocatableResources(AllocatableResourcesRequest) returns (AllocatableResourcesResponse) {}
+    rpc Get(GetPodResourcesRequest) returns (GetPodResourcesResponse) {}
 }
 ```
 
@@ -398,6 +409,89 @@ information about memory and hugepages reserved for a container.
 CPU ID、设备插件所报告的设备 ID 以及这些设备分配所处的 NUMA 节点 ID。
 此外,对于基于 NUMA 的机器,它还会包含为容器保留的内存和大页的信息。
 
+
+从 Kubernetes v1.27 开始,`List` 端点可以通过 `DynamicResourceAllocation` API 提供在
+`ResourceClaims` 中分配的当前运行 Pod 的资源信息。
+要启用此特性,必须使用以下标志启动 `kubelet`:
+
+```
+--feature-gates=DynamicResourceAllocation=true,KubeletPodResourcesDynamiceResources=true
+```
+
+
 ```gRPC
 // ListPodResourcesResponse 是 List 函数的响应
 message ListPodResourcesResponse {
@@ -417,6 +511,7 @@ message ContainerResources {
     repeated ContainerDevices devices = 2;
     repeated int64 cpu_ids = 3;
     repeated ContainerMemory memory = 4;
+    repeated DynamicResource dynamic_resources = 5;
 }
 
 // ContainerMemory 包含分配给容器的内存和大页信息
@@ -442,6 +537,28 @@ message ContainerDevices {
     repeated string device_ids = 2;
     TopologyInfo topology = 3;
 }
+
+// DynamicResource 包含通过 Dynamic Resource Allocation 分配到容器的设备信息
+message DynamicResource {
+    string class_name = 1;
+    string claim_name = 2;
+    string claim_namespace = 3;
+    repeated ClaimResource claim_resources = 4;
+}
+
+// ClaimResource 包含每个插件的资源信息
+message ClaimResource {
+    repeated CDIDevice cdi_devices = 1 [(gogoproto.customname) = "CDIDevices"];
+}
+
+// CDIDevice 指定 CDI 设备信息
+message CDIDevice {
+    // 完全合格的 CDI 设备名称
+    // 例如:vendor.com/gpu=gpudevice1
+    // 参阅 CDI 规范中的更多细节:
+    // https://github.com/container-orchestrated-devices/container-device-interface/blob/main/SPEC.md
+    string name = 1;
+}
 ```
 
 {{< note >}}
@@ -560,6 +677,59 @@ gRPC 服务通过 `/var/lib/kubelet/pod-resources/kubelet.sock` 的 UNIX 套接
 [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 从 Kubernetes 1.15 开始默认启用,自从 Kubernetes 1.20 开始为 v1。
 
+
+### `Get` gRPC 端点   {#grpc-endpoint-get}
+
+{{< feature-state state="alpha" for_k8s_version="v1.27" >}}
+
+
+`Get` 端点提供了当前运行 Pod 的资源信息。它会暴露与 `List` 端点中所述类似的信息。
+`Get` 端点需要当前运行 Pod 的 `PodName` 和 `PodNamespace`。
+
+
+```gRPC
+// GetPodResourcesRequest 包含 Pod 相关信息
+message GetPodResourcesRequest {
+    string pod_name = 1;
+    string pod_namespace = 2;
+}
+```
+
+
+要启用此特性,你必须使用以下标志启动 kubelet 服务:
+
+```
+--feature-gates=KubeletPodResourcesGet=true
+```
+
+
+`Get` 端点可以提供与动态资源分配 API 所分配的动态资源相关的 Pod 信息。
+要启用此特性,你必须确保使用以下标志启动 kubelet 服务:
+
+```
+--feature-gates=KubeletPodResourcesGet=true,DynamicResourceAllocation=true,KubeletPodResourcesDynamiceResources=true
+```
+
 
@@ -639,7 +809,8 @@ Here are some examples of device plugin implementations:
 下面是一些设备插件实现的示例:
 
 * [AMD GPU 设备插件](https://github.com/RadeonOpenCompute/k8s-device-plugin)
-* [Intel 设备插件](https://github.com/intel/intel-device-plugins-for-kubernetes)支持 Intel GPU、FPGA、QAT、VPU、SGX、DSA、DLB 和 IAA 设备
+* [Intel 设备插件](https://github.com/intel/intel-device-plugins-for-kubernetes)支持
+  Intel GPU、FPGA、QAT、VPU、SGX、DSA、DLB 和 IAA 设备
 * [KubeVirt 设备插件](https://github.com/kubevirt/kubernetes-device-plugins) 用于硬件辅助的虚拟化
 * [为 Container-Optimized OS 所提供的 NVIDIA GPU 设备插件](https://github.com/GoogleCloudPlatform/container-engine-accelerators/tree/master/cmd/nvidia_gpu)
 * [RDMA 设备插件](https://github.com/hustcat/k8s-rdma-device-plugin)

From 48b79a8044c7bb9bbb189716a30663ba8799b72e Mon Sep 17 00:00:00 2001
From: windsonsea 
Date: Wed, 12 Apr 2023 17:01:41 +0800
Subject: [PATCH 180/272] [zh] sync 1.27 system-logs.md

---
 .../cluster-administration/system-logs.md     | 103 ++++++++++++++++++
 1 file changed, 103 insertions(+)

diff --git a/content/zh-cn/docs/concepts/cluster-administration/system-logs.md b/content/zh-cn/docs/concepts/cluster-administration/system-logs.md
index adb09c51187..54ac577a398 100644
--- a/content/zh-cn/docs/concepts/cluster-administration/system-logs.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/system-logs.md
@@ -387,6 +387,109 @@ The `logrotate` tool rotates logs daily, or once the log size is greater than 10
 在 `kube-up.sh` 脚本创建的 Kubernetes 集群中,日志轮转由 `logrotate` 工具配置。
 `logrotate` 工具,每天或者当日志大于 100MB 时,轮转日志。
 
+
+## 日志查询   {#log-query}
+
+{{< feature-state for_k8s_version="v1.27" state="alpha" >}}
+
+
+为了帮助在节点上调试问题,Kubernetes v1.27 引入了一个特性来查看节点上当前运行服务的日志。
+要使用此特性,请确保已为节点启用了 `NodeLogQuery`
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/),
+且 kubelet 配置选项 `enableSystemLogHandler` 和 `enableSystemLogQuery` 均被设置为 true。
+在 Linux 上,我们假设可以通过 journald 查看服务日志。
+在 Windows 上,我们假设可以在应用日志提供程序中查看服务日志。
+在两种操作系统上,都可以通过读取 `/var/log/` 内的文件查看日志。
+
+
+假如你被授权与节点对象交互,你可以在所有节点或只是某个子集上试用此 Alpha 特性。
+这里有一个从节点中检索 kubelet 服务日志的例子:
+
+```shell
+# 从名为 node-1.example 的节点中获取 kubelet 日志
+kubectl get --raw "/api/v1/nodes/node-1.example/proxy/logs/?query=kubelet"
+```
+
+
+你也可以获取文件,前提是日志文件位于 kubelet 允许进行日志获取的目录中。
+例如你可以从 Linux 节点上的 `/var/log` 中获取日志。
+
+```shell
+kubectl get --raw "/api/v1/nodes//proxy/logs/?query=/"
+```
+
+
+kubelet 使用启发方式来检索日志。
+如果你还未意识到给定的系统服务正将日志写入到操作系统的原生日志记录程序(例如 journald)
+或 `/var/log/` 中的日志文件,这会很有帮助。
+这种启发方式先检查原生的日志记录程序,如果不可用,则尝试从
+`/var/log/`、`/var/log/.log` 或 `/var/log//.log`
+中检索第一批日志。
+
+可用选项的完整列表如下:
+
+
+选项 | 描述
+------ | -----------
+`boot` | `boot` 显示来自特定系统引导的消息
+`pattern` | `pattern` 通过提供的兼容 PERL 的正则表达式来过滤日志条目
+`query` | `query` 是必需的,指定返回日志的服务或文件
+`sinceTime` | 显示日志的 [RFC3339](https://www.rfc-editor.org/rfc/rfc3339) 起始时间戳(包含)
+`untilTime` | 显示日志的 [RFC3339](https://www.rfc-editor.org/rfc/rfc3339) 结束时间戳(包含)
+`tailLines` | 指定要从日志的末尾检索的行数;默认为获取全部日志
+
+
+更复杂的查询示例:
+
+```shell
+# 从名为 node-1.example 且带有单词 "error" 的节点中获取 kubelet 日志
+kubectl get --raw "/api/v1/nodes/node-1.example/proxy/logs/?query=kubelet&pattern=error"
+```
+
 ## {{% heading "whatsnext" %}}
 
 
 `Guaranteed` Pod 具有最严格的资源限制,并且最不可能面临驱逐。
-在这些 Pod 超过其自身的限制或者从 Node 上没有可以抢占的低优先级 Pod 之前,
+在这些 Pod 超过其自身的限制或者没有可以从 Node 抢占的低优先级 Pod 之前,
 这些 Pod 保证不会被杀死。这些 Pod 不可以获得超出其指定 limit 的资源。这些 Pod 也可以使用
 [`static`](/zh-cn/docs/tasks/administer-cluster/cpu-management-policies/#static-policy)
 CPU 管理策略来使用独占的 CPU。
@@ -124,7 +124,7 @@ A Pod is given a QoS class of `Burstable` if:
 Pod 被赋予 `Burstable` QoS 类的几个判据:
 
 * Pod 不满足针对 QoS 类 `Guaranteed` 的判据。
-* Pod 中至少一个容器有内存或 CPU request 或 limit。
+* Pod 中至少一个容器有内存或 CPU 的 request 或 limit。
 
 ### BestEffort
 
@@ -219,7 +219,7 @@ Certain behavior is independent of the QoS class assigned by Kubernetes. For exa
   Preemption can occur when a cluster does not have enough resources to run all the Pods
   you defined.
 -->
-* Pod 的资源 request 等于其成员容器的资源 request 之和,Pod 的资源 limit 等于其组成容器的资源 limit 之和。
+* Pod 的资源 request 等于其成员容器的资源 request 之和,Pod 的资源 limit 等于其成员容器的资源 limit 之和。
 * kube-scheduler 在选择要[抢占](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/#preemption)的
   Pod 时不考虑 QoS 类。当集群没有足够的资源来运行你所定义的所有 Pod 时,就会发生抢占。
 

From f03ac425ebefcda184408057be07226fb326d0ac Mon Sep 17 00:00:00 2001
From: Kensei Nakada 
Date: Thu, 13 Apr 2023 12:23:02 +0900
Subject: [PATCH 182/272] fix based on the suggestion

---
 ...=> 2023-04-17-topology-spread-features.md} | 57 ++++++++++---------
 1 file changed, 31 insertions(+), 26 deletions(-)
 rename content/en/blog/_posts/{2023-04-11-topology-spread-features.md => 2023-04-17-topology-spread-features.md} (71%)

diff --git a/content/en/blog/_posts/2023-04-11-topology-spread-features.md b/content/en/blog/_posts/2023-04-17-topology-spread-features.md
similarity index 71%
rename from content/en/blog/_posts/2023-04-11-topology-spread-features.md
rename to content/en/blog/_posts/2023-04-17-topology-spread-features.md
index 2bd8e45f7dd..170496742c8 100644
--- a/content/en/blog/_posts/2023-04-11-topology-spread-features.md
+++ b/content/en/blog/_posts/2023-04-17-topology-spread-features.md
@@ -1,17 +1,16 @@
 ---
 layout: blog
 title: "Kubernetes 1.27: More fine-grained pod topology spread policies reached beta"
-date: 2023-04-11
+date: 2023-04-17
 slug: fine-grained-pod-topology-spread-features-beta
-evergreen: true
 ---
 
 **Authors:** [Alex Wang](https://github.com/denkensk)(Shopee), [Kante Yin](https://github.com/kerthcet)(DaoCloud), [Kensei Nakada](https://github.com/sanposhiho)(Mercari)
 
-In Kubernetes v1.19, [Pod Topology Spread Constraints](/docs/concepts/scheduling-eviction/topology-spread-constraints/) went to GA.
-It is the feature to control how Pods are spread in the cluster topology or failure domains (regions, zones, nodes etc).
+In Kubernetes v1.19, [Pod topology spread constraints](/docs/concepts/scheduling-eviction/topology-spread-constraints/)
+went to general availability (GA).
 
-As time passed, we received feedback from users,
+As time passed, we - SIG Scheduling - received feedback from users,
 and, as a result, we're actively working on improving the Topology Spread feature via three KEPs.
 All of these features have reached beta in Kubernetes v1.27 and are enabled by default.
 
@@ -24,16 +23,18 @@ Pod Topology Spread has the `maxSkew` parameter to define the degree to which Po
 But, there wasn't a way to control the number of domains over which we should spread.
 Some users want to force spreading Pods over a minimum number of domains, and if there aren't enough already present, make the cluster-autoscaler provision them.
 
-Then, we introduced the `minDomains` parameter in the Pod Topology Spread.
+Kubernetes v1.24 introduced the `minDomains` parameter for pod topology spread constraints,
+as an alpha feature.
 Via `minDomains` parameter, you can define the minimum number of domains.
 
 For example, assume there are 3 Nodes with the enough capacity,
-and a newly created replicaset has the following `topologySpreadConstraints` in template.
+and a newly created ReplicaSet has the following `topologySpreadConstraints` in its Pod template.
 
 ```yaml
+...
 topologySpreadConstraints:
 - maxSkew: 1
-  minDomains: 5 # requires 5 Nodes at least.
+  minDomains: 5 # requires 5 Nodes at least (because each Node has a unique hostname).
   whenUnsatisfiable: DoNotSchedule # minDomains is valid only when DoNotSchedule is used.
   topologyKey: kubernetes.io/hostname
   labelSelector:
@@ -44,10 +45,10 @@ topologySpreadConstraints:
 In this case, 3 Pods will be scheduled to those 3 Nodes,
 but other 2 Pods from this replicaset will be unschedulable until more Nodes join the cluster.
 
-The cluster autoscaler provisions new Nodes based on these unschedulable Pods,
+You can imagine that the cluster autoscaler provisions new Nodes based on these unschedulable Pods,
 and as a result, the replicas are finally spread over 5 Nodes.
 
-## KEP-3094: Take taints/tolerations into consideration when calculating PodTopologySpread skew
+## KEP-3094: Take taints/tolerations into consideration when calculating podTopologySpread skew
 
 Before this enhancement, when you deploy a pod with `podTopologySpread` configured, kube-scheduler would
 take the Nodes that satisfy the Pod's nodeAffinity and nodeSelector into consideration
@@ -55,8 +56,9 @@ in filtering and scoring, but would not care about whether the node taints are t
 This may lead to a node with untolerated taint as the only candidate for spreading, and as a result,
 the pod will stuck in Pending if it doesn't tolerate the taint.
 
- To allow more fine-gained decisions about which Nodes to account for when calculating spreading skew, we introduced
- two new fields in `TopologySpreadConstraint` to define node inclusion policies including nodeAffinity and nodeTaint.
+To allow more fine-gained decisions about which Nodes to account for when calculating spreading skew,
+Kubernetes 1.25 introduced two new fields within `topologySpreadConstraints` to define node inclusion policies:
+`nodeAffinityPolicy` and `nodeTaintPolicy`.
 
 A manifest that applies these policies looks like the following:
 
@@ -75,24 +77,27 @@ spec:
   # other Pod fields go here
 ```
 
-**nodeAffinityPolicy** indicates how we'll treat Pod's nodeAffinity/nodeSelector in pod topology spreading.
-If `Honor`, kube-scheduler will filter out nodes not matching nodeAffinity/nodeSelector in the calculation of spreading skew.
-If `Ignore`, all nodes will be included, regardless of whether they match the Pod's nodeAffinity/nodeSelector or not.
+The `nodeAffinityPolicy` field indicates how Kubernetes treats a Pod's `nodeAffinity` or `nodeSelector` for
+pod topology spreading.
+If `Honor`, kube-scheduler filters out nodes not matching `nodeAffinity`/`nodeSelector` in the calculation of
+spreading skew.
+If `Ignore`, all nodes will be included, regardless of whether they match the Pod's `nodeAffinity`/`nodeSelector`
+or not.
 
-For backwards-compatibility, nodeAffinityPolicy defaults to `Honor`.
+For backwards compatibility, `nodeAffinityPolicy` defaults to `Honor`.
 
-**nodeTaintsPolicy** indicates how we'll treat node taints in pod topology spreading.
+The `nodeTaintsPolicy` field defines how Kubernetes considers node taints for pod topology spreading.
 If `Honor`, only tainted nodes for which the incoming pod has a toleration, will be included in the calculation of spreading skew.
 If `Ignore`, kube-scheduler will not consider the node taints at all in the calculation of spreading skew, so a node with
 pod untolerated taint will also be included.
 
-For backwards-compatibility, nodeTaintsPolicy defaults to the `Ignore`.
+For backwards compatibility, `nodeTaintsPolicy` defaults to `Ignore`.
 
-The feature was introduced in v1.25 as alpha level. By default, it was disabled, so if you want to use this feature in v1.25,
-you have to enable the feature gate `NodeInclusionPolicyInPodTopologySpread` actively. In the following v1.26, we graduated
-this feature to beta and it was enabled by default since.
+The feature was introduced in v1.25 as alpha. By default, it was disabled, so if you want to use this feature in v1.25,
+you had to explictly enable the feature gate `NodeInclusionPolicyInPodTopologySpread`. In the following v1.26
+release, that associated feature graduated to beta and is enabled by default.
 
-## KEP-3243: Respect PodTopologySpread after rolling upgrades
+## KEP-3243: Respect Pod topology spread after rolling upgrades
 
 Pod Topology Spread uses the field `labelSelector` to identify the group of pods over which
 spreading will be calculated. When using topology spreading with Deployments, it is common
@@ -104,9 +109,9 @@ time the new ReplicaSet is completely rolled out and the old one is rolled back,
 we are left with may not match expectations because the deleted pods from the older ReplicaSet will cause
 skewed distribution for the remaining pods. To avoid this problem, in the past users needed to add a
 revision label to Deployment and update it manually at each rolling upgrade (both the label on the
-podTemplate and the `labelSelector` in the `topologySpreadConstraints`).
+pod template and the `labelSelector` in the `topologySpreadConstraints`).
 
-To solve this problem with a simpler API, we added a new field named
+To solve this problem with a simpler API, Kubernetes v1.25 introduced a new field named
 `matchLabelKeys` to `topologySpreadConstraints`. `matchLabelKeys` is a list of pod label keys to select
 the pods over which spreading will be calculated. The keys are used to lookup values from the labels of
 the Pod being scheduled, those key-value labels are ANDed with `labelSelector` to select the group of
@@ -134,13 +139,13 @@ topologySpreadConstraints:
 
 ## Getting involved
 
-These features are managed by the [SIG/Scheduling](https://github.com/kubernetes/community/tree/master/sig-scheduling).
+These features are managed by Kubernetes [SIG Scheduling](https://github.com/kubernetes/community/tree/master/sig-scheduling).
 
 Please join us and share your feedback. We look forward to hearing from you!
 
 ## How can I learn more?
 
-- [Pod Topology Spread Constraints | Kubernetes](/docs/concepts/scheduling-eviction/topology-spread-constraints/)
+- [Pod Topology Spread Constraints](/docs/concepts/scheduling-eviction/topology-spread-constraints/) in the Kubernetes documentation
 - [KEP-3022: min domains in Pod Topology Spread](https://github.com/kubernetes/enhancements/tree/master/keps/sig-scheduling/3022-min-domains-in-pod-topology-spread)
 - [KEP-3094: Take taints/tolerations into consideration when calculating PodTopologySpread skew](https://github.com/kubernetes/enhancements/tree/master/keps/sig-scheduling/3094-pod-topology-spread-considering-taints)
 - [KEP-3243: Respect PodTopologySpread after rolling upgrades](https://github.com/kubernetes/enhancements/tree/master/keps/sig-scheduling/3243-respect-pod-topology-spread-after-rolling-upgrades)
\ No newline at end of file

From 9c88b40f0555fe58e97997201f9c01739d8f9451 Mon Sep 17 00:00:00 2001
From: Wei Huang 
Date: Wed, 12 Apr 2023 18:19:24 -0700
Subject: [PATCH 183/272] Update scheduler framework doc to include PreEnqueue

---
 .../scheduling-framework.md                   |   8 ++++++++
 .../docs/scheduling-framework-extensions.png  | Bin 60826 -> 119081 bytes
 2 files changed, 8 insertions(+)

diff --git a/content/en/docs/concepts/scheduling-eviction/scheduling-framework.md b/content/en/docs/concepts/scheduling-eviction/scheduling-framework.md
index d09934aa7d3..507992b445f 100644
--- a/content/en/docs/concepts/scheduling-eviction/scheduling-framework.md
+++ b/content/en/docs/concepts/scheduling-eviction/scheduling-framework.md
@@ -54,6 +54,14 @@ stateful tasks.
 
 {{< figure src="/images/docs/scheduling-framework-extensions.png" title="scheduling framework extension points" class="diagram-large">}}
 
+### PreEnqueue {#pre-enqueue}
+
+These plugins are called prior to adding Pods to the internal active queue, where Pods are marked as
+ready for scheduling.
+
+Only when all PreEnqueue plugins return `Success`, the Pod can enter the aforementioned scheduling
+cycle. Otherwise, it's moved and parked in the internal unschedulable Pods pool.
+
 ### QueueSort {#queue-sort}
 
 These plugins are used to sort Pods in the scheduling queue. A queue sort plugin
diff --git a/static/images/docs/scheduling-framework-extensions.png b/static/images/docs/scheduling-framework-extensions.png
index d27f89abc4963bcf87366aa2b66c09a2eb962712..43fe0f233e133beb68737eb4b8a70a26c7b16554 100644
GIT binary patch
literal 119081
zcmd?RXFyZww=az2APNei6bFHbC{^h-Gz9^X&_gd#igXYNAT^FuK|l>i4MjRglMX@z
z1q3nlmQbXIlF$hyly@_CX2f&;@45GWzWa;7UVE+etomEeezq^PHB~QAvrtn|P+U;E
ze@~Z!;*358#cwHR&j5dMlahr{P&}hhyLT7*)PjJbO1Rq66pF`?YJ-}dX^7?|XwF}O
zh_amzwiFsmcwCpCb2ZsQ>73lThTw6(vt0e!5Z9dGOV|Fqc*yXk8=vNC=)v;+fnjz%
zaycLkAK*mnEY2FZ@0X+{YIPnE_W%5KC$6VEcj#zTfvM1R8yqO
z8CWVCB3e;l#*gYp@a%BAeZ|v1x!fUtg?Czc%53GFCZtQ-?z+5{J_C6HbNWd^VJDNQ
z>GM8NtM1^M%+u7n6SOHsM+<8-v?oZMIr}(bDkt;3K@MTJgxVwz9uxg^_TQb9v(yf6
zwIV)kJ&h##N1i`$MgJL43@`CC-=8{3^{pNL#md=-v=UwMIX-DyAz)8pbjD(Z-R%Ss
z#k04s7lPZc8z~bYXVqKiPw1<@+aKE+<}SE#p3v#pTs!=em9y{orWN5$p}=~VMT6hr
zc*AnQbm$2x3Jv6fe;amdzb&TxTS@sB1z(9xe{2Kk^i=Cfs_b_7M=NLYH}0I_*U7iY
z`dt=VqN7U+rlZ$RP^C*HYI+mci)#lSzy`P9BR*ID$>EmC!>KBjTm6YWFwCIz$;S+2
zO`nhN6S4?izlo?zu9kBzDae#LB^%#trf+-m#43T}bj!Ey(*w`W-K9&4?dQ?3|t5Kd5v
z(LlVdhf7XU{R<`08ie=8fFLXmj8?qJ@ohAORJr3_OyJbJvcsB$Yg8`1@KcoO>jk^E
z<=Mx6(TC~*0Vr@czwr9!Fuqw@S_@BkkSpQFoMcF509Xd+nN~|GwI02LRkID|J4h*
z7vquT!H5h!*U~L!l(g>PiT{-M{>q~~k!p_$kMY)CS&b0BjRZK_<{j~SS%q4RPnHLI
z^hi=5?{zOU@46Tpjv0eEgF6eWR=$TM`>E2&Pw%OFH{16JHIO#S>!1w0TRp6W4jvB&pxO+7mkF=Ba*
z2Q59}1lS{;S5*jrVs+tt#rQH=E4ZNa)NqF1
z_j|H3LI+KJTC*m@pEGILh-0(*Od3#RG>mS}2{}GQ$<=^vfyi5*4Pp%8JMugnlWwnl
z;~|MG7JTR2;IZW;zR;+bLX!md6{Ea~Wh&O!y#>`l(WP8Xg6lk`yfh&L>NNZYSYKl=
zg<*5PF)SHg5j7ayGp&EImx0=M6T2|#<083m;1KcQ)tn+@)GM8548^8Ozq+&y?By!S
zf^LOD>hAkUuVy^ZOC2?mnavv|DW!1F9imn5MiDk)ERz{JjMZmwvek+3HBSZ4ctu7w
zy(Z!UphsRq}y>5EW@-!?>%%iEc}
zjbHs(3+x_|q^^XcUKK7W#ht3fv1^>lA!d41GcMb0M&yjIx9xQMB=NE~0RF5MtReO=
zn1Ndb-K(dyXR}9%IRs?k)y&smYHKl1EY<5Ium;(s&qxMTV26tD`P287$KC__V7`Bi
z)J<%M7h7$YEB+Z_=a}anr8czr%J81eby|H|(S-xMtd99h7-wA*mV&1hgY9oIkq{Q$
zyl9o^rx781Xc`wkl?3<%@>sNTmuef!Sg;(#ZNF^U%i<3o=VHR^R_ynZeBJZ^#V5mM
ze#T9Alq+sR|FG>15PL8)I(k%TasNJRfs;e8@8V8OkL60e48CK`#Xe7jtNM1QkzWYhKJ6n$`&Nf_wp8D75cBd1gy$I}Hchax>=k=zT
ztSE5`h*96u3$)kq?y^IMQq#>Wh9^Vn(wJUvXX;6aEbMVp+Xx6P@Wj(Wz=~E~W^6sZ
z+BU|>P;P2P2BVbueWhXyeJ%JMkUHc6tDfn8mRl>yV(BBd@|eT;niV99O57vVR7>pE
zd?;0DD7O@g#TMjQUh7eZs8hd%yX>)?aL_Y}*FcZKRtNpYm|NTMQL
zg*^nqoU|z{7N!tJ9VvGG{?Sma9WQlJMHjW(PZQqp=IEP@u5_k4^D~wyD8!X>`q&%|
zfBRVkD4taz7oN6ZWAFSdx)kXF*5HXU(hcpO{3z@c5^0~lzkLq+ua_t&I+SuQvpcH(
z!fyTbLUgRC{`co)msU-T&doI!-^CT!~4u-2zI2?FUaKDtsZ6P`mX~C?=`I
zyz{%~a=l}^rt31iVIq&6KE^oB>mMP2yWB3rmK(s`a@B(&
z;8)4zaTnxMkTDFltzjm)`OVe~rZBELIFOh&Rc8^`vXvdpICNpZTfOnHj7_|ZcEfh7YZ>)v$~7AlHmh>0SQ9B
z5;(i0eJdej-3WAr>0^-3AbsKE#n8j;xG_=k*FIX)n*bedXuFfZsU`n(7N7%7VEM~q
zWFPfDNc=~m!Q>AU)Lx@pG$WH6v^xeRKIW+1PX{vUkC6Z92mJdifdeCm@=A_k+FK~Z
zdw+*_SP^|EN+hc2%;o27wvVKzLQh02MM%nYMW$h5+u`ctwI2H6+xtN%`6%8`Cm25H
zu5WByURj2bu?@H{D8lfVzwOEkx6>!MJd5qotncmhcq}tqM&2cT`QyLbHAi_>mqpqD
zcV+has+I)BIxAloPlx^lb`;%X##X%o>H(`?^^;psOT!mXzMmonE6@4(k7}RLrB2Rk
z?hE%60C!R~WlDvii7eHZf8KuP5_1#UlyagoQBY_+Jf|raZ}F?x+TZEDW#ihtv;5WqZL~4G3F6CD}~AOw2Xnf5D0N4NkXGpvzauK
zKc|vAwb!6ciW8%L_eSqy|9pNX%727g!0wbMrX0oGN@@N|5VhTMRlT%yBR54uuG$si
zyZm6cN-bvg4-_s?@dWOs=s24}&4l$-j2q_~+wQGNr|C`7p0&m!P?FL|lLVO2Xt-jW
zZKm^SRAhpfQ*W)0EYDRGPUVC_v^mb|muf4reST1Z+0@6+Ssb6#Yu8s&wx#f01IA6ekBSK}3|&g$T!+~0
zVGfMKYzNv~erDgec+{h0<2PjJ`GSoQwHUWI8|Uy5m|P9tmmpM(6tfnoGqcSjdt-&G
zh}#ytP0OG7HjFPhVe<-E#t*3O-+2IiYPDxsknE1Nqr{$C+)39nKG&wCDe}*APu}oA
zhTe>q_VzgBGF(YCLrJ6j=BhNjmls)+`1N=)i9<4o<{u`_OxNLj)%nCsLBZF-WLm7SU*c`?@lllrTRrM%d;fPC
z;XIJw-y=Ja
zdwNJPe3c-wo(Lk-Mv3b}i;1?s<4i6U@Z8tYcK0jQ$aI9i=MQpb9|#zcmetPGWw>F#
zCq(qt*A=yayIei#zU)#_Zh3ld0LVc(-}c{tfS>2HiUFGRY+W47ts?W*0C3G@M((`4
zq8L`0Q&Oz?9uKr9oIzpz%d}ElNG8$uCAQI^R3q}MBQ#u9FQ&-8*B5=hs`>_0`fC=M
zm*JdGQx?ro7n8GL-V`jxa@>KsYjS?n>m+P=@Ce9NTdGh#YI@6P5&N;59@UWmMEvgT
z*m2X{ld<4qDj5+@r~mjxl_QIYGl#=2WxnRfsTgBsVo7WfRD^wy>nx9q_
z^(XPQT=~`6k;fwRFBYUE;&LkQTQZ3*G|G8YTPAGF
zC>L6yxNgG)hfgMC_dsbdUqU%x4U=#8s!QzNKk8hpb*7e8JR_~(b~rG?UtQFY(Qz5G
zf(i%-VMPnsH^3-yKmhJZ9d${I3Y;DOn$`C4=C3SUjFv~ORKEK!V9F9{y$FF`W!lRA
zll$>%L+r)^)fz{J4SuN0DSpXt^Gi{DBfN&H6_QYC32)Qw@&6-NY#~*V46n_ee
z*mH`EPMaUCR7XNnw~|zr(rYq)-lTwg1C_5^a+{rA^3sVv1CZ17)~)`;1J7=4
z%Qzo3${mS%Wm2M(0QfSYA@f9eDPYALXA7R49k6}r@?Ni#E_WqiMAgD=5t~?-fjIoE
znHVrrqG`epV4`wvZw!G`FtJJ{$7Ptz@4i)`Q)0FclM)s6s=IxNc+@l-lmYYy&|
z*X2+Jz}!;2H$c^uA}azsk0@EDU)h+Hi+9;ix7bL*GfPmN(2u7@7o(8i&+SJz0{~W8
zO8~GAVGM8oIEO5{TIT?O*{(zY%rXKP_UQ7F<=1cttev=m-
zsmo9TNOqFj2QRS20$8{b<2e=ej~KSQ3iv1Z_dQZ<-Sg^dvJ8Ayu7A+2IS}`^VUz=+kJd?zn9_g
z`sM_t4W*jY%O*Z+sg6WwTD|*F+==Bns;Q3Y=x8zELV%L**?gn4AuHQdK7TIn89na!
z0c|-*#G!BiYRFgFWG{Z(R^0Uyoy~LQc}NgmIp-^YOGLACQS)}GBD-xl+F3>KXZ(k(
z(_DqoUhJ{U2J{SPcgR>yzNL;l(Fp~YgXXGBtPj_>GhoVLFEP&XXr5aIzKam7z|^(u
z*b=FDEz)~-6|k)oa|BJ@73zS^ZyPexKY?SOITqMf5RdoC=j8{#aS!HG5M8*>fJjM$
zfZNCeTx{8#xiUx0{ja$l@zi(nbd#2^6l{vyQw0u_7zkrT*|Ds?PxHI-mj`r`Ery^}
zET?il8N}4{hw)v&3_oLfm`#b4Zdy=$oS|_!yY{xC^ds1S7p3%X9KEmbL
z(4Z|It&>MD$HkpijOzvZbpQ3qje{6_$s5{>F(4)tzncnD_4D>=7hz
zqK7h@P0LRy?zBeW(RAhq-Oi=`rY!RQPz5nC`MGws*cdNVhbnN#B3WA-E5@G;zY$03
zLq{?(c}t(@o$2a*gWAdv$=v|&7afXkMHjv@6&<7pEPJOq_U0#w73rvV$C{F5fLUEw
zjPVVafd3j-EeY*0p$$CZ)iKtSUEaU8y<(4#IL&Q7$^q%AaTpW*Oyu
z2f1_u~{kg{)z;eFKzRA5(jaV|I
zQnFNPwkyJgNXyPya-gpCJ2Hbsb(l1N<}%NnQASoZ>2@xr*!7ABZ_3W-V;WL|HU=U-
z1gWJ>6x8AzY%fEwRd80h(2W#Fe23Mbqu(i{9@kse}nqY1-)Wz8+;xluUy)U>Ro~;r0$Nt
zUfyQ|y_YTI4nY8lla=DixX?$CzADU$ZeHeqpo2Li%1ipQ@rw6X`cOW9X=`iG`@
zOq{NK!=$I3fxDMN_ZSx%cAD@gct`HJPRZq7+o;)7&?Km=4SSb1O^5f5eG1
z791zxnj(O1zQz;ndY`Fv$po_NmP8KHIPmT0;p;E~A4~eh%*jb&o9j6L?p~JWjUuZ`
zrl`E$uMs&3)(_ICcIog>?H^l=Lyz3L_5(v{hRW+&GOX;bq#M1nLneSW|
zdMvBNcEJ-#6&egyGRTtcM77V=yU(3lphiF6KZ!$3fqgb+lYQ*U)si)#(cQB4_`)D#
z^!1_pQ4?VF*^YkR27?cVOq7&?d)M<}i;l4&;2DLl&VBF3(x^PKmkQ1cg>s>ZuK8Vy;hQYr37aKxN9PvR9{jTIyNw_a
za`I50?wJWy2M|kKcBR?WtJ$~kY83`PP05gzXnh8n9iMO49-I#9WT087l!h2cXbN1O~0WkOsO7{kui5gRo7p1*pQ|mGP=zK1ELE
zW(w5;D@fz$y;+&8&|*XzGZVM79%p1T`AyLUeU*g$Mqj%5n%R4Ojl0v1SrIv{5j|B;7$Q|P
zT7n%L@1wS#h(%!1#?gld*@#FDzoF42KHo#?5`WZEN;yOSeOE`UFf4c2PjThDw?-po
z@@}F$x_LV`hdHvxV`G*@?I$7{3my#RQ%`_fKM!mmZYP^)e@<`?5{U|*H#IW5GyH-j
z=2f>d%*!3hbm^$Ku_z;=8?K$S$Rlf!2aXrdP6WR_@D<4J244+S&`^d(xB*VfG?IOk
z_iiYsU(B8+VLv<)ea}WQ^ZveDlF6z?WCA~2r$G|(=#>zZt5L|$BV<%(h@wk1n$@z
z%9RYkn)L1i6Ag8ZZt#kCh_UeZ5I(>RwJJuu6uc^|FK@w&Qqpx48jJYM`h1nA5=JF<
zV|m%F>3`|FGvzVu55bwP{-Cg(FCgThynV-C!9I)A?oD*7WnF}!$
zpL}@xb=X2>iRbi#b9Q=of=cxo5`4{=6Q}xUUOcIYR*{HRWc#%EaUeWFDEKU}BJ}|V
z>bp>_l1Dqfb`>!Sk}C;>@W?A6;6r)UGdQ|)RUl?3!BCYmJ9R)m)bWePx!k`pSajKG
z$gfpvA?LO9TE7m5$&WEA{SSZ*n$M$4axD0{lau$$#GMU2?CQWU7)?!Ba7IT2&{-7a
zU?oN}4gyf0{+Vx|NyaZVG#Zz8brNlp+J|(cfTUIRwEunlwEQ%1F;ylAL8aySBG1Vre}1K^m$XY{K7&&i?wMHvF*zCjn656l3v*IoBiYfzX^l?6$MwMQXXsx4>o7J?7Ef-IE)c|$KkFpJLm-`*0N_yBs4d;&Hv;m5LJeN7dJZr=<&cN=
z^gqvYQ_oq9Pk@m+-Xe3oZ0XSC
z{WTMj=6iM=cIYllt+Q2-^IFMNWX3{(|G|S$K90rCA;FD<1HRwa@{m|pLsd7^vr2I}
zgNpRoigB1V5PB-M
z!H)f%=0>9e%@TTiH!kRWom^5dFzUZjASRiVBbO18LteKj(*M&0cH+sh$(zkS%VcHIf
zo_I2bj0+-uj|%5emR5}Ocuwp?8CEqPXr$6Xe9wDoN{Tli&*JX*DaHx$EIr8R$a?4}
zrEJ36Od7*#E8C4-MG1bgU>qFHIAf~H62&E_9j`P#D`dAH_<
zxM0=%A$-$7kQ5~;5r>9c)$`n+x33_~p@WxllJ*ZDU2zX64H$dq$2%ypySGNp;#7=#
z@_TH~^;=Xdo?C#UwgsDxl37CT{oKXu*5LI9-j?&bvuS0roKdxDdHQVz^!c}1XOm>*
zzE!*AL4NyaX2{_cAQqc3CZ4oQDHX9#h_T$yiN5Dew(sK5Lf^F#vpsFZ%#(iOLU;R1
z1Mjb$R&mKR^udZ{mL-XUm1}K(T#jq8qn3n8(&`5?#fnSbHW?lni&Ko7Y$CmdFZ0{2
zZs9H!ycF8qe$M0ovH-wzfJPnW1^Vd4-I3UbWcntOE~^8O*2;4-*P%W4k%-xj&GAKZ
zBeU2!%=VvL2t-WcraT%mHW*+B*A)IG+~dybH`6}Vi0fzIPxK$FQ8MTY+x?J}Gpoxp
zC4;g7>Ic2Rmp~QhAj6}!`Wzo>9os@dQ%*h_9oscLSJ8HMJCzXNkU6nkap^<*-qHfz
z{rQWY7AuTSLlsVkJKv+;){M<8wPrl15oiOw`|wJhYeGk`UN`T$e|YW>?Yla>5@Nen
zU+2KP>KVK<`@%WN@S?c47mM>VpD1%ga+_`A8T;U?xgVG{8V`L#T5M?an|0)9RBfgL
zk%B|;01aVm*4E}o`a+i_L-^rPmM25j4w)v1sR7d>uXQHDA5|57@850lXM9K_e{V}pR*
zKc&^T&_vQa56^`xv@xFfo%wg%H~NC`(o7RQ`M5>dA+V7Avz`s=(-a}BfnS2a`KnYl
z97!sC=WBr7zDJ*q+-=qZg6(buD})jpG9oPeU^(^^Qyv1Fqw)Z#%~fk#9#cVyh=gX%DfbXQuYgI}FL!QW
zi(!pnsC|x&M0k@Q%#aQ3nouEnSU)PkCQ10=0u0EolCVeG>T+GyGB$D>G7}OZTU-8&
zJiD64`44X{*9aQsU6&9F+2$TNRScVHLmhc1_u_>JFW+Jfn+%_xj|yEo5(EzL+*@NC
z92bPJ@a^JQCgJy=)boe(fxCdQ5KmudpPNeU(uE?7cvXpv43+V21xgQDtG*4M-{0MS
z12u*6WNsT>apIL7mZ{c))GEd~LrBtJGw!k#?OqNo(j_Xd@D`yNT!xxA)U)fwKUB4c
z-J7g{3A2n%#bn~MpYh()}J-lfPX-k)Dg+f}onxf6
zpxt*kYRD9Md(jizn^j_}XLmaim>dp$1N9(a-A}H-0jBVQl#*nEa2B{tJTB?^HFOcM
ze8sz?lNfJ}Nsn&lD8=4d|69Z3qe&9C@7_gW^Yyz10c-&On`ReVl0xK$K=qTQ@(e5|j%JRiAgTaeZ&%2j!^8~^T}ds^*Ewg&
zjx64OM{zGk>28Ng&Q6kewsu1L>Vg!K-O3P|Dwwe)8;XC47z1TKnSF?4SK>Tf!5*W^
zhX3r*8dH?-ae0|J>qn2*5=w={i$N&3GBH!pG`ALul$=Q6ck<(3-d4LayE2x
z8$kKll_&PgDJbd~15vD$Tr7!t5w{@=3z;V#qi{&&hsfWO7UtWy<=7k28_@97{3P3F
zNw#kIBZ$0^&w$Tc;8>7UlTV4-koMXvb58xgH4fkhS5T2Ta$0Xv6J~tRWA}nt>f|Qv
zyuqf&^4!OftW16RCyn@z6Fw;(hyEu{<(yRLKm9zfc;3@xW^}+OL5+D{>C2#BsoI2U
zW=i=9P4j$xW!j`mybfFJ>C3KTo@jaqIQ(RlUT|efwrw~295|5b{FNOd^|zvZ;-IOM
z>-H#-!tX~TlD_Q1vP2-LzGV)Fy%}#bM-B}Q1wG#$(ZY~XjysZ^KUu*w_P|=6hix-p
zA7+?SzH3aX|GR)6#oWYBLj~0@BILc7S_H=UF{ieuu@Tb3m}*7@oso+N?KiaCPkW^o
zmga28A(y(xo*ZZ(K2Fc6im-hOH0yJvcA8C13x5ft0XeLc>a~XP-@8X(jgi>x!hhG;
zOB{QcKEOJ)KW@)#ZoRhR+Ax^`u@$`Tm7*oLmo#Q~@csQb@AHPZW0p}2HElvY8>w$K?UF)2{
zxgNhicp?M>cxuw<%^6je`Lcbm$RBm9ZnRyx+?Rx+9Oqv7;K@{)@f
zR$#0Arqj`>1qekMa3m(J7UBA2`3J!^Jv$HSEQ)tU9SMzWH~`B{7=veu6M|6^TC#Ji
zW5kL~?(5ernOAE#Np}1G?B$b-US;$&!|Za4qC;v(0ebgBkE^zz)90w6#ZLRM73x*TUR2PzN?+SUW=zAJ<8SfaJnHPHtPhH;s@;kG6fIVA7lL;yBG8gWf
zYhAxQsdt6YDQNMR;smiY-)UjL&vJ&iX-zq-%l^g%BC7{&bkMV-Iz)-&f*4QdCG8Yt
zjXk9TbmEWE+aJ33y}Hb+D~4c!9|AUZO$pmDIY%Pe;?BJCI?of&^RQAzsVWr6X3q5PNM9pqR0$4EPUF=hNERhFY}
zoB110ki|4-TW{e%j_d}tqcYQO%QdI^^xh!%ByT?k&t0T1lh_A786f)DvOYF6_etCV
z`^0z@wHDr!wB*hu_GIF<3=j4OAyj}$a%q8t3-zB$L*CGpGzO66mk){b4JD`eUZ_aA
z5dC{*1m2aOPik2%U6S&fJ{YoTOuv4786a8A<#utkeS|ePj2BgPmP>g*pXW(|!DTWW60m94_G3sirz?C?CkNVZ%TVTxHk+
zhN{d#6Y=wgVzcc!Ib;Y;j=0{YKiUg>>VQ1*nVV>Nw7#sAs3`%Yg~j1PrYiA8+p-na
zcW`$Y{{&dejYL<>Dc+u`S-;R~`WWm)U$*3Tpzm!Tn>e>W5H?h|c9k{#CGZNOb2qaO
zBRV1Lg*DbAIHq-e^|HMpMaT}F
zokksbVOvygJ258FOb8a*0pgn
z-`uI^<^k1UY;!gEPJMUm8Rmph=GK8hR(p`|+;}Im`tcgSEYBpTH8|y_c)es3dh#r7
zc}5AJ_hV(=LFGW1B_q|JDxtJ*j6&e0-@G5b3{$rnv&ffOvLRsmVP|z99`$PB79h{*MKuiZmQ5->?P#s(Gv*Yf
zVG7^uxm>xmopMoBdAJd(SlFTB$m+0W{(!dIWbjGgYz56NsauH(;KScu{3U21FRp*^`anu>fj`M=^%|M5St!b84UiSB&E~q4DutaVHFa!Yq^XN#^;@6d
zwGQ^SjuztZ3LWrHU|qh%S?`@5zO*{T63qmO;`U4lf^Jw)>(*tpH5KRK1
z!qlnJIY*C)zHq1-wp(caa9HtB$>H;S0A2SbFVTexO0TxDs%qDRt+>wkziP(4Tg56*
zyM%401>Ms`2i79ZiZb3ncC+uycDatFEnGadT}&GK=*gA$vepIgD8>WJ=EHSnbUVBQ
zSc;52nscA3Kct7uo-WOhcLPSj%~pn(qxmcIuS=|Ob}6Lu!awJ0?lJEVjBVX#${vb^
zz0|&Y@5_UHdVZz3q%jz%@@as62JG5?VR11={$TiOBCYYg_b$f`?*`OuWo>&(QsK^J
zyN(j;;Eve7=yreM<8Zt8KoS{aHLhXN&Ss&RAXg4f$W
z4-U56j^>m4vyH#lAXk<#x;yQlvaKe3`7n
zmj^j;buji82kys&0{Yo4bF
zsw~{-ssMVlVQ$MW`ca-?g1KV}Z=1%@Duo?wy@1&MCGcQ^Sqo?%rcK=_P(?0UBJc;RH8}oJAhtwx
zr9rH(CnP+4m|lK+So~0xY9ayN{zl;Ynx@~U#xPs3CD3z55ow?IK?J>b+X~NY-}gy~
ziS1|co|_U32sdIEH&I%t9AGx@*BtlXaLGu``PyB$aso;bD}0-PM(
zsOe;uzjrH59;)+owZ$ghlYc8^YxJBxup&LgQFD;jr%$H>1LD3nD|E}enoUu-Fh9}t
zSE0r;0q#=WYe@^VwY@49xzc7PTKCwK_pJU!M>9o6yU=ebUX|jij~nMXEPZZ5IiP??
z&dV+LXC8Q0dPC}r{8ck`L`bV@_154jK$gts%Q0hZu&ec(c8rRQUs&R`DU%*%ZM0cj
zXbALOUGNiutzRtrc&XrG!L{qxLmgO3=_3WF&?RiftMR_G#udfI%Wd)jECkyX*@T6D
zMZo#zj}Ch>s}ShMIspeUeD7LIVd0&;=SI_)3hta+Oc71-no#0;-1vjTa`$iLUN-Di
zP3){V9=X$AIJ77cW0oQU?f5&~jss{&IaI{@Ahd)9yLo-x`Cz_qae)l#*oTg}Y~Zd}
zAdB6dkk0t}w_v-fyNv-H1}F!#TXJz$Fdsk|9^Nwgu+#T&1t|(?>n;Rv>hVF=MN!Ge
z;PT^T_ibC$_6-gUs2%)B*Yc-dqK1g?Jy!=5Ek9QDjSgQQCh5(t?huRT%Xs-iNlX0#
z($(sP2M_XqvpwPAMx8iN?Fhn_9Om(MKaId><&kUdm8dMrW(){6Z+gvtn^+QMmFZ{{
z|4f^*to0`J&+9MUu+no$(_usMiLd|Sn^Kd>Qf2}rN8#W%|2D;~SqI1H%?TVA6{6ZO
z;wp;NiR7{YmmLTBb3Do|0WC1jV*a`A_rDFnFsYU+Hv6`6oISfel7=qKs}A9JD&uz4<#BBxV6TwK_2-CTEy!)ML+VYn(@D@sv+&Om~mK-yU;YTGCQZ8JLcGI
zkca^Wk}t(GjeaiEC6TK4hCXNlpFjO&&S$;s7_h~w}1NJG4ix!`{sft@x=AHEYa0-94SrY<*li!hPblO}VTYXJ#
zYusus`bS;AlF>x7%YG!n8h*!ja0JMl!J1&ci>vB-bDA1#g3Ea-@0kVyrzOnQ&gplM
zcY}t_S;cVIj;dKLm7!N7aco|xZE1lo5zc(Vltv|Wb#)+L65$d0U_BAg+F-n?d?PVB
z&SRBO{us+@DNa5x?7~_!_&PA)V~V4;CCtO~HIMW7tv2Ov<4>?xSI`0*vqk@5A;V0y
zgO=IE`6UhsVvyFvG#YJ>9d|FUK`JlG=%9{vv1{$X%!iFsNlwNP>dj@7cV(D5y{%A@Z&zX|t0K@-h}^7`&+a3pZpJILCzV$s||b&Rd(CGsO15!XGqCuJPOg6aYS3~Hx1jEeMFTzWj
zBU$Z>yXF2OBoamXY9D6XSW&6UCVHqu`%6+fMVdL5^?Ge?T}<}wu#Z|QFdN?)^7l!Y
zukc%G^vvm_mQnfDSj**YMhK13`X3R4?SH%e)wE7-!_-@t&Hq-!_FjDnX<{?%}!
zsOKMVX!wA`P-{}Rg
zXBQhTBLX?z>Q$E2j6K5peVPe45Z`;MC!Yg8rw{%wmFFMLTM>hX>7sgVQAe+o{wbdP
zYz1ZwD~(=T%FN$uzI@!+TY6^xq_|dOcFWUK?GGTThGPGzK;JeIk~7EQ(!TwhVjM;f
zuMkLg{jGXsNzHc-gLE$WXB55W($SR@7X#=FaHbyWbf
zi_iWW<>&Mr^!~G*LxIwi_rFS^IR{kQ4d*O63kWec{Wso_+Sw8VyD<|%;j_9#eix7M
z0RY!r_lgMSdk7TR$p3{ku*Ml3TU4w+N=}n@imEZOmnww1eI-1A9{)j*8|Kpee{vLd4pAXQoaFN8sSuRU9(M7uV0s=jM)i8=PW
zEIy_6gE%uxw%oP$2K25|{Xccilq=(bbHRVkDEMpbS!_M19NoBZ_|78mTM((tPyslm
zTT<)jtIIt;erW|U7iB%6`uJl!?~
z#F%%hh9o_c@CDgL*3bEf{Z~($y;xqr@c65;!;Of;-6)&B)@bKjIHwRs5%ODgpt)7y
zk{oYani7ECRRvLu!$SYFKNqfNbgYJ`?o=7|>Z=qvuOu8=HU(~6xSAT-CH
z(8>smYzM>4k^pVVo5XmZ#*D44Ew9bcWb8!4s>|aE_q=Cn+vU9uj*mMcq_;XFso5uz
zmRw@<^@xi;EdUnsGRRx+p=2Izyl^3^WcInocN=c!k7Z+)*>Nnnhi|ByKd1pb)PTV8
z+8TeMfWG+6UKK`HW^<{aKj%N!0thpWe$|*wS8EU5IEpkpfstD&&GL_~4aF*aB;i{R
z46fAHp==u;iC-=tRIP9%;?ZNpmx+WRJfwr!0)CD>N=9@MCM7hMQFWm;4wr-F&2E48#Hc%(L`X&8^`6PolPF2|F89Q37k)aB>L|WyNKa8
z-)b%r6n1wYKBk0-j0ab)gd84bD~xb>bS3voFN}T@nI%?MW^~*tr~Pn1b-vT7%)aXOJXca7hx6s9z6U=jm500?J^bN*h*RCfEg^Zri}302Fx9-}bboQ27&
z9C95cb$f^s1GLbu^ZC3vNILoFvC$&
zsT}b+KS6nD)MdqIy%K`TaT0*OzDy_2mtQ_WTmQHtHF4MHLu-3G{s3zc(6)laUmQ9&
z;32aTkxaCa9Cu6$*mk{5tIzH?n`u1}ctFODoayR$nhJLTAr6qO9;A77(69%>BeP-a
zHD09c>5oK7;;!MiW!LVOt7u=X_;^<#D7Wq42dLe-A<)*`x2R#Vv5jVN!QcGJKv8>u
z-1-zbak@ek6;q>O*o!%@KLZn}{gT@FnYR7;<^~q?i)uLpE@|zhQ^xP?l{Uh)tA}}ubfZPe~
zz#wZ(y==;<7A-wH+9?d*zaTNzF-YlX!^67fm?g$sFrV_JOHY2SHMbpVvv-sjZwBmp
z%GZ=ZCSQ;Oc6Pl9*d^CDBi@OO236Gxdx}j5gpc@BYKe+vH{V(mr#I&K`>lWPB9!H#
zT>Z8ea5W8vC1+%2H)%v-YKs;V{t9-s0(cHk37rjBP&*qmWhwvLn9|An@LjW>+p{%l
zqR`E>OxvcsOoj``1alb43WBk1klB5mF8TBLuijNJGDo`J&9dT3)x4JSE3v%e90}FBQBmTUJp+si~s6Yn)?F(`r>M$l93*
zjUDxu3sfoL69q>CyL-6B2M0EE?502^D*a|~BAZu(Mxe`*-{$=)N#+7OhRzpwGY8;5
zE>Xi|9||&B?`qp%I6Syx@Oa#^b-dBz-5XDOHdv~DG^_2lnmQ$quGpX(+LlXkjliDF
zI0kGd;kTk!A~_yIr_Zo+t9<_fX=WoZE?Cr8qcWg2&Oif`sIoF|R8RD_TW4i>FDo+L
z&^hfAS(o-#44&1ukefa)Gu^L8?DW92$9e+e_W!wM;cMEn-hv+;U42*W>%Uo0ab@!N
zyA|UaWoh+~d%{eWO12%_+f^g^dp(w`lg_}|E2vmeg3F4Co9^5iqaJFT`gaB<9_ZO`
z3^($EV4Nyb2NA}6P#ub_9&yu`IBDLY`KwVo+9P8zXiL9MLgFn;5Y@RPOUEC#%CVuL
z~1&Czql>_0*dB1qnyltXc6tK00-p@IyL`!D%C-quU3srSc}&hFT6<
zwH19?qz$~2fJBOf$OI-o!fA_d^{g-CCV0%|DoD82E#nb=o3;QJ$Em
zt$eEE%hq6d5EZSHY`ptx4kd!xbnA$gV53yIRyF|ooa%j7zNEpzXDj}K%m4pCA_w^H
zOCz6RvZfDVTnb|?*zr`Qm0OPO46sAd7JbVQQmhWhduN}u&+|%-E+u88BzBR2w%U97
zX6bpSI6T!F4*A%SAP=>FFwleL2n0nb_K+I5*j`JgLN8{ob85-T)HaM2FMzIssociC
zxd!m?@~h^3=wm0_E_PLadah<%w$Ke{7uQwBcThc&hn`c#-VeD;JtRgPqCxDTpMN+V
zosdMxtn{8D+eHE!1UdZns=<7MDee&{SJH^6Ge0~#gz3Xd8Y1xV1h8-NPYZmIzf~^w
zu8bG7Gi{o9Q0n*B_?8&VSDF8x0e2rzfU@733oi`Qjm_h6!>40X420xjfrD3rpmG~`
zQ$6(-Ppg2uOT|Yzx1QK(-p&aelZ(08=fWFn?ApoX^>uWEtF7;AQca+6K;DP_jzXK%
zqa4$fhjeMazK_K^=5T~qLMA1Cdb(Xypb^YF;T123#03^5$bkHK^$cmo3g5G4bo6ki
z>6IRgY&Sxxx`c0sM6^0W0AD~y6
z_RZA8Lg{I3n=MZXh)WnvZ+veUpKhP7{f(D{t4}wx=|nu$ea2@cZ*uDHyJe+*Gms%9
zLC^!(zn2zpOkd~GbK~hRUO1eRY21!AXMnFc8p&7b6BuBctq&o%}_wW(eUCWs(_WsnqaMhb%aFwyCFjra07NnB3K6}1IT32di=IQ2|LZ0EXZva!;nv-U)J8twfNv(Ki_gt#5T=bjK>yn}lU3cy|jJ4}uGC14EY7vwaQgI{gDhTJ7VJn65^~i=KjKr@L59an3d~?dOU~5{XP-RA4ig?^wN9z!
zx6V4bmzEC8ThHuOoANlJ%&rEAn3I8*MVuA4GiW5~eSsw?-KjYm;vcdC9zU@=t>8$L
zn-FqTsIm^PIooOGS=x&dJ~GR7=yaYi?qp@W>bpbk%ope23|zI6UNxQNA*cSpox6!+qAb+
z>M~Iz$s@dq$;8{#Ii(7!E>R1q2~5n|@0IXGy-oCd!0{1R^fDZ^
zq*gx8!&&*2`xfWY4Ma_X|7CU#HMN;lZbi6;g|V*tvC&nZNmf``9T@`+T^tLer0tW3
zO7#yps+Nz^^UFxJt8;eY=ev37&uVnNsC8TqtvaGV=Ai^za@zMMFjEwyHB&t2VmkJ}
zM}X$v4w?N&Af5H$?fGsX)-PUe4`_N{+r(qsQ(PaBQ$p`oKHOB*)L2i3Nv5z8DTC(^-%bKZL&waudiS}h?%gY_yJ*LWEGE8NZtl1mI}xFj&pLbRD&o6zS7}^q{`$n!W_WbFWoSYSca={JAzw1=0PlYc|B+!3}W`7;wgJkJ7R}IrJ
zaYCn2i=?fU4!+B%t0%6WQU{s!M4eoSms*Dk7~Z}6mbtxZqs{%JG7X67;hH#3@%m#$
z)SKan*ymDI?&HV~&zJR5X_3n<8lzvnOC-y@K-9oKU-*0AK3iL_p>#es@3`p7fBXPD
zQng+MNM?U#D{ktPMfP{)#j}|d>@*kn@HkE*aReH%)QTD<+>?tAhdXwSv$ATBCSLiq
z36O5rxqq!u0Yru}-CCDRW+{E2HM80@t{%Ks^8s0B=q64vYR9SLQ^EsFK4^RE_|68*LY(Y{8rsxMt=7-x<#?l$a=W)`IBh%Bb-Iw({Nb
z`x_&$=!&hAT3k7iX3pBVEdWwFtjS=3sIAXX`xs7-qF(z1kjPRENFaI?%8<{cQtU5m
zKx;FX-4q><41+V`x+V+09uHzY^GY776KK2Q`bY}#ks%etBj>>%55v@H2;-2E4_9gS$`
zDvd3=UatHJrXn1y%K&tZ>UN^GDJTJ+iR+Eqs%L!h#VPh5Vp7Z7@?J|n|chbhctH=^S
zGx?=+;R7>GDr2UoL)40=bY7;tB*u3A&+RXNH1d)<+p@YVMYe+dk+@@jA2ZXsgE{(q
zWql=gaq8eV!c9SwoXrRHI_Y1#R4P-iD|~r~G7XhZ%Pl(n@mlU#o(BolNW=r3*KkIj
z_Gs4pDruEEKrZ=sDx#`o)-s>a&O-bOrt`w^)M{K~qN!Bp;Y;a>har#Zl(MqEspeBF
zv>Yod2y-gNInPE8M3tId5x}-m(}&rQ^7R$h_**vb2FA5)_0328U39z)(vt80K9;!$KDl1f`=1sh+QcLg(**gJ7@)
zf&7IH0UiVoLTE*B#=XvK`lP})IB`R;IBAWkxGMW(iGO6ZH|X0pSgs&Fc%Rg626{C3
zIyaBwYo`aIX4xoumZKOv68ePeWQ~Rf@_0GFJ+4wBLV$N={=xUlZ(>`u1s5A#p9EJy
zscm3VZ4IJHaTSpu@YK;3u?0P3XKJSAS_^k>qQN5^ZbRGkj*!IXckr?Lnp4_~xXaTE
zybh9Gl1NYx2#LsoC+g1b8G)K4$y3$)N);DJR77;_g`5@+;?V*GY7cymCZ0(Ksi2*e
z@+R{VsFkQaRmG>n-xwKpj3rW0z0b>#jiv1V=E1N!b9O^Z)(8@!<2FXKiACIUTi(91
zlzZ6o(uKOlV-QK`!20AFmB{#tV%^%?deMviRro^GXgut?1VU&c&TY1m4
z501fRRr9TQp&eu(Eqo)Kzp=pI?QCFXX%9}fP~T!eONB*wX<@yyFcl9IzZX;c_HfrYNRgmt-J_vVgwn2s>UdY_
z(viM5c~;jAe%GH&zePMj#MB^{ja3xJT(M2}O86{yt*HklS{=peC2ppYp
z%Ze@>#HtchK*HV(y4#5tJxzrGk>=xD_u=_ldU}t(8tf}_n$Wy;_f;tfIWk@KIQIYV
zSHx0YYL(}75*#krM(lTNjEQW%Hy_aHdPiYM`y{FD{gk$bF0ml5{9n6ft)S{-I&=E1
z8tuzuxAq17O}v_v65-?Vk-UrLIJtKJ3KsNYQ|dWC0nM1Ay?s$tu=~tF!D$iZy$223
z^xyo|=p9H!b+R_JQ!f@@mc3cnf6Ou11Z_^f}Kd;KSDbz;$@c1qE}|5H>=;2^k*TyItu3W%2L_^lEkzGjh=amrn1A(P6Q4~
z1<7q*^u%|W%!>A2wfoP?wfC1ROP(Y#DT1mDrJx~rrI}1dRw7W4Ja>r%j
zUOB?F_s}6Y=sG}bLw4Kc+NUnQ7mHk$D6h1wDfmg;ytldTwcLYirlLhce_Xg`M1{M>EYZXLJyV^@}JmQM{+)^FEUq8Jz2+t*1NuBeD|Jzrr^%(7Rhtb{=QeOS
zosy3?=JxS7{Ma(9>pe=YAj#wAQ873al!>U
zGdBn7Jicx|75{nk^4ngvpnqfjezx~W|E$PhNZyGi@%d5ABmLIBB8HN_-nHJin0jQb
zXo~9t-h#pV2d*r85`SMHF;)JxijPKa-s`Pjd$dm<&@!pf0w3O&f-4C#h%`t%n*8nZ
z82tPpEEwkd>Y4Ucb}W^cGXU3bBQE5H&rOgn$Nj+E!vH8&{jbh~l0<<|yN
zy)UJ+00~otoPYRhSzFp9iOGa4(>V#>M;tb~cS0*;^fP(^Ga2RrC
zkvn~Dw{**O(T&f&(PJyXMP%RHJOqq488dgYd)eb;!OM;BeaT_jS&E~L*J-t80*ejg
zytaDtA`^0+PvgBppI!L&<2s>^K+&7!q0;*IG0nncPWpV?9LGQ8w_VE<$`o`Z&hmb1
z8IcS-ffT-mR=M;h4WBQI5v%j~LH8Ol6&~yVdiE8N*$tx>1lj>>stFU|!0Y+cNRFU>ulix3^Pql55
zwQKvUB`{N+`x<=U0!6>JxBaE^#UEXbD;Odfb0KqYp=(TftEh#9x
z&}Y;7}~F7Tf>$fPS~4&
zl+LJ=lT5E=fjYGIPk3DsMGMaa&pzw(dN^Rrbn5U4ehXF%Tz_LFV8xJamcwGC96(c6
z;`6zTms5W4HdLGP#5FVA%yz2zCe_M73gi%_=@u!XV*&JJ;2ilr6-S|`UD{nh_>RMP
z?CU-5Z1uOIid^B<7bOGsxc-Y1|80@hB#G7I6cYGHh9>Ogsi{L{TWAXelrxk+ezi_T
z-Ld7Hs%*ibWKMbeRcVECv|9h-zD7!LTRJ@(p6D7pZpLXKKQ+!>Lt5`86a?32;d%8v
zxUz&|+x1&2rt(V2y0u+I?Ouw$Pm^f|8+SQ06&Y5{xwG1GU?_#N$!LNz68M&vDVu9I
zG1yA1rE+;$(1YTeL<2VBQ*OUj$s+#@Rmu{Kls0haVHpr1b$*#d2px=sMd6psIMc~W
zN)cBW%%R{9(1O7+z)vZ4H2&^OF@qg)s^kwKVYqC_$qDNA&d`IoQ|+YQs9dR-Or~eu
zsNOMy39G5tOV1wxTA3+pQpEjZ%r;XSWB>Iy(PZPbB(L~2@J?8suw#0h9v<(eK-<-r
zvv)QO7Xl9Wcb=yPlHvDXl}?QSp~F+mn9k|L7Wqnt5lPiXUG<;=Vpj+f%n7ljVmdDj
zd1r*jjmP)29BycfS+=4_F**9~s1Df?;i(3?{^30uufbYr-A0>a%oE_;N>cV~5)%>I
z&knm&9lNsk>mC>${7y`)QbH6K2RTEQ36`QU}&K&
z>Q}oi2qmpXxy%S3Ao=g+dXZgPPYdar)Q3}gjHerg2UDgp5~%sZgq?(kL-sPiFQk3L
z4F*EqBQw)}vZ{>P*UT4br3=SjZytLgC^eE{_Q>ue!xjD&=>7<^J`n#I7`oL{$l
zBv-fNW9)aL3h`XZgc~U%J3={f(8r}u+a_ygy)NrA^$#zJ(+EK!ijMI+ZE;d_Gd#-;)X#Ehy
zDZU+_;62;=NS2_^HKD_W3xMMn6#yJ-?TiNfeGsMagTZWSrX3HvauUY&Pi1CWJ0;VU
zDv|jzsEx0gGny1#5g}l7<6BO}=+#x8kwq@Tb(Rv}o6l11bLuWEautY99Zx9@<+*Qw
zWmV^j`}mk!C9oTDzsxH|!S;qTMUnR1O(64vTx4hFzNizT`WSm=i#fI+Jee7kqx&Py
zZ3he9^26q%FNbyhU)v6XxUc7JeWMZg9RlD8H
zTGeEgRQx|JaH#U~x{i+1YFRla&p}wR{VK5VvUc{I6&r6-NmFF4_0EH4s6B^IG_}Ye
z<5;QsgvtSrIf4j%>M*Id7K&-U?)2V&duu!Gu?c|ejSkTe(u*#e@Q4{11p}{PtK*i=
z>(KVEL14wi(w%v=10OJC;HqF
zR9hKC`s!drzoZGJq@UB$cun0xM6by;y(4Z4+Lt8M(Q~c(s;X&QFJ!{=RC#T?XI~ik
zG-n&`9gM+`N+`$1xUe5WcUWNDj!bv!zJwUe}z!N3Py
zSdsKENg9WbWWMKYi*5Bdi7s|xCWvdA2dqe@
zWLSz|GEsFdH%Q#XFlC{jV&D4_
zHnQq3xIV^fHO(1QfZbUp;0_wwm)uo!0YgO5H^PI5-^Yu;)eKM}4g#0pr1`};cgN}h
z;MKnK+`4*OSys4RlyQ|(z{$=8N$j3ylq-)?1rpzxY0p56l;#bIR!nD-sVNm&F;GITk*eLX6<+<}1#~
z);|$|9-iND0GVyXku^P1FQLrMrKdFT8R9%}I={vY
zqg_2}ci-Vw@Hps`*VCMnTAh_EdJdIqZc{vO?*C!;adN(0&(VQI_{W)ZXNuz~Oh+rf
ztIp#T>9_{%(Wy=|P1zhEOJc}A$IK5dU1htU4pSkXK_sncWH)3wEVt|x|AbV5?(IkV
z;_0$!?GlmH1Ztgx`SrD!AHT_{`pkmZTp7kxl>=PZH)J&GCFhV~=ed$GIm>K2?O_65
zhHSV^)sIr>$8deNa_qCZ!3jWZf4R{=o;fGi9gE3C{1M?){;!q25DMC{4=n*CnlcqF
z*6hMHU-IvcE!`>Mu}h31oqTlHwkn@W^kwSBD!#Mt#$$R<8i2*$7k3#%T#_T8@yHt{
zPTA=4n#dn-&sx*9ex|(@hjTW{uzkl3&y$7P|K7PoQN2ci2z*xC;6q3V*dUmmlkAHz
z`K;!A;x9^^w`oVm?TW%enPFPW2-Wk^CQ@@F{@ErL9-zVZJ
z8T+M+D5FE=PT*9huxr*?iRG3{;Uc@yI^!qu`Fq9*PDJeTGenT_qNa!vn(Ungk(VUp
z0dtsK9C)%uk0?-r9vuJ+(EuYNUZZQDB4@$t)0wen3+_i-6oi(|C(10!0T0#NCD+qA
z8IpJJrw0UnzHx^fZ@sIT4IB)<^jS9mcw&f{s+&vO&1%0ZKKQ@3%m8}Vc;|K0upDtp
zvMY6)AiXw;_^n7_&#ov#`@v|Y3mdL)yZ6Vyh@&%uCPzo8gZJ^%q`NNyt{tlB3Z~%u
z$s{gOLkPPHaLht~=de+dQ7{6h8zhJIW>UoGTQA6YnX$q8_ajLMk3^7^*JUHKsJ
z*5h%PGJ`{`;xbugy=!MdL}hyNcxv%ZmixXqaGDDLvC(GfR8m%)ib&ejjHHc)f+!Ee
z=+UAUAsS9__9vHJ)zmAZdKwo%LFmtB;4G%rh^TO0#8eJQ*xZoOuaU-X?2PZQ-VY%k
zxBLq~Usn#O3n;?+oOYQ5^4IEQ!ZVMm!jtOLhxaPMK`LH3)Pjw(~6Ue!%Fn6v>#&hQmVMWX1qIwS01c
zK_{Du;Zm!9hDhDJ*6}6R6kWzUG7q=DH=@k@pqjeobbxF&-dt;RR*(%?+Aimh+bWFq
zp6y>
z9h7tNMeixEnySyv7PiK#zM?e64>7Q&7Ot8&+fPnet>}}peKcVXo&=7?Bo_(TN=$uw
zjjRfFP&vFXDE9-2ums_%O=9i52LQGdi3s*8%dhf1`m?<<1cN^~+!!uYw&pD+R>K;9
zMs6Z3<7a^(-cF$x%Z>FtE09#9JAT?TkaBWY0_sR%T>sT@eR7U
z7{K_Uk&$dZgdL~Gn}K>L*`oz?l=Jpl^Pz&ODy^A)lCBGm^rq1*t`GZ9eB>Xv*D!W}
z4Zm}s{I&bj`o14boQ?R1S%;fPouuj3ZT0cd8pC(I+P`FykSD5X`dB<(-WLZgFAxVg
zU6v5$?Q-XdQ+N!CEV?q|{aImLnnmu3V3Y&1?%c5*cAEl|yyh;6P9(;NuPoXeeiS|r
zh%tK<&f4&pkg}l36b2^qSYYa5$d;Uasr3(naE1`%bcq;>CYN~EvL;V>rL$0NQBHWN
zVQi_eAT;mlG&0~rhWEw4EoX>nu39h9e?^10G__P*BOJ1giVC2sQi)TzubQ)qUhmue{x_7D=L(K&LAZFXb`7?a95x*&CB
z7!cJGy9W0Y@}w!Yk&5{&LQkhD#t6d2
zog<5-v%gi0>5D@?{~;H7q_G_v`nfr}SzpvI;CBBfpz1kF+Y?c7JjPt(KQs8AyC(K7
z&VTU*^O=FHkt@>7U^YAi+@N6BLaVdjU%}ci+to>+EkmSpO_{{yAun!IRPT4so6nCp
ztC!m}wO(a0B6&T<;Sx!Cika^viLHpGXtJ+0f%0p8&l<0ZI%-LYlk2I>KEo&VJ~{yy
zj(CH3lBrY-o@yj@-BBY0h*h11+VCUZwf^DT2TlP5YOZdt*U?$C{VgbT;#o0q$-{C$ytn*8C|hyo-I1qcx~vL
zs2%bTyd#VKqzw&WLI1l4zM{+acotlADHez%b~nKA@>WA#BrxrHf|TgfF-SX=^DDMU
zQf0c^%mkp=P1iRu&~Z}q<6+WBNQ))Ywo0svA+L>5VN{X+C4CJS!T1w}j%>qBnn}m$
zVwrq4gp$JS0uqc~IzyK0I9E&Bz8^-M!kzHE-IZLD@)f}>oEdlDusSc3Bh6}f*`LLU
zA^SD@W_j{c0sxMqOI<`z6jmESx`wNluR_&+yQ7JlVE9V59?tlh=Z74q$3%}$|N@S
zs^XRw0Tov(6fALiuzP4zI?Y5SbO|Xxh>|yCBP%ti3CvU3a5VKSj#&YD+QVx(0QJLeAN+IVTvhgTw)T{L}a-j29~rd;HCm&X!~+KX||3
z{2Uiv!{CaLMkZFl5Tu38g!%OgY^U4H;nsDLsC9^p4r=Z7H<2aLobJ{?9kZKDM5
zo^KL%y*7~i@T$Q81GHs?^%{};^#iFdSE}6+#s#N%cpgtMO*R8Ib)(dn)QkMxvyuQ*
zAzd2*ME)ISRzf-3(OLRLQOzfMpzCo7&h31OP`U@J0_57Rg`BZv4A=W1h5i$zKX6oL
z?-tMd3pDwWb%~B`PZw+Ca?Cn>6y2){hX0>Z*+|Xdv-0J_{6@_pAFZqo9Bv;93uFSp8s#P7HPD^EK;w76Pq
zWSmec{m&i<{QP71SmByupjEjOAollaim*Jd#mm6FVh`DLLEx5ALq<2$X4$c|y;bFV
zpru~Sk_TYpg}L#Hg7SkCPzqz1DeldgSLz8}2sTc%=|&G96^J9oEs{7TO|!9Agm4kM
zp3F!0H|3!Zj90k+Yf)MZXe&pYtieCCJa*?vCO
zrCs~(_M4+76LM$^*oIHtO!$kVx%FFxgTQR&VH~@Q?E+nRS)4-AJ8oJg9c-nu>dXx|
z5+!AEh!9XD|hoq
zYEn6Y!S*(^sgWhIdE=^Yef(JS@%+FR$^jzDc9?N*`i8*hPPfpg8L#+3AixhgUaD#d
zJA6&DZ^E{o`_Z?xf`Ma*+(Fg2iBO9q^DxJz692q+$na7;N#ZsV^|5`?Ew;_D@oeBv
zb+b1_K_9z-Sb6Oz5|7;yLOAcv9qD_S2W#3_(cHv;wP6e?A%-wNQkREj?@Nh83|FYpmD^xE8La~}__KQx3z`fM7uhc;uKam7#&XP4`oG!?7T$!@PD
zgFjaPyVOS_>NAh{X2|OfF9}Uj<-twz`_l*5n@1B+qX3?R671
zZ!?N6WA_KFQ_Q#TMB$S+#i50YzOa{(lc_uMzCQlUC#{5&Saop!p*X8_|MYnm1&75|0hdPl$64Nb7lU#D{NZ`5
z=@6s%bvrUQrdN}T
z3=g>0pz!tS9tiIh0Z9%=v*cqPwqok@vHf##0mAQ^Sxq7MLLe^ns9t^vT`^UI^A)%7
z6#+wq`TT(t(s;JE%J|2PcISvgTFxLa#DvL4A=xPh(H`LF`mEY*m%g$}-D_W-gBJ(!
zAa~qga%Jq@dPn>vAfUC5e_#Z(hugc`6Kye&@4*(4
zpxvzp5)JnuHB-arG<1G|%k(NPW1p+R?F4QWkpr}z$-|Qem*0J^T}KazsGOGTVbGPmQgNjY}+K5AbD7*bq?+*@cPkO41*j
z;Z1&cH+v+e8r)Xf9SAr(DMOZSOwJ!j->(d3$@8U>sEtAto)f{*tV>MUvm%&$*LhtTI3FiWwSmY4-D@Xj&r1GMwh~};
zMSeq^5N27QwPu`$dKF_eJ;XoH0bs}|iZV!6{(}HNB~XJ}H~3cTux8_ZrtG`n5?9vy
zBnYi3d(U{=W9!m1qmmu7qKiQ^2%KADNdzWh4bACzF
z?bXnIWW~~J;2&0;7a8Y#5dbJ3m3+{R=FYcA_@D8My;TgIK#fxja##>GByIxQ+<@pbk`R$B>t
zq6eJyL72sj)ECc!d5ripe&%BUFK+L9h22&|Z!)3zfUAVUgHiVpUDl
zPX_`JQLyVRn^~Z@xAcDAZlvz5dGH2t(wZ@i1K_5FtO%=*g
zr&PXGfJ-|5Yi(1>k4}O$?Kx9f2Jttnfbb+}&10STn^yiAR2s{z*sNnlDHzoyu~a;E
zJ84~vQv|vI>8~z8NqXmAd~v`?reaQXc~8C3HCZ72^Ej(RQ#%HBz47+wbnTG~sbXc@
zCAB2+q&scZMu~&ps2v)UxZN$ZWj}e@`TOJcuQal`+(J-S!7TN%uYmkOJBr%G6{cXt
zMUP;<1Y!Y)XHJaSw)fzy_;FCD!AB*1|Mff3$>E$o5Un^+yeyRZAnQ9a@n8vb6|4AZ
ztA2nLjfshND$HBh=x&%yIY(@3TahcD!~w^%Xf@EE#pNF{EKA!P!(%IfC-?i}!MatO
zn?DWLQTVwY^QbVZZai54&3D7NVUY{W-5N{em65d$0^p~?+EC8QU0&-bva?XTkP7Bp
zy>ho$24&;^5-ky{?ut;OrMYiLN_)t(iz))O&lA(NkZ}q5nUEM}l8FyU~e;>XHmW;7HrKRmm2Erf!3B;T94!EEJX9Je5i-f-IY??@$+(AW}>8GXrpc@4J
zZDFY!1HSTk*Q}YF@`Bji9{#}wc}-`mq9zX+&5MuBp5*EkBHTpvdQP$M@OT8%*mdcdG3!a>`w!~?+}w%
zeH(ff;0UwCk{Y*~ik{iKh@6VEao(QRIrb|^4KCzWBBK7Y=l+La48U{;aIuxQfQ%oI
zE+b&Sp{$HS`U(r2PEVy!VfeLrBavdN?u`1!!1zX$cE)3Bz(dPf|DF|!XjbGlMDv-&
z=S}3bSseh-_#STEuFsn6HV{gyvsQnNo(47DuH)ur4hD*E5To=p*ZII?5tC2Vr)?8c
z9nCUlnno>LwE6NZ+SRaDw@cK~+_)j@j|n-?PBC#Q$h!zzF=t|a
zM;`xs6{ON>z9BzJ;kNBv&%Gtq@cEv&L_N7n)?Vk366U2b4_e&f6Id|)@1^vRGB~J
zzP#49L^dDjRC?I5H&k~=BrflZ0F{0nn3;ig*j91N{ZvhVgr8KGgtgvsh*X5LstL2A
zcjZ|X9kU1;TwOCw#Y_z2aeb+v^6_6JOaZWWHYPu(xi2hi8yP==h6FXa{Ly!?l)-=J
zMXpj#48A~0s+S-bJa%veB%B@%7Zs&v$GOHjiC%Wqo?mE)Fa`C<`>JtAdl~m=z-u0A
zB9YV()Tj1kVhSw9l1KN471I8Xm+g?UK`h#yO06Z9zTI74_Xh!K}>L^p$
zB;e<3j9d&C=q-+7;EE82F1>CPrZctyywkJU>Ut|xRW~3`=HW(T9oIt|5U}0(yX=s4
z2Qn&sjQu)DUk@@jUX*c1egSF8t4oACT2Q)L5($ImT?tyjS8G?C&LI`E_IUrZ-(;aD
zYO43!3DcJ+enKZnceVO#f5Dx9v%H1SPIrCOSgGYuTV_wqlBjh<6wnPJ
zk;A3!B3oZlFRE2)E7r$NlB`f6F|(jsoXpWOG{Ld016_KxrzbTqnEiC?3y+um?j@`?
z@!R{okI#HHQ@&B<*Zy8BQ~(Ap32*#29}M8`Zf28@U0$v9mM(8J-wFLoCA(`OHT-8>
z3Y#_iq$DtIdD45%GqeQgTs!9Uka57?em{gGL**WYs0Y$v=NA{4l*`AdZ&7}lT5DGZ
z%|_W7mB@Qn_A=lX++1!+CF#B_4_yl0m~;Olx4{PFCuLj^9}6m^6%$W;lP}3#zlDZ?
zVLP{UT4*azI<Nxh_XJ`WVVh(ovoiRsoo@1-?b
zO*(68D>nAe1?hJ@4<>|8U++cvKDOVgrqW+t|BAXwiD;553;eux3>L~uZ39ZUD3847
zpWo7k5MKEP*pW=5@qbo8S-?ZRxzW%ZzIP@Il|xK>c--Zvw5;X2@?}zw^)`yHe+6Db
z3PvdATBcdzsj*0CwNM&nGc>yMh0i7Q4l@@8tXuyM)iqtwq$^pfokyou08Zo+k`Y-p
z2?)gwspl774o>frAQ?)j_M1JGKG*Tozjvac4DSI9tH1%G*f>QE#br>vC-wzVqDMq7_XFH-Pxfjb(LhE8SJH>*2z1h|@+5
zv~WlFZyG8Iyt4DdYw@$32fm0)0T5L_PD-wF?25^#XZS~K*6sC}T&l~U9kYg<*ZxOp
z-5EdJ0##ARAA_yJhvSKI#!3Pn(TM8x;5fs>RHsHp5u08pCTqrvSaOZBi!Vw-jLP2l
zt++F(zumbjior?Sk4{niJDs_TDd8a)D$wXTz8Lt6S2r>Me$s5XOv*8YXs*lT4
zyh3p6Sbra!NC#(!W;NmPt(%y%DTYF(zw;n^Gk_x==i+R>2*75D-t)6Bg;4=D9%lz#
z8AFn)b2_=sb4#BOwS%9O0FR=a?8!nq7jyCpRH-zKZ&UE?`W2dJjIcvQ|EBeLYE(L>
zUpcE?3Q$I(b%4w}4Wy7he(l*a@4FE2?vmJpdU{)cvkyjHL{r;tgt1dY2ng}|mxJfu
zZTA2p9Ix54iFp2!Kg9=Q|Lj%D$*}8lZcMr9K+cOEk@RCA{*_6DpU074!wQdV9Exi<
zwxhLdV~B5hYafbGY3!1Z>VoL>5Do+cw;fd~y~dsS!)#X}2H<@SQSnl9XtkLho?2U2
z^<(uqtx(+>3l7%aYkt@($H>cYcNIeArL+tiBnr*%Sy)WK6+zkmC>ir(W8>OtU{8M->k%&w}Gn$f$Yg
zmss9HK$hNc)x3Ehk5$p_LSQbMr)K@Ni3=fXPi#-rS*pjBK7~%~cuiIMpJ78w1=U^a
zhL`2Hc~xXp4VnHe@qMtV
zvy;57qF2l3#+ZHpl8kHrE&!_m`(l3@ZwKE)hceqVa5FFV`@-y(HYUI^jMqq4KQ#{%
zHVEG`rt(;&tiQ^!d4JnT^_a_m7kRsL?g2{~;dN@73(>qIcg;PC8H73G^9z4Lu_R*(
z6a9!;d2#WCc%@Vgh^fubw!B`kJ*V?OFBd^|#1#PfaP6l@T772g7&`Z(5Mi9!aV*v+
z)4wdrwFI82roJy0Jqx6|L^(X{Kc`IgC@pBi42IwXy|*U^waVMV6+^FLz=-|DobC2K
zwhC1fj9Nt{96f;t%M00UdYG@?xx{DbV&OSHwxLBN;QlEBFkJn4Gae?^;WxPM}+p*7_+7V0v(>w
zoyV`em23v`YpLC_-ct7`KD44DbdWTd1wyvJWpuCB`N8}oHhd2_xZPYKu~Lo9l*BW`
zgpUtkMji=Vu7LZ4XX;%;ldS_JGV3Eo4ZE(xb-yVQs99Vfww@Y$_*v)!&3h3%$5MoyXV?^v9eXd}-}R#8hmqP_brlON{bLMf&K
z+hg>{+7TDlv%3-yh`csQ8aiMH`4@!|AN1wgreE|eFsXqfwB4p7c2n2~frrZ4$WOJj
z>w!y&`-h{e_WFJ{*EM`RDpDRbD(NqHJ;zZ)9kINtgVydzP
zrGWrT1c1X5Fd>IT{m`W8yio^askP{o8IwGp2HF1%f&mtJ%syudNf(a)SXWC>iJSRz
zLS;tzCYy+>fM+de6oS>5=rZ9Ep;^<-_5nus#`mwjkSq4O4DOcWH-u`DhOer@=ZjNo
zKSV7uN)eI#>8oai0DjbKrtF5F$d}=m_oQd)?Yh-uxZvg|3Nvxr<#a8>io)RKxsR?%
zR_oQkAV%9c%{~D)77Kxz98TShUpztzA5aI$)7UuOEva}iu25z!4ejO+LZ#psTqoez
zPufPtGDPK~F1Ga~4Knmy4FH$Cvl!GGyX^poC4hs_(rB0f`NE{=p<8wyMXG*siZe&3
zmyR=2{0}e8?Pxx93ZPYQdaiiYFCkY6D1d;iv}4bns}ASvA!Bx%qgF3RFK<n`P&U23=9xz>ADuTurYwNu>B7Dji~8X0&+=sB#jL-m^+h`6!iYf(F)
ztVYO|H}oWmW;g6WmI*9f>K=1f$u`bVZ7RVrdT{nml3}AC;-rXgdiVJj53>(Ti$7s!
zKUJ?$mnG;A8u~Bei0R-fiG=L~BoW%_w7<3IrdxfSOB5eTJ%b;|1k&}Vf^T}Sh$ro9wQW?sKyN>wd;g-Z&;=TAWWDQ
zcLZN=>z%dt;?|y0Ew-kcA4A=Bh}f~
zihe^t5nCj~V;;8}tVNlltDGi^rb$vNW@zR-O8a(mXh%xz*=Y=CcLV6cH(`^gQ(pDH
z=gFPie+Fh66kRxWIqiOw|DXVZQv*&D)p6U+FlKP}6HU0xjs)Z+<-z>D%lUvf@^m0V
zJjro~%n_>8KC}SaXFfgMy`gZ|V-sf^63dFn9o?Y|y7&;M)Sb)t!3rh{1aWmlPH?_%
z*P3-cnl{GrxhHGn6dGF{M+I@YQW?l3W42d%x-h<8I`)3j^i=t*=esSH5I`+Ktu!0+d|Y|D
z;-bKUK##ndz09OXhtCJZJkXKxJmwN(2;u_V;=8++ooj@Wq@F7udTr8wgb=IGs$ixj
zTQn3?Ecwm8W)2)ASu6UTK>UjzqKbiwc`~@v?gg}l$wV8kL(xe)ijN0=XRR(?3;V8i
zB>i|Vp5}l#u5lj4=P8^MnF#K`y5b$@xj%5d&I>f%JZ*VyBnFao9s}lm^r?ig?I`w;Ui)>du>YNoK?=oHm*XffLeutIVtWu47L`t^G##Rs3jbg1FK=!==ddkEU1PWq8rN
zSVIjsUsfGRPUDycmDqC3kbEK+)741v!8`3-4$(1O<~>BjfbjJFYC72uwzm~_8&349
z;{^z-T~+CWR!i-YGr0l3^OEDoz-{FMtwqCdD&-)S1I-{J_B39Ds^
zYg=SzqLb7}z3wZ17YefL&kfC?SzIhWWeB?G%!a^J&$DOy_{fs#I*yw{ERMNC6V2`I
z8@y#E70z)w9)2^pP`Ol3l#wxiicl{?1ljU-j=ZmmiJnt|Y_XC%QG){3{=3NhFSe~p
zcwslCXsdIU+qH6D9URHKNz5Unbv%D}h+weKaowpy?-Ewd4y-){jCNYDF$^J=FSxUY
z;M1gAX}1bgEVzSCQn(5&Y1sOO&NzXQnb4be95)krZ=*c*N~{OJp*-iBG(G;2^#nK(
zZxEQm2nfCM^S#{mL^9Xk^;Kh%Z5&VV4|qp}s8bp1(p8I`fBwjv3kV9QR@#pon-5$Nj0sF$5?Gcu4RNBEWKK^VkMd}6-nVxXW
z^$I)x+np=jHa}5Zcz8>4ivB;%ut(Ylyz+OqwB
zAry6de+Z9%?Q)jK*}IFnw!xXV7RSK+_n$ezNF@d0F5p$hwFug>_#T`RtC_|)1GO$-
zsQ&1Zu)aIiFLFik0GUJwyi+?`1mrJlofO94gd7n|T6i&d{I<6#`+Jie16;&NPM;bU
z+v!b;7gH0fournGh@Nt&mooyuMWobCU3Jba!ec&nHns!|MuHo{P)v$P;T>RA@0B-sey}I~Ui0*i1W~9DHUAt1FprR=+Nm#J$1tDL}hQGE<
z7%cjD;2ina*S(t5wgM&t^KBIXdCJJ`$@v|<4f+SORAHk=(WXst>^RK0)SLV3DyrC4
z-7Do7@DUcli>RFQ3qUVCJgX2i%8(ztJ(`qy{$n4|Tt&_(X9qSwG!3B*zz9{+1VDrA
z0Z?=<0_U+BE147e9~&8{rHYo7v~kUB$pM#i^_RH
z@YPa|d_^E?6BP5B_p~Q^a@*lbhPS)E(3RA>&iv}8_jwW;m5R~HM6iGZMUlokPiKnM
zCwF1^_5R44sdO&=MJE-vhh7Om!=&-hA9>9?&?4(Av{s>!P~&AS5w7#KU{*W5D_mHS
z89Aj~TD75g(0S3Q!O7#Z``?%Kq{4y#-Z2P(^%B3+C
zrE43oIHqM4Ja6=qLm>aWd34ktV!iUc=;WaqOcK0Ps1BoL$<#dmz^W~67V@D~Hoq=O
zN%;Ir7P=KB7088(4Xxof<3};kB3OL*X=ej=zx3Cot{n8
zT!+WU
z5a;o!`u{WiRE6X=9tq!ygq0yOcPP^+w~3MhTn}`&{_69`VNzTtKWWpG&0-qYJqF)$
z+0Gq(&~dU0&*%=x+rb+*WPIZNZlmUSv4)VSbh;8Q3Wz3;zAul~8d)+>xBMZfza~{w
zOvpb+=ekp>hg!Dcv4n5v_WGB+
z$dFi9Y0G^=Yq}P>ig8@?_~%9RX)mGOG<&%Qt{J
zgUXdEUi_8P|23%k&&9q^;sApS;b-1MtGEM?H#7}5y}fM6l2u9>O39h5j>4f}Ft
zKnq=CZ{X$k&9^Q{`Gl;zUG0NGD)-v_K;S$xd3cD?aG|LI9kn9q!OxK@|JFr+M^f{p
z-ruurfAX}mf8z=KS=YgpPfkb8CZhINd_<5AlZMoA=^V9_(}~Y~P9O~EoGQVD7&)O#buGt9n{ZWyb&*ej|}Z@2U1^A~WcnrWSNky-U$b&(%i!*G2pi^!OigzB|?TwrGzJcT|fE
z`jUYXMv^)JLLf?59bwqru=$%Z*QMiL4)bQ
zDwx;*#ku)Yb_T4%{R$^5z0)4o%>-H5E2^4&rgMFq^xSvUq<^Ix#<^54l>ZJ!|C8jE
z{l2&ml!qF3UV^4&C(sDEZ3vW9ZbZQ@fIcdH^omB}@bTBH|8{HQ6nk*g^Vv|L-XX*U
z?^wmWa{3`yjPbWe%aurppl*Ja|Jw)@051j<$G=7M8#eNLKqod&S_)`hROu(UZsv$q
zxAqxTUsUg~@2=ZdOqrzL1u=A
z^WhxoboDBSa~H1AW7JB_=5_>>bL>OewPM*&UDVJ$*fu&6*1V#D?c@^K1l*+$^X|ue
zq7$Hjv$g46taJNJW4QvCgEf5|3S3|AlR%7yvR!L?r2Ayo=V%j1NSwx+S1Mi50=-ZF
zL%;~2-|V$>pT@1|-tGso*@BCHeXQEjVsvij^IB;*#^&T$gYL!uqwehUg!q5JKSXWf
zK>3DilhtlC(+(?Q`E^(nNWxea=(^iF?5#}-H#EVz@}~$xLIw~pC^}@r)pi^vOZ>VsjzQ}$>NHdUnrwzF3LgXfXj?-Y
zzsI1Y&=r_~!rk=FKr1Op>8O_qHm9~Pi7VMuW0Q>7BI$s(hX|Qs<6!q9qt(HC3?!|)
zYTXjv5F*&LvRUrLg~D}qudu2fKKq@X{fo5#1P7=drWN$;YM0PWGRdL8Z*9LH@(k)gZDS>xu5qq&NR`ky7FCnQhB
zaUwQABeJ`|d-1(LaKY$@8{9aA6-ufWdc#pcZ}S{!SEL~i!OXd3K-;l3tHTZyRJ>wp
z9n`X##s7k<9NF|1tJ3Oq<7)isTZN{EleO{{%+KR6j>VsuBMQK+xANI#e+50vo9hkO
z%wKQ34Vz3Go5Yo~1=ZA9zZt>*aa1V9RnQIVaLl{?V5jk(O)bT=#r*0j!)TqWf}CbQ
zaqj=dg+6*w=($2IdXQZ0w(y+4KE(n<%0CUl=IIJ!_ljI`F|jQT5Vt_)i{7W1p%Qi9
zYLu@8X}dgZX?_R_4v>Ks{wIio!KTRG%kRtc5DB7W-!7Us32%Sm8Y?)x9NBg@zxDeV
zrQ&=|P{t7upsV3lJK12-J#hA8aChU(OHU>m@*m()q&D4z74T-s3TcCv<|a$v}!O<^ndc$Z<9jJa;%@(r^%3WoXvg1
z$W=j9LhkBwoK<4k2?}9`-L(h%IkMSjw{K~xldFE3`E=vsM`^7Q2IomhgcbfZ4RjpR
zwO(HtMDl?jAOCS(i(Vt|+rGZfMGQzz{EKD~egKv;oIWwqL!r;fU!!SflR9Mo=P4Es
zgf#i$_^SWiMMGTkovgn5Ty$5=tXKV*!TZc&GrtJ~=SSqjm5(HbvY%I9!#jG9W-nx}kTO{+;H
z!w^k?Jj7K$7PU*KeW2v3{_WpHU_*n{O;yrts)xD%Txy_DLMtySyoYjD{Qh$PXJzpp
zRE>Y=wS{GWVNYesK9ABppAUCdRV2jm)UaBc&O&Ne9Y-r4C1=|9E~n@l2JlPhs;HQN
zOq%T4DelINl%E0WHirV1(4`R#UH`Bvl95xBImjgG=C-I?ZfgIQAmj9S{^T0c{X>`N
zKf0~nE2`oO2OwakZubgMF0cbFiYjSTG@yZ&aHh*+rY#&=y$hPLAANslJ_V|AIOL}r
z;PtPVI&ieMwt}N0uKaFKzba6}j0(!S58~H4p?k*W=${o-K!r{Mw3%{;vCTpW{o@!Z
z*+e@a%HpJ)U&|k*9=J8~XP)>o1^#)NH{Hy}<@Go=%tl%}SLi_4uhy0SdWGF~FsBZ5
zf=>JBTuo4jaLEA`b-;+5$rcIL^(aVoO52EW)(wEX;Q-
z-vNPvX&-fHU0tjTzmfeFSM(kQ$|riu)yWC#j;l+%3*#qZoV5}E$qxZ7vFusU8)pkb
zm6kHo{_pVVh&oVe-K=?_#>w`7@VZZARXj6vwPtB}Ojg?Mfo=yi75O=GZd^{tw|?Xt
z*+!tq#PB#l^q!OUbI?k;fAQwUZF!9s;?+1&I~^xQUP$&=P+dIQ!;vHC?im+4A$)E~
z{%}1Xotb&IGBscB37t@`pvW|OTKif^
ze!RQZ#zVdb{Lpwf^Hs;MashtI4Ate+Ucw**P{Y=;(GCAUOB_t{?XghXS4&
z0BOQU`uwi8-;_{HHg?q{FpPOLHOMK!;m?CHs(*$?C-N$!u9;vUP#kwUR;jZn(x+(}HY~Kjbe#6*@ETClux#|0`sDGy8F}j7|Mt
z>v=~)k*V-7Oe)`G_YKIV3-Wj0%Eq69w7Md_^K-QzLmk_o8Y3t~8v#DfAOL0WN&9ox
zH~;s*L-GeHs<)fFaBZa5QI!Y*{fzGEQuVOA8sS4LfV@utn%~kS_IO=`)&~!?h>Ve4
z3}XWOH2z=g)8A9+J9dirb?AA%jTsXPY<47?Oo*;}2TZo?rlW+o)
zPy>@F`ae!W{{gw`S$R%qf0^ajD2eE*5RL-axKYWSbkf)I!7gvK+(Eu>$2gZmT;q1O
zIX$4Nm;kz1%Z-1~#r{$4`8zNX*!e`oGZd;Z8^Uk%WwkdiPOC~^XRS{5+{#3X7MauD
z#g?Pp5njSDZ^_8c42CN=pI11oJ-jXX`K7`C3T*zH%4$(8s7b6YcG?HW@!C9C;QTP*
z8u#r(+||4Scvc+GX4NpiPi6?)8_T88>QdABx=Qpy%$7pF8^2TjYQHJ<=?GV)snS{%
zA!ByNs}$d9c>H&N-{80kKsM&(T^M2l8h?Utpg7ku`WgRUWJDTX(?6;Sq^h_zpuu_`
zr#Tu3&FEav1C77jN6TYMS@JKjN+YJfi&gR}E8<5Lc=R}|Pd1SVok*f4)uAC1UOb+&
zp#mqbapqX3>&nT<+w6zTw@s*8+rZ3qN@<|YyZ#tTk_sY$RgTeHuERH*@`K35`+2Cf
z1-bwtl~q)P;N*AerP?SBOVPKWiX+1XKXl3kpBG34++ODD<;il!+0@cHAK4U@6EX7s
zmJ2G8@nQnZRG>2X`Inrjnzr@GfaQ+rP)n~A8b=-fC9uhB01o0|p8%ij+Vy;gG2T_o
z9-jf~mB?LYazVq!;mdU*uB41RhMjzymb~BEszyq5s^2`v8m&*3#8F4C?URf9>ra)y
zMC~~oO_u3BYz)`<#B>T5#`JJh`*AZf-Ow^sa}ivD#PJvgb*nf*9VA+A%=j5#&2+X}
zH&2Hg#%oiwu+7-NkG(<0OV+4k+d)2-pD!w!YRp^<34qD_QJihmz*+p_oEOCgK|Gs6
z$Ls1sEmk-`+ooxub`kn0gDVl$TRS;J3_~3ZR;!fByym3e+6abp7BzV$rzZ7bldfzB
zAIX!KDz^_-bpV2|kHB9!oA@YH=-^O;wrSyK4$^Jb&fo;*v##cjjn-h$GT!i*F&s+K
zS_C#v4#a_fD!vx>e&Lji1i~)(6q&?}%sk@*kb99w`HxEiuL`y7
z+aokE-v2&Ksv@*!@Qc3`RaIu<^gL!c6M5?kG+!J}85Ciz0PV>Ly#(9s(tx^}JPCj9
zJJPQV=l7QLm%C`+TOSCf7GTy;3{4_%a&bzwP!8Ac)fjCI7HNPWA;M3V18MVzvghWY
zo&2(X-{DyIX4RWcttx3f7nZ@HtARLv7msQGSL|vxV2`tS;}r97I~RhK5_Vnn+|*&8>0o<
zQvwo#Y~ho;65H2S1W_YrFaxP5BcGQuR6`Xd(g~Di(d0Lwzhx`buK3eONEyH6
zcL0!%Jz(DMLZ3>%WPGb~2X;IA5BozgnD6&jtD=_Qtzk~c2Ls=MYT8chIeN0Cyd{d)*2pT;-zvx?D$pR|0e`EL%_2`yD#Dm3Md2
z%-EG%40X95Z!{F~US!<)-CJqH1lUv@<-^}{`nmE>dNUBk3vBR3UCdEUyU}C>8_YNJ
z{_DeQFvqD^(v?7WX|@k|oHPJiDc|+2k&MiPPd4uZJdDHn#DXi?I)t}+V_`SFtBOb6
z<0oYwkZZ7kRJ|IpeRT##Fb|AGck?L6%GEm1w)b1NIWpK5TN9iABIwOYK_^8r`Hfs|
zlfg#RP#SY?&D-TP%a)^k_b~zzkx}3ny7gi5gp4u)MbrtkCnGBz!&azV{;7{=EDw(3
z4Aw8lvEb4xzXH)03!wRJMpsA6{aI%zPQ7!;47O2pK*(t7`%BnuRt6-~V}nS}!7xs}
z-7;!U(4P?}JEo#Izb+45EFU*zg9Cv&k0zPYHNZw$*u4V_%`C=&Y}z5y%pYnzSuS;^
zIjr<{7St4pyxRo0vR(+O@Mli2r4oNljEYg_y&X$D-O=i&%W8?Whx%}A`PdOJnaKWm
z)V>~-*Aqg;Be$JC0x?kbk??ymzc>=`i$#1NR9?(IPKM4!Gk=Z5tO5(cGLS?x)O1oqM+jL-cX`GwHiHQ
z>83g~&caPgp6*`1`)<&ADn?1P^#sQQx36z87-6;x3HG0>?T;dh9Q`|~e-8T;70Q#}
zu#qrsffA)!g_cZ}ks-h_<*_~O=Gtr;z3H8K{g)hl7aNcvA&;3{sQ>YRuY;6?vlu8!
zU575)BcKEE_(jFmZT@y{VDN3Ap5sp^Py0RPIb$%@U9e1ampX_1zS=f9z$<=cBYv5#
zhlzg%#^4;>xtN=Iwh59e#BCWrc7)8a>=weDBj^a5T-QdLCUAnl$So5uSyS!4
zT+FtYhG64D5I~lC=gSOH=;5}_Q(nx)??91eAeh!wGnYi%|MPF@@fslg*#-bfy7qHt
zhr=0ERzC+qS`vjia2*d*J8SAp+1|VJx3bCEn&^S=_=;-)%CC7or6s1B_rIb-lD
zBZ0QU6{bm_Bi+y8#`kXv4`}w3afP1^+DzTyRO>L>hn(lPt$X5Z
z9RP-*^YyRJh3=wpg1AUPaV0&0XNqq*xw@U+B0vKQ>@!%2bwj%^PDn9$FtR-JiVwpn
z4x3zsHr}gazo%|~T@k)j`!}pn@d{{h5Gx{N3u^vgqjjRCa9tE#Gi(GR72DY@Pd`vj
zCmnh{%Fmg9m(mPDE*^2KAkP_GtG$h)4I{`MlXomW;l3n63F?I4$iHq#
zATF?TU9W~gqm3|g+z*!uZ%urvF2Mb_qTsI^hE4-eTs=Wmr6cXu!yB3(K~qbrw#%nX
zaUnq0Qh$F}f<@@f@tpR=Bb77nNj~wu9ex5oiqmr&U1e}zblDfaqb|ash%aEjG6SHF
zAdRU!*F?9b==CCxABFq=RX)J1>__Jqv$=J<`vXbPKwftuPUSVih7*jAk{?L6eaZKZ
zr1d4)McgxPh%n;}F4G}oY>QP~46)A$c_?_G<)Qon#246IWP6ToV1n|mS)F2sq%BX+
z9XR3YgR9YeRLmNDCcTYV7^0Rzuz)<-@wXo;0)D7B^#$>%5}xO@w{n;Dx}f9Evg`iJ
zta`3DXnY__m<80?wZ1XX?WXQaK1XzKE^}7yU|CUdeuC?Cu4;XvJ)`8lPqCI|S>#xn
z19%l^&>jGJ!r2g6$!!46u+y@t4c24q%g}?KqQSLWDvuMj-vGS@O)Hljh>=Mk5pR`H
zsZ7?FsLP}k(UETmG>2bb#j!NQ!b3C9`dn4R>Eywpk@9_3F;~q%R23n};0|}e+Pzjr
zb;L0=dvse7H6qubbBaZ~7term`8|Y7#I2dfvbX;y=M7oIN`Cg`H~d=$ixfbG?YD4#
z6i}8A0SdrQtHPnKifPX6YWV={-}sbcWo-sMlup|L?^IaBX$e;Y4kB9`m(F&8ASfj1
zUYkAyZhaD?pZdoVTycHTQYuMNbqoxl|kR`+wY0I^F(L#J%-bqC#mE~@G
zeNe!Lj;pp3b>?*BWRwJ=`9DRnU*klwU33xvrq4+rarNQLKxW^w0F{qd8g-)d*ZT;Vuaq4VRB2g)XTL_SxRZQ=p@gW1p43fPxe>2
zOm+GEBT5B@%d536O)f$6QKwj}2fPM4S<+D)8!q-q*zV06lwkL+v$*4EtP@#W!tO*u
z)+3bYUDzag?}Pm%JiPjRlbm#JqY=$zcX!Jz_lL5P9MZ7kL(fuoymR7Ic)~8I6>)>~
zah6)O#pWbFE@hc8$|D4#=9UEm-dQh&rkmp)yFoA15`|qf$M1N2k7?}{%GnCuBnbZe
z1iiD^&3#R=+T+%!^Okq1kT?AX*@8$OjX0H4%x=F%U^|1Ekh-8HVf!&RKDV>p>g8;_
zhnl()ROvT0(Az~V#>ORY^j)V%&O=U;lT$JsTGUFHTOIa#;G0id&f$@N2&r@U_(@r5
zX-|464RydjkZi%Cx${HDWDM_wJR5ImyMekuQOWlHI&?O9&m}=wqD3w#wr~5C=qnMS
zD*Lx}K12+ECkA@RR(pKV@@>QnDZ9&PZ*$6nG8rJxu4w77NV&tzIr_GaH!d+ljCs>c
z7%YY~@okk?p65ZE$Ak=)hL>`z_30OVwL*n6D}1G7!mh8Q?X|&zzM1kr!~M2Ha=F%B
z?vIDg0YucSG7Q?%*GS-g3ix8M&ea9wi3`sg4-?Q17`aL8jC@3dc1&HBi{vOL-g(lb
zK&cAs0yQ@teCot(qc59L#U`4S)=x>rK6N`j@4m3Qb3#qQKA|e!9~?gveCC-n&>pL5
zD~bh)8lqgDf!8+>XYuMoxS%mH@$8%^eGe#f7L=_)4#1zS!YOGR=vtuR72$%C^`-syPsw}X2AeVO
zE?@4gQv3FE3Cu?-Jt1mYGMnz$xIGc%ht0g$j}gyUkghtTq+)8g6N*AHAd^2a$^JN~
zZAl&4&fQ}W30dfhy=g&!*Z=503?r|*G-L)%Obp&s)7Z1b-c+0t;Z^87p1n}IwT@J=H-W*oDnq`hAvY&Q>hUvCrYq87n5g%hDheVyFMlaxH{xToDs*yX?fhdxSCh89Nq_#LzyK1v3
z1{H1Mv3zFww!&
zCY9sxhFqOKh|?R!8-I@}sFcrHh*C%!s$CD3)iKObMO^50Q5&{46`63CHwz31N`Da=
z8nrN%g#E#sd|`U})v430k=bl(`}D8PCNF-d;p{qcKU+0B;!s%NzLI7$tMw@ro^{-$
zmrD>PEe5$t8EtrUv#iGsjc2IZNn{q=BPoeOD;&b-YLRLMI~1M^GYDKg`?v_VW30)9r1v
zaaVEK3`sHCXW(gt`*_!(8#>hh&*;gMClN=brj~@NF3(LibDr+%?%(em+Z()TgXS{u
z=)4-4wy&Bq`X$~9Do3OWULIB5e`P(;|I#TY7*^)iJ+scT{l_hpGw)(D?=0Vgf5pwE
zHN6`qvtD)Zv8$DL(=9A}TvbAoeo79U;o%^zX_cHes+yJC7njRw7r#!IT2Hf^(BUmG
zWFN|MDSo&*&KD?xa1+xcDE3oe^8Z8hh;$%Z6-L8t^0Xix!CYG*a0bpc`xs+7m=8^<
z-IQsWx}eO`9jW`Sn1X^rf^N(y#X>7F$t)TXUQX3EPM&RlZL%MwUA`8_*a@q1I6q*l
z7C>X4|CCOeJAA=PsP>&N$I7EJO|_)Gwk(w-M^@9`Jkri_UKvftlZ|bCLGziaN8HoC
zL=G~3%wY(Zm@qN+)xsK=Cn&i+O|F(fkpsiTn3UNirWR9p_y?^UQk4JcB%w
z9TH~tp>do!u&#d7S)*6lH|_}k{v3SG+LkEz58g!5O+i+R2b7hJD%We1<>H^-Eu_FsIr81f_
zH+Ak|_qpdXvho>bNWHKq{GW5~x{FRc)9RJlp<2x{Ls|CP;`zpVLwtvajaSA>
zIOrzeo`9oX-CK^AB=f_?zFe+fyf{uSpb}h^AmiYgb)?t@M61c&izh
zu+01l_hy};{YJm42`1?qNfHqhldKXs)4SUe7%7+J=tbN2-l$o2)kZ_9%Jj3<$k_n&
zofHWY8~F(TOhV*r!ebs(-Yi3QVd2(Y$fv|-Jw=M#8=faKTAbVXvu?YxYC9gghCPV^
zy(jCXCv!sE>ok@I&$RpH`8?8{i(!p+9~8jtCZ(;-?yx=(OYiPNVfls(FGQ)@gHH2g
zi`T|uu-uMJvv9`4pa$LbyA9?hT|)Ng$B-A37jX&F*XWgMErRcXy6iWm~=U
z$(7C+p_u&mv0D}oA{bRJ>N6ltIi6P-U7(Uq4^KFp9@)%sy64Yu+i&bcb*~nG~-?5sY=QUx|4bbYLb++>td{|
zj-MU87UrlslLYQAO?!LpvW?-uLE&=W{Nw55J%I~&Q|B?d6B1I&L4A|z$n?~2KHDz%
z&LF(`%6}kS>kCoOdM019MHI=ZPS5v;-&h-N^VEU^OFi~49c{PI_8v%(h)0rd&Da$v
z#uig$8ldW8^Wnx!lVqC(&ng2;H_=0>yp^$S3QcY_EOen%|x%1x1)LlP1OUeCbv^qwdkOd7c)
z)1=6z(eTzqeZ)d}MS^NlAfh*|t*4ZAcd2tWIt@!e4EKSY9D1-yEI6f<+Df^1zj!P8
zPRH7Vf)aBqlfMcga*C18leQ8o*0mxA^Ro+Eb5FZ?r_K
z7z1EG*qML&W;}T2P$4OYZppjJI!8^H+Ov4pRekDm3a!0qOUGsKRA)SXAFw+wK%DE{
z7V$KL0U>a!^W0X(eUcfK=PERhe|
z0x>zS%bwMz9@j0dPIfjl&NinN40p6hKV5a8MUL_z8n)id+&fiBQ)`ES%_2#Xx#}rH
zBpN&NY=-}F=2<*BwY)c~RaV=VTy}R>d(9~E@We77fq$QpQv=HfiIUHt3S#c%8`6zB
zU@#}o_WpwEJ`FiKpo4rPtJ_HC|D%<7lGLg|9`Q;av*3P#A^~heMaA2dkv!3L7kyFp
zqxw*#>hWeU=2_YfJKEvl0ca&R%EHjaolRhWU>Wd*hQC__d6^{hFX={_a^Y%aO_F=o_ck=jv)1!3U)xBkdHZbmF
zLj|;8C8+8a11mXlf%gZqw`zJQMSqqmvC*!B<;_Ak51w^MmK_U5*Y*7i&DI(F?*4oB
zhy6iHBzSmuUw_U=aQTwz@qAEd%CuKiFD;iv+Ubd-qG_}iI88Rx-5!s1s`jq%ML-wQ
z_|ksNIle{r@(r$zm+|Qcp<+wdU(S02Ltp>AZ@irBXDLJgleKWT&*u$cBYmE7_}(UV
zB>|xz#FWOYAo==jdW&F)@q$(;qF(7B|5Kf_;=M4HvRCM5D9u;rHdev8V@Z;E+@ghi
z_mo}JUq+Qxu8;mYCr5@B{W+?{tH^i21g78ftFS8N5(4INs)`L)Y&?a;D@8O<3dV7soEWi+ZMW
zKzw6juB{B$(OQh{T+*pNPUyGHu#w38cKCR=HS3~MEf#EseAOZmvb4??TijdBeiQQE
zMb0wX1PyM)lqghGxuLd52j`jd5TTzw_gw?NR_3RVF=ANXgQN^Hp{F=Rz`h0y^rJBF
zV0asIxD`wJK(jaOi{5MBS60%Rz)K=Jj2Co>)GXV05}7lQN*#i@<-_`cVG*4-3SJ{(
z<-u-oi}E24xOX1%`#dJ4mG?s>M2v1yf|m&oH)JgIeK)Mla^5^rseLMytx!!lV4)RU
z^}*!nF04*ka}o*i@k|i?&MfRU3k2!KuyeG8ZWk5bW5dYok_Z*(VyZJAm&o+Hh)HMy
zhih_O=jQ5$c9^tv+04z9*6VPyaDxZb_o5Z(xwwFtKjZ7rwgGuo|5@3#{?o_^-{D
zBT+r3;`k)_fSD|vZSmmAx)Y5zR|2$HRN`FtQ@ieddV&y_Vx44HIJR&_vEKhGVrVwkW1iM
zv*3pN{X5~xXwmiB!qqcJFwt5Lx@aA+>~l(Yy&)$u(Gcmr^o|t1P`#*-0U3~LOWS<;
z7XCH_2L;6`OGIiqnEg1OFImnbLw+0uU=`jV2y1`?1}l5a#7vpGo#NVu=1cq(A`i?J
zuaeR{DUgw!{R7P#?lc}YzP?CeJ=vC@fK$;8h3Th4Eno%WJD-A=mS}(@oiy?-UGz~PRmQ_}`Td*3s+W!#w+A^^`tmJgml;G8B16U?
zgg_yw3s(1-MXxrspSD0dbwZwA#d39FV()9<^R~|TDzQE3X5_-u$#uxzoh_2^Jb=#%
z@BV8xAqq@9dDnsyAHF|efa;p!R)3fP=i&wNLD0jc=k^B)Lx1GtTN5@c3JzSRimiQS
z?-vgWq}V~i))%XSjdMWDI{TJkzg4cbOKWe0T1~2wPq=bw*ZD6>zg^_J;#CH$%mB@x~5)Y|bEwE2NtZaG?jN+k$7xR8FVj@Fm
z615A7ukzI7&0)Kc1#Z#W!Oqpoh(X`Ly(>+|_3kN4yX^$2Vv_jz%bo5V2M>*Bnx6o@
zMI--!fTWQ1>Yj3r?jL3C$fur9W+EYsjgzdp8Uf6HQ6|7c|c
zCxV>(#JB(ZtJ&qPx^N|HTacB<%PRkQ!hV16U8KH2N|sf3xxGE|!qHIorp%+Kmbmk4
zn5~j8x4WVBcu`I#Qk=3R-WNh;8hxdnXeovD&-MTP8)DJPQlE^Q=j!d}$LU$`wq69!
z{-P}@dArQCCxkbDLXJVFiW48ge@S)0rFfXv*ude-w_l0PpM&5q9mssLs^0yD0U^Zc
z!!m*kG@>9ck}21r8)Y@#kf(edyKfi0bRP&!9%%`0*Wp~(ug|-@o40Odnzg*y`<73z
z1U=a+r%c5SUzYVKohW?@c326psz3iYBn$*wgY4DnM9Sb7-q{9jX1!-UWbxPl7We1x
ztsm;LDQ_&xTfv4I@maz77mNMY%F1m!{8pf5GnF!a9AFjC=yBJ;ug}Yrv*=k994auH
z#Id)j$NA)p3=ZHD%WrCIRA@PvFdmCCS{j|-O#OPBg*^M^4sLY6Kb`ve$ytjNd5u`*
z6LiZMQk01eJn%+~=}@k;EVZyCb+nPw%q*#+-ETeK{V79qnaNqr!lo
zpp3+cqrQBWgT4%g<2wUl_}-8hA$~$tM}~361uutYIeMw*TD(_9J9ou|`)O^@VWqhG
zwHW#}3yPE&Q0)KpWfWPQtZ^;77HI6pI#e$$5n=iSHC9d=!2-ik{#?JUn!hypx>NK$3W0y#dU
zAL_+y`Qe&94|w?|22B9DJpF3MDE5jUq
zD9dHQHaYP)9LmRajvoiLsU&G%RBZPr+^jJ4v1MwST`-(@jsAAAdDZEM44ba^n`iXT
zsO3dD=nw$Y6=ORUOEb;7T~+LGcYsw-@;EV3^O+l_xhACVyjG@Cl?wl7UPJm?XKky@
zUuQ2c@0j4lLzQ{hfSGEFtX^Vtl+V|s$&a*4TrNqIN7m0P%TLNk2R)5gwl>G6`9wR^
zlI>{{>TJa|ub!obU}=+xGNwwY4_-k_QcI
z%Sf9&jjCfY2g$+|thL2XAMcdCz9)d5H0u@k=yZaOJ8dSgI|Zqe=MJeRH8u7LeJSV0
z$|Ezu*GIlGO}CE@=j&!N4(aM;^0y3=WzwDXs%Zx}We~bFkM>3$Zihn`Tb%1uqr;0e
z@A^P&Z0_|Js0#{I7;#{`VUtlIss!GUFH(-4fzzQ}A5zi>YM?4Xw^@3MB#hE59{OlW
zME<9^=;zFRoIe`w_r#W>*KTThyo6A3Zn*Cz^idJD!iA
zd@2D|TtC=9xX_sir_q+kXBvtyYv)Q8A*UTz{mBt<^?$ZT`U{=jQcN=MK*FOFXUJ&S$?PAWyc%!YP#MW|Ac3(|_O
z044*i7E@s9vPU!&`JPfSZ1`bs|!^
z1f6suE6ZQT9vMwHo)_4eVKvc`n<`gG`x`E`tg+_((~ku@j*t{zi`s}2e=1eWH*40L
zeA)di_ERazcYa`tw^*=Dl^QpXf^PEXz@6@%-6y>?6k_(hY)+)3Y`?&vkW^@FUe4Wh
zebp}0Ezf>)SMhd0NP;lC#W~w9++6n*mT+?|X#C=EZ`1GUhLEw&aHQ9ufFX6}HS*lK
zaRMt*X(^?e&5|)*xfH1O^~kKK3m)-{yS6n#1xAxm;gvj~`RL093thoDkE02jX0r@xmGse#;`qy7cU#gdMms@*IXy>7!*4D`H|eBgicr3xQa|@7GkGB4
z!i!5NQPBV*D$YAmW+VChI@kku6D@0_$}Fd|D|9=yLwZC>i1T;&_T?mN&wb;W9kn5;
z+_Zh(>F}oh;g-2y{K2{d%Yssxi(#W}KOxlU|v`Bc|^)aHA}KE%Y;Y{1uR*gICv
zS?bxhTOMB(OhvDiNoY0JmF#x4CiDud4WB&kEj}r(R@?!VlQctY?df1iuYe^r#A~o>
zoK@jb;U~N3uC?^J+nZ>O=&0qrZZc_EhrOTan+Si_M-61n^9+zTDCNn#&@3`ePT?Z>
zUNFQrRy{oXC4d%GTjp(PGp~6F-%YIIfv^p-#fT#EP}uK*AU6JI#`h@meXEy(R9rl1
z@wKZ$4?KyO7pU9etK+`;?og>w=GR>E`*Py75}*S~_RLL$i7Er`$cR5chfxp=8Fq*9xIU|*r*3%6{hi}q;W#&Iiu(o}G6V)`h_hCd(=Kg;kycD1YG@gPeNTdf4cOBruUH&LqG@gdchyaqrf(b~7+Y
zcW(%>uQzbY5v%?^peP$?{pA#UZo<9TFVxkWo``Sj*LDdD^p-J*d@Ls^{<@MtwoiHw
zICp%d&9fIXoh+?`E7Y`0&hi~WhJI)d<(}{RS|aDXK1M6onen-^cF`P7ypU2`AjD=t
z`x-bxy&#D^s35-z8dS<9f~?GMK_I=xx2QPcVJ>A{65$urQ%brW!Y@dVn8`b)GbyjU
zSxumJd9qq)Fedo4{iwPEkx@!2SX|}>mJmgD&{oq$tsGGILV5t=>gDU{F7N{ht)VJ^
z80++76f^CuaILgl)AAhEx%X5fvFdPT&*RD6iIar(9z_0pt`*H&XWh`D#r3U&4vaMo
zi!a0{oWl5cX%a97Tha~$=)|cMIDY`MgG*4DSg*?H3vL$`mD*u~dh6DvycN>kn$kSK
zCKw#TAk0{3ZW}~~R5bs{xA=T7kE$|FH
zQ{TqH5+Wpno-vT(@ZHb6a{`TBjijidFX$edUf*`?#MlCn7YMF`WsQ)-1^btM3n+s_>xdMcv#r;n{34_Qj|KgCZStBsB*wq+{
z`ny}XUfFfE+a2O$l$YZ#G3I-l7L3Ol#Q@G*_ZGvlEHTU6l
zb`K|gJXOeSE#K3=$7M@;q6oI3`ZG0NgOg;?Oxn^AyW=lqs%OFBCseCJi3bMlCt3xs
ztH++~KAk*D_x!o}Z>wwEcSRDubty0j2n1F+nm_IqseF$sK4w{10^b{V)t*W7`W~+O+ter(v`%teSYcEzQ=*oU
z?}y%Aar)#Wg-yR!GtcxW&UO}#=6%Nq67$lltgHk|KGHbl%(|cGruw9?#ttF*9!
z0;w2yibUipne4g5`X%|zODRewld`6rFdmtFug=CV`<)2TU6?l;FKldq4>pW3!Yk6t
zbuh5rUF4uuBD)7F8o3%yT|+lXZxs#i#@yQ+ySPTEs>z)v5o!@54?Q^|$r82%42+0E
zh{85snKVZc_Pamf=+=)}C0hHQ%h?f}sv+smW2LR=5$x-t8ozh>;(!;sZ!4{zg8c^+
z$0@Nxf%b
z7an>|yyKkDeA^?ww^H9}``rB9BeSwx5UV6n<_cjC@7okGi46KstUf7I2msqMjotR>
zv?vOXOp=LJYBHH#>)G4(p-#nK0O>k8d4gx)tL={$^r6RDAE;ypWi5(7w<$2)y!lD9
z%vhRs$TB08Qz!a>s^ga*Qj}@AK}=g+#UM2<^a8xnBd|Y2!P7;;@(W_g$7QvtrHf}u
z)B1UbgHnC)xo))|1MnAq)18eT-)?;O7{4%y&sM$I#)6KB3P`L(GB?CH=;F99#N8wCPKHP%8>WwPX0;t(@5s
zk+}T7O&GhpP9d1;?sFCZc}9+4a|TjA`(t;6rLT5sF_m@7K*S?|BZfVd%IazBenhy`
zk5DzDhyVMx$DFI{t_A`|t?XIC^`!g0<6_Vr;{Cy((AZF*PFQw#NSX;wB9xO}ZB>$Q
zpf%y<(O}$k#H1AWp6(_;ST-YSKJ`)O$DLWuEM9?EKQuXXfT_fIMRuAQ
z1=&c5l$Y7j$h258O)_joqq^7c!aGU9p#En9k0E3N(VhI-C6!C7n(`
zr;Ovi#h{(7;O1@z!yB#O6ALEzo)y>&H#CcGfl+mD@4Gio&@PoKv^sZ<^P)Dyn#e!Y
zw~a>jSssv)S?Kml3cR6vi)gN3g13x6p4g$uZfulP?ylDAA+DzX0zKKbFsV)=N+O#3
zOmUW~AthW(@vu{L%FV#ZPAl(YoB|Uwv#&t;=Hsz)A&DVQD2oLfsD9!C$}4vT30@3;
z<=1I?dWqOazA*XE49{iz9!*Poi)FrFF0nvP4Xh`3t=kNvc~247t(Rr{I`Ch)AjEl_H5i1j3W{(!18&0rt^Y`_#K
zs&`lnu=0UYGI6d$(9z!9EmR-Zko?mz+#!;c1C}KJ%u4n$pWYYdkT}k=7i9plFEblV
zNeiM+4q6n69wgxUb%@T+ct5&2==7MS=YmHcRmYIF^e?}O*c}xPkQKpl&CLTGHWy1Yxja$HDucnmr`!6eQeZWFee0R3@hTDTNlCdF~bq7Ik
zY8tYzK2{4fAF%j13uvvle2*aqedu6&^wsW5{2=_g-i7vS74Z*e>9aa5{Z0}d0N%)l
zGkGAClJSa3n#l=2x7@!$zc(;&OUXUg*6fGCA6|n*51AD1Rq$)X@*Daa^M#UaO#Dz2
z;1#rS{a_<&nNhhe@R~YXg&oGJD~}dYU2wSJ3QRyc{*TOS2VI+zJzd2`JF#fKJ9Mtr47Pxs0hJj6}H}MRtx2SJ}
zLaU#Ix9n4_2ZscH@%sNLd+)HQukCv{iUOiwL8J+Y3dkT$r8fZq0V%=^y(7{YIx;lr
z(nUn1cNm7=I|xz~r1v%mNEb#JdVSBJNzBc?zvuhr$sc*537>P$-fOS5_CCk3lBm$n
z=PInI-Qw@RoYy+qA77Pm(!NU6mIwngY^
z{55ga&1#vwkPX9*EY}%#6h8TKtPQ^>DM13Zk<~3$PEFu-ib0LH7_QN!;C}FspO)w0
zaVKbUb*9{ceik&L@f9^c8%K+zh@;Ip*pE8@z(S9_r_R;psl9)!sGz+6-*wA!t_;ihqwsxLmvkKWk2p=MbiM8>IA?gq7__3)ZS9f_USN}j!Ckv;WvP`>`;2Ui8w(8+u8(l?!8S8D
z+HtgI#>(MQEOs_56Q^`&qLeG^(YsnOc)9q`LN(U*_oti2J@^qvZS{T3&ot~p=I~A|
z-Sg$1aGVh37iJPW?i2t!Y+!_Zee=~)&27Lum)Ex
z`PsLg^KrIzliXj%xdW%yUAihq9jwGv>)mwu<(Wi}NiK+y85crM!XgNS#W;xRI1tm=
zFt~CQiJXMM8`9~8UQZp+4D}gHj9WMyyiG?=m$>`BA^H;P%-4Q%OrKO#o@`jPI>%Xv
z-}zX4MHza`dFYH^hmD=H|HG3&o-Omze{D1q?F-G6M~*3mj+FHiBJGeB=)%x^>?G})D>t5T!PT%Jy+{x(fM>5F|Q
z`VGtvbs^IEO_?yx|W}70fO@AmN!!E&GuQ8`-G(ZZv3Qd>qXEJ!&TWgxq4L3MqVIJ4Opxm
zj=h2MhU2Uyn*0f`afF@^4&l*j<1hKH|;uc;NnG9LVo2=dRR@mt7
zLtud32yqlHdz2?f`;4}vGYlM}7bptDWH|>b{`dQ90=D0vvLx1fN(~Rw$|@=86wJa8
zrgwIDcVBdH{b3CF!5<{Big>>mr-9_zprK0J55n(3uKR}(XI$~EWmm+NWm&if{lKY>
zpI!`uYy;|25w!Fm#cXGK>;g_eNSx>x5gl2^kZx1nCymwK9`~x`GhHFR)djghv_kBjLwjW3JEYTV-
zg+vLG}SrCipR1
z;8E_Y2r)9lhe7O~MznEI%jqOki_LsnV}L`NC37aIRu4?HYcApEk`WF*Y))cP+ijWnC$e{cO#7fcWZ5d-qILHq-H(==3%nOKokyr!HwA^>>nU!%t
zx6luZmSi#HhULd~JZ0weG$%!*ZK=%0sxe&Jq43IHxfUrISn!(D+=vyFKlcx}J(M_G
z7}-PQ8`JKpC;AsOSS~>T+iBA?+I;ibpc>Z3)OT^-@9{p#bJrSJn+v<^<}At2zo%Z1y}&2(u#AAa6)=xVHJ3^=MG`4uDU)f|R8(
zk>n$fxG(|s{E#F9vB*EZaX~qKe0`txwXm9g6c0No24h2~k^`~(>IFY}j0E9;=sT{~
z=T9~GFq<8f_;cXrY=YPLa3yw3R}t>A)UiLu{eBDp7D0l;;26cLRY8<*e}-ObYtFt9
z-CnuFp}X}obLERE`C`LrP;7h)i`i>l`>Ancj`}*=QMSJ
zoaJ9YW&6pKnH+vmROnY`7}z}dc@K@isOFrugURl+!%5lLhk}Wf-*)JObUj-5C1N?Z
zd@Q+sVTB#Zvy_Xgh)cOq1DhnxinF;w6HUSi9u*-whwVcIuO{uLKf_qlRK4%7|+Fo}4JGD!haU&Z4$1jKbKy;2P
z?gi3n_r8_fK)ujp$sCFrgfVxEs$S3_P!YM`Pr3<}b`TN;*C<)+92{E#=HC`5Z<~W4aDjc%zJ$01xW}=J!-awD
z1cUymGV4@?@%a+>=SZfdtT#&tFAZG1ar!yXnGvGd>*r5<;`59;~lBrwdX&U?HBnQ3!IC|g*A6+4RW3uzw
z#(v|2X;!T|0KWtGYdJra&}Hl1{PK(7tbYN;`K1uVvKL|*xJyP3wU<%jR11RpT0Eu+
zRswV;(yY{JJ)N!ZK9znx1zaPV63IV4QhNibHnx1oCw8Z8WblV^N|M>wRtPuK!nr-Cd(#5U)Y0A~rGTTZ$
z4hm$al4TOIX#d_qkf$l&FQoWbUVpAE-C8wGavR1eByFF7Cy8+&P}#s!tta%p`F{5#
ziCkJkE=!NpnBU`NB$!gv`KikZc^8Mq2mmN;Itpx%*McG~S?d4@CNM{es?db68XZIq
zXwY0Y?!T!iw{$gP5JvK^PdMH9@?B(FcY{n<=i=kDGpXs0*2wjS!G`I{UBlFc+1ZJ7
z2N<}x#r}W54cy@^Y{M_4Eg-E6F>OYqNF&KL3prXPISpMtABb}XqMK^-kq}HtTS4)B
zvJ4?hq>dj||2A4rZk`8*R_hD8d8-Eg@Cz^0*W8h%Z@^vdu`>X=MdGGPXJUBc`uZk&E)P@wVB`HHgrlh
zIDT}(8+SVqr64~H6VFuqkF&qcz}WZoRH_M>54=Zgv3vnW1(V(^%~U?@oz`R_>%G#1
zxsIwSLoub3Gk?{5-m#F;%MAsW?EdE_RcE8ywg1vTaJKWmE5%i;HGOZ~|L
zmJ>Cx!tTdocL~ZId?5$95kCqz3cC{I+IDI4wS^@FTat;6kHBa}-G0svd*&4}GME3A
zC1XOH37b16fgR+AHBneju}IvNw@EB{U}iJ>lXrvVv13asj=*zJ8KO>Z;DoLtQYJpd~y%p8_vdmde
zQx$3JE-s==y-N*gnVD1cEzMI`5*(b)dtfR60RtXUJ==mLE^7^G4%74KB2wY<{}KR8
zwX029GIx}^U(hiDdqJ^=vCzQ
zS7#?`%oI|_+qMMUg`+xty)9IC8TA9>OXM=y?(gs46QjBsQD(@*Gax_#U|L-pXCXH#
zxTJeN&UV`#yoC5shkuovT6%Z-W|n!jJylP(!8;ZCeD>UYr6lh>iV~8Xf0m)IZxtCB
z((i;&344;%{_yK>5$K^o9UM%*Xmi3wShzZ~*Le_$tkR(l7JY3V)L4>DuCY?6>5hgH
z5yHOzniF~%;a==tR7_<-?tNaV+V7)h&Ua?xT&9$Y|lp*}ZRV7nR0rWt@{t94|)!CUHA>N{;>Cl;O+|LNSkX^?>()uoifi7a@LnZ
zt{*0F-W24d(^bjYdq)JW5B_f~NJSI#4_#dbw~za#YtgaY#$>3H@5^ra9oJT(@BHhl
zCi8<+HnCJa+s6KnvG(Wx`$zdg22g`(yTws`l@WB(mV|FhbODx%&jRv>fhkJD6l;8ptS!i)`$L(5U1sSp}QX$O2f~xqRLP$M)q-_)xSIA9IJ`rWYvQb
zIisFX<9Yiu5lpp|h6>kztqmh1y3d7$1I+o%-Vgcbo28NJ0@++hr5^i`&zJ>sHJ^X*c5Y-EE3IT{+Xe=~GEay@Rdxa}lMHJTX4UPX6(!oRKZ*E2vP{EiUnD%g
zp~R(C)KpicPykv;`d>r#`x1NYs-*(Br`ziyK?2(ugS22Q@wwj&!kR;m3{-35KUi++
z?0i21fmXcim+Ii982>SM+SIMOG8e$h344pbic%B$8WZ28v#j7t^hmjOiFqT8B{gk#
zlpgx|{($!&GP8OqK=CY?3T5~Mw8)UiJ7!=`+EQct%*nO4i`l@ZcNh87_y3(=2<)|g
z3lT4>6@>UhwykL2Ef$)Fg}yFJ_M$m#4n+v~QZLu;Ej%&n;qjh6-z4K!YLeABJqC^K
zy!&?0?ljNfSjR62Cc}g*(P@qbzaeT?>}j-lu&}zGLagp=3p;P>HVaw}(O^sa`?NPN
zJb+5e1!NMX6G@N3Bz{qLLeQ7d&K71>ukgdU7$w^Apc_uqG*J~SA%B;0RB_brzk^nB
zYCROGJi1N$sy?7-p)$Z;wJ&hmi3IkJE>6;6Ol6z3uRxa7lo|rU{yVZvQi!4+R7
zXT@vXuq4902^!DR0(Xhc$&z*1)tz=le}(*w@?@E;jeFDY<*!%cjEsNC11}n;!;ct@
z=n6hhMrC!2G}gXoFHMBSv44yieCXKXD!XfR+N)32g$g9V=>!*!W(t*HK|!rD(7TM5
zQfCGBf>sd%0kKPm-R8xni*?K;8_h21&PO|Qn>8z)sdnXVG~-Z=9_1YWU2uit59vpu
zP#{82WI%8#PGehLN+iW;>_OGPnB#L2CU%UU>vSCvdy?$7Wy4
z#8P)lpZer|2Kr`~u1IhZ)ihxOx3E7K!+YMt%Y8nE+kW>uZI&?KjHkRn9za2S??-2zdi3WRany
z0K!!x_O1|rC7IlUhWC22WWW!j;}o`y8LVNtB@!(5Pnzx+x51RjxO4P8SMZ*8On%S+
z)1i7{Dq3D&s&+!&$wS@AAP?gXDc{d%19yh@kLaSZpDKa+3t(zu)A0(=z?cYBA4c^y
zwX}8qaXSdNyZM_W_`ir);CJlI;bK!K+s0@_d^6@i?%lELJr#{kB0y{S)BPOJ;b=|f
z{_;pEtZLYJ?dICXq{8g3AHj3y)~h4CwL)osFBM$zR8yni`eY)O{mwFJ8-1jtF_;As
z%yxP>a5Y6cJ?L7RNF9fKO#W{b7aU^Ow%%8_qD9Tz%Fhn+YHq!WWZ(d=f)HK#zQAre
z8?<-iQAXMS>YA{C=miZdV9sCMZ7;w&@3@#pdxoT0BK4#^aGNoefru3+d#93zte6Zt
zwk3q!Yd8P9q}aAk<OeF%!bl@Uc|w*bPMh2+wnCHapcp9c;(s&Ki(d)(;Hf^
zJMPOie*PFcf|0*)DLJTcTuN&HaXT`pDk13_@T{znO21LM2b08cRHy<}`kO~%+`(}A
z4rSn8)&3I8-+323ehiF2E9;yT%N{BTFFC+nI2Bp)!aY9vDPz+ea`ZN(JydX@G5i!>
z4shm&P}qw^zRQ=%=*7sf+_+E$zmRFITw6>8qwv3Dmq4|w33BPVbMBw~2y}V5bE2iw
zWiz_{&W5BnJkA!XY|}KZ+fc~HZ)VO?3}%N?j@Ej;j}j3M6n0KeEXk9>QC3cqmD`?!
zfSuTT2$i#%Kd)&yC%1epb)RYA^7dm5J6$|L3{!UMEx)ioy_;w>`9%4r>iQ$EWZ)KStsY!7eGAQbjS2Z0|2F3>1gNiUg}q_}soMC)P(*dS_95;v
zbnmhF{kkV=_0jQZ4zNP7L>Qb2Eb&l05=9Jmi-~A%lIm-6@NTj_CqabRhlr8U{}r)g
z(#e58`gBZh^qP4Hiafc1S}%WkWNr5PMUG13GhJjOt@=2$-}GUWZSNk=O)~@Sn}{Iku)YrT!CXn)o=OyVyFHh2%ms&y5_*czaXI-&lANpJbqSBuTAEv@~&L*0^>BaDaV(2)NLnT-PU{
z^y0;POd)_+s=_p;^tV6U9}*=8s_HENt||JL-lgEX(vi(@+94Y?c<#zGOBep<=ildD
z+MQj-L&{WYMs2mrJh4Axsoe|JQ2k{Q`tS;fk=30N!raefL~D!xqmb#fN{fh*0g-=#
zi~tqt)N7A1uFm-`gBzLj=c{@u2=@A>$r)vr)f&JGa7QJ#xpfi7m`it;c4q(ZQ7ak|
z)+H)~lb(}vmct!#f5S&xu4iYxHtnLz-E2jpmQPgEvFYX2BMwP8(P`d2%6vLEk#dPr
zaPuHBOtNpLJyyAVFdg|M;576$U#LtbSrR^1Q1`e^DNgpk9egVHvrf}@E+)&^KRcs6
zF8J_YE4kQ^`hKUPE?|U=|t9Y&0>!1}j3Ru(M-X?u#sG?D8u;a!~
z3HJ!X?70AcZP~>`Ao)zSBmY*X4a`i3EMZSF`4mD198Kw;8C;QsS
z(?g7}$&4w|LqS1M83L)_28MuoRHMqe*~z6Idxxtmk3zKjlMRdC*#8LMg4RJr%{0m>
zYCQ_bCq%MBE5d~);Y%G8PO{68?cLj1+zR+4tm==EK@sHU=4JMs
zRTlE#n%4m<-koPq#rvO;Z(=XYeJ?`IIY
zsxxCitbURRIF-6Iq2*0K~=-{~gIO{jXmkn+O4=P+GB
zIYIw0zHteGb0zIQM1J&AAr9O>I)1-a4yDx`eWKBIg@gp=j&MOjV{3NWeW!ZMV8E=h
zbP$SXQ(LOE5j6}9C5qb9S9!sQ-TMm;>7k+`#pi#viM+I#4slR6?8@02D|QPywVaE^
zL@vEcCWf=U9#s9AfB?RKCE!#+F?g26p#I?85Q@0%ssEH*v)-M_9JIw;*;8P0{VHcb
z*c168utLhg^($O4uoO9-dfzu{C9hw6*?A6`JkKQ9C}7>60`~)Eh*&aO-r&SnUQbkL
z34~__FTlb96IL2n59lwmiKz%EJw8;q3wmE&(2E+H+6tNH{SfQr9Xmo5l^35AB+D#_
zAyayoRNa#{-lQ*j%MPVGI~LxD?rsF=Kd6Rlqm=6inWZH|7s(I3^WZV_NeTrRzj=vlT{mKZpSrziD1P!f}{3%%;nRot2e
zHiiW{wU7E16bV=BN^XnH^=_``GvO<#$S%o){O#u8>Inf;je;Xi1xc2I2VBVOv4VAR
zvitgSZi(H}tPwZ=y))pFG#bb}<>ii3fjvWS0?Dp~?M^B)Fj*^*<;V4FG8{>w)~*NZ
zOc6J|=Y!(rAjlrKG0_$;DOn~f!kG%I(8;u@n(BN4OU=RHvV0SH49x;VN4c-Jcx2AO
zcAw2OwNT9@ZodC`U+-(SlCk#@lrzZw<(rJ($lxyr7f1
zl-%A*?d4uqyo)AS+jD1Ai!bOvaUk$>OZb3-Hb_))$79I+b3@R^p#cWvm~ru+8xkyo
z&X2lZ_hl&Pe6^x)$(c0)e+WEhQDRo97QQut3J>|0TA{{+YzmCe;z&XIVV3J(sIa?ZSwRW0cPzzy
z6|>5fe=c5wX9FLyW)t3@YH7MOl$AsAeZF<=T~eAMgd6%<%nyxpMK#iZ)2E8Z74M>>hR*ERI3t4Aet^r;w{VR2T5RR?;ru7TL=*fyr&H?Av7f%+WE4
zb7>P#Oe1Kh+a99Z*RXH?4t*bNo}r;)@`{dx1#by3|j|JFrC^!`FMlWs4NzS
zv!osS`=q^+6OOSxCRN!6Z-z0XEU~g!ho3!^K*@`F<6=%u7^#5IzKdTzUrgV1?5080
z99oM^(n-{PiCU}RgX-s+zq=Y%n)6ibAD%8i0S_?y=9=GpJ?_g0=b%#}*-<612eO>=
z5p_m85xH|fn*BrERM+1X;gxe`Ndi*5KS^26Y&4ZEM6EYsFfopaH9H0vL92+dbDM)K
zZ#
z)`(AP=4Q$nGt8ih4^?U4i#BI>y3F&Z~oe%!SR8I>pUJS18&53)DQBr&)j3u
z5J&dFzUhn^I^&k*c!_choM0lk%|#P`@90h*MbD>guxq<3U(Y}izSrvCtjoF*_qQ6H
zZ?F7ug9yXJ^y1P`4Kdk2Obf?Na@z54I41b`m`**p@vKSXsAn$%G6HNRR5>Xy^L;gH
zc@oqg&(JO?uV%XDcR?D-nVfibHSuJltTDU|~EH^9*SXo|bH
zW=4QN$l0!C@Xg%frJvg~nLv4$EwyF8<6Ip)#F-lPcYY`wce69?pdW%`OgYiLWFd^`
z``(NSu?i8Z)rpd!m8w72&A#8Nd=xvh#`>1skA%Ha69-!dKgKDjx{FdUXU(Q=n2&;o
zA^!3*;x{fPIF(np^JDfMcSzUgfB-zPqz1s%6kth>4Cuz#*Kb-DegAPhiF?Wfun9on
zv(fTj`w`fe0vA6Jq{*9_Ry*36)xxH&9VY@RduJR8eSuANGU?!3pWL|OVxufziXNG-
z3UH3_herIh+F+3>%(2|t?{DQ<9u6s7d^f1d09sBXFojG)Kg3O_XB>_z;2L)gy`?29
zl~G75Nkh{*8erO6hz(Ii>%81SGjsBY1gNK2y9b8WY-W8yzOvraTh;?a40M~we^I7*
zrbFfO3#q-ZzI(Nd)K`M8rq$i&pR&Cn+Jw`NG>5(-a;wK4;c$p{2I3qiuQqtS(54S=
zsPn}2L9Q^rGLSsK_@R7m`Eke+mWT(n-6mZNL+tdsg6^6)pq*q&LiG2dhM1|k9U4&
z=Y!*;d8VfUM9r@4_LO}}zb_c@9S2(_cqA`$&4ad=CA0VCh_(s1ahqn8dyNRVS-AEl
z16I%n;<-P)^T%j)axR9JEMH{6_h|1Z*Cj`d85}5Ia)P6n(7>Ma!#l5u9Ws@G!}
z+3+Y|`DvR;kCnzMFXz7DgK{=CNhn8HIV{vMwLD%{WB7TL)X6e)&W`>Ne_Bh0TL@T&
zcvo(Oc?2F9co+D6yg(w=3})VomFjw>n11q@<+D6zV98KAR*yGbu`#c&z4G(C
z{@nAT*u#g{ehCE&9c3PcB&G{
zqMZh*g;mHGl^sZAn>n
zg8Wn&;%K$$53}f}S`_w9&TAC9ft@ezGL3S}N0em;{v7;y(3V*L2kvoKLYR)Aji*c`
zGdpW4wOHiWWn-(K&v67M&7>s~7(3H>ssZn}Wa8mTwt;|z;Jk0gjVSP5nn9u~WdWt8
zlnhpV`<$igF;8w)$(vuz7R}|_rF6<^TYL3r@aQyfrpO1(U=kW#R#v&?M6SCE?h_nd
z>K?9LWY~3xk8LfSsajSLzikQOZ-881PQQ$sA#z^-SV@mtusU)bV{Vvrq|MxG-VNSM
zwIL`UzCK)65N5J~0b#2N)QV-~eQZm#Ge6cI{e`zZ_Sgc`vFl=`IWXYBpBzzFZl!9wgxz(&;joNe
zI@oh`SUOlrNHwf`rqIqI;^J^?=~W{6^*dKRyDJ44MZ=+8eF3_xO)3{z&}x*?mfGsSukGUHDM#k?m0M^8sxJoq(Z6DSo#_%a
zH9Q9LxFyM=VkWfsn;Mh8ayp{pK2Jji5uBDAc1C_;BkT_CU!NCOG}*7Rr(%bm$Yb9t6Yc{nY?3?%1arq9d#JNd4^q|hhr+#y&vPgy(2@0V)~x4
z(MS&4+)vmZNW-9A+mz0PI2Ma~VoKE2qg>)+oW>YgDpQshuz5`dlzmy2BD>KZ>23#oA)
zhF<1%=nGq{{;~KtO<5Af%YPn;3uCb`X;*isd$sg
zDOK@No6nV-&*Sf6CSuPPGdbSix|VY{ek6J$@-qQBV?)*<-;W0Bi&xydME(7+na-*c
zgIU_=>ktn3rcPHzM9pasexx~>TF;h0fAR&V{^DytX?L}ghluj*PL>qC-471ioQMSu
zn9jKBA5o6;q_pS5!VNaSDbox6>K@8KnjW2{B}(N?
z)wL(9+-f|H2j4Gbmv`UKHCzT#q%X9F?M=NeAw+iJTWYeG=K+_~yVsodGmN#_L{yO3
z=;Bhdp(~q%*J$o4?fvi(bpRuga*qQTMpgVc8O(HI&1y%WYxmsM%-0j}#T=6N6utBK
z9|#tGHW%YI*GeqmlSA%}^duYeHXzz0$`XRLhM_jEG{YtcKH5s|M?<1S4j7sqm|f6y
z-5};eGuyw1G`wtScNlWM!N(RO7imWHD?X5Qix-V?Vc@mtr~)r1Wy8*X#V$)E?R`DJ
zEFBB6{}N^0qe)=ZTP^$Cr6*tAz|f8kf59fP^j%XUw33bX*tF
z;5vn7%-L$ToExp#X;n)hT)E$=2xKP^4ozm{`|s~5=JLcsuv4W3EkW3_S7BcJTgDC5
z^XDIXA~J~v{Hg2*lIhK^^l^yAZGU8940mKY2NMzC-?+ep%1$`mSEm$o#9FIyR+r32(-I4f2(b{NtSrcyzT{#hc$$={>&JcAYZXhSsjMK?Piyj*^D>Bf8PcO)
zSo+UhWVF1er!2v4f%-A0uMAe1;n5Y5{a7Qvt!Q;s>0aIi+)jWQ_Nic!+KJHBUE7Uy
z#-fWIk%swJjQd6a6&40HnZRn>Kaiy8ipj)PvU}L%4G%dzQ?;91Wpd?Wv~snlq?E$_
z78FH>Os>XIz_vw$r9j0Q$RZBz~hKf{u9{M&vj1@xt
z>RmaauFsrFUNV-7N|^G}+&rl7YX90_clZ5+BI0jGbjgdbV1f=07B%&&_e6
zlPqm7)VQ%F1~ZV3Anw`fD>u^*=8odq$>uXVKl|@@zif4TZ?*J8mbzJZS^1z{;mggLg(f+K
zD%lf-fecyMr*s|Yxd&XL7`^iY0-k2IA3sAcyY6$GdxU!41%cl^rJ6E47RT71l&vgk
z&cZ$}pwb^3V5u~DFs^m})(6&D#m(YW@h#HTBfqhwqS93vVm
zWFFyD@8^4HSuR-c_`9xKtDtR;1wfCCoqKb7_7V66N9cR{X%xQQn&}Kghc~JByo?};
zZTUpFu=*-PpA+wek=>>@ZCmDmJ(BCDR=q~W;<_?qnfdf*cJ)pe`rvnsbH(65LR6K>
zYtXUt`t|4TB4@w}u6_tXpbOH-qv7~&RZRh8u&qNCm9AyUmbbotrjasJhmU1-*k$F}
zhD=@W(D&^DK0kSw%;!wE62D{FMA`2bwhFw8kUj!Pj*~))8nPp>h&~
z7_J8nqpr`Bhr>Kw_75I)zi5DwZrOXSZj*l6E4>#pR@Xv4x$=>z!UsMdXr5E%9BF;+8M+JTNZ~zX
zD%|Kb*@eM;A$7B(U{6yR7xQ=qPo8{$WzVA=FAlQ<3*lnIB_8B_COwssU75n|!|b*_
zm$n^UR9h%0jA%CnL1!QN)HwS`^AoibW7b%K`XrCxkzX-*fp80q%vGA83|#}jId
zHN2Hkt53P77s$BJdynuJVvlDq#iZ~G_i~`}IG$J^18U=YBsASo=2?5?U~kH%#p!O$
zJ+LG6ztZkeeOBK=8w!(x3~=(FKcetm6%5jyVUECJ=6=bQUK?9fi1|o
zsp!^6*NH1#XO>rT&{nOByS887>`oBY+6hEB;ysWJ`O1}l`+UgMeK!_wv!SfB%<&O7
zs!Z|L?&AygT;doFujIM*n)BIL$y&~dp3T<4!>tKx#{do<4!v=6wW@v%$oVY=QcU>f
z;lm5c45iiESv~k6H}j+2KZhVxeUp`IwgpUjJBN8YAAE?*;9rXG&#UAkP@NDS%FmD~
z_%g;95X^!%fGEzoN0(4wGnylpR8so7{_o6(49aP#U-$V63tOZ
zEunqUr8;sh7hIoR``qz3_5$F0nVT&zCO=QF#hhR&$O__xH?~Fj8^umj(u39I`!(k&
zrSJh3D}F%mgcG}E>ve0H4)e+!Ome_dQrx(-thu7xF0g>#U^v+Y7gQAs+}7|+@-t}~
zReeH{WMf1pg%5&_8`gv==(q*{SO}rvJy^|d{}JS*@WDxS{hLb@QD`x_&A&g_Byn7tN=~*SvStSPIaf&$HCfq;L?%Bdq{gIdF&##+dd1);Ud?)
z|7lh(<9UNph1FfKuLDmprsgfL3d7?kb!9mslh*7CEco44py1X3C@#-XNRo;wKMro#
z(Uwg>bmMvRtgpiI$1pdW*aSN5jcCZ(TcbOrLN7k4?h^!!jO}xWZN@-0mj@Uv|I!O7
z?zMYAwz`gDDIlNH%j;i0FI-CtBQ3~Ms-26D)%%+P4~lJ0;5%L2zbEO$vwapXlbk3-
z-}f-t?zzjF4)p3bc)J=emA9jc7YO90r}++
z7Uc^xL3bOzz08oI%LgxsW_+Ld^uZEgIJNt^T}mtplW(~-K;omroaSM)D12M4W>B)Q
z=XsAyb(WXj6kG0Yd!e3V8+k;aG-o^UCToD;snKg#q7!;^aeHMO|1h!AyreE=
zQ{MvRy8pb;IfOG|VP0%=fV_OslncffvcUtR<&QHgv(%L7g1?7cb}$eBJ3xL+3Do=S
zZQcrqHb{3ixB~t_Q^;aA6-`E4Nbz0}*0-@sp@V)#<=XX3{tocO&VN>WPm`GLPyM!^
zrzq1Vn12C!bgZlBl(}a%EGHxA$w@BNEmk@_*I>^{_YyV11%}EbUzZkT(_(#%9}yM9
z)~*_D#a^4Rq>-qdWR1e2^jzJ;jJC$uz%N)UUarJo!>>5CFsM+NFIaociZzawFmscH
z325LxxyY`>cp_gz<>tP{7ghpz2yTBYljLi686b7rK&E65-X8~nVS(aE1_cSPX8nNR
z_3PJMut?qud~w))^`4axV8p*OB}6TW?1wJbPCI>_IhTt3#rsT*2f2fLcpid8w&nVFT{`ueD-n^V_*
zVItWnFw0a-=6Z0e+;iQ(tOiS`~oa+{pYYu04Kp)q4^ZnmhGs9%;>%ehck
zrj_OJ)+ePx_Sabk*ZqMS5B#|qcwBPu2PSYqr$er%r3hFlnhOk+IlaGDa8T;qxvZlT-^8Lhs(xp_)y_)wFDtaRX(
zxp;7wKrDm{C#k;%*s+UiXpkGEsi{{wlYe<%`f>wC919sRPN*dQRerji`|_!ALa{q}
z8*ujy47*O&G#fbXGv|?p!~uRGHGXk47mnC@6(8??egwo}@^(zM%%dc9p3MzKCs+$I
zc4L(X6)O>;_9-ETzU5BTo3;=-!Y5tN<4Bh?^g;@H?EGIP_8hc!;pMfI)TwT9=2S>y
zmLAIWP%A&!q8r0ABXE|R65DjA4uvg#NM3rG9htdG!Jxu3nCC_VBs8VFvok**{<8mg
zsrf6y&go@H{2R&8@Q#1V>IP}zkC%av9_-UbXaLKlF+-*UC~1NU%s0c=JsupKN;%`$
zVQhD)6kV?>7ylEoC&yeFx`EE8WaKQ)I8$2c^(HxX7i(Yduj-8TJN5aAf)BlR1R))o
z+dEiO{WrC+P_cNC{6tszqbYo71PjB|)D?MBNG^O@J}0q^)$3`v8E)1rFTrdscA~Lc
zT?=utOU+?StMJ|*(WP9v>iUKP{BuEUwe4H-zI((=(HB|4z@ivWD}Oq9
z8&XwAcynwF_EO=fwbVie9ku?UD+rV#t6oj~ikk*4EjBmZw6jYdnZyiJIL7I+ZOum-
z1>IcU626zkjBuhH_WaTusHfcgvnD}lthsjfnHXNj4J*EfgwfK;kFFfdv-CBu?TqHd
z#XlT1x?kHZrFQ8@SmRwrQ<($OG@sBWMCxS;YRr-O0u(wHTz_X
z`Bwm}1nm>uxR(<8HN3;{@jjE&7oSzjnWkk3#c*gzyO$hUZ9!IJtiK!?u%g`W_6Hf>
zk_}zZWVlR-i!{YtryDs63IyVZo9|;aus7k5i2?@MbxLf7`TpAALp^
zPlfr}K4h+tI^>8hw*O3-(094)46m4^?RNy%E{EiwjfMOja1A53(4$1>i3GyS);~0E
z4ja$yY^BMa5W-##H4g1z9@W6l?l2!zV!U-;(OUmrpmMV3U@t8q(hqdhMufSj1s%sZr?>>#YMaA
zG?8mJ|3iG``Yzc8;_sBM)K&Cq(G(tzZ>Hs&{ZjIt;81EoE%M|Avg6AnkDQ=e*eNBL
z^G+`Km;4(#1s+u6){f^!Fb{ym)oR$Dr1Q*Yp?YKZNpBu7+B|f_
z%Q&S;@k~RIXOV^|+bU7h3L)?Sma}PdWvnG=dTWdGnIh>1+sLfTC}oG*fyJ;na`>qO
zt7@(jZ!|<|JKyi^H(uT$
z^QTxcTN~)|_J$riFV+bzjH6XQrbxJ6{jP>4I9fAhrj%j?lD}12=;P%9-QEm$Pmp!Mykpw7K83*c8UrQ~&CL@(%aFgCcnhksl$WCPh
z_17g*tq`wyi;1kW-(6kL^0few;FLS-dco-!Js*z*cbGA_&$r?4tetawa=cfc7zwJq50$+G#3aPD
zd$fFua{B!}(}8g-u~^lv;QMr_(unvTu{7P{Fs2}o$un;grex&$u*Yr>F1lk|o)qc+
z6{ufgYYA20;}TD<3RH)p&!)D>-#&y*mt@(_{(xfJ3wfDBN~jMG`mZDRKSr53Zof;@
z#eXIGcQsrHG=2gwd$*e
zd=0!gBeWp=fH<_iOyWC_5;8fldj}7CtvKLswi_xXdoF|GtJ-NzeC?OX
zbc%@aYGY`u6$6OQpnSJ8tQuuEPquJo%L*3>M*{BV=9Jq$iXp^YxCSH
zr}(t#nnGhYbUfhEls*^nDKlg=>dWR{*g5&=_%{N#DRMcCEH;K!Xi2v3IpFVU{c{Go
z`TC2`u2c4(sSU3wx@*(f#BHO|i=sjfRx`#xD0W(h{FzbTEoayAyJV83p9np+BoiNf
zhN}z#Ne)xPP%PqE=HSIO`rCYk^cEV!q=Rqmy)#0VqWAY5Lv9(i-Gm-~M-GzqWlRkx
zrjYf|N9MhfjOY38GXDoIDWx4{EA0}zn!
zX0>=vON6^FEPQ)H_s4#sx_GF~X`V$P`@n7Zf?l{jYJ(Epd>uY(Y4_O0$R+{}J8O=h
zh>85Zk-k|J3sI9|s0wf@9S1hxul=3Lhx_Jv^S{ETtPK~5dm%TKY1R5Vh5df^d&p83
z4tDf&r8S-7#)Tejr~`d$8X^7D+v=d&Ke7__ULt2FZwSh45yPs%`NeJ*xzp@)sb<8w
zxo^C}z|)YQ_@6yd2jz%n0AZl-AReWNw18CW0fPKVyV?)vauP<9X-fXt`HY=X%CATG
z;pl;YPsIm&OWVI$R;mh2>zes(K$*L|aIGG5Pb#f+SQL%_SwoflM
zP1{WT%cw!QhI`HN1Ux4gp+4Vw2q
znW4UNF|`}Kk=vOPkmlwRg{Qq}_xb-Qdkd(lwl-{3rKC$5L`eyyyF^kYlTH2^vF#};
z!%&AbyW+*xF6*!H`pUvRh{K4C*#2Tg9_wy3D|fNq|20te~tDrf!vhwxkV7`O7Ee0b0WC%7ZLr
zqi~ylmiSZCiG%H<#lwL2I04OOrO%#^*|Pf40|ldP85CM3?2Ro8tEBn(ElbT<>63P!
zf8!=j#WQdsI0vgU2fK|tG=|Pb=7?L|k*c@-)r_82iw0}c6ndgLHPvG6bUWc{*tPt%
z$BmbkB>bd)=h?lhm-{NMI8F~hRmt@G0F&WxwzC6PYItjys4(my
zkOdFlzg+9G_o@frXU0!ok=OcYN;!ItU@P(6R_>37^^#*%t~GUTtnSZbf>ca)gvfvF
z@*$e}>#WkV%Ws!c#vz8=eA*tM7LC(+O;&ty&R5jUGn4+olbA^#0ZWcQMPOy(TQ!r|
zs+2%91P@$^~jmCHarl*S=
zHjfhLzfU`L>8P%qYSC3X@3ZFbh7;jlf*ux1Z-ojXVAR+RoK*sh*%l3w_mdXf5o4&%
zw8K|)A}*o0;D>OqGjeDbVRw^c>$FeVjp22+i7S@WvB8Fa$S%Uw)GTH
z7tYlMf=CCAYlOt_4&LGgKkla35);!2;y)!+0@U!MWK|M8=>Y~LJs>~!YvY3@E;VIr
ztO_8BG@5BnfI$O(T=lp1Q#M6_@q%
z;A3z5c5~VBYhb|_4-U4htr#T0k@&g1o-Xz+$H_C%(=Yhlq2(?9AY~I1F|)lK&pM|E
zh~=N_cScIym7=Ko_i7KWk9L3JU^|*K%a^1VkKDAR`n#WHa++noKj_cuRE6@L-J)IASkL!Ei@*Jl|%gTyh6v1_l_&
zCa|?ke7qd?@_A+C4I3Kdyz|BJ0nc|178!a9Pc;_viMQdw-|lEaI$X={)fb-K51(Ko
z^0SwQhF2;tMqK=F)Nq$_n;Q^*cG?f*o1Jh-cE|M-@J_i?t}GKSH9AiRj^f3*Ol}>&
zw0)S9=h?SMmn9z8N?u-!FWy5&f#O55QQqGmmyhWQoqMo)>7>|~ix=NERJCoGEj;wZ#)h$?n1#+{v(
ziz9x;W*b?jO^_GIQe+#|2eU8m1}CO1^G$SR<$IPl?~9BZydvAnzMH+V+p%I}z2bVV
z@GY%~;u=pqS}O2Q^nRl0iZh=^QMy@4L?gvWp`Qsz;@|6=ZUGtdk6DS(CO(}0m#lMH
zD)G6Yt9xEV56HX!5su#nNSjjpAeu-GRP~v*gwC$|G?nh?Y0sM~P&RG=s2aoBo{@)p
zSEE3$>&qgoVIcqc@Z0rD&gRF-w|`Ob!yDzt)hpKQGX;t%AvearBB`
zp)Of^jqbZCZob`CNfr`6C2uaXsUN}{jIb*oj6zX#)j()MoG?y!ffHlpE
z!fk&Qt@gmvbB^O^RqW`e^+5$gAy{4%mxs<@m_@ms{Lat)e2lYYKnlS+BB#emAS60%a8FWW2WVM^}ZM;V0l
ztnz-2=y<{B4csP&B38^>fMt7CulI}Wv>2OVYI_+-81tJV)d(Tzyas6=Gc}=mQDV})
zu3Pe1&2Hwsk0LaLI^fpwM_XZs2WX|d=-$1}TW9#;eNWby=|^S8qp3+FqvrM8pOqEz
zruwXjQlO`T4u?zQ?N>R!^-5Aw39nIJR%u%uxr2E4{2e6ZjC{79^OW$a!oUxMwY-ry
zEOi##qOg20jkK7pgEE-DMJjgE`Rp2yzV1pnFKZmNi3|h<-a7v+o2qg?#O3jT7rf6
zYy;S(&=}TbPdY(MrEh&-S$O=A?>3~du|odfu;tbO)10g6mQgDpo$e49Ie7GkWwl=9)by
z#BYubDTp(BpiWrbSqBB{Yv~K;*@0j-&QMBsgA~|lYE}b(C+P`Oxd(i9l?8^0{Iz<^
zIBDU5Xf}f5r!-elK(YUDxV%1APMi-?FmCVikO-Wq{d~Yg@+-QZ=lO~$9pAuk@WYYr
zr^TCtcQ9&;Kkk+Nq^TB3G4O|%j|P%Skh^imI0xG+2X}B_6lLQ4zQT}B_LruT&qKYx
z#<4wTmgDq1*2&HI>P3jynTzM%?f%|rK4s?(=@{Ta6v>KP6a^2|=oII)lcFLD46r~K
zudt?iA7-w}W?Gwz{@ICkiCjK=QNCBpvY%w^U|X(@bObjwb?ww7G)sjU
zud|}^<#X~cS3ZMyrV5}r#1Eeyt*Jk(cn)VHBUN9z?!+RnRPs2SXF9sU3Sd6lV9*>n
zhONs$?gO@2vJwTL(0;3CZ4lsPuG=mF-zBbOBDjm%&d^DruL5gS4VDjQcKz-H))c+|
zF(%{h0pvCJSr2`V&R^e6Yj(}Nrj6Yu%pe-5xmSx+5tY>A%8RnJs*fvX`i)7Op29)~
z*R)qrqL()wCWcq+H$@2_Zg%51C@tNye;3hilJ9AOSap%?;*AMPEJHjd9$#csVTJI*
zg-?4m4`BQNcjH$?r_;{%6hITa;r8?lyB~R@PhemTEU1xIFJlvObNgS_7mq4Sy_5XM
zSadPZ--2(t)yYT7Xs*C0IwvhY&<3I4Q`UJgjtYeUczvy0I6mkdWc8w_Ut?G4gQ+(H
z+6NjM2t`(H1n>R^5wfpm5Q`aD|_e%nhh8TS5$pl#I#XZaK~WPRC|?)
zF~gGd!@h~NwgYr!v3T0Jf9W3jJ8B8TyWY)Lh|y4F?7J6Y87u+;DRAdH!;nW)u5&d?xqpe>`wR
z@-)0sQHNGvFj!t=W09#6Jh3E~7*F_{bqD+5UC6C^I|^xB;y@j|VY|AdK81R{5{n9_
z%NSAScQ62a;|AoJKy5mvVeEKlp(Nf-gyt@8?`yML1YA(2j~iP>zK`3RKIzpn9(}ax
zzvZtaJj9HQ_cfmvk)t=bv}__w1ZFNX;R1}lqQTs4?R=yU8S^z-js4y3#)HJI0LKQo
z3lt5sbF*e3yW~~4=Vn>}3Wxio!_YQZ{+hBP7vfP(+jTj<;NRKJ(@uIW=N{F{<`_aV
z-%bVWQ=!QvQM6X%2=d}3zMs;JcX)$O?k$Hd2aW7q3dTyDv{3=R>esM57XaOXjq*)A
z5}42Ng=PRMtE%A&%%qjenY)k(J-&Z*^y}xFzcvOmqEB#Tla7foH1)lO4kS)Xfede?
zz5r{cW&9BNZ`P{LmGC9$RGnAL_{?c$a!)t4qF(;nkqKMM7}eFDk2sC*(Ixt{x)Zjw
zx{IGMp-sNM-z&4;NL#GP?~n;|*6{9aa+ZJPriEk`l&P9baHx{{ixq8H{839_68<2x
zZg*T*9szZfM2NOD5SO86UBB&VtDBA5mVj(7Ye{w+e@p6m3vQ4=A@9exMCH$|*uUn>
zP6hC$3VBE*kNGU|Bd%`jkxzIBzgFEoueZ}Z5p|7=D)?4Y*9r_bl9k{c=F-Rf_|bbO
zkE9$0uhu`qWf$X&^M0;Tz@Yf1i=$CZ9)D;&D+2Nlw=x
zD69@8TYfCBpi!@0UpJuoCzw**J|@a&Xhmrr-Yy=eIgH$|eko7fZY>BSqrWB_Up~mk
z_u2X0_`SElk;E8>oYF&F-e4zX#gNZy#qIjl^rbjzbV4AXowQulIIe=-`Lo
z2l^dPfeEuU@K}$w)VBO2|6n_hF4LOq&m(3EbZu
z0cO-+Q3I;k`G6GpF-TO8M`TW@qvF&HMCEHzs}H-_W6SNm^M(m2?n9K!nNs)gqcLX1(kGh+
zh`Bp6Gqr4S!IW@U?r%ZYeq|;G6;L2T_TTHVA%ufC7w5iZ)$-88hs{8JNG*i{%0K9&
zsfpcBS?D+jRM&c`UHQS|YLcrH0f^eZ%c!4W;8_1(;5anyVpGJ82mD7Uz1tcHTw5O2M;}y(LJZFXWaTMH9tasI}E{B9|{$TcRA`C=rUjV
z&nSWa%s(IR-vplQ~JV
z`rnIa-d0{n5_*D{S&fhXtr5rtK0lE+QnbsQUe`8EE5nN00dc9dn~xm^ekoQ(YlK^y
zBKeQX-AQ3Y&04SBIH47N$#_YgH)c|dDDbHA{vtxtuI3dPEGXEDzVWZ8hLcwx@UWZo
z2gguHrAQ=QSf5OzzA*>B$DbF@OG-DEQdqg*y7EGotMLi*(LWiA{lO%F2+M-`uYnoT
z3*l=>dWQ`{&_~V|OQ_CmOMPl0Vw(dSSO|wZr;H3ua9N7{!CuQPcKmOxLv(!izKIsf
z;qK=$mP2urlU0<{M(dH_ho|IUoQ&&MSChKfct^yVyammfIn<}>sxezdD_=4wqu4Te
zkU#8OooBCM2qk1-V9puYnoguX02TN_*2Cej5Czx-NK>2(H#Hs1jO@@mfRU@_yxbRP
zeQcjNTW00FoQ-?KPoaFb-$5xh83-i=4`06SqEd2#$Xd#%5J$h2@W|_B-8_@
z3A}NwrR_hnUL-_3p1*P;b!u^f<8#<+<{_&2A#c0F*4do3mURYmAPm$>HXnK^1hGbbuZfn~L`oENM
zh4!AkCnBO+g3RrC7MpGMkA6J&7IU7Gtc@cu`f^_W%6%UwELS3Se9cN(5umDGRT+3W
zoe;oXmU|(<$*bR25e}&~f(SKD=prq22KYONg^60-Qs5Q^tQoQhDPKjD&jh-U}1uYte*0g7OWsg)zjweWEWTsV=muNgWc8rj;)udpd#
zn>+N61IJ)twBxc@4}M0*1tw=y-=wef6X>!VUo+8r4MqXSp=1>VSWEBXj!!G&TMoD$
zaBj&L95|b#iK{)oR+)F59orgZ%E$l**XpCH8LuGC#d=JEVNOL!26U6
z)D{`^WiK0n-3-CObcAArhHs~vLd*gWWWHcXl*~oT-8}VCnkAtkFrNBtnskc_B>g@b
zG5Q7$L4bj<+0)nUSg?Q#GcfAe!Nnh6>b*j%5u2D-uSA0*I&hMD?>y0V2@7TdE}u!E
zp2>u=L5kTjpJk92j!Ew1I7h_1
zKCm*&63%x(r@tpObC<8OPz$tg#eU|aj0}E_7g|%O8mwJuX(9LFjO+MV-ow1z5^!_b2fmm$&gyIzvJPBCs+a;pI(N7cz;u*Y-?bne81+0;&$`oFsv7
z@hpC{e)du}DM|dK{i-qR-8~>d!rjPi77~06vwQIVI$jz>hR7WC*8f~tY2ZF??iAYw
zV737c$zND)qGgHY`N=VZQt=M`9qJ`cJEbPamxhWvY`XP4c#y
zH{RJdPE!#|va@1*px;&}?Lv@CX13Z_A&5}kYBJh(`i2d1*lJfv8xYv}31}&EGJX4DbV}
zt$1&F;SUi8V<^Zz#tCtSe!y?u*Z?i`Rc-IqxW~X#DDDE?8aMNE{yPrhTb`F`qW6?q
zXC5+D;=%L;r^P*P6FtnKmJylW`h;5GMb2QvCd70a>d58
zr3%wNL#3)CpQ0s>wvsZqs`)YBS#Qk-q)f&K?^c~4=Cj-)@+)t5N2NgTb_{aOQ`
zjP!RV6qhp+({&8PiuE&%9djXYlG3;i8#1^1K$wn<
ziw3qXe~SC#2tJw!pekR}Fc<_dA`GNVVkp|%>cdQ26^6F%B9iSkn^d!ieX>a)seR;M
zOp^Q^4?G`K2TBE$Uf^JHP?QwQ%FIUS=Sor)9cK_xn<>>J)o54jTh?o%nt9O`w5kNQ
zSZLwzQXUBY@dvx^^SAN_%kvDPF3gi$X~~#?%mBd?ys|FN{T4ii7LUeoF?j?}@#;SN
zdUqZ%xHj(V_^Dw2yOWC&qNSc0%>=kz8i#w$LjaRu3oA!u)`r7UwqC=iANsp{P>0ij
z|L*xs%=R_eUh$6}iO|J}xA4j*dz++Y_Yb?H^Z>p5=TrXXfc%alzthJUD#aA}==25)Sc<}n=WtDY5PP{OK#k)}l$XVO#?S0!LDE+rr
z9$b-z`@nP+geT}UEhe@C3)v0zgqjN2EW+bUNnGqkt?11p%_Ny^qT-*H7h1<9zUTIA
zICPY;_pY#>xnQg%X4kG!fIt2|UHcM?T^Ssff5a_Gm-O82-Xbe3?=*TTx+lINB#x2)
zvzVg_uhY2@n+mo$^!SejZ4VyUX*18hpg8>pS>0htb$U=Nb0|yhm8HylH~Q0fd=~+l
zHLQ=nO4qR?pe3;A2$iy<8d~0GiYc`Hl+mpV?-Bmu9V|KW|*|=5>y2NXK_H_8D|7`F>209O1L{kms6Df*T
z-v1*v_Uo=1Wx7=d{%te&{Z)?Jmu)bH7)r-YI0gv2NWau*y*0B9M?ArdK4+&E6Fxv*cHq_SUM!Yw`*|+sUfNv
z3%vKjT7SKOkKsRGQe&Zc(;m=VajktRTo6eVPCPxm2`3mo%?kW$5H5VdvNhbh*(^5m
zUppl)J6PSltxB*UEsZXZfuJ3Q7zRO%_DRjXf<)bR2TwzE1(v6*o=|;
zrXJW=0H8&7`8sAym~ZR@(ie~9c-5rw*x}XRZV%@Pzi^a&IDd0co&6m6V12w}@gk{8
z!o$Itmvkzg4n;+O$Js3hk#IDTr$%7X^8v}lS`Z|4O-S=uF)}_lr8JK9hnNXraq4Tf
zL~*Sh62z9QJI+nx^~=y`GJkm6Gb#Gxe_*Yb!>e4k3v?DqXoIh^;JdVi;RVtZpn#n&
ze^LJd-DV7A)(;#cDU;RMaBu%x*=7I?hgm2v?;0cr#m_9~k?mJlHR}3y{hlgFQS~9O^zw-j${%>JX41JFcFEA55ED9l
zK_hMzi;lBpR=A3p2j#w7OP7^?uU>}f)liVxOCi{?RlNbi$*^=i$Wi0N2;!A2c!2PN
z*ON<3!GsN)&?J5?ba6D(=fxrvYa{RX4FqPBgp|I1eShP?36PyWN1>pg2;h-ZoW2}N
zN_ia#v0nV0zMuh1AyqDaiTmrhcQO_A5l{q$O{^SoZh9jSlW7{g3%S$i9%D2$N`N+k
zf~bUdZ3m;qQaP*>q@~xJ1BMGfn1=*(lsXUhyKDr`?;OUYraPqLr~WF2&ZfUt-=7BB
z>KobacRCbJhtxeYN1j#o7*iLPE8iKhG$gmW|KLb7znST6;w(jQ}Y*>x@
z23aFx_n+2%E7ALA>YO!`FEa(5
zSdQ>uy~>y`dLuLz+&vxd-^7||ilZ^t$%6+Yi~tFA*5kh`Ik#t)Lf;$#)(nO~Bl3Up
z2^5LEm-NL}Gl7JZDfz}jhL0H3Wq#nHK&7Ls!IS)xe!=BBKccen7JonB@c^&~Iz7#b
zX-QXkjt1oF#;er;dlG`-xP6Szz&DJ?@FaSQ|K(sNEaJffp@3FSA0^Z*Y@?~z8&~wU
zPg^3$XQ3zYyyCZi4Puri(ZUWRd{{?yD7lCY#mV#dXx^X|ZUl{3yAA!-cnU%0eN4gq
zS{q@^Uo({VO-ByCi8hThh&gY}o&{p3CBYuk2lpzv>$=}G#AhWCkC}d8fSg$A8f-^*
z)**aj&uIGM%JekJ11^vS2c<0W`>pd6Od9Ye0frLjnMC_Dp2cQh1~~b5oEf4$C@VjD
zKyRcIZO?2K{*)k?U|YN!$wVe>qI=u{f}EiRk&Ld=h0T|Gl7DkQhMB;BKH}IM#yYks2am_pKo709uS*&
z-!HsfX@@FF{^c*(3IP1DdPdTjTf0*r0oE83k``hR&?j7?i+GX3sjyb
zSaVRvN3&bgxe^SiwYMP&tfrYMiEyol6s<6yYi~e83CHEB^QZ*>E0#BM+A)>-5zJH@
zt-QWh_M_ipZ1TGMRhGSULqflT>Q`Z|(!dFEl%l%n9%NXY4=b{-sr1?_I$P3&a%$)PK*>0Jt$UOq4SlvocA=q;$i{{7XibUa|gdbyv@*
zD<#0Rnt@djC6`>cbdjl@+FkMMwT*Rl)nCaZaH;ApJYrgOQj9dnwzj%~t%|jjy;D}3
zaonQV;eK!EFDq&=5rH+4u|d%)0fK^G(VDue5-%t~Ih2QPmJUA%m|}(V_~U0X9G%neLGpQ-fM5XP
z;aFJ<315H-;cZ<1^g4?Pq`;p;2lMt=AQpm*etEP>swb&hUu*(c-{&Vh!l1jbdDb&i
z#e%Cw!~TGG_~hdBAf=HfJV7{bM=4Q&CpMT4u%bMM#>bdcgurN552JV775}ihdK(=%
z%#IhfdO+!)KAktFe^EP>s>gMi-NUnJjLHqp+j%uW%-)
zDbo~Na~0%(__NIT!0D-1K#c3ubneZ0e1k|3x^eVn9;l2GdM5yH#PLRJvCcsa6nJkG
z)~b)YD6p;bO+REQ<#%6b>D1jH@Z>NjT`coF4papPl~2|*SOV3uIS14S&OK(1u^;lgO<~0$5
z!pu;YuRKFdg+IBlfDgZ+uQN_k`$kHXFSGK`?y`S>?4KHw$tcv!!SeQ8eKF%ND=ft@R=Q8umFFv6w_a6yA}i2A&V%
z%Ua7FkJe!FVOaUgR*pfy=Uhp4f0Gn7dh5>>7M*(&=<1geu>FOtZvGhhd=mVsT8K8Lu=>8WP4WfD`BG9id0I|pjfy2p_#gZy?cPUN{9Dy=2*Wl*u%4{~Q51B1T`Fg`23Y!bZun7V(l<%@fz_Ttr-VMabp
zGxs<@kt%mydrBxkrAo+fq=xP0;;!U@#0_}%s~IgxxYs5%aTv7XFdNTEWX{~2ilg3R
zKcFPABojV?(f|_*cS<@($w-^<E%TRof=gK&cAz0LRJYX=VTCY)
z5hNa^=$gG6$9W8F=i^BGGRzZOqbxChy)rrkHl2wJ+@^cTQ4)!+sB#nEKJF^w0oU4$
zAS*e=suOx-a54PRIru_XI)RDiKzHDz0;PyU++TGGW9V9a+Vb)LNKwX&BeqH~OPX1=
z)r
z4HIk^HON{jhC6U?=44hcK=vS~uwi~3?5b*8vBpr9H&6j=#;ALKp6#KiE)F88SAKr-os6E#S)@9s*)rUwU)Sd!DFF=R06f
z6Ii#L?dm<4%BeawCi+5%BIpU&QgLrK{2j1^OVi$VgPeu+*J;-zt;b4yYSI|+W)30R
zpX3*xO$`@EJ(ipItv4=K&HEZK#Ls=!FJ55UY+PC3<$`ZHc&esT!8`BRT31tIv0y%f
z+i|x>=-`4LY;XE6ctv_55-vQ2x&coB1{26qT)zoR=;-m{;>u6tx7j5)Q+3K&SeId^
z3IydCK#SouK3_guj*SJNNp?KU;vk1YlP8_Q5nTzUp>eP5pRi*BNNB812oAx43KLi?hJUgx5J`1;hy67sKcBN};R{
z;-&nv?ms7ITO^{tSeQed1_pFrP%@fZ4xz6^jMY42qa@5WiDLd1Q-ZDxA+(UjC5fyl
zk7zT_%lK6hw}(uvMvlJ5J1<0Up!ZQnIk)Tq0z;
z0$6e!Hl^`+*7O}$kIXyZa=_tuw(Uqf%J80)HWJW-Q19VdSJ%(S&UJeG2M0wGwp|A>
z=1UWHm`Ic)0zT`_s)2Th*UCU}DPB>gaMXB*G7^e1*4Tsrm{KWJ@rzB7IV!gLe0ZbA
zAIEwqs9KZb#^XsbUMA~p$5bVahE3F^S%vcXiKgriRXku*24e~hmz>Q2_BG2tFCISlx2GFS4#>)sQ_TLpZjgE{kd?;LPx(UvHTDsQiEmfi@}8Ecs@ggs
z0t|Cw!1_#0-BXniDaq$?5d0Rce{4cA^=kD$Y(71t$;}=;+#|ND<-iK_P2V`rW}qEE
zeDM&_-5;h&WV-!fIXV|Y_6sd8sYpYi8hW4!e3{3$`l7ShTJcy#yUiH&4MuXNezEc=
zm#)Vy%6>soc=Ly19S1T1!pM{DTaHZ|xop+^s*TvLquv!n`l-eVgLJSNFOP(rEr}Lo)&xcXx&j@Mm`&t1$&@?-!;Ugg;w8V#_UWc9@5WVB(bb`6x^AocmIr~v3jh>nC{NTGAca_aM$t}E@F3%yY%3+oUQf^0n0@zHZ
zl{}xMClANrKddJ2ms#P*jVI5&vGP0v9vONOF-S*b*{RaBR;R*oYq~k~fs*_;ldmqY
zSuEsaa>QRY=$`kbk+pZHnKZunV-o@_(Vgjwuo+m{nQAWWj3>+K+;;l77OJAeK>TJU
zflV5BQB8_yGI1{&%%1prK<9Oxua(CSu-w~Q+^6_gnPeO4m=qF0fndYuzz%Y@r{P+t
zK>9&8QC5qkgGn-skxxsiB}$lkEhH<0xYb!cUA2Di5eHE#9Cvr+u)_sbm6`M_=I%JsH1$yr?`-3^-4~ID!GOFD*h`>HFrhr{L
z!x>hE-U_v!edSO$G}|gGi;eJ$<(=uhQ_ecxhcNPBVe?^VET2btlR|y+K5!6upsj7a
z6q_uN*6+9627(!-{(rKu;AbgB1yq#$XVmMx?fS49pNtH|CbW;weA8gJ*4k~D-ew-H8Smj1p5Aog0hP+UmBQ~wq=TL;cNG=WostYVd3@onh
z+FSwIa9-ieE~TW$-m)r
zBhd}RDwtp@+oPZgobF;RQCIrQ>MK|WiY`Bu{CaI{i)@>(*6HAo9D*{Cc`jwgN^
z*BCRxMOLl`qLgGYlrcuDTX3_aPC@^`2CcWZAUE7(^ijv9+laF$l=(D93C5~`kt3kG
zMVS;H{ucM0{~6MA8}fU+qMV@0)+N4B$6gY&^afXCJs^=aUdg)h=5;iz)SANLDziHh
zT0Sx>Qvui%ktGv{BD#J2wwoQPjS6E5qXe6p0;C>}mbXppaQ@dr>QpBTO~9gNAge>M
zO5$@TRF@p=^{~MH)pUq79%3-zBbbf|rBk+-7?(@1LaOTX(Sl)kEw^&EZ2>uDr1g+`
zbf#BkWj~u-yGqI0@BxEXn2H(Z!=uFU)*@J6d?&W}P1GyuxjpTAFyruutkikIf?Meu
zoIeyUH}_#M0MFF|F9%caMhVsM`3FCS`89`J3Nz)3{wTH9tGN;>o=dOveA*T+XrG9r
z|CoZUWq{(CwvreU?*pVKDpogw`6*mK{(mlH6)Ph!aGqZ~K7na2jf6lD_e&xAPa@i!BgJ?fcdu4Wl3r->VzJ3w2RehJKv}
zftwV&>IidQAj&hqk*a@#nFQ8H*Eu|_RQf-_Q<|YL%_JdBL>ttZMQ>7^z{4TsEFywb
z>al-T5g=rNJ{|S3z~G&J(t}kxW=c7Ii4y7o~*4f!%s%5AD)>%Y+Ei0JD
zQsrO|WtmIXZe0R$*}r@7zen*l?lzAdH@JYEM;AC8C>&DVJ;lKEz6KXQ@G8L!R301a
zghR*2o6o#Ha`=8@<3mM%g<2_CUngw#9Sn7f-2W7K!^ywfP{*hnB%*G*`%$_~>wLDW
znxO5N!FvFL0y#6q(bSGFl75B;Bhf%k;4cU_8|PuPeCukyqW|)TqFvv8!|DVuB^ZBr
zLiKt~Ev^yfhY?mcotHSl*>qB*i4^Qk3pMVdNjkI1C6mbqXcL1xBy>RkA;$|mNH
zf3CafR;ya2gEj68Zsf}2`g?*&``vJRV7^V?E!cgqhlSkRYV~xpfBy>?jkNePNwJ}T
zs_d6P>UNBL)vaOksh3h%W9yZR_ZC9iD3|llKs4l|yPAlaEw27g&B%>r;J5v|Z>Zxs
z|MBBCc<$;cj2;4`Wz@B97e0iw4aV%UqU-)Pa%NHtyodK?J&PX>DR}4-O>wCH#}DWB
zAYSLT=VK9mv)iRE{@Gac;DFIRH7;YxD@-Y4I4d&Fn5Xw!iNeT7|fq|DUWcxbQ>o;`-cV(-)+;88Vm}G)rJvm
zev$pVI2dZ3=wL`=cDmG!Dvq$X-bb+MdPc4HF5`jgoBO1E_5{x8^Q%s;(QpDPzWaO#;RIz~-dy9d*Jy|5bN$X}pCseX2*Qnq#%4wNB)v
z7V)wU8SwvIcjL%@jQh1`f-FxJ^3CTlV%UsWuI~Yv;IGeL)ovu0&d}20GymAT7n?Uf
zdoeq3@vU`esv+s8uj3i-{`DEKFkbuUO75@!{4S}Mue0yD?#`Y)Y-$+QQ&o$jvHe?@
z?%0Xku7nrIr{oB|51qJ;A9ERZyFmNcvb0fI-b%xPNiYcNLWOD~3Pa{p2
z-7^Td#pN>IYIFs891k+3xl4w|XRmaU`Sa?IXJkBmg
z7E0i~ZK`&KB4YzjViG!~32$hpVB4xPyEqLFD9tKNrS>Rtg3~N8g4jj9c1dh(}Wc3y0`<7;3H`@rn&2
zU*taDKh>^Ab1i+0JwK$deJDY;KF)knf4J;#*2XDIXmO;cL9||T(jxnS2ExK3q!2Ou
zosa)y)(-Y`xR4Hg_10(A6(#M_pX*D%5M9m7{4)0ZZd3?LMoOSfP
zVZcfxYuF-SCncht?WN9civa8iOyw8BfTagC^j;b|8&&y^6kxj7e}Ds_pDv*|3F(3(
zXIl?9YLAt}E=g-^?cAT`!~E0$Q_U9zv9sWyO_R&&VZHsrM3Ru~$pc!9T*_88I;Ojx
z>vhDo*-=6s=O`=Qq|=o_q#tIT2*?G|Jdg86B*|&cbYL%_nRyQFhvV7i$s8Y}Ij2=}
zw{QKX9j2C7?vxAeya+Yd{R*<*ziA>zfUQtE3g$d+LGI5L(~n7*KrXB-+nWf>tOv9d
zKpQs`FHjnp(O|#IQOds1!~XB<9Zp3myWge$I=#IbdTtpDJDpp?wppCl6))>f_^r5U<@bhF5~F?
z#|m}1q>_rl3CW@Dq_J>iQ*NL!F
z@@uS&ZxE_!GuICdj~FNZoT~|+%!T{PhZEx_l_64cut#_Wrz2z
z%^gdY6?n+06@2VZ%{+aXT1KI%PWcK*m
zSA$l)T>-Ro4FI|g{!*4-?DEPLcTRB|n_9f&=kI!iNz1M%haXG-$s2+a$Q*~6jq8lM
zfQ{#$Wdk
zEzYj~wiK^S0dsacp2_>#_9{HYUg%xHTtJIDo`4V`ig3pizbQ5zO-;o17m5`ekqk~0
z7&T_lAg$V|DL+KI{;9~M|M}@@J4Jd!2O@qe*vK89vL1!r=Qe6u2$PJZZ#NLnL;OE}
zQkv!YxL!lUN52BBC#CUf4}(5Edebx)M#@w4!Cje)#KJdHmYk&w1yuRj9e>ExpYqfT
zgBe=t>%l@+g!ext>uboe*tO_U(s=eNJWn`heEjt0A*kdbQa{^__|WAaYLHf!$v3sM
z5ZfH-*TqbW^UWDHZ~BUp!rt1$n&eFIyHBqIG7t5OPdE}x9){q$Ivw%fQeQ?Vic4K2
zXGZXzs;a$%pe%xaN^$oj*7A`L38{QoBY7YuZZKzqbUq6XxCE8Eh`cYjVoD~Ct?gpR
zV;rH&dS-r#`o#I9fZurZBrM02laLOpvO@xG^YwF;vvQ;GKFdeo>V>@uDWvR*lJLUX
z1L(fi-ukOH@@8Ctw{E@adM+xga0FHdtN^KG{}kEwau}0BzeVcj(pOJHKMAVxoo%Bp
z*%vL}tb#|~ur1}OV^jX;WskmIl2rfCJC=KraH_Gu^s1MckD`45JvQj^+96TFu@~gU
z>Y9-W!p$0e@XM?s1_XHeZ$B(ORwMbp-4VMY?8AVAcKv58{X>K9-xjIOyBlaD}K+)>sj`>&psY8*Bet#
z!jn+KuGG){L!x++hp8+ogTkS)8ha0O2Sv`>R}(oKSd^DwJs*)(XG(6
z6^-2)SPr}|fJnIG3~cNFuWzgAw|0GtB&bgK9{N9*Svjz^Vlmj1Yg`CmSI11iAA*i>
z{@nF*$)Cy=XE9+-quq{`*B5%p@ZSsch>}__dny_7UuAkRG0YU?YgR@=Ba!y~cXyIl
z>H1i6f>~HFp+ieZVk+;`3WVjSLQGU=|NEL!Zq^L}-msE45&ToIZ^Gvgy{SZ}#sx`a
zQ~v$p(UScD?5{tDn(~@PUq>!}mkFCKnJ4|V?CV1w@2RnzyO!`GDHVKF5&!zA(qU6x
zKQ=tvKaZcO@x5Zy^=E{xbsGHCDLNi*OE9yk
z!&<0#u#YI}|61v8F*?QAmR=zrVGp=M^3Ufvg2Rl{<~S<}&6|=s;Bq1HkwSR}Hs!;<
zJJNU^;N^>A?Qu-Ky8Hhy_SIoguU)$;0@8{!0-|&e-5>(eg0wW_(2aBn2oghg3kU+z
z-61eYhje!hAvrYX2kyP!cYk|-=bXQ|F2R{6R@`f?d##6uH=F#E$Zvt9noR%GY!N#Z
zU8=q7OdMh3c@uf>wIF?;mwR_WOt{IvSuFaJ3-y1PD|VLTTIN(Hl{Pl+H<7Calff&&
zJR~K!xLE&wNB?^7utB6X@%F9}Oz?ARVm@2{^)aXTM~sw%cm8DyZ=S*0P-&sOH@Yh3
z{#&{MtI1wz%}ZVw<_|1bMZ+#P3u+h64|c(aYyjVDU)
z`cq%Jdmgww*A;t1@~xk?-_B#tz-Lgh8jV}><}y%&lbLDp+%AQWSSjfN?fd_@
zQ>1fjLU48uw_HfH5iEmiu|1TP^nY7H?n+ard!_Or*-!cCJVh})CT&rbLe&@0c#vY-
z+!SOOSy>$#1v(^~nxRwvr!~qnUn4g>`#$2I8!_}m&|W8+L3K1BEQC#yb>N}r%~Wq*X&P5F>_%SrC*<#k{MRM#YS}etnvjToPv!7xFb4zPkpk!7YjX9hMX26|8tA41^2%2
zIxLa44g{d6SqVKQ;kK~)$Mcxc_VlqFS^6HuTj^JYOlo#6~4OQ0P>?8lDT?@jM
zZ!!49h8zJa=W9eOEj|E(IcZJH9omVBea6kLmd{r@K&QNQ`970Qtu{b#rx~qiP~}GV
zrGETn#n5;epyO!L^#AS3eOQh16Q08Q$QYuU;gFUOHyeANON9D*^SSZh=UI+k
zGt!lyBMRn6ezJnO!r;q9hJVFGywwP>QpK6_&3DNqHi);iHyE`kNXY=E?-p?13d(n^
z&|Kh_L=Ck)oW0kFc9B6Q8M|MO^{*?K7qe!!C1Ue6FA^C7aTNYxuc$0^5#A=_%bKk}
z0%#mPqUjh^^3DFY&$np{5CokUT5(qbtynjPkBaCooAo^s87@8*s)P0Xd1Cd|y!EqJ
zp~;IksPY6&8trfAvN(P@L+-^oE2KP{R_dPL;ke9TI@=gg(!@I84=582D~WaaLa;)^
zWRP3}hl@p0l|!Q7YPqU4$&p8i``Eqb*f-Ylp&k%z0AgU0_wnO~@@k+}gB}kQYLaQy
z09(AoIuH5Bw`SOWbIo|)9+?68YQ%2cIgoq#rcFiq#;e{Hu5ZwJ*PW`W@=Z&VWrNG}
z%4YD3{AD=sdfh)z50Q|2hO@`8cxzh#_ZcQJ^DGfxXFytb^xym?-E6#&#;}#j%jKSw
zmmVzALD5W9H|9V-7Lf6PdStt=0l9XEvkHTaT8v7KX2cO7aK1oed_0lT~d%??*S`&8fqTcn!N_cn%_Gq#P3dQjdSyFWrKcJCxQ;2z4RTc~nL>w47l|_B
zZ?1=~GDT+_v?R`>ipTI39e1ioxLy>RBA}8;dR}A+n!IoF5(vZ^ZyggDCjBOG6KC34
zk7*qAvR*j1iimfCD^p(L-y8)R(3ikm>ER4xW6Ow8BjXR2I2a`=@(z~*?E8O|5-%jx
zOR|qQSFs^~eY`9rfOJ4<6amRwKR>@`xegdPb*Pj|Sn0HjeV}pT2*Hg1``B);Qx4Tb
z?mu7+WeX6G0$K*Z8(f(f21e|(CQBmVar5!2wSX~KY|ejf*T_1VDXuSXUqvE<8eSyp
zws0L|t{Pq@2J0oIkq@y+WQZaR;hDU%hj0vRi8>1a{KX^cZhWT>)bOROt1<_P{sr5`
ziU`(j%NF3tASdR3##KL(c$#>f)*=k_#h>p|@Kc)&=Y#7}#Gd^PnEXPColGn?`I3LF
z;=9SdAz)N8Z~eiYK^3lo%X(zRO2hPoew0khusmJV1BeBwgyn!#BFr1EB_50&B4J^X
zZ!%h#eq-zfgg+2-VZ9Y*b`5crs4uh1=uc+t4E%5WD@DSos&At|ClyI+Eo{3~*F=gU
z$!WL3Jz^x)-b
z1ANgnGh~^Fz&nvav_H3Wchd;;-b}=$M~16A_!%`u&5|$Qm))WVe@ASl11c?^wGpCH
zW_LW)cl%9=|E7x=Gb&2s_P|q>buXDj*witTM)jW5*Nm7TeZ~T|Umk33S-t@L&0RoE
za0)GO%edumqvAqA$LjyUTOY--*6Uoo6uSS0fAqGl-Zc;jIORBBAIgMnN5w)34yxoi
zHqYuA`!3Zj>?okbI7z-ebHjPxk*d5q|{p@%1M40380e2>L-F$$-<*RdOug^ZyZbFSg##
z46%7^0R`N_1L?Ux{lY_BuFt!hmwe2BQ_A0-@{hDzpyQwJ>;L)%b=9Miqzg3TL}-A=
ziER86cl6%u@W^sw^I-QSmkJ3gVAu`E8G;nuu0{
z;5b(_aAx4G2Rhjz_x<*;{p9>f&mVNM{mIq)S%R!n*lAo{_wN3S)CNCK+s32rB2Z0J
z%1|uv5zd_|k1c7scYXt6;)#IK;Tzn_rAFO`Z4l#=^1HAr^glon%I(ja)d<&K)SMf1
zeja=rVuy@*f0$moyjm$%m(Q`&Whd2ixQ8y-sBiX4q5jZ})%IfFBa;a)-`T54khSR8
zWrhyp{?fPlH2(4o&ZV{fs?H(ngbs+yslJwE$jQz_DfuD#q@<
z)&JW8J&?zjhCvhB3d3+i_&;O^Nt6&5g<&SQ21>u=M#rTYKF5OAtatK?|+!rApXRps6Ql&q%CGIpy(hQYgk
zvp?kSnU%Q!#QF&hZmh5(#>vgj)Tb5Wi9nTlpohNAFgm@fY
zJ}&g6zVUNILR(bm1NPUkVAe)?34z|)uLI3*{SMR
zjly2pz!O+A3KPehWE3Q8&mZ=A9SfAaYqgqyq0)-POxax7Ofxo}Mk!r?Z`fUdi(c||
z^VA@erkzj9rmK!QumE#|?a6dKI@MwuXEn(tLF9
zA4u%|C$jz3e*RUx%bohN1HsnibNAMa-RfZDx=76*!ytM2M}lnZ
zfF-Uva;mrLi&AtY#>i(x4Ikv($VQvK%K33EdU+44ZI_CtIzA;hJB@)8S)*Y8HO?F
z85)5ZqvLr{laa=(__FueCtK&FFyT&v@$r@n*(!y_^;2I-O)9>t&PT)@;XEjS5SQ8<
zX-|yq%LmU)_07tKPr2f3nhu9?E9eNYNY?YIaGJc;Yux?(wjj^2xwvsrWAT&ZrBpF|
zUCrf+riaKl`jMCvr+0|}jH$51J?G=@$J;pT3yDdd$~XFJ@}p6Ked`|Wl77WskUY7B
zIytM3*24+ev0x7hy$B9Y2DJjpD#oaLmMc9mT0jxA+=2Bb}LNYVN4>wVskWZ%3$EBZqF|h#1P}Y^SBj{>TF_#hLtZG(h`y+
z{-i(1dpo{8v!jT^@=69#1H%l*!DR`qS}SncE<
z?sn(07=1HZcQNwX?pV4eNHux4ci3rVE-$4}=&W;_Yg6#K@zQ)la-&U!^J3@sAu6${
zJQkxKJcc)NqaA#&Sjc;RxYQabBU}KSNCdc5SunHsTuZ}sftTiUV8SMlRQ6#Vg|Xst
z!Bu0j(T|aUIuU_i5I$$l9~OP%)}nus+hCN($JdjSgFZ?!yfx`Tw~4kPBsSilxc9UD
z9^U({#t71L6bww#@+#Bax0y_l79!=EFr~&fe3?udx}*a-m0Zq;qKHc0ufpL|sdO66
zITXyzbiNyplLil7i8>mBIev^Ct-N*$xoqv6UMXAIODZ>ccYFPVUK$if34y@rRFh`@-oEgXwPNJ;o(zxq6yQr4OB&UUA3Nf>yp(K5yd8z82D`6g}rU1nH&{;i{$|!w7^}
zKBgH+mS~bJHydjp`mVqI*L4!?rsfK#MShXXiUd4wH2n4k1&++j+ZKZx!F8nPj6<2Z
zKEwl
zb(70evhQ#Z{t5}v*hFuf{d5PKz#f!(Sr;tSQQ3_^topugPYrVnh|_f$^q4s$p6)hz
zo_qtiz7XhclYJFt1jXXSWNQKc(rGl|vzPI{GXn)8gOAUgIEqg;$@!=(8ymmr`s`x~
zE75dQaDJ1+jDVyj-Rbrvc%N65G45!5w#xWbjYoehA53_#4WZ{rHA^z3uJY~8=+Ze#
z-vMc>>km7RG%3aFjm`awnVRw`y605d11h!&4D<5|aJyAhBZ+wffl3$PNr!^zXH^ax
zgJULyhoszUvEWMND;N~(B4mOs58FsWKQON{MK{*y6T5yTIX^QTc%zHYt(~+>g)h;0
zjIK3OpHA7uu=qaV6*;?6sS@G5GhN!RzI&%m+WlAiyX|l%Vh0cy8RDp%^^$Nc4j!kw
z4Iz^EE;jY@nQl75(1Egl#(Z=xhfl=ICVW`?S*j$mwDIj?_pJYnN(&REMQhLV2CO^E
zXe*n%4x3z&UT)o591gQ~nv%-YY(SlGvf7!C5D`clWT#8L?N_uhRS
z3@Gmqzs5esE*3NfKBvvy)k2$=7RAA$h|?{;vCrohb+$+3l6B59xX+7&1{XEC^7_<40N;DcG{guEl8sCDbLcoppEJ
za=XF%nM~2{Zet10p1wM^AfKA5uoE_)tlqZ-r7!zg@
zPN=tIs#ss)_*cTftSu$N8aYMaWv${ZqWw<&I({!U
zv+!R!X&Z}J5GhR3>q;e*=nXKB>K&s1ebW8M&NTY$S}af-FxP?CoJ3|Lj_zI+jUixP^>o9J
z9`B}dce&pMKRBQEd@p}R#+==CDRLii7G>Y~zHd&L+W70!RVM-kj;?L}iK5Nds!jJ8KutA?=3cPBBR+BiX{oaH)V
zx42c}fMPzIw4ACFLF=Tj7x&6o@K~?$mpq@=@^Hk62B0-}_w=~y~#BT9*6YIfAGCQy3>kp>h*G_N&jnS8a8Ytbu
zt=|dRRBfJk2#7Y~l}|0#aPRNNZYOsWuV;TW^fRw13bhqlnbU~G^a7i*HLw&XiKF+#
zyJR7rI+5c`B<#n$^Tcbw5&&oOHc1(}FgIY+fkmdveVCw0ho#J$(cPGK*@$Fgk?{3XR)A$j?86>s}|ig%*~tgS#c&LRo$mm(+{
z6%Gk9JbG!d6kYp97tuH+*`WOuSex$5*^Hbtn?jLclrgC9tXFWXnH|Td-a|26fufKy0T}(vU3e+
z7{z>jrb0*IwooNlP41HB=-stq5mMP_m;&+kUhQQ9LtIn!(^`Z}`;zv%-b9J_>(dG(
zOs*bc571~;&3Wx(fOnEl6-{da55XZXqR}|NLBdkV(Nz&75b8kg*jHZtvM`>nB1otUT+(xMs5rL97y0O7SCPW*PBuC
zR`T9PRoDSdBC&ZY7Gk2z_p0mx{qRyH-|gIzLi;YRb#g}s
zXoS1X$5O=0OW_LZ=i>A$_{tt@$|Td(oSraOsOeghS1nyw*je0bYg^jr>ls3dPRHv5
zdwsN3flB*OTN|q=b{QL8MPQ&?ovPLO&OzqBGcSd!hhNoLQS;S#Wp7*&lI0b=NFB;A
zoxs3L7?1psTY+4c`s%9HB@>&nMNGLpIQO39YrDd#5b^bsF<`7NJ)MR5Y+geNg(!AR
z@{_Lv$AxR9^Fqcs{Es%5I6jltSo*s6z&h7#L`U-b4YXcdZ
z;rI70EVwsW2Q>~)?ri~s;db12beX@SlsM1ghsM^aoQ>s=aAgMi-@j}jG+!bNOgzeS
z%>t@4&tylLN*nf7y90J!))Af4jsaBy7^U(VNeMkV{<#Bz@zUr~JGA0)$R+-5)l3TK
zkYcpMBlHgW+tv>^L2Gh)##oi_{k3saoQjhC=*duGOlPT3_VY-Ct~<@G4j%rU(Gz`p
z1fG|lK5m!^7)k1D-$#OMhsKbfyT9Kno_e5JZq(=|5F7KxzZ;6IEOe|{Y!>R4EiRM5
z5MbF`xk3&>dc|vu)e=zJKT6CoQPXx`E;_8pb9olqJ`=2sia008$<64A=b;JV?7EkQ
zfcKTKV^TJ34P73Lj&rE>q5Ew3TUHlAIu|eUvP^
zNN=zE>F;8Jh*gGkCvMnHE$>~n@ATTg!+vy8(3~HKQ`yH6dRL7(m2Q8vb47`wj7OM%
zUi(a!N40)Mr6m$F?mt#}1IgX|QhQj1ryIt3xtrylFxeXwgJ#D7X-IkIR?tFUiMc&_u64Zi>{VYfx#R~Cz=f20
z(1xvi57ldA-Ct#WIwfEaPoMVpDl_V48H`(;JYFE?gClhaJ0Ys
zl~+ELjD^8BE_|?AX0IFS^7qR6^rR-|2#@&f*E-EFud`oi!H?Uz5s!AiCaQjTUhu|#F5UHoG!3`f
zSaZ^cW_`arX@fQ2H_~E(NUQW*5x_Ai=o~hv!a@(
z?r5zntG$7xWd}>SoerX;tLE|4~+AM
zb5%8kNqy*jP!E-7w^$jX8R@%!wGs(6{fMjqLx_(zMhY4@WoSa+wELQ11}eK(nrzwV
zvBTdFD!-bm$8<iM*+KR3Ahka2%|L%EH
zH1b$nkKgL9>h2p2q!OUy6nq@+}&-!T0L>O#NTSp@n`1OuNWRHzmB5Tz2
zF%9ZwR9vi=$WKZ1dvYpY$tTjsU5d?=D9>>%jW{7a;#rM1o(enYn&jO_0aCqLBLs$v&^=fjx0o2(S%MXv
zAPa;sj({sQ*UUowmf88h0UB@X>vj-8j1nU3PbEs
zy!0ncJknZ{wO%R%mN`1}_>RQ_8%|`za=;ydv
z<(^Z6D#ee%Y3k%kEx(aQ9Ix=1+wBA<6j5(G8)TuS${+fB*sP=)TIE
z3_elZbU@u|igiY;+>-bx7DsX>qd3
zQC{B@M@No_-5QYY)h8Vr90J9M>MgX%-GM0JybqvOH)o~>KS(J<~>Onr3yT;>LrafdA*3k*qL
zp)u5)v1&git!l@*k~G%n+)}f1%9=0nLFwA<48rzb^QT=!RdN?DBERO0<<#`wKW1YH
zeHnEQy?+%n$mD{P^$Ypk`1biG)l{Nlr
zw#DZA7J+J&L0Rnnlf`(tp9r-3<(Yp}=(5NOGB(OWuG6mmvddxJ!9^9fe5Fi;BMIcr
zO>yFPUWPnw`qVCPb(@rU3jelvF4aH(g2(9d`|YbpHxy*tf^Ykp!6|x$5k=y2V}KqH
z#_heyLEVQt7Djr3YZx!E^riGo*{yRZmgzXedo@HO9WIIHmt(-Cf?0rRsU4WAjN27z
zR0cv2G%xiW?b)1f@xpU8J(i!d(RDdC!%}&_(_#42?>16Ty$B_!*aounJBTi;d$|XB
zu?QJ->uhu*9s{k=WIiZDFMT#`ZL*wglIml)V&?uUz8hK1tMgkwl@VA<$EWoEEEn^|
zWcEv_z}P1;KtAPg-3syB^K)N9PJ_3TYN`r!Hnml=q+7p2&+c^Fr3(@%Q>*uF=^jMT
z+276nI9aJ5YmcVdGcW-6O-V{#!U9qe?7Jxur7W@7Kf8VIaySlP_fVcYE`Mto(q{9y
zx|lJo*+%H4h4*WMMn`%d-g${u=D(CsA(Qcveo
zS87vjaDqwXs~&vI#g$>1KG$89Yk@v)U`nP_M(&PSux2{azJlEY2Q(l-#u$EcRqa^EI!suFc}Y6%CI#S{0qONy^>dVjq`0iPuHB_0hMPALl2>
zIx|#pye89msY=-oxMAgY_U*>)(@zXfY1Rmt@3h{TnoWgYWK1`AL@LZGW_M*bn1`@`
zPGX4X^KBZeIz(NcRW!QagSl08@S~_ZVB&OnR#OwOS3yC_uUPeJ4I(b48p{(x*{kjW
z^G=$E)kdv=_qMM%3Ggi;r4^nS8y|L0(1~|
zIeNB4Yi5R(_`vSOXz^Sboqe&eI{^uFk%f}!(OO7fi9;MA
zFtL5A$-{e^06LKloJe4X=ZBB?k8pO$K-CVmaZIQp9&SS>QQ=<{#|m0qZlyqqD_cee
z_}kos8|tp-yn*9`{fzPMVkV+k-k0Cq8km^95pVt=X2_>$1qe}Wvo+Q~!etof09pxZ
zw&b)KQR+_<13Di*zbU={iMF~_0-LI2^8wP(uvcXvG<|n`N0Lkeh{7FzeIP9&mi}o_
zxW2;AP}LFX&_^sJbrRb2Z6x1t_(-A{m|IMWwt2PQ*NyuC(j`EFmp>ZW!idY#(QT)f
z-F5YG1}1!mPh63lUKw(p-rMJx>i#|Fo9K6!VYFeD1R#3J$FaZ1r+H|X;=-7Wf@;L5
zbKXlGR?5xF8xw>#+U4n=vM?e0yYkt;bLxlQxsr>CW!@yVyi3GQ
z_evMLqCi4tii_ic=vX8(A!8%7n#E|^kuadDWY;Q9#gB`
zwLfNjzU;cXeAeG!?{R#gb*xPnKj>@u>i8k-7JZF^P3w1JUbapq(K0RPm+;eUPUw5PLX;kd~e2`h&_*
zYFdMoc502y@z({m5C%I5P&CsZH$Ift<%f-n)c8yMQ7#_tK4q-_@Th$7txR
zXb#p~t|#`4cysT0S(uOIhD^Uo1Eni+h`v{rAb!Qhap=J^BeJ_A8^Nw>O$RK+<;~m``UxC^w%Q=rdvhL`-Zy(dUV3I&f|2?
zZxy!|p8BE0EhnavME#PKlPPD8)}K
zWW9V|-q!#>Yk-!z3qMNMtO1~al@yWPc2BjmjoXVSKZ;91AL$MvbS)>)QYc_Mu28P?
z-u+ZziqCY{&pxF|R2WgJJ4*zF=QLcnxpSulKSjL(oH;Cmjy#529ovq9-1%}Pgfyi)#=!rRaNRu)2K{@VwRu$a?->Y84u^4A
zZIW*4l7W+|Jr&VtU7eKa-&)6Ofw}y+#10{~{HZ?f2qtye99wPOEs7k+UOR3uf(Bnwi9y=+gL&Bb5{YEcxX<
zpYaaMC;KgOJ4k2bX~a?3$>N#k(gHrE^dlgK*sqD@uArsEiOC%*NjXRuy-3IeeDbNN
zA~}olO3iBj56f?H^^jrI>kAMF=-T`6mK%#t`;eV%*|RgP-^J6oNvJ1ttHt=$GA}Wo
z;nnWzxVE~V$&v-B#u6#&dfkQIbF(6=5o?k>s>AH&^J}~P#OIIqtLJt7u44G?vv;2;
zWp5C0sz!>g;7Xgz8d45k)W>MG^-!C)=WTyl9@2MBDSz-6+bfA(!`*t}Af1#l4C5^B
zuQs?pX=SDioMgF$Q2x4
zW)bT~3}Q;lBIi9K8=BG);mbyk?E02~|KpqY^3ixGm{OB}-}SS_WPRt3hyH`%JY{98
zjwZ9!?=eNV5^L%LHF{xIdG*3(AErYmKpOm8WxLh^ZFOH)SR-vcfAK4kO9STabM6Gc
ze5xhWsD&QoT++hQrvQtIvYN3U*f16EQ9w)Ih{xC-hpTv6>s0N<
zb5;@duI-$*V+|I$wA_2c`z9U7toHqzHJ5>FLt17VEL6o+07pS4hVB_WS*TLssvwC$
z!%8keK;ygI9L2>I{ITJW4~0W_&Vl4Rdl%Xs>W*rm`9|^cuG^x$wEACsyCKegvG=^#PJSj2rour*6}Bvar2v*c;&obChu9RK0_VN+s68hd?HeJwH3T
zUJrae-L&88do(>7Cs#p1K00+!LDivhcM97ovioJOV@&7gVp1OTcuIT*fjIdQ1TkBF
z(SSk;@QO4770FU$Ld_aJ%A$)?vsMctR_bM&oP^A{~dLt*lOKHdkv
zA6vtQZ7mFGV1RP0jelz*0BOE{`YH}Q>+nv9$=gp8KaWWTNIH~%j}#@M&=sud%oN5g
z7n$nev**l;!cIH+(e=qZSSdZ(-i7U9POi_v7rR%(IcmCn_Xgn~bdu&`
zjL@Gq8UR&E}$XT>?|)nx2Pq(fGK
zKLkTn=MKE#VXvUBl0Y28^Bbj;&M4(oL|g`)GqJ2KWHe}2EmLR!Vzp)T#EX;+YK-%n
zUoP-I4?VnRX|p4T&)J|fmckvWys?dFnS`m#JvxAe2o*!UI#pWAS2>uY)^5TbXj?J)zB>KZ-Iot;ZWAty?pA?1@RzP#90hS^3jbd;KZt7M5<(f`~gZfcY>&GPhKr?A=l-mt+E2J;e_%-{Zm8`sfSeuGeS3dW26&2n$oq
z%kS!!8jJ>QS*z(aV`kHr(FP^q2y<=Xib>J6j0?UNHpWI7ix<+)GjDl!M5PH}YMjX<
zcVg!cb2*;!5zI;U$IO_hZo>Ev8I+OboHMJYQ-Nx%sk^>o&&p3N@$=D;tc`~j8E5)(
z_@9kpo5weRNUa8Myba_bz95Dyer%yRQo(d}TvsNU)Yxo+TVX+>+sdf(w$tA4AOJEv
zTnhfIxx_DQ?5TeWV!F=Sd`91(i|X#~T*0YhQ#eaB`qKS)L)TPeforXA<-)eJ77{gc
z1lXk;pxw}LQzdQ=MP6KJc)mE4+q+nyKGnU=i(-Vc(LqZ^Zy~*DyBqYo3NwWN7d^Rt
zJ;N_v(A;Ma5*prt>>A%kKh0yy=sXg&vGJ?&IDJO%>8u?%96Q^J(aJ
zH--VKfk^XWcTaa4g`kB_ME#QaW&b2L{b?!zgQPlj_iEzn+n5oAOX2?MT+tX
z7_HIR=rADkvxC&x!+GZV@}~q?PvFvx&mJ{H*rVy)=LO~;2$;SBDl^xBKkRi-{(AVy?|U)I}_
zO{>~;s*Tke^={dNYIax{UfErt80He#V@0KE1E
zM@%m&5tlWKlP+H;J_yoQ!`O}csNyDu5NIFk;t&Cd)e!t51pJxa6j1Op+#c#=e-)@Z
zMw+DlItuiDb6}e8=V^B)$B>DSrZ1Q|S!fcz4|WdWCDd4yXKjVIx$$lnyeP$5R+=a_
z%(Kuck_D0qVKZ(0hf$QsLZ$~|hbre{4&2unZ)xpW%KXs0}p9}y%+LA?7D
z3Yi5Rpx=Eriu#pklivUyo|_T+B8%E&g1w>6h2b7-tL53te2#upxi}}D*PzM48%FT6
zmf{j$$Xt)!)3oFepJYmnQuEQp4S*2X_sNZ{u9D{%gSMNSC6-3!Yn(urUi`B#?ES&@
zBcMf#*&DD`b8#v$4q_KWGd0#kb(S$>Ta`YQQRPqOe%!k(bSw&tY
zuY>j8{I!_6Su(t3c79kvZLK+=@1_0TYkFtK*2Ij+8LzBbTbw{%82I^w-pV3lM#
z@Y~1gm^&C3hD;FEkjcii!(c)2n4k>hUB|_Nf&xj>Srfvst^nWg=+#*S4}jkqXrntU
zN(*Q7B2U#0FTZ!jckbwY2^@!(480qK0~O-8_tMHFf(cdAJcu%1i6yYV`|*nqu6Jtg
zeEEWavQ0#T9b*g!cj$RbeFG+kItfn>b+-p~Bo5CQt3_Pdwk!aCt}d&-N%8?r^E>j@
z{`tF9UNE8VC2Rs}Gh@m`PBR0+0QsPLmjhD0M&P8Dd*kNTfu0ZTxx%qfcuGdJ;giA%
zhE91=xd5JlukT;J0GX{m)fDzPN|My9sEwIP`>Au*@HBMxKt!M&`*`rCi<8KFw1_6|
za;VB$sIH5QB9ND`B+RIMp2LUBU-jj~GJ7r~&A$Y{3r~DVC+_HS3G(9V2A#OT$Z;2x5ERG!?P}
zwYa?{9$J8()t=TQz-$kDZ!sqKt~*u&_Fd&QZ-LHPTh{GQm!3AhRNU}%vVE9
zYVyt)Poe$Tk%E%rNY%;f?4ATqKHH6)J>;w`j1l+?h5t9-7r$OrcQ>_E$;;x-)P3_%eJ!&Z|8MpvIFha|?25RcK(~>Fd$_
z1f;$}(Fdpa%dUGdijCU`A@6kYJ<@D^l4&$cfAl}@Y!+rEcDNDL)Q@gaBVpGeZZYSD
z_>iEA6XKuek6+J$$YHo*Z+NN;Z9SIwopg5bvdmNbOa{uYSkK}F#Uhc;q5#FcNMOK9
z{l?gR2&uYv_Z%R?{%$5f2XZtmNm?tmUFwYH(a7JI{g!?=oJTg^RI^;~1c6*+Op5%7
zMDpVH6oVh)5=pIxt~9eLugv%PEe>8fXDWOV4JB-|T^q8>goY2_+mWv3so7CdD##=-
z9IWSpA!&+9ZK8~E6k$Xtu_Q`ra7GxN2uqwU&0`mVUzxB462de|vf%_rYqNwIxq1=RQ1
zLm=sAu>q0xz69D6_B66(g83yipZ-a?XCbmT?p*9~nI{SU`sG+FV8_-H`bq1iDVM6H
z;Q@kbtbu-0b$n4TfgN(TVz#IbdwH|r`(tJ192CorcaJb_u9k4
zMPG;vVIljmtHSyzZl<{`yx8{VdN+}n84P6yU>iwh!!ilM_TpPoOFI3$<-VkD-mBV^
z_I=(85*3avyqlKPTQ_#o0FMx3nSdbTv41$!TEkK}$e>Voca
zEp5y&Al~1cF+i?uS}@<=3*;y?A3Ks)lBN%Ccfc6T^N
z+xH!(-TGY*%BFenF%?@0~SYoI}Cuz!yCj6nN&fy3(7w8GA3;9tYr|?c6ZIw}Q8NIrCYN>x`&F>kn|0h9vu&(D9r^UA&^icR
ze1+-CjMDWGZsd+eMfGsN3ot3(#0&s~TaLgXX_S3Z`LeeG~#l?fPYk1a!gw
z)$99vIh4fg?@lJTjzb9`mDTX(FmYE$PIAZpEJYjfY&z;qOrK_eXTv8V91}FkTnz1w
z>QtREE(zpJ8iH#uCBPQ5a(_fcML*#5-}6^YZySL(NTCHFl+JL<*6SMB^k8L#RZ`;CkH0j}NTJGz8v`bcns{
zk3EWGG_E4SX$0&Gkk)p?+Tp84RPVgVRl{Hw4_wS@JCbbzk&ohvWsquDReRc!)fE~C
z$rPSx{vaha&JWiYO&k1Umd?rZzmI6Z8pgyQ8z%v8nT+vc?1_8VFLslnLQ(Z^M4zr%
zC|mSOuuHL}fmRj6JXWXVAr_nmKTYR4Wp5z%A#TdNYr8`*e9VFDYc1D<+?>aahn>WX
z8rKP(aOtO?o7VrF{Q{8K05PUqKmi-aylm%sNzFyXpqSrofT5Hp{%Eg`RhXUpX?I^Qu@PK
z+HgL#w-wg(K$>#mJvYsx=+`;0X
zx-}M{H?w-u?;-G#(r*veRFcck(D2IWl96QC{CigOgFr(Yk466Wqs>|?bCWR+38BJp
zse>YH_gn_$H&6I4z4zK99wMIw{&xbXu3GJPgRiukem)e$0VDk_t+5IrU2q%Vj8gsh
z)PTDbWT}oDkG=RVgn~%q{JIGOftsqW@Y{o9@K7B&T!bhGQ3_>&T%1C|-E#_?8M85v
zgr5wAxlk(r=p(;m2g1cA3@XYy9^yQBfAq^o2Y~ik(0(_Re_>{m>`Ue=J8PN38YAN8
z!e}ComG!2K_%-UVON8^|MwCRGh1z1H$q})fTrVZmrGvi_022x_*T>ufs$EXCmReXS
zsY>Vh+l~U@xMN?r^qW>|b?F(B#Zpu8vDdH^IW6Am0e+jOQ7-aO-U6m^!{2CCc|iDT
zce`8|0~`WO{h{Rc93eX0$s-k~>r_DSYV*SnH|7!CR5?j$`Z`Ce>w;z`Wj=eUQsx;8Tl
zXRQta@IeP1miIbe@$l&#Do!$yjS2z`z^Fi?q`}I)hH4|qkUA(R>wJ|cTdaEA&diVQ
zO-3;=!Hd8$`T64RHv1$x;Z%RoBSuFi?%TmjfGY#*L;XO&GI?M6V|qD;#Qe-~)w+oD
z%K-{@ylxgLd-G60q)U9=kaviyovL>ztK+^1jFj^3+SJIz4+XW22d@@93j7M3vlkj=
z`rR?YLJn(sM_?n_Cng^Ve
ze(bv<$HomK;$!|++D`TfE?|nN=3e|%6iSLS2psGeYa8okA+Z@&Z3Oo8%b|)yO(cJ?
z*=kURNrYjBbf&RHoWe|7xOZmzk92EXvBGDM9i*u@g{NwLb`8H|Et3ourxbZS;qvYq
zr<(50lxDtgHQO?uTBz5a_xO7YKa;`QT$9n#z?%w{B&M|OMbz`5EoaO1Z-zhjR$w6V
zxW{@skI~Y|@FarpW7l4a2m|{OdxJyt)6gOqR7kQ51AL}kh&PBpAxuo6-vfK>^hYFh
z84>&EZ`E!tVSC{rfT5j4NxQ5@o!9-mgHh;q|3C!wGdjUG^O=TRdAz~{X@Y9cGv4H}
z$AyeRGV+`Hdx5P+n6V66GEjH>_;GuSy6WrmDOj9JBzFrmW(?&$A+>Cr4Z=_HO|3RP
zXt6ha5eP8=FDkRBV+_seijMX;%&p}T3cX=%JI#<(d~=H?yKpY5%Qp*QAcp{y6sI`b
zQG%OGIctu`2dhJI*kVUultggD9$CJl=yp_soe?=RwW6m4JtWlRGhsaB^?>b`CY|RX
zPdhs4QBS)r{Czu$coIr@_+Rqg_LQB>8l2-MJ~zf5%uwan8x^n)l6M;mvab^6Zfv_5
z76;JzrP*lO$ML`_P*spoMVJBD(9qK+#1aI{s{fYJjvg$+XR%i3K7nhfpBC5FCtucn
zX@1_;bmiLa%=QY9h}sro9^uwK&Cve$?v+y_aGl@hDXIjlVHnKd+kSw()_Y|CX-!@|
zlG%;>RQ8&NnIw>9hF|*sEKc6k;h)h2Q2hj~SsM+PN#!TK=`_?hw&>T7E3C)XNgPhn
z={D3Aov|VBAGg?U-MX@j=ca0EZXr7HK_wZNUB0}%8E8~lQ*W4j=`}Fo7ctbRtv;V#
z6ZY6xdj8#C&v(9t1WWokk*-A=U0jPNh_7frs?~j2tiE7|c^cU7PD-4|mPpJ_>gn33
zRUFyocEUXPc+#AsiQVgULOvw{m8@j1DSK=zGymxipX2G(RcAHbK>i9`ct_0Ndd_~P
zH;*6rw$IG(fcW7!WAYh0J%evYBt((}wTez<1Rh;9_wn`bO_i0LiYiqBJLfUlt^PQ(
l_k146L8E8@LLeyMzr8}i=GKktKie_@fv2mV%Q~loCIEN&Oql=x

literal 60826
zcmdqJX*iT^{69>JB$1LNsVrqJB0EV4iDbqYTaAPfvW$JHq(Ugmh-}%-LL*}tTMJ2J
zXNbYv$Tngy#xl0&;=b#?f5-ECUOcb<$MN?UZmFi$*G?N9b!a+$
z=CBFJ8NONnfjeTKcr0Grx#%L%;KOe5^5B`!Yl@)~4ZM1K2BJ4r^t}z`tl|&G-n*yg
zpdpu_$CrMlYEZCEc;cDr81ze;aogSdZz?@DQ7iTSGqbgRv#4TfadBVms|W2Sskec?^L`u)K-;rE;;E028LA~tCu<}`*o|FF#VD0lE#W{9|$
zt~zlJdOTJw@TZ7Vi>d=B4gUL?M<>D|ZfU_IGtplhV%1Mn?dWy)$IO)%9g`$<$|^M(
zecP!nXdlh}_t2vgk0EY1s?_fPn$pf#{MSzsd1?r10zu($_X&>tZg7e89%tpHjaEuJG$%E{D#A
z&P4}Qsm(ogsBcw2^?NMqz-jPXgW{W7vro5=`)&NF|I3!=_gIH1FS<3s;}_&ed1h!=
zy~w3HH{&@|%J*uK-%n&+1)h+!YNgp3^OrHg9XXo
zV=U*7G{C)yq{BG|8)sK8JEKReF_)4}1QoDP9OJmCx(6>rFMoO?qL~4K)kSvt&|Tk~
zptBv@4O8yhex|@2C~JD8YL$phuf&ICMY_!Q@)Zq>=QaZ=*+GII5;vmo7}-0uh_?H~F&mQI74
z4T|5aJwGh^oOXy=ZiZo(09T`H1~H3Xr_Ef+#Rtl;oDLzamhYuIeqWTG!&d-(Bb*J1cp&f{-{(v6Om%dh=-M8UbgqSe$s7>{)xD-=<
z*V;_RD8Y!;S!8f-nTn+K#=G&1HlnCGb>l4+^)JWz4!3%HEUk{)9AaO%TA2v3o!Ojy
z5Of&*n}!#lQ6dR>S2jMd8?|&y+7g4(nySmPlo|NTR655I6M3q=)zNin5H*E+BfJ#V
zuIy#?irC_OO0(jNm4W5MYY?pjqF$BEcSqBQ*D4P*-!^Pc&Ox-iEN`^8i-(YWR`kgv
zVXQ~}2m4tadt9K?(%_{|UthiLK5r}bm{M?lcg+~($R#&P9K0)lP*M8=^qZ^(sRi$m
z0(GA9Sm({RQnihx2kr3PZ=G%~)j&&7`|=}iRG>p`Bw0Ak@M`H(vK}DCS-sA&;;Dtp
z9)z~3HS6pqdhOc5+PeOLG%;}BxnIeVJ-)PspMPDChGYtN*5xH#?r`PnntKF-7fGqs
zNZ$`Ug0{6oUL*6eH}2^#7r_1Y_(u?NcX$7LE-D1Ko_Du$^f!|MT5e#B0^N*&E`Xc%89)P>Hx5R*#`x}Az^ahLVV$b7fikQ`NR**CUwi|6Fzc3wUej6k
z5aTDKsrho6ovz;Iv5Y6qsr;N|WpdE4>}}p;?67CWtR801KVmoyHssDj75dCe;p+wk
z#QYwwG@?kyOo&M5f#Roba2}>_YjUo}l#H%|SBTl5`DH`Q*9EV#mz4}`>w6xTCeI+n
z81|BZ=>~WM^QvM|BT7O3{@N_-9|O!1Xpky;XThHoMXLIAIHl127j}5Y5C-Zhkv=2b
zS!S!_i<9a}w^M>Bvm4yYh37$C+r)4KCqCGhaO5?@O}}g1FjBDt>)-L?rAR@@=*KlS
zccG}S@K+CmdH-Wy=DI~vQisv;VSJCP)7Sa}y2Xp_R!-;a0Bl4IN9DSn@Ya~G
z_uM-SIFIkUTU#)EjR`OFNH`LkBIYvi7uY=-?02f+H`rbgKMj73Qc6U9Za}fS4ZP)Z
zeNB*=B3}iW&tFkY$Nx~AE>d8f$(auO(C!{}UE
z(T@{9ZvvBu1hrPn4jg)W-}*cADYrTP+!Q}g~o~>kcnP8CUFcHYmeX
z4Xa7$wO4;elzz}Sf)aW%3e9uPUVAw=g}X*uc2@T_Aa_DxA-*k&nPRx7Wx4b5i4HYV
z(6*MBVbMyRV@@@*a*bjhq5l}-qltaED2qSg;E}?P@PET1OV$lu^z}ckyAuzj%>RHK
z%lEziM_$c!gb=q5i&{7Hw!iO1hUuYxJJoN9`TzVkF;_HsF45=U!kU_Ki*nwl3F~-c
zbr09y&p+DgP9i=C;+MH=3}p@V`Hk{P4S^!?xDO(4^l_uhYpLrQY<$k=efVq~o=7H??~v)<;AI^4ltA
zo^zeJUnfLp-(Rie1N(9L{_4nIFYf3S|KTFBnPBtzwdk|j%^0N*4vi;WYECj+OXusf
z*UkK=4NTYi!d7SIR_5h@lg;w2E!*bvEz#!@7s6J|pE}U*o5~$oQ~5J|&%sn~B*!m!
zZ`Jk7^PYdcK5t?vcX!>e>FM+BW$zbyUgtO7j=KfR{2A}EN-$oHKo7@Rh}HIowAyGL
z`!h7{gRsBMV5GmjpnpEzj26zNe$Jz{_QL(ef0ME6XEtoxC34T+a<8Amn0Z9n5Z3Pf
zc|R9G-#`A&vSV|6f4qX_Nlk0X
z_WDzr1q_cDNXba`MyqFdxuH|C9&TlFniXv+a%f2H`BeA36@QbKvb+ZB2@k71|4PX0
zY5h$9(;H&pr@^EHJ#Gw_?1!)EHb6GeY-R|mNGd>z-a;QMcI)((0B3sU3-O;kjP_9J
zX73ENZI=8bZ8gJ_K{|n@2>VN+A^2mcBejmR^w@~%7GGMxY{lM%PmfOg30~nGuq24D
zd!0(nd+$<;cs<1fciIjkx0pW@m0>@wF&Rxt=~S#}z%(@!;-N}7wR3khrE4e2;iJV2
zzI1r4TL0Ud?e$bQ%VRjH6saNtDQFnlX!ldogLoqYTnoh(L&|Cme>?ysNpTRo;ZLZ;3?~r55v{IC7@H^P|z(
zF6H|Sz8}CKCK%RV2k0}k(@El=UV}^I{&>)%$9r%_&$1vxN0*Xfj#;}aHBc{gdUIsE
z-I4_xwi-b(sHKnZ{(7bd~Lz-6>6ky#VZW
zPYz^=Z^@_y@#*m0Kx4(BSm%uCPK{Leg6-i$QUd79Lqr|g9lJnVwtI#)r=noFk)TL(
z1cP#WRHa|xSU?<^sM7ndXjlQ!P^~c3Dz;9#b^4?dZ;y2+Jt`MPeHTlokaf1<80z-(
zG{!Gt-nl8^7Na;P{qDR-(%k7#GtB9`)xLqm2N%X5qJKb$eLs*`;UQS|S;=;3Hzgat
zw;%r0XOA>qfXu(OwF*2J@VyBpb{x_=@f$H%ns*Sx{l5^p0|tLW=}w&e52%?*40RX8
zQnoiLCeIxG&ts>hM`&90tSQ(3&B9n5dAG`)1QlMNU)k(`{#me~evG54qES&x@Xy+k
zPq+J&gszN@;%J6FERWXMn6XP_y6R{`df6ZoDVtf}O|E%-vYobH!DI9I86YHTJ*ktf3#w7kr
z*m{*&813*E>#gHUMkGe?(Laxub|Z%!>P~t>^u3=0
z=jliCXCLNA63sG8&<(-1y1{j~YKC@&!TxNSPkUg~$3Q@V@%6j&IvDH{Kv*5*U5d@F
z?rTQtcvKKn+1{JZ?E|gz2AWn05QM`YK2TGz@wvRmwlin}MAKw?$*oK%q?aiFv+kpT
zPX1hrSb7Kp=
zKdDcvm7#UYR^2!OTQ8U$I(abWEhphq>Fe(Of6sfxyNlmK0xUa2y{C;j0~R;r30yBo
z^?|ciUSh61T4BD+vh*SCX@EO6<=<*V5f(zglerhO_Sazl~E;?=2
zqlE4@bkc3|=1tLmC~h?b>cWqO#-2e&ir8F|kPfag#hPQi(;g?~f+zQ%GwjLjErjPy
zlpjwFPKShtT*ZKWA1s9q3g%Tm)c&x*4YbS_>x@2;u*13SW$1`o;gS~>nTm{mCp#{=z^VO-JPn7LmE
zy1dw(t$B}f^#_(zMEwqekIv{?npK^C=&G8}J*udhoRQ_X*E{kE$ua4nbisPf&#nz;
zJ6YYFjCM~uS_uRZ(WWOjc?;dE+o{2!aHHhd(|DLr4r53VD_w+mkfzZiZ+&bj>MxT{
zMepx}eQh?qduwfp%6i*08E?Vc*&zWM1DX7v4!a~vfSdHzv&)=R>@Lq19&GyhCb9I8
z-{x3a{g_^7(D&g?_~8NY*Y%H?VUGcENv^++$jGY9fV-y9t%=m|PTwS^);vYXTLII(
z+%9W!Q9U&*fqp6_?P8dL;IXK;UsNx63t{SBFna-NI~JF14&jX
zX?IgyI&mf^SZ*}Q-<)7BJ_J3y_LJGqpNLdT*I_y@2DM*%ERzBpkkHtP6pQ^s2+ftqzqV@R=1FuIBer`S-y(008e!z(kE}1!!(&m?p
z>^r=<*;Vd+`?rsq09s9fq#r-ZwXZ%JCzg33%~x;c2ha*L=lYP5McY3KeMZenUFujI
zKEON&b_$y5=d~yxm))EAlm%I>IWZd^6kK*8)b*<6x7w3OiCLOD_Wd>5<0^9dqxP*l
z{_7iy>ALZQ=kjtB9xH(@3WIJ~Cmf+yRpNQh%FVQUCVWxRe6iE$PlreRRL&!x%{tbF
z4T3w347lsq!0aIrrM1e3{7b}>&b;rd2%x>*?38EhE3~KKPvQn9YMTaW$iDD8WxG-L
z!3Xqm)fZMx8E-b-dHzHI-p(C&A3By1RMXdE>swJVC^@Wnsn*4}0i!$QW4n-tyzkDX
zC`%`0K_2{?ZNmLHx#VVBFl+8NVJ^Eh`s!ye(JF&rS&etbYgob!VO0u#*a}T3xS~Rs
zxn5;XZ+kQQW?Hxjq~n?FBWt>c{4;qg9Xz^PGq-8tCKx*NGw>MtdCs8VQ7)I+KH_j4
z^9E;>;|P@YhDxiHosu3NAO`c8@I>VW;}=}tGifomI@c+i)n6m;hiO*?(auDEM+_4r
zlGl`#2gjK37Qg82l^~5TPTgUdT5~n!N_W)@f4ggQ>C0)tUMt_A~Hy?#IEspDxp7AZ;gHU7Tt64arM
z8vy04_;xKz9EN(+r$EllZ0S&#S$E`+@psTRv$$aQJ$~|{M
zitNmh{QjvMAHqS8UCaCaEA6~}Fmti1A$O;G?S|6tZWbTaIC}E6Me&j(sN$i;
z!)rdE51>r3XsADG{MT0E*!+zS%i^l5v*QQ)Xy3nN@O2Yp!)yn8zgV$rc~!esV9$&fJP(O8$Zi)xu^FmPpSI-
zoC66W?=HeUxZ{$bVMcO>-`4QgLe^${FAYORm^J|_1r23}Fj5JBRr$5SV~>kh2So0b
z(5L5uG^0r-ju?t<6DrF`k~O(iXB-ZzdBy;mLH3F#x3f#W%)J^6r`DR+3Gk%le{QzSJ;!HNs+^pdlvkZ
zFY3g>;^jnI)MH-shxG-!L&gvK)I0`U1Yhm?w1)@&qy`NkCs;0U7U=ML3=c!}{uhC^cP{g5jY%q%Y)b=$34>W%$O;vh(x
zeoH@zx8H(-Y=V^mv_e_p&ILyXx~G
z={J-iJ3khgmHdw_2Z<@^^L9K>9v?=N3aw8*m#!Q7w011<4bLCZ0+0ZRHsQ(W<2y$0
z)ShuXsSCHP3Lm^DDS2nKgbzo^5^4GQbo$UtH`l;Jka=F5U8>5#ttnx5owDcemid?J^
z+K)pa^T1q;D@k?R6M^L6X^bvKGU4{bpYE=rs;v%V-(%@DBa)O)<1_LBlf`e)I75j%
zZm~<3&X=GGaa0H)yw4{|zQkI)I|)2sC!{iI_Db%HzG^ptY|o9O8UcCWul5ONtH29B
zYV8!kdje(dwtb2?g6f!jkunZdkBtm=8>@UtYc*;_{ouFg-7_G(_a;rZq9=kp5NQ3(
zu}aoPAfSZ%DTMn8tY535fzb1ramDA?Dbv+KTJ)MwH4R(#_UykY7ZCaDPFIRwpHujC
zHelj_XxLMP-^0Q(IcD*EQQ23Nw2zqA2cNfniW2u29@Q&MeWw(^e3_wB>tj3e=b+^r=#dCW&%<)Wh>B3
z7&kC3>*Qt@*u&Htroh}>HlPt(txOR`ZySJGPb`)-3&S3zxg%2djcia5D;oV_vsnmdi{H!_V
zce3$@hoI+KxUShC6F(FLv{dDP$>FeZ9F6fex9!J-$$>}FZo{Du;+84PI<(ieI+WMb
z?BP^z`AXjwnQA56T|ME4Wzl6%!g+uHHP{+C1rpvBEHfPe529Uik$tAPole6LE
z)P;u~e(%%ZkszGblysJxx^G~KA-EC0_W@T_HB2OG3km%i3#2?i4SdQYWNtr=Bdxwj
zx)rFYFSDHi>lr-E6}w_C#!A_b5(PKba?bP%jo)c;RS#c6rf&s}#W+)x1IQU*feI)L
zVfA^-WJ#-Fy|%q=`3-GfkXv0vtS?PPJfyrgfabD&Y0Im{*M01NFo)(Z1lyIcPmdaw
zBFrPl3mXTwp00_PtA&etJ@nA7u)?;9#U0w07lA65BxY&DTgwX?yhfo1z_&36I9u7o
zmknjFcZ;Rjk<%2mC$cKZ{(hgmEaXNXepXo43j?+zfQG{Zb|VaXr>|Q~fAW`3+)06>
z(KGN@JtunOwtA(CI#TbZNE_EEAKJShn;rwm2!A=|2+~%*Da0UhlX7H9)}w_~B)9qF~PJzbOfA8r&SDU$e+>|SWX4XZ6h;ikItQf7(~2Y|iEmEU^85ZDPK1+&Z>U;G_;Z=O;mR5*yJVZT$pPlqp7weIA66}F4AfucPhv^
zWGMjhN%D99kma->DOWhz6Y9!Ic>87Ngv8%JtuGO*VO0%2?p9BoR37~PmZhVm5^*KL
z$hq)srFD+C)^qMZBdLNU76u2Z%iC7RBL>9X^7Bw-dAjbu6Lv_Oii5uJ^`A&QCC2&Z
ztt^+0!X-GCaN#_%$YZ=z{JPwcKVvK`s!(s2cE_X7|8#)=Gxq=cW7etTNyb5Pw!r>q
z-dojK+X4Gl!YaCTbs+v#wLDac6k#kivVFU1mr#^H2#y
zL%YUjq;ZXs*R6h&r|G1o#N5ivh>cyVqnlj9T9ti#c_BY_!sgIdTb{D=LtJDE0``OP
z`orf&t_ugZe=$v;S5TG$fEmNz2qD9yYzRN&gXL7Vbw_?#IXyjc?xk@&mKjPptd#%u
zTM&$}{^@}#E%#6(E_3M+$yTt7;B5o{MYID|a
z)*5^fawo`LuwlIIt$x!J@iV?qN#dkS3aU8AItOVIF{VThr}5C3-xufCutJ}ex5z7>
zE0(v!4sO@m140)(t6I68_pqGlX4
zVsLfrv#DL}>ENI0JkRR;SGYpcj_fM!OuB85Juw=Le}E8oH8v)0zaU(@Tzv;L(^Kp2
z+SA74_msjMKs}_))n79L)WxQ++??S*CB25ketCwkne~5H+gbHmL5)SS(3d*aX&X8J
z2IuC1mL~aCZ0fC6)Nk`^f8^X%^cSPv>ORWhIuE9z{rh6)&tSC=IeeUJV;!CoJsWzL
zWz9LyFRK03Gi?
zW5Unq@Y?6<>PqxD+y7(A`9_4(gZgvn7tc^Mk5*mTf99uwbsc|(-`q=WwI>Kui?b|Q
z)3YQLQS%c>5r5Z&5q332a6a2;>*qMMXz9LmmgXvoO>ClUy(hWbt@&4
zs8ieDt`@`|e*5sQ^vv(iksn&VQ@k?sqE}XTevg;?+#VIm=R*1y;k8?tuh{@iG1V(c
z^CQ^pW6dNtZkvRYsc({e{cQaPwwG7xN1w~@*vI}e{6DM7TW3#tFC9-nlb?6&`?<#z
z&-e{|MB_Yur7iGTpg`enMTuvo#zZChhJIT|fOD9$l
zqYFpqUWkTohue7`bA5|NB9Ys9v$dP~?V_xJ3N19HWXHadnmRo@_WM9qw#jqVDI%Z#
ze%->;OgaI5%j!{}BW%YTa%MMdRvc|M0B0$3A%Y5ISlFPSUg?X5Ohk8uEmHSwtcvfx
zn9D9}iIusMe#kiwS*BhV^1&%xXC(}vTB*H!d(3)!`k=EChbD*a;mt>ZAdgX=boJ;|
z)Za_?yq`dEJ0}_YrP~S&qGwZmK0kf9ol!sfB$M~*w?{wc$l#42A3KZi`bcNB@bI1g?-Pj(3aGyBp|OY-0o15p(rJAg#cu*@iShj
ztYfA*M5_q=CLFqvNr7Xrr!FyPMQY2EL!sl#D_~$ufZM&R>GlYMz$ojz;3POr7s&F{}#i&N2RVb*OB#n(+}}1
zLezI0ek(ySl&9-+AtZ)7J_7^3GK5Dci+#`A^=jxhA{o=&U&TbUZog=Yrg!?AnYJ`<
zKT>laB$v?ERJCD$c$j#APrbnHyKa&>xd-6-`q210kKkrtwJYN~nm9?y&}9A$YLRWe
zMex#>Bj@U)U!6&gv-OdL@#BmDwe+~6N#gk8Jr^H9j6-|IL#nsqx%_uHPu_`2J&$Hi
z_-iIdPH7Z!SR{|i0=7Pa7qJ{~%G^sT4pX`Q?N#(}^$Spg6rf*o(<+A{H#U;mIZ8Bk
ztfk1NW`_lG%QUlt+!^30Xv9N(94wr7+ce0J6uNO{XR8Po1=+DOR00sOxC~-Xx_BYH
zxJ$TtU4<(`T?7T@fHCUj9cxuT=WZ~qqxou^6~FNn*ofTG-(fT`d|h~=D?)&*_fr;6
zIDcFowi?!_X16(GVpF-Z_>31zr|QC;9xkCfX8k$JKYTV;-DMkw=WhI!oxUScCu*YKro7sPwrew=?kL!LG(^(g
z%=;>Zt?qDv4{e}U-7Xl2faqC;Gy`V<0O{q1erI)lAM2@9DF?}+Zvjz!?8)v-29xNi
zRD?L3hy4gb{D5`<;|VXIhTppI(DIp+QP*xSVLF#%u@~U|+QAc{az6k|?Fq>UT=E6P
zpfmgFPWEfPFHISt$N%%Dr+ekJn!2_}VQ2`cH>{_0rEcw{z^@(oX;p_V+p3?ddpr=X
zQ&PhG?5eGg;p@7m1ip|WpL5!@0&8cxG>~cU%?(R>rPj{TM*SA%bl4niWy;`wc
zOTA+gIvBw@RtXWw1w6eunD**KXl7>10p?0ygDtGekmO
zfOgyv@a5gp7Db^;WKA^#OK%pm3v>dAdp3olfP#`*IBzEu%pheX182Vm(E03jF@T2y_MqV3
z>9I0(atPEo^Tb`&dph2@(hRUTz-e?P)I9Vi8{Bs$GG1ceNo)c0Nj1Y1Z?`xdSo8_D
zwysM;8ST+n>~DW&5O>nbf3`UTF#j_vwCz<+l3Ym<5mcVfgbf!D717LO1&
zegW$4?DxL?d^VnW74tbOew!6Rv;__mKUI7O0lBAYYlARU2GoNMmc+Xwk@#QJb89}W
z4bNoWXbJ8>t~eb5{W>a$%q<8Vdc{q3NY0A1W}oFUj)IH|B3D
z?zJP($)Y<>4ZIB;e%YBDuK5DwNYUkqxG)&(U5Ox}HtGX4%w_=l-IePy@s(Gd6s9)Q5GTf
z4>N#Tc5Mj|@s%CJf+4QIASw4@x!TnjJqfU|f+{5nMG8C~5HOv}?Nr0|(1?tN|b$*cAs33+=@b+?(T{Xt=q#H2ZDW&wQ7r
zx1(h~;vBvnwcEaC037B3qzjPoFF`E3f0N9WiU@!(ekia??Yq^l{YvuMuMJX|0j9SKq8ae{=|=PYfyi?c9Hmij^PSq#
zoq~0i|AiarPoI3w<1u_fogz@@@7=g~gU++eIfteMm;Kzz
zRGu6gNznFxcb}Z)P>67`F1@jxl98lGeuL0zp#BA%XP~!9pGczumTl?pMhoY8W?wZL
z73>D84c+*GJ7}i|7{UJ#$w#xpXucPhv^QRB2`YzP)!9F^`SA$1H27T2*wda(k=}t5
zTB|)P9JUzu{sn00fV_c-a4{srdUaf##uK(duh-e(HDtC;{mbhw&jmOaj>M_UQQ}EY
zQRBtZCI5?xFIqI9#9)#O=hm1585N7|)ApRT$-^5>&v?2y>#8z_{=_e|;G(U)GpdFL0zn+5cEkaJZyQ;!S<;vK+_sGn0
z+4lNn@{`l;fe#Xp1&%HuFGvqMvn;y3wNb(E)atOZH6bIPbzY-(b-!!ne@q<*)y1Lu
zY}Z!OMe5$zH&My;y#}9Ut;)|*@WZ*Up@9U)z3~mGYrh09-5%Wszwztv7fHLmgPDaX<@H(P#;Js<}9u1l{m
z33HUr?`NFrhZHykTB>DyGY_K|0>)$2KLZ$lN^1vA$$c0>#dm;5{>vHg35dkJXr-g*
zc<*yH^xW)YZ#|X3;=KcuOZd~XK#6{DEoR?>q+qfbSX|i6&c0UypItWHKFx%LsvqT6
zbSyQ6y*~j1Vbx8pyAQ1qKg+9z%{A^DDctPYg4Z(!6Ibf$uPYkuASvnD`9eV21x}pNQN^Q_TWLLkzSPQk(BqUjH~Yt{1z=E^%kGw*-n@HeAOz!YN`m
zm9V+*zw=JnW9?ymNL!Q8umy?irS(Psvoig}5yl6oh(Rv2)@3ngA8jU0kVli@Ew_3U#<;Szpm$5&YzGDzfG
zeR1!Htx^o4xZWMu&Q(#j_!FD$VR>Wiu?!n>QehFAj|C(+hP2j;EY2?29?_A4$iZx!Fa!CK2EB*5p-
zg2%kaY62owdOAf7o&|{nU#tPb$e6ZwlkjsO{bFrIG45ZFc7HOxUYo|s{y)J3hHv92
zF-mRUo7wyYLzE9FIQFi0Kt3Ac<4yTu$`6f&mT6e~s>1MT%&hVfm!=B-A|Kk5comcH6gc-hG1jz6vf!sRimIBl_x%c1Y^E24J`iUQtv&{%
zN8wSRA^+~}&C1D3jC+5bP5d9BGxY|B`uY7y9BOVG&JDMn#HY#7tz&K{T{KGvAzUoe
z&G0{D43OZnU=pc55kg`CfvbB6V?56w_}=%P*c(I0ukqv;q=86dyg6xMjqX}3naJww
z<|29hXwrcW`Z6RQsCBM8M3Ks9fl0}@Pkcj*>i@d^PV7Db!JvX_eimLUQ2*=o_#8*Z
zH=;h8l}c21wMs##V=`QAVs4{_pwc+hk1W#@gQ%VvYF81m%rKA5BB&e;V~n&~-?r9n
ztc`_WLxb-!m+*bZGH$!}=1%V;ye07jn%t
zJn>(MG0O#MZa1Qkhb@DIck+qYs;omUDS1jj=|0t%v4NNYXb@E9n3QzC0a
z%?BDw0stKXlJ3vtvQIicZ%xb4UK!o+4s5MIuf%E1g+q;r_RHdC`kE2ey@aNdIOyh&
zk09z|NmF0g##qG4!}c`Qkb5&+%9NLY%@{VKh91ye9cDK2)kc?vu~QN`8FanEQ!~{A
z?pL8aJfwqhN8X?~is_HtUqP*eHGAoEKJiFseV}gPxu^NJ%WOzueE}LbzYhd&nP?5|
z$9r7?S8rU>lqSaG2lUe&uz4lfn;lo8QKCSq{cmakKolPgB%n_JbK;=Gd$7Vz$c8(=LFX9^vslt`-BBnU|_Th8317?t)|?l1Qm#@xoT
zs}SJ5*<*Lc5BZ!a+U(wfYd;8bJp-I2so|@PABI-MCT*R%42hC11a@HC4NSE)!-B;i
zO0P((<>gOUUYQM*2O?CwR_8YyHmhmxp6{sd9VE%DjCN;5KkZ&#h?DU(YKk=Z8CYyhIy`0v2*AY>s4J{cuPO7(JpD*p=901Fj5+BAzH!PZo>_7P5Y_UTOMj{}s
zxo#-K^G3_B7{>d-i{c%F#1w{*D#vVpO`q*xZ$u?QlwMb#cI3B
z8nag7!C3Klp-AU?1|JO1yyZqZeSh!6$X<%a;PE=ICgF%lq`m*hBcq)vo=qCeNcUh9
zlHz;K3{46yquDe3AC4E0`1}0Ir4QJSz$ba7wR7kRl)$B5ZFDX+>47pe9+yD-7gRtJ
zLIV=kv5_D>1yZ@rJz)4%+EX6TGX!e^IoIV6>PboohVD3E&o
zo3Wk-yPgGu`fdn7LjCG7^hUf4DI!%a)#r6#^ruS4nX651ozvyLxad}MTUPuj{KuZg
z^xiQ$jUxVNbT6Snw^dIj3sd(@bz;c1cIZ>c-
zbz<`5xXVhwWQ6wWs6e#cIw@p@yV49OVie|Kpi*eiZm2AcohzD%j=q*_
zw_@!@4KTbhv=N<9+Usx?Yd40J9-)@sRKlU$ZlZb6tkNN$iiC=n(~`P6P3kHcP+Ba8
z&8NRrcgP~?0f;6rLyFH+{-<{Or#jf_Oz@%+a^M*yAWE}Wd_^@IASf$A7b=Hn#*Kl2
zQ}&3W72}W2Yw;=LW!WGxsUbH*sXoyFS8*;3KN{L*lt_@Z`7mc%6gUT-Ph$Sw-n
zioA4D?0>SpyNWIZGmIEd8fiWv@iQENqN)Z|ZVm|rb~UrSYE%X_agY33wmL)?KSheM
z9|a?tOf*t$@PYYKjtS*9uBuQYjMP9VK7*tIt;p|V4!K~I+^W_SEF3`V5^LyQl$2)H
zTIs=K&;BRu?39I6US9Nt;Xqe^3dk}7eW6P1^5jiT1>RK63Is_Ca0-*tU=t`RFE8@u
ziV`AS*-B8kWN$vH73>NkeUC-wU>Dh-b?ms($J}EL1>`*-wyV(AJ{cIP_uatciEl>R
zE3R1dug4jFGqr@yD^Q8+-R!tBXsM@C|E5muKS=*O^V|VM;U_RqxP{{^ld6xkT+v+O
z1&l(17aeskmz>%ya?MET#%6%x`FD2RES7;7)^~$*t6NvX=Uk!BpJE%Z_D`;u(`ySd
ztrS@-fMfj4k~$b9n%P%QjDaRYYx^r%k76U-2NudU%XF$YJ{`lx0v7(;3wMg{-+IWn
z>|(A5BwQsxq3Ci5xDOzCYpPs|Vg13#2!+qjxIJSQWQWyo3nZD7yrYwse_9vAp?D3v
zV|BQ(%ZZtrCCHLgaQKyUpo9xyM}0pF-W?dxz(l6eTc=@fFVk<=o`5Qe&xwPBPK9}MIcUM>$5
zZr~1vU?H4o=8UqT;e+_WzuO{z*X;P4ji}A*nn3yeaHQYq`Ho|o=1+z`==YhU4^5^E
zY=w^L|E*YlL;Zv&b7k@A?&%iM(EChcPeeg8NEte()E8D1*8-Acu`Un-cG9d%?GHvI^vgOuOdrM5DI8l=zAqMkpU8+E|Cqr+@g#@z@=zw#lmd{Pvue*hw
zFp8T;xh6`PhWth?G|X4CcNAT>Ik$$lYyaMnT*T;ZRc($w?lPE8ZnSwuZ{B8$!;-iI{u{NbzG9!}t1$
z8)oq;Gu-mC3Cmb845YkWhADf@v)eCV-3@%CGv~oGK>G*i-R$NOBaa@qMXCfE
zQhwHWo`Fe~q9VIPQqgz1QA#D>@%I3TDo>Iy6L#11tuP4VNxJZmI9!-$f*j`GUHTCO
zYm9?yU-ohG%<8jkOCKmps6fh_F<$-MvHiQj09=VY4xH9e0Zl@mv|~+A_?f(OJtlPC
ztlOAi^lIQvIA4_eG>hN7cC)VSdLgoG0zZis2ZQM3@=p}yBlW4NNuAxnhQ~vEj%PheC$Snv^mCkw7D9r#}R^
zty%+c?tO(rQnUmaMcwh*-6j^$n*$nbe13#sPtk>fNq)S(tdf5caJNLKUJlRsO~|9R
zdVcUTI(a;k&T%&QSBhH%B?d_ErP%Ix^$G9oApCSy-*Df$Tw5LLnuI!r^33C7-ac@J
zK3zEtG2XKtE(D!{B<;Vl)7{z!P=VlWgk!l{f%}yIwyt0Z=SWgnA*1kVAz4Yw1Vb2S
z-RQH4gm+!OdCZ841k#OaYqG;FqLq+8(XOKRU3`Ir0_f03`}~IY69L;Pm!g(e060qt
zYy}lTlvL5jK6ug#84tFg>mvob4G~tH+C>=XoJob92@*E#d5)oiLpeIhJ}5qds3PAo
z#zAksTdNciG$h-UM34@n0j>V&4W`P0#ZNQd4#yBO&_M)SQyIH~1mH?C{v;k;=xdT!
zx(9suw0pIf7m*+B`C23CU{VL7gknL%TU^j01%Z@2w8z?edqvV@$
zff5jg@&|&-jzr+32GoHVax;a1pE{IDc+@}|=rnAJ$|E-q%@RhVK#2ACsVY%hnLd4H
z+E)i%5U}3ssh&A76r=Fw*K*;3`{^5FQRS{`_1~)Wh!sy33}H&xj+!k}-0=$k>bb73
zF_3AG52QU^aT3z2ZF={B@|Eh9t
z&gPX)TRjtx9CfOFg(GGz4JyEIU0$xMZ71fC0AFuNFB`krWd+9!L=GJ2cBS}iJa~)H
zu#v~Q`9>GJzD00YclUcrO+M#_;XT<))B>)SB=!Le#qa2F2Nb?LaRV2`G9Vz##1zmt
z!$v{y#mnKcVA3}UmlM^+o)re%R-^g0r4RJ#8&FAFFI+oDi|uCsx7bxpYXj^r%J>wbG2Yk?V1dKakqwbh}|UW#+KHGJR&DHS-YHJ|u{ZeZRM
z+3Dt4)Q86s=&3$Uo%)zE5!Tzo>swmgR&J+PI3m(5#;9YE*FNex(tMu+<%+L8A`J+h
z$Dw*_w-m4$uQvCa%aY2j(mfZC1K7H2oWfC^s-~JYKHZ?n-ax?^!JQ=U9>ChY%%sa7
zT#;K*pvJ&sOm5q7CMxA`1-4Guqah
z>0mhp1^2y#8X(7kO&6D79FtloFG@Mf_Ex^><*?uP#3N3M1c*{mK|(A6hgQ5|lb&jB
zt2!FGw;{$|a3%aRHG%4$-8jdYxWItVrr=ZDV01TJPhc6$*Q8)3P^Ok2id{5kZ0-gRrYM-?e3eoZ
zdP9qel>|=gB5dEWOF%1-Zfy6b2l@KEO9o)1!2R$|g70nJlZNK5vgn!1el}dL53?r`
ztvRzGhZBA_F*1{!uIW;^n&lZD0rrEJJ24KZu{%V|s`5Z7ww;^5q)$$?-T$bC?X9Dq
z>_LOrQ=a}Ckz?Au-+;RItlD8h_ysG0LkP!;=z6c4buJODW1(jEgawB}RT8bO3z0yd
z1yE3Se~9qkD(YH=fpDiz#YlkN_TIPcpl-9Np3h02*-bEj<9_*i;yoMSJOHbs8s3G?
z=2O}|!&kx97^tAK>*}cfRjYWVVn(t0JkG>*%;Vl+^yS{?tsa`f2;Fw0A61=9AB`^e
zd%Hm*p7onRU7gCwOTJ6>eP+dn2oS_R^vz*4Rx4T1$~{*BV>~aKFyk_$*p=<}Qd-=M
z24nQkmgKsBAideycLO4};&TXTpZ#Ftq?rJ^H~U*MCmUi82nh{Rg20*L-gxGrm}qDs
z>X^%5uvAR8i;vr1zE*wSo_&(#8I|;ir`gbORK>e3QmLC2v!X}KImB?Ll@IWhi-cQ+
zGuOgeA}g8b6G6J%eu|m4eMz?!^obpHQd?T6aZDW@q2Y7Lh$*yNJ;m#Mez3x?JX0FhaWajlVg<3Ey8l6KXIDJ`@S9UZ;<~rgsw8c~J
zboTpEwy;!6Dvr!a_B;74bhP-gEY16dR0?oiKMP)dn$lx{3!_{GmFDEGIr*;XRu{Th
zZqCM8)=S!_=`q>3r&zp7Ky!)*WrZB&^SLqzb3mGP6?30NP`i*x3B{7&M3?bEvyZld
znDF)ol)AgzuLwuUYH`v-c-vA(H@)_UE%w}A$P8&YT9P-rkv-tYh<%?uADrdSm_Ep*m6%5K93wlNnw130len(^Q4f#zxvT|^-YpGb-<|jXzqq{X~
zv*ot`V4=lY6-$BLBziVr$xPmw5j;erXkU;TH(%+>f{buiaJ7sIp`P$a$`If8JVNnFMwx^AdF_yA
z1dH=#+!ikBOa-hiYAu+Bd!0Q?b*{=^=NvRGpoV)7MI8*azl<9`*v)%h
zQ=qcA`-8%=ogZm!Q6$eX{26{WR`K-91_O;zy>VaxyH1Nsj8$d~U+^-o?@sBw(JA_Z
zKCD{koPJ6cP|+P11G0NH;u;Omc~D~IZUb9{NYk9ePq;4RHSVK`U;XoQ^A@&tyouep
zsxb&#WrA&4l>kR}=`jQOj|HDckue!WJ55f<9tF(hv@8t4q{DllMq)mP3&T;8PY8v++9*ir9$wy{_Ed~xE>$X5~Y}bg1
zA>F0jz;;8)95{3`66+q++P0L;=gxmLn(yl{Gvuln6bR(4H8{s8Y3@~{-+x6^3thoS
z>YeqZ9QJ$bpCj_BpM`_i=YfI>EuW*rw7&4SQ19vL{#YwJ?0Hu(oA1w)-CvJvxvqY2}R{cZ#VY@vAco
zZHI}0BAV3%pJMm3DBZ+G)qwD0n+9|9UEqH;+V>@zEoRq-DBh1LwHJ+Mxr9IG!THpX
zz2h4Seh$7z&sc-W0-x|J%0nAj*fJjsCv(YM$D8}X-TgMx?nMOIpX-(%t^QqVguFRUdl#L(=^
zw1u)XOc-n=0*Wb;<^ql+Vk(McLhJ$Lyp`R{Tz+(nah8Fmw1-!Jrr0!j+&hf-{Re=WS4BLmf_H{5uQ+AS)Pl}k3i#2aoDbv>4G
zBq>LJ7L`4qk53qbn;H9i;nbSG!=X2mhW2WR=xj`P?B6%1yO^9ny1t7+eL*{?MoJ8p
zMPxyN?elFZtG3ebiyI1j731j3gu{GG)Pc=H&=_+Wk5KT47TTYCB5k1-%g_>RK6;Os
z-77H+&hXSBT9Ub2S)aYYQhCgKW@nND=`vws_Llu^WwD0rl%omeGhJ_VyOlT7<+q3<
zz6HDR=U=@?enGE-EU=t~#XxK!kS^&f*@ri&Da@<{1@E^SF$W28md
zaZ6^{MCtSl92pZI9o(R|Cz0XktzUbmuKli6lQL*48GHI;yvI*6sh`e{F_bCqK8F`6
zUsY6w#fHwuDOG-GwLZ-(T;kQ8G`-&RYTITQ8mlI<%Lh99wKN@d=9>fcW6Mc5#OU%Jw^7Ld9VkNR_Vn|~BMwNStm(LGOLpL&{ZegCk#{flk
zT@q9IwIzt@x?R;eyL<`&1_Lz$;SCxM<$6-8B8D(C(;l6ME2KCB4JNhDbe6O?@||SLDT_f%Qw+y@Y#0sov8)o)@zbMSX+|Ja0WoFK_P07%=OTD&c?a
zC8v5`b1aEbZ>XVx5TDVn`B9>7xomx_cstdi;P3cISK1dmyVE_=L2?ugiz~6y917R|D6^4gksiTfGk2ziUpC^1^uwMypgw)ZKG8*
zBup+b@(*q$%k{X=#L<4#^91jN=KosYZc#Bo&
zjI|&q%Y?u4rx~^3HUbstsghO1Gq2uk=9ac&_c=bLtfFWMGgYts{XQ$|d|{o+98Xm(
za+l<42{2{Ed{PnpDP|Ge@9k)7U4z5PljZyJgOQ1)x%37B!=nxQWHhZ7yBFJdaB9`L
z(nG(q$B0Iakg%p-HE;t!cOxp8JZs12<36xBC+t6d_%Jy7
z0Xa0{QoJvw|EU%cMOx2R*bGv#0)xuxpl=QVG*8>%KUO0l$?1e4gL*~&4
z)ZOMl)v>V4Vo<<{$^%dgWZ`p=PhKa9W3r`m4IB;{@)=cmB@;lLx;N``2@mMY(QICS`F6X#GCcP
zrq4%o;*E;$#A=axG|89X+ioP~>^S#i)
z@uU7?fn;#<(7ej#N^lL<6;$kZJSTAFX<6nUZ9BhkCR&R`cB-6f$(V!6pWaCtxSMdg_%otBxm-F=sz
z&}Z6m=T0JWa8-O#ZRUn{z{^s$0?B#l=)piTlqS9a)hNqi`vmDYFC|LYyYXT(3
zPNhxP^Wo-H-LA;wwa0gx3?Fp(|H_`PzX{`X(&cb+$(?qZ<&h10oqwx`m&}gZt5t)p
z2!wk(3o5(bD_%)*L&+*HTQ+65rOvC&m){4SdkkN~XsL@-;KG5R1OTtoikGzAD{9|6hJAmH&WYi`4Syqw5^+^(?_dN2
zCKPE{k0f1#^<(;WFe);mG%EYul=us$lNywZi7K;Wg3DL$&a_%g=&ls{U@RjZk%R;&
zhoh{*rd3JQ6V
zOkhW~&>OH_XCj9P&hA5uX7s>Jl8oTYhGw}U&jtM$-~P+9r@);{x|uxdPdkz-Q7(FX
zEk!oGAh4rgsjs#t$-=`N22wTR8f0p&QrQ$NG1C<2q-6w_CW45SG>O<+&+-emP%?AP
zt3r`8mS;Ay;!4RYF3eCzBrKKFBlctH`t2jjPXmMz2atGarS+da7nw*Z+6mUx9qFsP
z@JAWGgE8uJi$GU7K34hN=Jr)yel9b_ub5jw0GPpYJrbRPJpgnZp>RogZ6qdll3d2N
zLqg8oiALf|bMykjZCmP{H~nY#7;;ZUEj|#L`qF;#H%GT)HrA^6om_|!=0I!Ylz?KT
zl*K$}Hc}M@ch`^lI}Z2U4s4GOMP)l}xy)2?`+iHDd(Rakl_IGNF_=@2~vIWL)3VwiV34N?MNdeZ1MJ
z*^FKlSHADMo}C@42M7m1fhY*H{a*cp8CCTjI`F%FOT<7E(_pCCebLbOf~xMMmCbXA
zH?5AZc51vrd)`ctoUNSA`<0}r5@#_4SQP%a=5B-2aM1p!Qbv#N656-)^o<_q8k05-
z&Mcb&w7jqIb#NISfT0nJ1{xj@nV2B;hH;UEs^MaG;2-vcz(c>_sj+;6j|`HP>}w4q
zN{}+37cT2mgyTmIOe{R~0a?38+Yr}6u%vY)ZUq{R=Yv}8RULe($gYifJ>LV^kgA~D
z?o8&&^F`;$+M-doxq`K!m;HxnIv2{Q8!A<@uyBjb(Cuu`TS;i7l+TUG*L4-r$9q8v
zUd)?*>4rp#xm_r{pKI{3wuy?F85<5Hgh7XU^0erq-_a5TkeBNC2!aah)V(86Z(`09M<00V_&0BD+85%}&#PKYva;Ga*Bx;s7~cr$-AU
zs@w_PnS#%QqZKs!5BpY8lHUKeLvCJ*Ndedar9L7bzrsG1MquO(r0$(x(KoGt*}L$H
zA?Tmp9W6VU7sA0u)^j)NL}N=-Pk=0qU))Nr@mY6zaiB?MY2_hAj@%O?4Ah#u&!rTA
z>hE_nyuNptC4Cjv^Q=h5^caM;Z_j_M3=o9cs_&uT?X^W2?VcC4J+OWjF&N6gbc!XY
zF&e+KvKi#^|E@twy2(3^j5z=G{LPLf^wuJ>8m|LXuLKoG=9kd~YD0)O+%gtDp
z(K#O~gU}wp)`s~1cpoB`Qn`IK2{0TtjiWMDadiCKohif>+T=JHi7@uhbyyjtv{B1~?zyBIX=S}uA@_bu>W
zs~XG2B$Es4NQ)gVUGparyZ8U>I>(@!e>%TUAT%7)(Pn{gv!ihv$Wbb)~-IP9E|avI^r!9QoO&
z<6ouKO4+TaHcTIx2TY@G+sBYqG(n0&`zR>MXKb^lSE8WOUHw(LXS&>)gPKGLA8#Y`
z{?%9WZWwOf^!1{Cp6=u&ja!O_eW%IMT}GtempB3t-0&y*{r7gC%h`wZAL@2~aWHE2A
zzvl-*jfz1hgW!WV44QPcPwuj9ODtZz?t*ALtZ0FSXDT~O$^xxZgei+R_ueHym*}9&$l=g|3?Zwt%k%^}tzJ1FKGpnf~AM1P`
zB)!p#=Z@6v@Zl&(=$^1I2?B5zU;C(pLZOXw^COx1{^gJ{bFg
zQmM0p(u?D-zi5C)%J+BrAKD7#`_$X_N#>Z0w$j!F*q2Q{Hl8l-x2YeHvABo%Ci2A5
zSR*~c)WyMUgCrp8Fj}ae6HF`J|8jdn6k`Dyi3L&w79)ZfjTD7~dF!^$9&?jdqGGyn
zw@xAGH}Vdr8Gw-B+y@j)nj?kMC(Sw?VYYS>P&M{QfxhP^Gc<0RwG!PJDp`}i0f?(4FQ}(95LDyY4
z6P)IOHsh6_LYQ_bAl9wxwPtRI8mi4ielOs-2C}bOc%;T#aEO8;7calojP}hK+W+&r
zd|=5lvZV#{9=tsXyyXL^lS!o(+ggoqhuQtoaIf*gVG;}!J|Z!PK|2J?gP?Z3r;2t=
z*_k~*CIwI_m$aGBAn$gxdy7hKI`$
zS_(bZTbg>v;RUI1!#*?}VCXARb{rHP-e0&ldG9cTlc+w5MmiJdYt^gfr_jlEO`Yx;
zCLvvWv!3CR+Be@}(;i)WgADF|YJ{oHE?x7_u(9%E6L-u#Ma2B*xnxN2AU}|^eZ8O1
z;kIV@u6wCv(E6`iq$QHmdIF+e_p^Ry>aW(Qzv~J7M2a9Q3%|8Lx0LGi{Pvz8s7%&4
z`SQ=E9Em{HTkvcKb66vRqW|dr>%lWl(k@vDz%eL=1dd%a(Beh78MxMOcN?c$1;b4c
z5jdw)5hNDT+k>l%Tg9IUrySvj-$e4_xc(v+S2ckU_I828AKYYgsBCwF12w+!90h-;
z-9hNs7236?mt!bGJ+*?bwbm;T{L5I|KJRPccX@LW3TU)imLZ|yw$u^<5>p081_0ypaKoeQ%yN2p?_==W2wdRc2;vPBWz#6%8-DCU@MVs|ii+>!wR_D+yUS&G5?@yPjb8kb
zbf)#!Q=yGB7F*0VXT33S4BR~jKJz=#a^uA<_zfz)1d+39(&hsO3x)=^cY%f&pngz)
z4%oHz^f4qBa5V!s;f^s2@Rk4i0prk=DKy=k
zPr!kb|KI8FA@*G>eVDuCR98Lra+BU%mzf$;%iTZ7Cn#IdHg&}7BAXoIn^RrJqv49pOMK7%gnH$mS36vsx_a%
zEE!Yyw@if*Jb`4}g@INJuaL+4LShr>sr2wXzaX-}T4KqAz6Wkg-*;K}B+BFq1DQYz
zz*r^5Zv#2)N5M+@FKnd5!~8RrMSeFKF2#&9J9NfyYg@s&^Y5*qs0;1kMu(u)_@An>
zhsevC;`zhITsB9o2@%K2D#Sb{-B=zU_~Epp)pkT=uNfthZBP=e0u-DEzG=Qr}aBSJee3`hTduF4kYl%$VwRT
zzSSgPDSjbJMsCl37CFV4O`}K|ti}9VPi__7E5VqWyNE7x?PRU}dy7KBb~V5?$kNft
zEg`w|U{9v6d$DEiv>NWc^^ZR7Y3Wbp5A7Q97#7+>w@z8`HCAm6+?{kK97i0NB(Bk5
z74GwbY{GjEu>R&{zCN3v^8Kgmo~@#Aen06+9CE7cehmAgk?CWR)wx0m&v}pO}rk@seF$A_S)}lHGJ6Zqo{A4Jklvtx-QXMe!xoMA?04TN-?orM%Ail$Y;{byl`ezb&Fko<&i14Cg9Q&W8W>X34S{E
zI%=2Sq%UiH{BV4=3xwIb5^fC6w8c@J2Fo{(jaOz=eOQ<3%yo7SV+NM>*hqW7_fi#w
z%u#lK;~KRtz`tQ_JTn3Rv{kuBt9TKWr^ZwQ?ofDi^cPUoa9DM7+bOSG*!t=
zMw8aMF0`0u(6ePLK-@hB-MgUo>|xfSW9L8MnePwAzDz!oG76~RBWu?U+vMq?ioT8C
z(ZjK{yTldL4!%8bF`c@{-mR0TFcsfny^D_hWfBk4s#`&D@dXLwWeEy!rdcP%n
z{5iWr^}x6Ql!_{P)7HjAv=ck~Gk(RqHUl{3Z2$64R$2nVPcT{0{k+BI
zsB+jI#@g+B^nvS^OC;_Foax31w5f4>W%BBvcj~i3rY#ylUVA=)*IA6E9>5w?`gm_<
zPh$Q7mL)IrGmM!9rcEK=p}}EUu`0w;^?AYboF(_i%0{
z-9NDrD?UGeY6-~Y;EVUE^wtNIuJ)h!b<6KPG#iUv`&I?&p%EZ8NH%XwQ8274Cs;GP
zyQ34=n@g%&nSFMt*!%7R&pZ7>1-k)H+NBuzyZVoXk_4=vNqv8Ag%gvx8Jl1Fric|QM%DQd9bXRti
zC%wX-b*yyrOO&cSINSVW_s&b+oj^26Fp%KdVG@vP8v-4N!0l7zPfc`!E
zQa$4g>
zYgRSKfIyB@$*QX7ueS2s@%t6k5#x26%VDxrpgDHSBm4p&h0yIYfeA(|CWJX;ew_j0
z;T3=u6l1?hZR?40PZ1Lz|3#sC?d6n;7J|Gxn+0SPkDtz0PDSs{Qd}&GH0yUZqbcW)
z)Opr$GmK*QC4*YDkt=OHTB4=Mq~Oe~cwhX!kcs%%rSgw1yB~GAe*fj2k%#RlFJ2$M
znYZFMm1)u(c=mme6jdIjgdj*p$c!0&oSSCqh}29gAogofXt?BDXw>?
z+y!uf^PKsr62`-n78W3AG2if2PqMO&_d%HF+Vhqg;M7n>5$FhSs_7{?y=hCESJ%ile!zPJOCXKJ|S7<@;IJ!=XO-?
z%)08j(8OZyd{DSR?{y_W1`h#}Q=@^8xk->y!>(n|4Uz4C{a$Can2g(f2^D{Ty4D)>
z@W|UORQR^}b&^cvW!9sOpqKLcEUfltxaX!!aLdpM8a+z~{1>0aU-VTX?%lD>>%>0O
z66D|66q|2Z)Rr}&94c?+eV<*z8dE=R*Xsyq557IACR3T&8fQ7zdtcsVZ;kk+ns4;q
zqMh#zWn|V1rjif7f8p()a^cS+Wg9tSOdC9jOdQpb;~_2O
z^X4X9pVw*2n}a}GgAV9G0zExkv34_mDx*KRw6JPv>A3zNsl$iX#u{{dN6#;WkWu64
zuXHP@!X41Utp03X5MO>j@%7aePh{5i8&xDB*Wm>S#Een>u6W
z%;n=)Wi>8fO>-O;@dFF5o=}TD6)<$*(eJaFUpz^_r~cm1RC;fzLkB(la40H{Rl~_UqSK{oeG(pS@e+XZL``I&@*JcU~(~C%L)Ff8|WB
zQHAToA?jj=cOXyKXaub&Vbx8V#+z{4n;UXxfFz8eU#DY*tRCl-uOq14Z+#^{>=N#H
zS#}R!;$8jzBKOd;%7(t|LS947-@w4mj&SP|WG7Qpl_sCcMtj%|S0-QdD+u$rEd7@)
zw(Q{&`j?>3vKs2?wpVL)rM;c^5tGv+x5b61Cx#{poduNp3yP2FM8LV*(Jr}a4-414
zE9_g($W$&#p!Nax9(UI1=Rr3>R;)O2svZyC$41{s5>7S3@FyD
znyNN5e{Qij>Ns0kw^Vf~6;Wd)OLqzDWxZ^8GDC3w@XODq>7m=^mmf6;p|OvB5zF-w
z*#(g@KGWdpEtcIven0Um~}P1sba#ehMlpJOs~%?
z!b9;x8>8l2{Y-4eD)jZ^o$E6*WZ9}!=b_KupI=W~SC6U+%Rx$a(SP&1NbaeRd_tSG
zxa2_+wu4`#AnMyCu*bJ4?XQz9R1?AT7CxJDXVtdFP^%AkM10wOITi~*vuykQXCKM7
zEGe%;Q46Hxfy@BPIX;$_#l~x9Xvrq}(;|7iKixv@ejE(f><3&4P~^K5bN?4{C${Im
zQDEEq8PYP(jY-uj>P(j$ZZ|~ERd^-Bmj^YJfYrTv6Ujs(`L^%?^fXB+O^v&B8bwaG
z2^V)8UXDpSXTrNZ>9MyDFZt)n{n*r{7y(23dE2srGH2HExO$$Q6^QWELD(@$?|X^<
z{I?)Wsb<`%>kRfet0Du8tj@d>Mx^$yYR*rvFg4a^F<(!+nSu3QdY4!^^VdPHui%hO
z;3dI@mo5cPzSwxxNxl5_acy%13<^D?jP^acA@zns6NkuYek~zQL$hHUnCk_=L*TgP
zM@Eh+WHZG?a*=NjKQM&f0fCP|d{s&IuS=S??w2sRknykK
zU(5PA@JZ6-T)+M27huvrrvu3c&;I_*J_MWi9>IDs=3n1@#&h2~wD^p3NIxN%|^k?uHw-n!0mCQUQTW^VB_@N6wAt9z+!U6F%-BJ-X^V7((cu`^R6)!Pq
zes|7)MQ{XMSjt9Pf6^q{H~-VZC;ye?K1JG=X{l|7nBgv_H;c_lDk=*=kW>HH>Q94R
zMN{gB!A~;&w7>s<7aSyw{(OA;MI&H#c_R5O5dVe-^zV;icG+~tu`J8TUsqih_#Yo>
z98pi0EK;(qT-k7Bjd{Dr+;o{Y-7UC
zLpM03ObXBFi-n%;Po=+I{Vg;PGtTz>+MV5YkRXwY;eJ97tRRMjQD$P0A?m
zTyZ;Y)Aju1&l9eb^2^lpH#%Ew@tyVFAqGs3PT!}y+r$kiDxjl=X6GPwbb?AF3jqh*^Rk-7`?#U
zevQNukkUEqv($cgWLHFDA{j2wyr<}}yfRLr+2%lD{pRr4jgK`QrL=78*5)AV9%ny?
z%C*UWyLCq)^vb}z#cakMpGcQ4Vh?{cqP+2$+U&eFD_^tcZza_>t4cQK5tf!P%%pU3
zbAiYatxSTzD_pa4jrcV!Q_OkR0fmmmpWVAkkniGjc;&zPEcq+zDkXdZT7aMay7?e~
zeKMAZx;0??Q0eSNc2`&f3bPpK)~wH0WfLaQYe--KG5P$^qC58I9qFn~ROeglXNN)B
zQJ23IhRhTanqo~I6c8l&DlZy$&Az`CRO4l85B1-w&6l%k{liVDn~PG#4crf)%#!MnU|YI
zCR%JRRj~=3p4zy_kWOtL$nRxfO}O2vS*u2C`<|Fu`JF@@=N-X@^e%K2ynqHGnZ4E;
zB72Vb^HzIfdH$qLP3B%b(k6ejsV@%^S(mfPT;*2MyG)tLs@+}`TE=kRPvUCEJ2#Ut
z^hZ6CUwQxWBX0t!QL9(VgXGWaVow;x4+p{nu?A{{7#%F~p{guxrbqWWA?60QJN5mn
zC@@lKJ$hAJsnN=ICmARqWff1@;cdTcS2exdL>8itTpr(zGl>c#+(`zQ(Hvd})wNaDAfZVy>T{1H&Le}T0H?M=uhHb(49yX@
z@DaG?`BNeApvd*gqMF6|{`^nx=#QgELs$Ek`QG$UrIwnOCO6ls>oz9aUane{RrvQC
zZf%^&7{SK&J{Ydm-WjJM0Xsnnvv3sl6M2PoiN@XL#QjeMsf95ggDlRq(;^jS5|eNk
z&iRG>C>_h^jA2z5z3+FZ9wTb5+dHSc!g*1!wOyyNF@&e$$=b^C`3ubfqP79FN4>JM$tV-DIU*VSl4YdDNca
z)TUe=trD>77V?GupIk95Pm9=ln9{NSMAE}*@sY+=<6k}{%MtVJJ#3>bs~Y9+KZ9_n
zKMJc~sYoy;sspn=auTt%Y;L(ZY|^r@C*+8TfmxXE{hWA}w?*!UkVOjQaw4_iUbFbiCp(nh^#f^lBp!ECBv@9-5w+8#XI@GOR2lr45we?(j&11Q}|V!
zHtX;U1MLV?7888f=9*R*dXXkJ>1{8x)JRi@~MGU}H`?OP|@ZhS3Q%WdT}}PZU>o88YHXc_@AD%HW)|WLcvYw+?YCc
z5QiC9ls6_wBP$Vtzn!ykt%xVysGca(5;c=htTjUjg)_N=T@XzT^bI{evReX
zEUerZLD#8Sw|4cN3&h=PB!5W5S`Y~3o`QO?Pp+h+D3brMITRf=ZJs&6V5XMdoz9*=
zLtz=iB^CN&hSf1xr}FjG{sSeA+eoSSd_g+aKsz5=hpTv%ifO@l8)K!J<_96<>Y{WV
ztf(>Jg%o_SgTpdlS?i^#RFOgGJ5xvOHViJ&N-f-u#4~WdWLoAp-`0IY>=+v4nfRQ?
z#J9n3{y}Zo0JM_Ps{)`Ujk^H&Z^=Ovd?R&Fb`)0QHEui-%N5;qBiJx_=CD>XE4(_7c5!lVz?lik2uW(7J*{KjS
z5W6_k$Np~KkgoWiZ9c6DKH=_DODViwcM@@x3n$^6GOIzJ3c`6blCvPslI%9V@~we<
z`X)K+3)vLd6_epM|5Cg64@6Ye`d%|zb=W4NI>yjlK#ucN8J?G>;~QEu$ge3jEQGx?
z(9UCc`_X1XOKd`|p)O0#=G~*|=%jJz3AOkyZqkYp2v=C69_(*d&=rznl8T;aPO^PS
zpQtCcXsJV$OmfY@q8OZ@4hK$sM|xt4L$|?A=dXclS_vj=hZD}hDzHkoBdm#7-hAyK
zi;grj|2Wzp9sEt9m=MnGS$p^^;l3I@Nh;PfdN0572tT!}Zk`dysqaXw(UmrkEAtJc
zJ^~F`?1-=jVpn9
z=UTRYX-w822z6?}(FmUPJm?xtmF0xI@%*X!_15{}5e;&HdBsVtg|IS)G}&=#fjA-Q
zw;g!#(dutsdfufAGY{N^UN9y;8OrbLZ
zSn+1y_>D(MOf(&H=vKm+3Vfkp0`a>WcaCzr%)*}UT(J3uNr)DVrm9Rt+&UNF4u
z&EV3Pm5EzhZyg>swGrL+>3&
zM=};_b&Pz;vSg-YT`M3MG4WBtP^9v>fGY^tK(?S{+IexJ$}P6lx@{AbME(i-50ij6
ztsAnx+qxwtJt*A$D4=D0L?l6v>8<{5V(HAPP@0zMJ_*B4VYpcd(v1Ai2an49^|QG{
z&b+7~u%`uTQUES}B%zFO9@My_ty~gCvw5HYTSj6lt6`~Lq1cY2^RC-!b{eQzkQh8%
z$SCO;ajkV;F5SR%-$}#HQ{et+=i;u#pF<+AJP;3+q~OE{lT+V!Rj|bYC7pL=CV$9*>ur^+4koiVoF0UnRzDH
zx2Z!S#Hy1~MDf*(gluXijq2wQwE1^80>h(-SKvZ%x;#I4Dg~QYW+b=|L<5IznV`LHfNA2B}
z@6y%_cv-hRuLf{L@QGI*&^#EXePWFb2h9U=Kn%Huf?fcXss#?2{r1lMH$&kyoC}bw
zp|1l62Br}t|KZH_XCR7)B)t$8YozQ~(8|BsiJ;bgnz_O$&@ad{Uwa8=0NSl2fRwkp
zuJ%A9#&bB|xf^!y&o2o`K#YMS`EKxG7`|f|*GxVg$W2%3m&=6(u+CmHJ-$0gYylK%
zpl8SHQW*jWWZV8((IL>S5)3EaSI_B*qx_nmyngi~f9}=){h1K5jH)?mZ8`gllt~gw
zoi*p&==FzfjT?60>h;Ct
zxjrAe2YU~pIN5I~1&RHqRsvZ+W1F9<_Z}6RJNLA{OYYlm1EEpjsU1m$5y!y7urRz$#9g1SK6W2BB9
z`)lF%|7J&5Ulv`WZ{1Zf&LA09G4*HK-d01QnFyIejfwdporE{QX$0C%`)^)ES=_aKuWitnt&
zyBaJy6MN`mquL~RiQ$gAZetSIiao?edS0TCJN)aHlI-1~)3WysRCAfvujUT@AY)An
zoHCYGPCTRL^Dme$ecSM&?I~OQd9QRSyLqE@_?7v@Yp%?DLxz?TJ98DTp)9<|OngZ#
zOprNj&W)Y=w)DkAWgA$h(0y4J&mOH-a^lui$1nuC%_dGN+EPl?*fUb6j32eoAz~pTMXI?e*R|p@xPhf
zg7oG4+hh3=wc1Shb2b=--VQv7{4?)Hy&Z49lEEnVoUj;PIV
z#n*r4Aq_n}l3cCOmZ>}C7}F|n2O-IS&sqoDkhBi?N^?wr^f>_gfsnZZH$^@l1cz}3
zH9p~H;BU%UipB72<3NpDz0|IleIJs^gS@f&T%lLN;5h!c&O;~?TiszC@L0QpY??>1
z*BVL-UkW0vK!(Ke>9U9(Ek)(zkDF9*P$Z<1+7TeiR&*Tvc?t9uzOs{M}Q=ZoWG4_$9Y+ydVU^3_%qH
z!lfR~a)11w0pJBp;0m+b@&^9}tcB?N0U1Q*@R{S(i)2&ADr(|`5t+#pljo=_Gm&Xa>I9hA5B8vW`fPke&BH2eRJq5h1)%i+0f73g
zMYD>BrPF12jC*kWTur_NpEnZ}A?e0XmoIC-}mt_b=gA*6v@Bhx`(}=N+wRzMH5{ex2*DY`+&5DgkVD?o{4K?}04Iz}OL62}xfD~7Np(^HA98#v*)D;UL&|LkyS=-Pf030u$
z8NmmK5BPg~SD3NATPjzHZ?@lo@hEVdm1FImT+?WMd~m3Hs8hkN!wi4@o<}!%SbQ?V
zJ{0e^`JK>9e7WPm(X#DNijKXG02$S{&y83D8o)Jv1snSzDDFbRa~(IT&4!lM3ZEZ9
z!4#+_tX8kta}Q)FSTB8JcP4;c*BKa=Er+)9auiwa6KIJ97VI;cO*OMXry7y%u?<;yprp)jypV~409bADI3S5A*rnHM*6H<-LFp!?
z5;<_aL)Y;!?tT({aFJ_yRva_mqY~ID;X*mG*Eb7D=Jj)DUY(A<
z2KTKUY}0ZSMvynGYd>FRp?t`I;{hmW>8i^I6vGZ|({YA^W?WkQr_8oim)i@*7w}TC
zslP6}G_29dxWLK!d#DT4?OcQQo%8-N@p9~zBfRFwq|MRMoSd;nEl$>|O7Y37yV3X<
ze?MG9vV?wgG8!C7jg|OBE2WHc0I9lg;2vJa&6eD43iIvHh>sag(go>}GXml|v}-fX
z8Zh(N`xWM9AY%8ON%-i`MfM!n_Cq$OYNMaI5tRiuZV*oFX2;!CQS!V;`=Yg{G_6H<
zJ9Z&+e6ViP>rA)F#PdjEKV?|-9HRUP0#}hhM&(g&JC_`5RTCiSWs8#@38Kn|Ep#sj
zI6A47SEmk#R}e+rq_U^Fy1idvdqheH>nt0?ik6x3ol~!rm!t?ILL8iAy=>u#_7k6Y
ztp(KG%BAy0{szkrv^%y{;MLUXPI!WRGQpXnqX?Vq{s=+#hPlZ>2*TNLKlp{Lw*Fzh
zMT65PGxi2O3lwr3hX4?GirMR-VzacX!!t`5uP~j8Riao87^?o2;X0be#}7C*N&LW>m`3t)sG{LZGk(+1-?2OT-l#e
zUO42gUN~V8dO4K*+Xk;wb@z%65!-QT$xU2!djY6TAE%Fa*-)~>1Q3p(UI_|wry?_z
zak|T4gZeYl&8rv5#a%Xw#&n)*!YJ4wxj{uyYDE^Z@qF&??Vu+o0JIfobvf`zRvdVs
zd2c^6iqn{v3`m=Y=4-C%(%B;6D;HGRK~4nU6Xl%RcTWH2JwWX%Mzg(eUfRoh`re}a
zWxC>Cdbk16SlfX3SGEPaak`8HSa4*!+{1d6V!6plgZJHjPV1vb*ue_j^01s4kN4z8
zCj%bJu&cVOi+1e>Sw`BFZs05OUNfR>ZZ2oon>>zTKO0*U&$GW(zbJfcp5M5U!6p8&
zY$h+AVAq&8uo0g;2*g>-j3
zu$eRoP|!2+X>XgIq8zk9`xS=Qm$MI=PC;=mh_PT9?{o#~nE%;#pBx;e8<{D|3pvN<
zMp8!_70LivQ;tuU9u5?1)dc|}v)a1{Q_u4GqOpxgGUkPcY}KeJLSDJFv1<|gw~t~a
zr;mO;4gD*H@|2>i(G3l!KBFerbc8ZZ8$H(}RBJ$j(^K2+#YuNmx$pU~<7zs?6VkH>
z0tByU>1w-x9Xo_bluGy3Bk=-Y0UwO#pHo5y^Eh{Dp7TqPeU0Gm9^Atn|
zokt%7Vp_Q=B`cjR5$nId7`7LkI&osuC>+j_T&^JroUs}|{sA=o2HudjAmvSkt1Z;U
zda$W{s<@-OdWG-PS|OWm(^e4AjJXuo3b}FtoSRzbVCW%EgTeL+1WMkH$&crMqoi8;
zELO7M?HdN&a;Z-jf9k)Oy8==yaG2O@22;q%SiASyk$0e|N4w&XWErsOo~B<;sq!Rn
z%_hi+v$L-5KH_-++P!)fgd#W|VKHd7Du*p@1;Lp);9oqZ@3Vv(0vO@X9jHQFvHjj4
zW_?X)$!ya7KdvKk);V$fr|mNn>8x%L$r*q<_IEvx<*;_oEaMrzNzJdGVc?F~$L1mk
z={fVFd~Jpqaz#q8mj1Sa+I!EAb?hnRo(A@>uS5}?HZ-Pq9&20gu8AqInk|Q?@zcLk
zlW=sp&D6Iy8dd|*Y!AdgP+Od41JO|CW7H*HrJFjtx&z~kA=5(S!f?Xu2J8|q49%Z@
zDmt|Kn>N4Vq4xwpL)!J~J0ItkfrN%Ub
z+D_o`v?!Zc4RZMzM#A(TsUjs`Mu<4W#*e9{tepGE^WzC1aQrGI`-RJRt8Y)+u
z>qMD*<(8gPSGoS0m2r!tz6MfSb_G)?(@T);a_Ji!MVP;Nlv?C0qTJIFNMeQHIu2lX
zzyJi+2Y7y(Px7a`-g-yd(A=;35u{A^funEWH3!MUHuU=ARg86~!!-#K6lz1Uc?@_7
zmk{gN)h^_`<1Z&;IGLKc$lY4+C7a>t;p7pm6NLuZBgg({f$=BKCYF7FrP{;0drIS5
z4r&^2$9+jjOVs890&M>xt+yWOVGVb67}mPXNW%SW$@iq?-V%zILiFrT?o+(j9=+%F
z5c5WKXROmLY>h&3`HY?wJ|EXiZh1?FWIIFo@mU^k9gAY?OdKu)YdJ!JfOztpC0bXa)
zel`CIazV1`y{}7sA;{gcG}9PwTBNHkX{DVcBUyDD>eoU$VF+J(D)}AxBq!sp?uR$<
za2y6GI65Hj@N(+}J;w9lC
zBss{Us)jm3Jtp>U>sFyg?a%p2FrxCF>{h4sFI@~ScQ;a~YWpBF*ZBmx156P*!3RtSRK-3gbl@tS`{Ar>IF>J621D=?ytk013_Qh^M^!XBhYs2~TI
zV5E(DI$`LGW43fd>QC$ggo}(0C9p$X4^D1J-sb-gr7N(sdY@*tDXgvD+mh5(xi~y9
znz!EARPbQ}IX7~Q3n|f=4TP$u5TO+vA1M0wZ!4_@lh3`5)v9d{ZoDqp_ei-0E)n7z
zU-0D3@dyv7fJ2ET&w&q{jNwf&UFI<`SHyb
z8S=Bkgzw#}+|ic34q#^eQF*<)-%d}t>cs7H9}OS&=cPak*aJte#ZZy-!=0->u^+|A
zihEjtxxQln_hUWxj$RDs1!~q}hhY)nkITVlTtNZu8Kry}Ver`FCV8g;Uh>f*o5uz~
z6O71sreJjpo8Nvwqvm{X)`{VtnuWg@?1E5WHRpN`-~}q5Ztui=Nk4Pz{w90j9$t6J
zGshWGs~B+7nUX!Dj<=kK;6a@z!YxdVPQ~1tJNCi%a7i2CMW-JB+ycYdCe<6sp)u8=HM7P?!rO)ER
z>FK0I5cuT&2d@f&zs?SlO5C>MK-WqY`SJ1GN*BrXn)VVL)*9|JWXe`mIahb5LC0Vs
zPZjCTnm_CtN~ktig$%m~8431ptcr9x@KwHU6^q%u5_#+`TrCQY4*CXrin98PiLFG;
zuwfOalf2z_{f0%yMfn&m3IX7M9+KfauDe8jsPv7^Kp>`*TM_P%(Ar82{aYN|{P=5b
zsKVBvHwHCrnSr!j2XNN9{RaC<+M7ft#?W6|aj*ly6
z&E=~N3Xw9aZ-lt!WfPj-JUmL9ZcC`ugGafaya`k9HH%r)K8-MI)=L2o7u4l0lXJ1h
zo?QcEHC4
zK{9&QP#iB^P@FgJW5_hK0bG_2QxG7j|F0DWFgv-JM?r{6t>GkqtwH!{u^Bm7*{EGCu`ZHYhRB#y#^-Ypzv5lRTACySl|$%=>-!p~S6(F0?SX`Qao
zVOnep&COPU;+dq5QM=&|ba@u1%3#2aTj_I5b@px<#<>**H;Wdm_K+Q-FvX(Ft}jq1
z6Os$b|5P<+`MfkItTd#lNDypWr0Lkq!uXo|j4r4RD+)0M1K|K#EbWwsp?M>^$PIP6
zpvZ^g)dk`fezx-l*kVjVpn#$Lw`!Bmjn&H?YL`U`!q-Sm*_?nW?Q~6iO
zOLZ{y6`Y@A=vMBN38ahgM~5@&?POFIK)~N2_?`Klj3Cn031wV#0Pn`mWidx^IP>2<
zgq+QU!1<41I;|%?`hE+41;1b*wN&0!9z{tKCvpI?4)Xqq)27fes_1+p3CZ;pw*p&}
zV3L5OgoRK!IOUgsLzrFbkCv+KiIE}WrGXrX#&$QEHVOrMRT;
z(^;WDhSX2?mWlD*jAWHKDBY-lgO-)USG#7NdX{0&sw>Qh54T{eVvgIfJ=a*sS9cQf
zUOeNS{4fBEjxYa7I!$Xzc#nvAZDY15N_f*jR@L?wky5ll!
zcN&mFkAfIxhIR^`j72@7QvkV;*E$q^H|Q)66;d_Bj^t#u+{`nU@FwI=O4qk-mH66_oS9wZ$i2N<
z)-c?67dnl6->ldyL#+Q}aZ-6_{+>{+daD#cp%5%nsu7)60o$W4uss(O|MKi>r(=$v
zh2`3NxuA3Ap!8d@-l*;VPQpt5H+l5M$e_G@yGvzXyJ6dz4T8v9zmpiP-lIc1RuYc$
z^u1QL16w~{yb3fERF&RlrqMC}SIEh%^7_3oM+ukeMalGO{#`JyE!32qwi25k)7c=3
zi$1Kscr=5Zete}!kc!DN%D;jEBgJ*AvaD>*i{l%UdHp8?wPwq4sm4p%$n)7}f}$CX
z-rID2-IEGt9w{Fe9J*`LSTbR~&^y$9QAX;8npc&p;YAfKHki*ABkb&(F9M
z1?D>kr$uEh)RhH6NvTlPUK7JVz2P&U-e(@U#HX^ALL|canSaE7i7d4A6$=M+V#|r_rqm#kc`#Jz
zvx861-3MXPagT6F+un+S)5g40k%Dti|ACFVd=Eg^Z-%J!ZrLOR$&WP|1?96@zX8=h
zfefdthG;lj&hhF*XH!579ETUz`8oO_~E+uK?$+hvu=
z!h-0B8i0CuwUUBe3)N1p_B==Fu^aczZT)%c(F;mFxb@y65J>GkoV4Mx|9nWupgko~
zJf~^b8S^c{61UUT*XHc2nEgffP>SBOR;^@&Grszs8rN&MpW>-Iw`bzf=7`g@3#-AO~R@6N0jUx7vTZ&nVzvKvLQw$hZY%dQ)rLs=9lKeJ-{>ecHQOdz%vQ+a_S
zBSiOF6?mqz+0pwFB=(?fLxUy^Gj56wOXmmRO~U8(^f~Ut;c9|1Qf*x%1RBhEPA0g!
zzBa{JC)PHyjza*HvsrFq*bdC$OlchyQ8+3sR<`j|4lg@NMv53hOLqzFJy(ip{@rHD
zov%QRwr}?Mz1RZ2;=H!LRLrens;jt!i#X)Mb>7Mr6!Ry~A03xmP23MZum}67*PWy7
zUgLah;~>x<6hiuUD^y&1bE;WI
zNDFVZKKIh?!du`5D*v%oA;ZVeas5!-qVx#Vk2(Ie??K*`4OC*_|4bwZcZr82N3*s@
zxq1l?)zpYF-_&HR^w@2k2gJV=cX@H#xqAMrWIFb9qD!?sQ$M<8et6|TL
zoftI(>-Jan-(%N2u#^w=^SLySdJuU#GHog-b$3F^+iS2T^yxx1dmS@PH9J6|H%Go<
zKt$ukncV;3&xE1juC{s+*9Rr7Rs|nD^|7lLWDNF8bQSlqMi06yUs-krMd$p!*X&?Y
z^`?k4L~xzrg-7xu*GLJS5Bh7a2JwB^ILcr{qW(Xf3eFG`sKN95ea47dE46Vy1=dYM
zq3$Y#h&S`dq0C2g5n$d^FaGYi=7G~oQz^+$cZ(-
z8K0W*S(1we+X(rpy&c~)k+GcqQDTrwatujhIhi9Q=#`zo_bGuHyK))JK!Vz-epY4f
zVe86U&=WUe+@@4fl59ZU;r0!Q77}!pyaK=XNtDgV#)w2iTH()Z!e|&w4p375-FWc9
zruZCoHTD1=7#=^~m
zgtphL4od7TP!ykT&Uwijt6vuFQwX{n)=8Tv9i94Y`x8C!0T#%0h7yau*fmXX`
z1Jb1tqcQiA+ye$B)SrYqN=TkW*ZNl4>CVcTm@F1=$_7mBJ4REyNZBooDS9WL4*qHy
zLf(Q&llCAs!CRK8)+>JI~+C=>q}WWk|O
zu?SxrrZJD7_yVr>7QWsuU7}_&B1GYa&1MfO(neVpcNNTO84pE_-B(A6c`Gg5Sx^Uv
z{osRpLGD#n<5E)r514!FA8a%+Hy~d%&VM81udth#L3BvZl^|DWu}ebh+#DMGLs7})
zXE68hW8QUrSg=C~z*b4Sz1~5jiQg%ct!sF_dEUxMK{@hqPUNdRx2%;i{TlXu#m)8}
zuf#Wd0vP=Cd4P;LxxG-#<6BFP{rz=uCK_8`|_?^>r
z3_3UPY3a8()4}fk$a`U&uK(Z-0Ew&dL?a?(CKN94^F2EqG2eefMH68}iv=eryM-3l
zZlof0cTQC@EdH|6DHfYWRoU45V*AoN@ahS*!mIX+oc=|>^A_o}vbGpR$(zSz(hDA{
zmDoj=2h)#==_LG6t9K6}Gl6er?$+7_zJU|{nGYY+gd~%)tP<`H_U~~^2oG;;-iUmJ
zc)qT)+A+o-M2ZP{D7H(uYi&fjhl#hFbbZ#pSatUoz{t9yuK#n<;bm~>r>hp=q(h?t
zRI|*5008&%o1)9LzJ^B#=|(dE{+Ef9x}JMf&X8|%-n%g5h7GGy)NHZcC_hz5`Qd}!
z`imBNJ5$jO*H&uA`Qkp>k`nk;u+h9I*mclyU(973MSr}O;H=JNTjPRY(NWf?+@>VHn#FVdiv|n
zWxD6#hVFnx{uHptX>j@v6)H3WF-6{^J0-H~e&}z^{gzMv$yzyDP2)j0KV7GO;Y4bq
zO(debhaL9%WWaFt*S9AlO8YtQo}k6)-``eNYv`7SBZm*n_eCvaE3^>(N+ea6Q?`+a
z%t<|e&eiN*I@?}+nxT^{-nw%58l-8HJL&b_D!P1-wC=y9OI>a
z%EwN!9idrXqm8o4#{!gk8GV4J=Gw0H}Et|E~sN>EY|rgO4}1
z!{a;(B&&T5rXh*1^F4;!*A!uIAN_+DArl%f3<%HwDHeFl0mWat(*n8LhQ4W6OoyJ!
z2)l_s+vR2-9BjuF0-h*_4{axD1YDyQo($P03B6>oeayB-!M?QOcFOAJ@#4$v#=?2Y
z_mUh}8&n4`8%hHRFFwZ*rDBop^Xqi2qFd?c=>D2#7Us*6cwU^Fx
zU7=t)EgjQv9+WD~jUKGK-}RS|y*TTg+$5O{G&py9?1;n)w_@nNg}_ALe|vQR;>2qP
z9Z`SzKMEIMn?5KD#oR!)PIjJGi|n8pc?+*zYO$3R|JnB)&oo81D$_Ti7JAlkp$~IX
zu0~Zv3=09*ow$_qQs+u@Yu`CnLdovCr|8=yf6&`LPQHjAGprJ%t&RTUR=#3_X3$EX
zm~VLt!8JVqE}+M1vi$-_atuH_Wc2)C8a%~9v-}H64A`Lg%wkYqa4E|{KO}gnSx7H#
zW`QI6Vo!lK1PExrZwq+aGw7B&Mg?H<-p#n>#0{`WIKxeaOX?T^M}3pS>-l4KE-`d8U@2$38#?@={_LoKIo4s?FvbQt2rrLHO1d!&v7C}^ls196xj9M
zC{BwKknNQjYbx4&VK1)2UzUbgQTMKbGJhF$8^5w+=WJ$nD22ZHbyIvZ_2aHjEC@|@
zrUcQ#qLI-_(}h#Ex*?-@A&YPK^10L+q}I;wc!T5GS#cOj$o_L=+D`}jo-3uSY^HcA
z0EX)dUg#2pp{o;GDr#*-O!2faqYI+i$gmp=Cz>Ub?LYC7GVyvjrXZma*2^O^I9DqY
zhRL}Hw-mr2z^O;X>@L{kb8t|x2?#L}4B10ka}%)!ziX{q?9(l=dO}DQ&Kl%0xrKrAZ7F{qu5$q$lI7nMVi2DLK;Y!-R?fe26fD2&|vNB
zZ&&u*LU88g(PNUBY*NO-B@vz7^B4Me!b)?8ZJ%^yT-%PO@te=Uea^B-+8
zusiaN7Da{yAZo|kz7^6|q|U>DbIlTBy^Q1E2Ys#seG!yYIXj;JMB%fh7CQNjmw*iL
zw_&CYT;2I+?4!@u!d->S1rj8WH;OFBxfm0${G->8WODM8|}p%>^CxYtIdnGTv^M;Z3f-U)2mgg6PNe`)tF;wvo{hx
zdB6C`GQlA^c3&`Lze9JA7Q4bo=H`p^_>6V}`0+$uHT>ijrtI?&1aKf`$YdTVq$QsJP$s+5LA^jF$Z
zORyVpY)n+SiXm6*kyLH6torl`>nWKYD)uT9Hew;Q9fkQfP3#b4kPz_A(5`cx)_l6*
zKwJ$)R6Hy*Z54!Zl!9zK7^WPiBuI8~8o1iME?qyp{gj7i1qMrRg+G3RRj`VTdeYp`cewGX
zon)F2db23{aQ~8J6*Nu0f8MmKUZer}pb-<0k}x#8oWD45U;Dbt!|{u(r8(hJt7|)s
z0I?)~4oH70fWr*<@MRkI*N0^dSJVU#}2k0Eld7|n@N{L
zp{e`_bRq|oH_lzNu+H&Rp<~oHX+{XC2GFWEAot|If>s2T`8!EPRLjN9>Knp5wCbDS
zyuFXM39MHJ7i}0((wkO_u@#!%$td`|Zbywz2v;3+K5#p!Hn13p9ZI6R?;ADIdeYLD
zt%w$@c1aIeXg;O%
zh3#sF<>0HA@tr66DWh*3hhqB>hyp+~<)JvVsWt2F0b_xqRG(SqTUKK}--VJZ
z_&@4Qj7p3?Q*?ti#4ED73@PhB8MDhZ0s(j};>yi2TZD#c7^*`)IxY;;E$>#h+axL_
zU67ApU-iwi4_L(MWRw$Z{sxp1gIQ+;+x>B^>at3AL+
zPU8|zDb32ZSw4QscAUkbl>HkQQ?=7KaZAtztiJ!TT*LX!M7;5Vu5PJ~i#@M|;c?J}
z1tkNJ+5qlll&JoqG6Odset`0N1Jbwma{55t3#CEkAUOZEA!SMP5j}B-37rC6Ca<8Z
z?uMa07|G8WZK;t5wb-LwzNA-GUOKs}DQe53(mMNowz5sI0!k-0qk6ZQn`#viU!71n
z7!htdE7~3nRC{q3C7*XyeJHXv;FN=J8pv2WvBByYvG!umT5c=xZ#oaP=J&s{yKL^4
zykhnyLCj5xiN!HP)%aXbQ;i~fR_#5HYo-wDgg1?S9^Sk=_AtzJ=E>w%E$fbXAF)K}T>+@G7~eT)
zYm<+|VtaJB#@gzgS{7d}o=Zm5hjx^%xnL7b9lNR<&6m$bthEPCTtV#DSRGP9vw@@0
zcMFB?TmQ0_{vdAz@)(vtM^kV}mb2vu|Kf84Hxgy&S!%g^3w3UD0bL4ck-ZZ)X8**2
zWzVe7HUo#=B@6IM{IE>t-4#Qu-Y4mnrZ^V>dczS%Q>_e+A3g|RfRn#}WMv|dlVzu4
z@$*#DwcxYj@ABr)%UZ;OgUZr0n5^t=0s${j*{5pMZr)&u`!a$=QK|>@@Q+&$oNdc@
zrgB&>SM-0Aoe$*n@#VAp<*y?_7`629)y#K(v7oe?j?C8**hux?ul@;8*zF^QRBGEp
zRAua5&xT)Oc!k4o$!X$y9WI@MxmA!3RpHkEobJ{cF5oyzHNS4+%@0cw&5X=pjQY)1((KGykpo+STZLM=A?7kVi#}j_5
zf%q7zonnxpo#nkNuC!dzT!|RJG+F@F;vAnDx!pb8mz@OCf3Ns@-!FN#S%~C^;Y>YJ
zwWABcyN1h*SlPQI+o7Tk0D6_hV=9`v>tSMY@QERM7MWOJzkB-aXcOQoy9m~+y@EoR
z(4IL(6hlIGEF&lPiyPE(_0Q#nNjHXAst^USH_G)XWn!~}ydRJ#a%qk&S(Z*;D*X3>
ze1tww0ubfsv6$U*mtPcu&g%nb`YlWGl}U>ndg%CIIFUa;h7<}{V{m+%l^DFU*QCPi
z^YE_;GLRHp4k48|kQEhVE>3@+GvB=!`o~R34
zuP#>4+8(9PmlbpD{jxJ7kyW#>U2SL2P33U*{oq2daW3*#v*DWjlGlVNqiWjMC!gRX
z*nt66%-$#o-N@;fo%dzO^~x=7dsAppYqB6{PKN;9g#vFf2FM4j0Jf{A;yLT}T@=>}
zdvi1`06+i+6?v(vR7&Z}O(n|=)w@4in`Cn{KY60>XAkE}1oH%6Bu%NbJwGQrMt9BL
zEX8hc`+nBw?XS;|i}J6)E6CxTQ4oKS#XZ|$zN3o+&z&jPKBsETVJYiCNB!C*
z!dR9vhpLf>N#;hLP{^pqxfVEB!<{s4lR;ENp*E!}Ymq`|F09!dk(Y8!Q+O86B1EA=?V&=iHW3oIgg(-(vsGhO|^
zwuz?rlT@)GUx-x?a~Z~}TJ8BWJ?R12DorqNHRFR}Pabzkzm(r4=5sui)ndezJ~=j$
zuB+K6uPD052mKdN>`-gev%8xeZBDV>_ofp0%kIP4mv@O#RL!`;;l>$u>=ym;kROn1ua>n5SEO-CXQK;yHpy??ZV<#QGE
zALQtLKne6*!KjCO+#k$V7sBJ-qj}jn(VC^AWJ;aKq2GQ#kyoI^Tn=CZqx0ZsEUjrw
ztJs~|#E4eIGHNpy>5q%{yM;e6^wC6s%C&vAtvjn>Pt`w}0Ge1Mxz
zR*VWD!*fW?X@0L_*VhH!OOC7CKdNywx=~(aPGheM-vj)wIxk3cG0v+c5^kw;;$Ph(
zIbxGLN$DI9Mk4T`%{W@Pr@guhuRb)R1bcny$`dS{*aVVH$#3_ql#LxK3x`XT2jeh!
zOlQEK)vE=e;bpS9qSO}3w!Y^q4$trI%ARvF;>@vJN^$R85z2%X)e&L+_4JT}5Zj#d
z|KhZL`r6kXkaV;I-ySR!guVfF1IC?4oYStDf&BkMwr6q7*J-2r&Rm}gBNR2WpKuMo
zOs6@dJUY^(qV$%~P$INS_DvGxQypTh|xcxyhkv6YY;8Cth
z%qBQY;--O~Jo2R0>@8q{&JFY-WS<%VF}m-Uro;aT!BLV1C|vAGK?O>>|kW|>JqRaj#sGhwAde}Z6~?qpz(GX#`)N@K+8)OjFO=cvKh9je2P#W
zyZWldli4Qe*&(D&JDlHL^o}XS=z?<+c1S;uj&8>Rt``*)xj6eW`lL}L5d&0!64|K3
zA+%{mv2W7yG0dZsyb~bK0A+Ki?dSAb-QlABbr>kkga9}*K3pR(2NI)`v3&JfYVVWB
zJ(N5+cucRVqjrt&yT4!}t4n%DlA8g`n&F=|IMEbJgq_bpq%S3cM7s};zxD!*3aP1d
z3?p1p`%;Sr!b^LT3!F2$P%*EvLzu)&R@D|)3$fLIU3_a=wZ2@ML7NcLz-kKlu$`AX
zY8Q?vffz1t+upAn*8@#6OT6YLgxZ-uyp7~Wn(I*NG2RJV7Qq4_~+|?HL
zV3|nK9OO6e4VhOHbAIpr;i!ssz;F|bfcSffye|$Sd4!Sx?aO|sbla_ZS_kmBg;s>W3wV-RnNKgBUyrIQ@`M*iE&IkygrW1-zw0--`d3`57fedJp-ia~xUg{|at}8;i
zlbpw?4}E<*JdhW5x89AeHhC=;A}8iPw%gP`f>Q2NACI{f_76u;7B}DeAo#?g+klq&
ztP^!O@ddx)%)WwuE75p6nqET|TIkPUD8o0y?|)@`#4p$CDoqKb+H#
z$ej;o`T1rJ;nrq_|c)*O>wq+s*2d=AQ7-+LAX&($Hp1<3E}La;0?(@bziw
zZ*K1GWS)+HW%EGVKa7x=Gp`Kwn~txw3z>fssJSW%q(Bc`RXWUz%7OWY>w*%)F9O|`;RLPjrD2|7Qbl)K?ylgwdVDJ+snMC2eFdPoo2+Eh+vextD=4PBclG}
z`+E(i)(f2Z$Q*|3NN?|r?br-%Juz?^(EY)?L0DIGC=CG-UZHx?`EWP(hArPex*FhR
zqYpIE04oTBLgH53_1qhw`A-&KyGSbrh&+%+EuMaxljnX=?#jh+o^++f#}8-?v>6>5
zWr)2Z)cgH>M8vs%t)?&N7dzg?q`b=urQ=%5o!cCqW@_B?@cvKvwq>5k6fC-`VJyl
zHWcSH@c%3Am%pKuC69Fe?augD+?&COZIAmtxg?s}s?a$!-)_Z`sUy|sV?5k7nyG6O
z1au3Dr{-hdl6yQKUUg&){GqU4}u8N
zl=gk2KjY(8Sk`VtWYKe~hpnXq%!LqOI
z-UWSdGT4Ii`p}&Cq2GOn5wHAT8;5}IvtEM}qWDK8%1}>k+Xlrv2741=t}1yPX2csk
zNRW%9)+d)*|F~t4n%CxYHbHZxK=y5|(isy=i?{T4_MOyt=Q1%m|&2<8?C=yb^NcFY|x8#?apU
z>&rqGcgz2--OLn4;4>9pyFVzE-j!>hKk{<a4fP@6nJ+r%e
zRWGNpe!fBf?{DO^cg^g;OL1PAg6tE$y?RFQfA2<35IS1%-d+-`-4bcy|FCXnM_SKt@7
zW=HU!bXhsVDX)4lIKS8??mhVkr#A-2mypffGc(-@VNZ#H!2h#2YPmCDe+EExHtmOm
z!S{!F2@UbCV($zykV!q$4UL+XdOg@+@IDYfCB$v)agXIPQ_eSviN$msX4mpJ(+|9lJj5Wwx3Y+g+^
z0sr6s0GTfN$7C-X@*jXN!6&e^|9^e^j~6m|k3SCH^T@!P{9g^PV|w
z3w51#{8jCddiJ~%_GIHN|DQuz^+D9n@A%8+Qs36e`TpX|Ptm6ux7iqYw?2QomRmw&
z+^F1$)I679OQRw)e+`%Yh~<4>3@71S^c`(WWTuD-v*kp9Q^=jaLqlOk9so1?n_*yt
zz(*LA`~~>)vq!%m|BC#@9T;uhKbF)-e;5W0AioayIC|MDSn{8LWG`JBqr2_rV$+5D
z9`W=^GwMs)F5~G=)N{@);urPSA|KSuR0pFhvbtdTz{`7pddWFw*lTr^_@mU#ZwPIe
z>1P{nWEji#|^}NSE3X*d;Gf#V_|W(%`S0Wh^EG~uOy0K(cDq(w=k}s*+0KM
zQsCNzBd1@f|NA*M!JT#e#f!AdN*@X-Mo&&nCjPJ8OPREbzIf5@$S~d
zv+CVn<<%2D)$@NGO%P``534wr;_80*8-DpjEpT?IIqboY?Hs?uzV8)0x+e`Cq;;cx
z=gQ``=I;IR1fxnGE)5x}o&EfeOYNn%EV5<1X(B4OIENWRhJiywu)^rG)C*2g!(?%|^f7sV?)SVFE{G6~lC4
zMB-4NO$)YOEwswVg;FhIQKxv^#y{1gxM+wb+n{5JR&
zZuR!wK^OMHhokH8Qs3{QqdNV^XNJ2uClAYQNuGy?Z{J?QY7{gf^ViMKBd^8h;^(oQ
z@Vw2rLx!CDKJ)3{SEZMg3^pq_S!<=g2INg2nB*RB;+@aa$6V0ReDomw_(S}idXYFB
zZw%{0&i;h!(m#Cm2jh|{?f072f5bSY`eA=V1gPM%NfS-r1-G3=30U0rb|H1Rh^$o!)gdS<)!S}`+-8l)w}|;bTibPk(R0-x$ygC$#^;nD+SrI#cT2VKkAk=R<3F_B)yi!bJ;Hm6*=
zu6IR1`;cUmzqzw9-sL;LHR!mO7u^Ym*1FkyijD+sEh#2$jXWIuvum20rjHc(CQhM&
zGJm1Z`@%HjvQ6tQy`R{R09oC-1Hnt3R=Ek~j8>m>PE?&vy~W4xRAgN1t0y-=DQmp$
z5%0CZx{o&~Ldq$a>?J1(risq2mx#lb_Vr_J4=1-(E!c-Vi#}xO3%1Xo2f4iYQ4P8B
zJZ)XKrxV`2v-KfuchWa5BoqiC_#LoGViM9ru}0wSFp`8W{XMUq9h-JjiWg2lMxr^<
zjs}GW!_S{8ojKu}osC1%qE~{T#u3^~KBDV}r!$xW1Ji^U`M2IQJWpR)w@^j4`VC#h
zma0!7jZbBoyCs~9FYSt<$5eQa<>g!m-ri8#eYeIcU)SVk@NN)OQ?ZRe)sh&+oJ8Yr
z753n0_JQUU8H@bo!=J8F(i(KdmIjF6>nya&c}hOaA76=3tlc)Bh*z@OydnP*pg(uf
zGE>aOLL(!y%ES5bw)uB$nv$n(_?R`@>eZ`fT8-R*IJ<0rQYkK%qTkQHrDEA#&Y7~&
zrYb=^S=e7PGL(bH@tVPXqCK;H3b{3eL+OL(?2T!YEz{=9Dw-Q5-EG34*CY_qtZMpa
z?~g0J>j;s86!&(ZWA%((JM3!d8?oG`!_o-p7C1!CU`C@q+jb+tv7?=uBD=BuEhSsq
zwP%{0uf0F6ghS
z^sN@-4ml0-QS_#{)3(ydaU_&+UuV@Eg@qWbAXS_#Vs!WZHl@rrxYs+O
z!+{_TB!2kmyEi%%*_=Yz?cC1qj&ZZ8ltX-amgqTHkerK@UIics{%qEgoa9>KP`F0*|
ze&Y+I?m}bxSlPK>HJm3P$-bWnHI&aKnoFsr%t#y1X13(}pSuMITy2}cCYSL|lB=R%
zLvXU}snZrfl;ean-b95%nXCnzEyrk7%YI^0%Q>I(a5*tyEhC$pLlfe&P?d8h%wO!>
zDzsoQa@{Vw6k?Zg7ZyF#?>h%U_4NBzy@)aDaf>?dv90lr7f~BC`$Rb9w&aV@4#fu{
z1Krfz75!Q_%V=?K0!vqR!bsJ%UL2K1Baa!~-A1Csq8M(VI)45gDyj(T>|+#|*X{gM
z57120Pm0~MQkqw>m`JpdHt&n{59uL=B0VI?`b5tt|8a=DL4~DWcZsv`U35WDY&=uE
zIjerUZC)63{9w1VU@~r5QEci;UMUW#nIlBvpTB1xP^rDUl%O0Eg)T2Rc>i))7{*^j
zg4j*YGFzw1no@KP%qG*1YE#E~8r*>m1GB&ruG}Oz@pUHt&~Cr=6&RtgmCdiY!mEN~
z)bdR`PVXxeEN(VoRO>{R_}*sAm+yqAwxpL>_lY!NhTmv~X!2-@%n1va-G2@nsS>Sh
zZ#Nk)ryEa@kQ6bsDB@(oDo1~`NWd%&2Re=EukmSO!Pyu)cvkG^x8Y~$(?3<5Me(vz
zJj{zc#^tQ6y`N{B$O4#0x_f}8l
zcdm7kQ%WWTW)ZMc%2o^+tC@;Kue|TAaSA2>&>*%Rj&8Bz%(SIz>niE2Vfvzc<|%6D
zJaqdv6E;@);mjkSO_K#~Ns1IU?#na!`;@lSB&{>&nLLhD=$w$}O30Z~c#?pdPV6%Z
zx*OjH$7c_eq@$WChxM7THiVQI0RM$em1rg~5V5bG+VrUleWCwyRRIyUtL!%TA!0a!
zy6czm?5LozaxjQgf>HO+otHWO5K?IB%T&R8N8l^Myi{~kapF;6J|3gZGO!plv2pMUI(^0l5Cjia?bJ7Fy*A|
zuQN6KrOzvDzPeUXI8C7<@>9o6mjIQ9kLN8b#lv#VwH*1wjFx&NH6pgQ`@Al+8;<{~
zrRLsGA$r~BmYm^av1S;_fEN3j8EafQw?!d4BS_p4dTPgZAa_MC=k`^ns
zmUyze*c06A@{jIjIbuRp{`fb@9CQT@^r!zDC`Go2P4f8IT0?GXymvVB_98vltCCsJI*!m8&nq$JC~@TM+b3
zHVhgnLb@9=qquI;vyf%rM^q}%8|yi>+0i-ezdki`jYiGgc{RU+oBw4#mkQ*EFsz_v
zV|g_*`7sOa1qzLeF2-TMhObSrUM?w3{`0Oh?VT~2_>5838puZ&Om+~Z=dt%4mUMdHuA9c1^(&iI
zxJmq?H<)Qc$$6h++FK1WE10^J8uM>Q=`|J5pVUrxz2&v7su}8Ax;h20{Wek!n@@jY
z?406p!=4&YW5rw=b^dVmXFZtF9`NBB5dA3!QcasMPCi4I9s2{wGvHK4REQ!E*C%-`
zSRH7~tzfo#pA$ao)O^UTsnfQ6(3VTGlH{T5>v$JoB~YxZ;1q>JzAG>PL&Q)I1!lUe
ziocS@m9R2pnt(aI@HC&B59BMR;&=J~i1;qQ`@&t^Mmf;j_rU3uj8#vu1*ZIT(ycT6
zQQcanE}P|6_}EDlFQp%}EEd1a%QSCV9m^SCxuuq`ccrtD$LvWPeK3<)F#mi}LKCKI
zg|P2VRFn5Z>ZLYemfj}yti&0*MA`5~>z(>&H+;WVX}HMt;pvKqcb#iGAuOR$;VdN~
zT2SML2uTMnW^6^~ZPJTwriM>3{9dqc#7FsHrFYLg+Wfl7C&F2FFE03`1_sBgO`;V4
zkzg|=1hUkj-ffVjiqA>53eNMLCMViUh;++6#q-sfY5IM>`er0z8|Ju3`Q3ZYz4JNW7js@kXE&q!f}oiwb{>4DpgZuD
z(_Z~oI=HWFv}P{fNG6wUQz_hVw+m81Qx$LA;H7S*j-$P<6Cc!C@*N#UFG@FtcPt$H
z>Pk0ooV4C^JPj=h0r$6LSrIy_OyFSo-(wrbpHieuz<><3>ZP5R`MT>FoRc-HCdgX1KJrs;y3Dz@su_}m*i$;YUcV(bC(Z*^>yF-~uoYC>30
zUUDC`>D=8WoCoGpGycbT^Qlr@$`p;*Xnn4@GcYzR__ba*{le+l+@|Jx%M6b~;d)k1
z^4rfdlJo;sgJ2=oxY&BcMx2p&X5$Z(ivUpJsHi&OuT^S2co)L>OHtXI9$h=6CLQ2c
z>B^ys)VVEOf9URXk2IvCr6aoM;pbm-5_J+q2NnamB_
zzS7(_ics**&F=F1J4K6OP1Vt(Z6k{X*jm`RhH=ai87@Ie<1|{?NwKN3Mz52Y?Za3(8ma@F&H$hSR?*YI>DRlW!sj6IP$-)bf_a)BW
zP^mOL2mUaZ?hK{(W*ACAnks$1spu-jN&op41ODJP#r|*CE<10=5DLD#9u||4b?Owt
zp3>IrokL<)F=XMT>#^UlBQU=wEppNgEL)g2YH^4dl^7v2C0;1*;d8+R=Cf%zF&2FO
z5>nh@l9Tg9HWmOF{T+duOW9;(L`5TsJ
zsGVA$&WWd8s(Ar@NzZ?pJSUi^SQTFNn``}+X!?R0U_#OB6=_#By4X5OVjgQXFQMOo
zTv{-{{FnL)d$gd^T@%|-4iPcO3mBAxcNP*E9cuBLFXML{ClQ!UXd&C%b!
z;nb3AgW9c=i+%m7Xd#e<3`7$(`e6xW4}lDxvbw94M6iSwQ799H2~!wp}=s0i!DxHvsY~f#P!Yh!`EUFUBZ?8B$x@RxBe|ZRI5J#lrrvrjhTNv(jdg
zw_T~j`6vgB5KLP|Wk@pmY-b|j0qcqu*t5$RvsrIO0&!OHJUZa8_MZ`5M~+eg+AxH)
zl7i@|W}MCBK3K|2kgZ1=cg;?w@&U&o9~K1)byl6VQ~$PGFf~OW=x<<$2`~6g#A;J!
zZ?9eZr{$B&K%Q&*z8q|lkeN?7Jfxo}V9OsW9>k6}aL=yoPh}aJ=mykPxx%ZL~UkFZbg!IpO
zHBD**y`)c$tUSn*F|NMTNUCydeGQXLCU^Pli}m%Hhq=78?n;e)zsD!u0014w;Hj1U
z_^U|O&@vKAr4f}*6fIbZMxk_3$wb;4L5FCQQqrO>Emz8$S%M|pK_+c2M&|#7tQB&)F`uzACNPg#jqcM;
zy!xIwju!X<^j>RkF>_JzL=93lRF0NC!?SEV6Hvff8qCJNk)=R7xpat8*0*355)yKW
zd_c))1SFu~A{FU|Kl3BAMn!rmFDd&61WeVeLkUE_O8_wbdl|WY_qnv6_lFYf#30T2
z)?;Yq16Q6^-0@L_r>_X7V#WYWCdM!3K_0N80c8aMZM9@+4ETVgTdzo+?eZ0vq8
zy*blp@|UlivmTozq9=^0w{MF^0e2WR^~q!MGJm
z=D&^I2fg1Vf*5SISeQ42ohb+_AtEv{j@3erN(&d)Ff$bXK-c?%0Dx5hON$Rej(ayQ
ze9t_EtQ7E@tW9@@T#1_ewb&v&s^_`uD@CMCK@J*>r|VRBu)Qq=z*E|*4s;H|us^5w
zth}6?o9nWO>XHbwYQpGMrAIL%Bv(g%Ip;&_>1d+F$I-}tpU=&aW9_+QcikL5kY6J4
z9`|4n4*Q+gbUM9m&aO1*PRekYscH^PypyLJnDt&r+X=4x9E;h{s-|mn_k(V@4#rOJ
zjkDu<_Wvm>wBIK7gT0}Y9$?cttJ7Wo;Ansy4#8`n$DEpb@IvMhg4WwKmyXt(2L-^V
zc*1gYA$p4V)$kjtN^hLrc!t(`<)=)*&g(kk*1v7N0@^wt`FCbXq9@jcH
zXuC06NEq34IqGvkLBal5`Rz0$gtVXIBD-8JFsN2@BR(E{?d<9t)tJYqhxSMEx7>H<
z<<)WgB@O=fQu5e68ebdZU*#Ipw0V#|vVs@cIQQfP5y=>g=}4`Iv5ZmW<|3lQb2X9x
zuT8rxm35f*F-A-aY<-#cgQ=$LQ@&@J!cx$TEk~Cr-fO_$=gRHWi5O!d{p%i{%C
zm};|QW5lf=B--_A>-V_N$7{BN5#B7`nrnX)wfa+}e7EYYJ#FXEmE9Se`NG8l3W=IG
zpMk)}l}U@e(+H3;(975QkrJw+9OcXhVC88oi}JO&j^(ZENi43)goy8w((-*#>BfT(m&;g4S(dvy{H(U*MS|GyB=cr^ukSYjO6U`
z!Xfn&RP?Clc2aSAe7V>mzpF*EyC9_SG(Z^wmlDT8_hh
zS?OT~E8fiGuuLnTCza&q-$lHms?=QPeKx~WS~QokheP>+xRjaDd*Txv&l3BQNrBXE
z=_#$N1M0fl&>i$o+vCOlkKT?xrI2p+3p+)LW@JG>^8s<&T=%8n2}!d
Date: Thu, 13 Apr 2023 11:45:14 +0800
Subject: [PATCH 184/272] [zh-cn] Sync user-namespaces.md

Signed-off-by: Guangwen Feng 
---
 .../workloads/pods/user-namespaces.md         | 67 ++++++++++++-------
 1 file changed, 42 insertions(+), 25 deletions(-)

diff --git a/content/zh-cn/docs/concepts/workloads/pods/user-namespaces.md b/content/zh-cn/docs/concepts/workloads/pods/user-namespaces.md
index f201a088748..f3f5738ced5 100644
--- a/content/zh-cn/docs/concepts/workloads/pods/user-namespaces.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/user-namespaces.md
@@ -50,34 +50,63 @@ mitigate some future vulnerabilities too.
 
 {{% thirdparty-content %}}
 
+
+这是一个只对 Linux 有效的功能特性,且需要 Linux 支持在所用文件系统上挂载 idmap。
+这意味着:
+
+* 在节点上,你用于 `/var/lib/kubelet/pods/` 的文件系统,或你为此配置的自定义目录,
+  需要支持 idmap 挂载。
+* Pod 卷中使用的所有文件系统都必须支持 idmap 挂载。
+
+在实践中,这意味着你最低需要 Linux 6.3,因为 tmpfs 在该版本中开始支持 idmap 挂载。
+这通常是需要的,因为有几个 Kubernetes 功能特性使用 tmpfs
+(默认情况下挂载的服务账号令牌使用 tmpfs、Secret 使用 tmpfs 等等)。
+
+Linux 6.3 中支持 idmap 挂载的一些比较流行的文件系统是:btrfs、ext4、xfs、fat、
+tmpfs、overlayfs。
+
 
 
 
-这是一个只对 Linux 有效的功能特性。此外,需要在{{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}提供支持,
+此外,需要在{{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}提供支持,
 才能在 Kubernetes 无状态 Pod 中使用这一功能:
 
 * CRI-O:1.25(及更高)版本支持配置容器的用户命名空间。
-* containerd:1.7 版本支持配置容器的用户命名空间,兼容 Kubernetes v1.25 和 v1.26,但不兼容更高版本。
-  如果你运行的是不同版本的 Kubernetes,请查看该 Kubernetes 版本的文档。
+
+请注意,containerd v1.7 支持配置容器的用户命名空间,与 Kubernetes {{< skew currentVersion >}}
+兼容。它不应与 Kubernetes 1.27(及更高)版本一起使用。
 
 目前 [cri-dockerd 没有计划][CRI-dockerd-issue]支持此功能。
 
 [CRI-dockerd-issue]: https://github.com/Mirantis/cri-dockerd/issues/74
-[containerd-userns-issue]: https://github.com/containerd/containerd/issues/7063
 
 
-为了保证 Pod 可以读取这些卷中的文件,卷的创建操作就像你为 Pod 指定了 `.spec.securityContext.fsGroup` 为 `0` 一样。
-如果该属性被设定为不同值,那么这个不同值当然也会被使用。
-
-作为一个副产品,这些卷的文件夹和文件将具有所给组的权限,
-即使 `defaultMode` 或 volumes 的特定项目的 `mode` 被指定为没有组的权限。
-例如,不可以在挂载这些卷时使其文件只允许所有者访问。
+* 查阅[为 Pod 配置用户命名空间](/zh-cn/docs/tasks/configure-pod-container/user-namespaces/)

From e18d5b725f3a28b1deef42cb5bed3d6c59ceeabd Mon Sep 17 00:00:00 2001
From: Guangwen Feng 
Date: Thu, 13 Apr 2023 12:01:14 +0800
Subject: [PATCH 185/272] [zh-cn] Sync downward-api.md

Signed-off-by: Guangwen Feng 
---
 .../zh-cn/docs/concepts/workloads/pods/downward-api.md | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/content/zh-cn/docs/concepts/workloads/pods/downward-api.md b/content/zh-cn/docs/concepts/workloads/pods/downward-api.md
index 825b67caa06..42ed777570c 100644
--- a/content/zh-cn/docs/concepts/workloads/pods/downward-api.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/downward-api.md
@@ -218,19 +218,17 @@ for resources such as CPU and memory.
 
 
 `resource: limits.hugepages-*`
-: 容器的巨页限制值(前提是启用了 `DownwardAPIHugePages`
-[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/))
+: 容器的巨页限制值
 
 
 `resource: requests.hugepages-*`
-: 容器的巨页请求值(前提是启用了 `DownwardAPIHugePages`
-[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/))
+: 容器的巨页请求值
 
 数字。Pod SchedulingGates" class="diagram-large" link="https://mermaid.live/edit#pako:eNplkktTwyAUhf8KgzuHWpukaYszutGlK3caFxQuCVMCGSDVTKf_XfKyPlhxz4HDB9wT5lYAptgHFuBRsdKxenFMClMYFIdfUdRYgbiD6ItJTEbR8wpEq5UpUfnDTf-5cbPoJjcbXdcaE61RVJIiqJvQ_Y30D-OCt-t3tFjcR5wZayiVnIGmkv4NiEfX9jijKTmmRH5jf0sRugOP0HyHUc1m6KGMFP27cM28fwSJDluPpNKaXqVJzmFNfHD2APRKSjnNFx9KhIpmzSfhVls3eHdTRrwG8QnxKfEZUUNeYTDBNbiaKRF_5dSfX-BQQQ0FpnEqQLJWhwIX5hyXsjbYl85wTINrgeC2EZd_xFQy7b_VJ6GCdd-itkxALE84dE3fAqXyIUZya6Qqe711OspVCI2ny2Vv35QqVO3-htt66ZWomAvVcZcv8yTfsiSFfJOydZoKvl_ttjLJVlJsblcJw-czwQ0zr9ZeqGDgeR77b2jD8xdtjtDn" >}}
+{{< figure src="/docs/images/podSchedulingGates.svg" alt="pod-scheduling-gates-diagram" caption="图:Pod SchedulingGates" class="diagram-large" link="https://mermaid.live/edit#pako:eNplkktTwyAUhf8KgzuHWpukaYszutGlK3caFxQuCVMCGSDVTKf_XfKyPlhxz4HDB9wT5lYAptgHFuBRsdKxenFMClMYFIdfUdRYgbiD6ItJTEbR8wpEq5UpUfnDTf-5cbPoJjcbXdcaE61RVJIiqJvQ_Y30D-OCt-t3tFjcR5wZayiVnIGmkv4NiEfX9jijKTmmRH5jf0sRugOP0HyHUc1m6KGMFP27cM28fwSJDluPpNKaXqVJzmFNfHD2APRKSjnNFx9KhIpmzSfhVls3eHdTRrwG8QnxKfEZUUNeYTDBNbiaKRF_5dSfX-BQQQ0FpnEqQLJWhwIX5hyXsjbYl85wTINrgeC2EZd_xFQy7b_VJ6GCdd-itkxALE84dE3fAqXyIUZya6Qqe711OspVCI2ny2Vv35QqVO3-htt66ZWomAvVcZcv8yTfsiSFfJOydZoKvl_ttjLJVlJsblcJw-czwQ0zr9ZeqGDgeR77b2jD8xdtjtDn" >}}
+
 
-鉴于 test-pod 不请求任何 CPU/内存资源,预计此 Pod 的状态会从之前的 `SchedulingGated` 转变为 `Running`:
+鉴于 test-pod 不请求任何 CPU/内存资源,预计此 Pod 的状态会从之前的
+`SchedulingGated` 转变为 `Running`:
 
 ```none
 NAME       READY   STATUS    RESTARTS   AGE   IP         NODE  
@@ -146,9 +147,61 @@ scheduling. You can use `scheduler_pending_pods{queue="gated"}` to check the met
 以区分 Pod 是否已尝试调度但被宣称不可调度,或明确标记为未准备好调度。
 你可以使用 `scheduler_pending_pods{queue="gated"}` 来检查指标结果。
 
+
+## 可变 Pod 调度指令    {#mutable-pod-scheduling-directives}
+
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
+
+
+当 Pod 具有调度门控时,你可以在某些约束条件下改变 Pod 的调度指令。
+在高层次上,你只能收紧 Pod 的调度指令。换句话说,更新后的指令将导致
+Pod 只能被调度到它之前匹配的节点子集上。
+更具体地说,更新 Pod 的调度指令的规则如下:
+
+
+1. 对于 `.spec.nodeSelector`,只允许增加。如果原来未设置,则允许设置此字段。
+
+2. 对于 `spec.affinity.nodeAffinity`,如果当前值为 nil,则允许设置为任意值。
+
+
+3. 如果 `NodeSelectorTerms` 之前为空,则允许设置该字段。
+   如果之前不为空,则仅允许增加 `NodeSelectorRequirements` 到 `matchExpressions`
+   或 `fieldExpressions`,且不允许更改当前的 `matchExpressions` 和 `fieldExpressions`。
+   这是因为 `.requiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms`
+   中的条目被执行逻辑或运算,而 `nodeSelectorTerms[].matchExpressions` 和
+   `nodeSelectorTerms[].fieldExpressions` 中的表达式被执行逻辑与运算。
+
+
+4. 对于 `.preferredDuringSchedulingIgnoredDuringExecution`,所有更新都被允许。
+   这是因为首选条目不具有权威性,因此策略控制器不会验证这些条目。
+
 ## {{% heading "whatsnext" %}}
 
 
-* 阅读 [PodSchedulingReadiness KEP](https://github.com/kubernetes/enhancements/blob/master/keps/sig-scheduling/3521-pod-scheduling-readiness) 了解更多详情
+* 阅读 [PodSchedulingReadiness KEP](https://github.com/kubernetes/enhancements/blob/master/keps/sig-scheduling/3521-pod-scheduling-readiness)
+  了解更多详情
diff --git a/content/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration.md b/content/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration.md
index affbe62d888..8cdc03ae42c 100644
--- a/content/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration.md
@@ -54,7 +54,8 @@ For example,
 -->
 ## 概念  {#concepts}
 
-你可以使用命令 [kubectl taint](/docs/reference/generated/kubectl/kubectl-commands#taint) 给节点增加一个污点。比如,
+你可以使用命令 [kubectl taint](/docs/reference/generated/kubectl/kubectl-commands#taint)
+给节点增加一个污点。比如:
 
 ```shell
 kubectl taint nodes node1 key1=value1:NoSchedule
@@ -82,7 +83,7 @@ to schedule onto `node1`:
 -->
 你可以在 Pod 规约中为 Pod 设置容忍度。
 下面两个容忍度均与上面例子中使用 `kubectl taint` 命令创建的污点相匹配,
-因此如果一个 Pod 拥有其中的任何一个容忍度,都能够被调度到 `node1` :
+因此如果一个 Pod 拥有其中的任何一个容忍度,都能够被调度到 `node1`:
 
 ```yaml
 tolerations:
@@ -119,11 +120,10 @@ A toleration "matches" a taint if the keys are the same and the effects are the
 -->
 一个容忍度和一个污点相“匹配”是指它们有一样的键名和效果,并且:
 
-* 如果 `operator` 是 `Exists` (此时容忍度不能指定 `value`),或者
-* 如果 `operator` 是 `Equal` ,则它们的 `value` 应该相等
+* 如果 `operator` 是 `Exists`(此时容忍度不能指定 `value`),或者
+* 如果 `operator` 是 `Equal`,则它们的 `value` 应该相等。
 
 {{< note >}}
-
 
-例如,假设你给一个节点添加了如下污点
+例如,假设你给一个节点添加了如下污点:
 
 ```shell
 kubectl taint nodes node1 key1=value1:NoSchedule
@@ -279,7 +279,7 @@ onto nodes labeled with `dedicated=groupName`.
   很容易就能做到)。
   拥有上述容忍度的 Pod 就能够被调度到上述专用节点,同时也能够被调度到集群中的其它节点。
   如果你希望这些 Pod 只能被调度到上述专用节点,
-  那么你还需要给这些专用节点另外添加一个和上述污点类似的 label (例如:`dedicated=groupName`),
+  那么你还需要给这些专用节点另外添加一个和上述污点类似的 label(例如:`dedicated=groupName`),
   同时还要在上述准入控制器中给 Pod 增加节点亲和性要求,要求上述 Pod 只能被调度到添加了
   `dedicated=groupName` 标签的节点上。
 
@@ -310,7 +310,7 @@ manually add tolerations to your pods.
   我们希望不需要这类硬件的 Pod 不要被调度到这些特殊节点,以便为后继需要这类硬件的 Pod 保留资源。
   要达到这个目的,可以先给配备了特殊硬件的节点添加污点
   (例如 `kubectl taint nodes nodename special=true:NoSchedule` 或
-  `kubectl taint nodes nodename special=true:PreferNoSchedule`),
+  `kubectl taint nodes nodename special=true:PreferNoSchedule`),
   然后给使用了这类特殊硬件的 Pod 添加一个相匹配的容忍度。
   和专用节点的例子类似,添加这个容忍度的最简单的方法是使用自定义
   [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)。
@@ -333,7 +333,7 @@ when there are node problems, which is described in the next section.
 
-## 基于污点的驱逐  {#taint-based-evictions}
+## 基于污点的驱逐   {#taint-based-evictions}
 
 {{< feature-state for_k8s_version="v1.18" state="stable" >}}
 
@@ -347,7 +347,7 @@ running on the node as follows
  * pods that tolerate the taint with a specified `tolerationSeconds` remain
    bound for the specified amount of time
 -->
-前文提到过污点的效果值 `NoExecute` 会影响已经在节点上运行的 Pod,如下
+前文提到过污点的效果值 `NoExecute` 会影响已经在节点上运行的如下 Pod:
 
 * 如果 Pod 不能忍受这类污点,Pod 会马上被驱逐。
 * 如果 Pod 能够忍受这类污点,但是在容忍度定义中没有指定 `tolerationSeconds`,
@@ -384,8 +384,8 @@ are true. The following taints are built in:
 * `node.kubernetes.io/network-unavailable`:节点网络不可用。
 * `node.kubernetes.io/unschedulable`: 节点不可调度。
 * `node.cloudprovider.kubernetes.io/uninitialized`:如果 kubelet 启动时指定了一个“外部”云平台驱动,
-   它将给当前节点添加一个污点将其标志为不可用。在 cloud-controller-manager
-   的一个控制器初始化这个节点后,kubelet 将删除这个污点。
+  它将给当前节点添加一个污点将其标志为不可用。在 cloud-controller-manager
+  的一个控制器初始化这个节点后,kubelet 将删除这个污点。
 
 
+在某些情况下,当节点不可达时,API 服务器无法与节点上的 kubelet 进行通信。
+在与 API 服务器的通信被重新建立之前,删除 Pod 的决定无法传递到 kubelet。
+同时,被调度进行删除的那些 Pod 可能会继续运行在分区后的节点上。
+
 {{< note >}}
 
-
 DaemonSet 控制器自动为所有守护进程添加如下 `NoSchedule` 容忍度,以防 DaemonSet 崩溃:
 
 * `node.kubernetes.io/memory-pressure`
@@ -531,7 +540,6 @@ DaemonSet 控制器自动为所有守护进程添加如下 `NoSchedule` 容忍
 Adding these tolerations ensures backward compatibility. You can also add
 arbitrary tolerations to DaemonSets.
 -->
-
 添加上述容忍度确保了向后兼容,你也可以选择自由向 DaemonSet 添加容忍度。
 
 ## {{% heading "whatsnext" %}}

From ff72402fb5f0441e969e90adfeec2d81e3dbad38 Mon Sep 17 00:00:00 2001
From: Zhuzhenghao 
Date: Thu, 13 Apr 2023 10:48:10 +0800
Subject: [PATCH 187/272] [zh] sync 1.27 images

---
 .../zh-cn/docs/concepts/containers/images.md  | 112 ++++++++++++++++--
 1 file changed, 101 insertions(+), 11 deletions(-)

diff --git a/content/zh-cn/docs/concepts/containers/images.md b/content/zh-cn/docs/concepts/containers/images.md
index 2c7292201f9..cb30af9d8f3 100644
--- a/content/zh-cn/docs/concepts/containers/images.md
+++ b/content/zh-cn/docs/concepts/containers/images.md
@@ -38,7 +38,7 @@ This page provides an outline of the container image concept.
 
 如果你正在寻找 Kubernetes 某个发行版本(如最新次要版本 v{{< skew latestVersion >}})
 的容器镜像,请访问[下载 Kubernetes](/zh-cn/releases/download/)。
@@ -55,8 +55,8 @@ and possibly a port number as well; for example: `fictional.registry.example:104
 
 If you don't specify a registry hostname, Kubernetes assumes that you mean the Docker public registry.
 
-After the image name part you can add a _tag_ (in the same way you would when using with commands like `docker` or `podman`).
-Tags let you identify different versions of the same series of images.
+After the image name part you can add a _tag_ (in the same way you would when using with commands
+like `docker` or `podman`).  Tags let you identify different versions of the same series of images.
 -->
 ## 镜像名称    {#image-names}
 
@@ -71,9 +71,9 @@ Tags let you identify different versions of the same series of images.
 
 
 镜像标签可以包含小写字母、大写字母、数字、下划线(`_`)、句点(`.`)和连字符(`-`)。
@@ -199,7 +199,7 @@ running the same code no matter what tag changes happen at the registry.
 在创建 Pod(和 Pod 模板)时产生变更,这样运行的工作负载就是根据镜像摘要,而不是标签来定义的。
 无论镜像仓库上的标签发生什么变化,你都想确保你所有的工作负载都运行相同的代码,那么指定镜像摘要会很有用。
 
-
+## 串行和并行镜像拉取  {#serial-and-parallel-image-pulls}
+
+
+默认情况下,kubelet 以串行方式拉取镜像。
+也就是说,kubelet 一次只向镜像服务发送一个镜像拉取请求。
+其他镜像拉取请求必须等待,直到正在处理的那个请求完成。
+
+
+节点独立地做出镜像拉取的决策。即使你使用串行的镜像拉取,两个不同的节点也可以并行拉取相同的镜像。
+
+
+如果你想启用并行镜像拉取,可以在 [kubelet 配置](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/)
+中将字段 `serializeImagePulls` 设置为 false。
+
+当`serializeImagePulls` 设置为 false 时,kubelet 会立即向镜像服务发送镜像拉取请求,多个镜像将同时被拉动。
+
+
+启用并行镜像拉取时,请确保你的容器运行时的镜像服务可以处理并行镜像拉取。
+
+
+kubelet 从不代表一个 Pod 并行地拉取多个镜像。
+
+例如,如果你有一个 Pod,它有一个初始容器和一个应用容器,那么这两个容器的镜像拉取将不会并行。
+但是,如果你有两个使用不同镜像的 Pod,当启用并行镜像拉取时,kubelet 会代表两个不同的 Pod 并行拉取镜像。
+
+
+### 最大并行镜像拉取数量  {#maximum-parallel-image-pulls}
+
+{{< feature-state for_k8s_version="v1.27" state="alpha" >}}
+
+
+当 `serializeImagePulls` 被设置为 false 时,kubelet 默认对同时拉取的最大镜像数量没有限制。
+如果你想限制并行镜像拉取的数量,可以在 kubelet 配置中设置字段 `maxParallelImagePulls`。
+当 `maxParallelImagePulls` 设置为 _n_ 时,只能同时拉取 _n_ 个镜像,
+超过 _n_ 的任何镜像都必须等到至少一个正在进行拉取的镜像拉取完成后,才能拉取。
+
+
+当启用并行镜像拉取时,限制并行镜像拉取的数量可以防止镜像拉取消耗过多的网络带宽或磁盘 I/O。
+
+
+你可以将 `maxParallelImagePulls` 设置为大于或等于 1 的正数。
+如果将 `maxParallelImagePulls` 设置为大于等于 2,则必须将 `serializeImagePulls` 设置为 false。
+kubelet 在无效的 `maxParallelImagePulls` 设置下会启动失败。
+
 
 ## 使用私有仓库   {#using-a-private-registry}
@@ -340,7 +425,7 @@ Credentials can be provided in several ways:
   - all pods can read any configured private registries
   - requires node configuration by cluster administrator
 - Kubelet Credential Provider to dynamically fetch credentials for private registries
-  - kubelet can be configured to use credential provider exec plugin 
+  - kubelet can be configured to use credential provider exec plugin
     for the respective private registry.
 - Pre-pulled Images
   - all pods can use any images cached on a node
@@ -376,7 +461,7 @@ These options are explained in more detail below.
 Specific instructions for setting credentials depends on the container runtime and registry you
 chose to use. You should refer to your solution's documentation for the most accurate information.
 -->
-### 配置 Node 对私有仓库认证 {#configuring-nodes-to-authenticate-to-a-private-registry}
+### 配置 Node 对私有仓库认证  {#configuring-nodes-to-authenticate-to-a-private-registry}
 
 设置凭据的具体说明取决于你选择使用的容器运行时和仓库。
 你应该参考解决方案的文档来获取最准确的信息。
@@ -390,6 +475,11 @@ task. That example uses a private registry in Docker Hub.
 请参阅任务[从私有镜像库中拉取镜像](/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry)。
 该示例使用 Docker Hub 中的私有镜像仓库。
 
+
+### 用于认证镜像拉取的 kubelet 凭据提供程序  {#kubelet-credential-provider}
+
 {{< note >}}
 

From 7ea1729a85a8e34d595af1910409f325fdc07ce2 Mon Sep 17 00:00:00 2001
From: tianlj <116049443+uos-ljtian@users.noreply.github.com>
Date: Thu, 13 Apr 2023 03:30:25 +0000
Subject: [PATCH 188/272] [zh-cn]sync readme.md

Sync latest content

Update README-zh.md

easier to understand

Co-authored-by: Michael 
---
 README-zh.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/README-zh.md b/README-zh.md
index ee45a6aa285..9ddf8a646be 100644
--- a/README-zh.md
+++ b/README-zh.md
@@ -22,11 +22,11 @@ This repository contains the assets required to build the [Kubernetes website an
 
 ## 使用这个仓库
 
-可以使用 Hugo(扩展版)在本地运行网站,也可以在容器中运行它。强烈建议使用容器,因为这样可以和在线网站的部署保持一致。
+可以使用 [Hugo(扩展版)](https://gohugo.io/)在本地运行网站,也可以在容器中运行它。强烈建议使用容器,因为这样可以和在线网站的部署保持一致。
 
 
-位于 `content/en/docs/reference/kubernetes-api` 的 API 参考页面是根据 Swagger 规范构建的,使用 。
+位于 `content/en/docs/reference/kubernetes-api` 的 API 参考页面是使用  根据 Swagger 规范(也称为 OpenAPI 规范)构建的。
 
 要更新 Kubernetes 新版本的参考页面,请执行以下步骤:
 

From 85adfe93bc31df6fe6171bf3c40a3f520145213a Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Wed, 12 Apr 2023 17:21:45 +0800
Subject: [PATCH 189/272] sync 1.27 kubectl.md

sync 1.27 kubectl.md
---
 content/zh-cn/docs/reference/kubectl/kubectl.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/content/zh-cn/docs/reference/kubectl/kubectl.md b/content/zh-cn/docs/reference/kubectl/kubectl.md
index f0e608fdc7e..bf2cce0d371 100644
--- a/content/zh-cn/docs/reference/kubectl/kubectl.md
+++ b/content/zh-cn/docs/reference/kubectl/kubectl.md
@@ -528,6 +528,19 @@ Toggles whether calls to `kubectl explain` use the new OpenAPIv3 data source ava
 
 
 
+
+KUBECTL_ENABLE_CMD_SHADOW
+
+
+
+
+当设置为 true 时,如果子命令不存在,外部插件可以用作内置命令的子命令。
+此功能处于 alpha 阶段,只能用于 create 命令(例如 kubectl create networkpolicy)。
+
+
+
 
 
 

From 440fc5ccc35a4f0d8be99d9a368101645dc0bcd8 Mon Sep 17 00:00:00 2001
From: Michael 
Date: Thu, 13 Apr 2023 20:32:02 +0800
Subject: [PATCH 190/272] [zh] sync cluster-cidr-v1alpha1.md

---
 .../cluster-cidr-v1alpha1.md                  | 100 ++++++++++++++++--
 1 file changed, 94 insertions(+), 6 deletions(-)

diff --git a/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/cluster-cidr-v1alpha1.md b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/cluster-cidr-v1alpha1.md
index a4fd99af85b..bdf887eb0cd 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/cluster-cidr-v1alpha1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/cluster-cidr-v1alpha1.md
@@ -53,7 +53,7 @@ ClusterCIDR 表示启用 MultiCIDRRangeAllocator 时针对每个节点 Pod CIDR
 - **spec** (}}">ClusterCIDRSpec)
   
   
   spec 是 ClusterCIDR 的预期状态。更多信息:
   https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
@@ -70,7 +70,7 @@ ClusterCIDRSpec 定义 ClusterCIDR 的预期状态。
 
 - **perNodeHostBits** (int32),必需
 
@@ -83,7 +83,7 @@ ClusterCIDRSpec 定义 ClusterCIDR 的预期状态。
 - **ipv4** (string)
 
   
 
   ipv4 以 CIDR 表示法定义 IPv4 IP 块(例如 “10.0.0.0/8”)。
@@ -92,7 +92,7 @@ ClusterCIDRSpec 定义 ClusterCIDR 的预期状态。
 - **ipv6** (string)
 
   
 
   ipv6 以 CIDR 表示法定义 IPv6 IP 块(例如 “2001:db8::/64”)。
@@ -101,7 +101,7 @@ ClusterCIDRSpec 定义 ClusterCIDR 的预期状态。
 - **nodeSelector** (NodeSelector)
 
   
 - **items** ([]}}">ClusterCIDR),必需
 
@@ -179,7 +179,11 @@ ClusterCIDRList 包含 ClusterCIDR 的列表。
 
 
 ## 操作 {#Operations}
@@ -233,16 +237,50 @@ GET /apis/networking.k8s.io/v1alpha1/clustercidrs
 
 
 #### 参数
 
@@ -278,6 +316,10 @@ GET /apis/networking.k8s.io/v1alpha1/clustercidrs
 
   }}">resourceVersionMatch
 
+- **sendInitialEvents** (**查询参数**):boolean
+
+  }}">sendInitialEvents
+
 - **timeoutSeconds** (**查询参数**):integer
 
   }}">timeoutSeconds
@@ -308,6 +350,7 @@ POST /apis/networking.k8s.io/v1alpha1/clustercidrs
 
 
 #### 参数
 
@@ -589,6 +673,10 @@ DELETE /apis/networking.k8s.io/v1alpha1/clustercidrs
 
   }}">resourceVersionMatch
 
+- **sendInitialEvents** (**查询参数**):boolean
+
+  }}">sendInitialEvents
+
 - **timeoutSeconds** (**查询参数**):integer
 
   }}">timeoutSeconds

From f86545ddcf76263cda660668c3825bc79f807980 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Thu, 13 Apr 2023 21:19:36 +0800
Subject: [PATCH 191/272] sync 1.27 _index.md

sync 1.27 _index.md
---
 content/zh-cn/docs/reference/_index.md | 2 --
 1 file changed, 2 deletions(-)

diff --git a/content/zh-cn/docs/reference/_index.md b/content/zh-cn/docs/reference/_index.md
index 61b2b4776dc..7a788e469ae 100644
--- a/content/zh-cn/docs/reference/_index.md
+++ b/content/zh-cn/docs/reference/_index.md
@@ -193,12 +193,10 @@ operator to use or manage a cluster.
 
 ## kubeadm 的配置 API   {#config-api-for-kubeadm}
 
-* [v1beta2](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta2/)
 * [v1beta3](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)
 
 字段描述
 
 expirationTimestamp
    
-meta/v1.Time
+meta/v1.Time
 
 
    

From 7a314004d3ad0506b29e1dd98a8952a91e23002a Mon Sep 17 00:00:00 2001
From: Jefftree 
Date: Tue, 4 Apr 2023 19:54:05 +0000
Subject: [PATCH 193/272] Blog post for OpenAPI and Field Validation

---
 ...23-04-24-openapi-v3-field-validation-ga.md | 133 ++++++++++++++++++
 1 file changed, 133 insertions(+)
 create mode 100644 content/en/blog/_posts/2023-04-24-openapi-v3-field-validation-ga.md

diff --git a/content/en/blog/_posts/2023-04-24-openapi-v3-field-validation-ga.md b/content/en/blog/_posts/2023-04-24-openapi-v3-field-validation-ga.md
new file mode 100644
index 00000000000..1bd1295f975
--- /dev/null
+++ b/content/en/blog/_posts/2023-04-24-openapi-v3-field-validation-ga.md
@@ -0,0 +1,133 @@
+---
+layout: blog
+title: "Server Side Field Validation and OpenAPI V3 move to GA"
+date: 2023-04-24
+slug: openapi-v3-field-validation-ga
+---
+
+**Author**: Jeffrey Ying (Google), Antoine Pelisse (Google)
+
+Before Kubernetes v1.8 (!), typos, mis-indentations or minor errors in
+YAMLs could have catastrophic consequences (e.g. a typo like
+forgetting the trailing s in `replica: 1000` could cause an outage,
+because the value would be ignored and missing, forcing a reset of
+replicas back to 1). This was solved back then by fetching the OpenAPI
+v2 in kubectl and using it to verify that fields were correct and
+present before applying. Unfortunately, at that time, Custom Resource
+Definitions didn’t exist, and the code was written under that
+assumption. When CRDs were later introduced, the lack of flexibility
+in the validation code forced some hard decisions in the way CRDs
+exposed their schema, leaving us in a cycle of bad validation causing
+bad OpenAPI and vice-versa. With the new OpenAPI v3 and Server Field
+Validation being GA in 1.27, we’ve now solved both of these problems.
+
+Server Side Field Validation offers resource validation on create,
+update and patch requests to the apiserver and was added to Kubernetes
+in v1.25, beta in v1.26 and is now GA in v1.27. It provides all the
+functionality of kubectl validate on the server side.
+
+[OpenAPI](https://swagger.io/specification/) is a standard, language
+agnostic interface for discovering the set of operations and types
+that a Kubernetes cluster supports. OpenAPI V3 is the latest standard
+of the OpenAPI and is an improvement upon [OpenAPI
+V2](https://kubernetes.io/blog/2016/12/kubernetes-supports-openapi/)
+which has been supported since Kubernetes 1.5. OpenAPI V3 support was
+added in Kubernetes in v1.23, moved to beta in v1.24 and is now GA in
+v1.27.
+
+## OpenAPI V3
+
+### What does OpenAPI V3 offer over V2
+
+#### Built-in types
+
+Kubernetes offers certain annotations on fields that are not
+representable in OpenAPI V2, or sometimes not represented in the
+OpenAPI v2 that Kubernetes generate. Most notably, the "default" field
+is published in OpenAPI V3 while omitted in OpenAPI V2. A single type
+that can represent multiple types is also expressed correctly in
+OpenAPI V3 with the oneOf field. This includes proper representations
+for IntOrString and Quantity.
+
+#### Custom Resource Definitions
+
+In Kubernetes, Custom Resource Definitions use a structural OpenAPI V3
+schema that cannot be represented as OpenAPI V2 without a loss of
+certain fields. Some of these include nullable, default, anyOf, oneOf,
+not, etc. OpenAPI V3 is a completely lossless representation of the
+CustomResourceDefinition structural schema.
+
+### How do I use it?
+
+The OpenAPI V3 root discovery can be found at the `/openapi/v3`
+endpoint of a Kubernetes API server. OpenAPI V3 documents are grouped
+by group-version to reduce the size of the data transported, the
+separate documents can be accessed at
+`/openapi/v3/apis//` and `/openapi/v3/api/v1`
+representing the legacy group version. Please refer to the [Kubernetes
+API Documentation](/docs/concepts/overview/kubernetes-api/) for more
+information around this endpoint.
+
+Various consumers of the OpenAPI have already been updated to consume
+v3, including the entirety of kubectl, and server side apply. An
+OpenAPI V3 Golang client is available in
+[client-go](https://github.com/kubernetes/client-go/blob/release-1.27/openapi3/root.go).
+
+## Server Side Field Validation
+
+The query parameter `fieldValidation` may be used to indicate the
+level of field validation the server should perform. If the parameter
+is not passed, server side field validation is in `Warn` mode by
+default.
+
+- Strict: Strict field validation, errors on validation failure
+- Warn: Field validation is performed, but errors are exposed as
+  warnings rather than failing the request
+- Ignore: No server side field validation is performed
+
+kubectl will skip client side validation and will automatically use
+server side field validation in `Strict` mode. Controllers by default
+use server side field validation in `Warn` mode.
+
+With client side validation, we had to be extra lenient because some
+fields were missing from OpenAPI V2 and we didn’t want to reject
+possibly valid objects. This is all fixed in server side validation.
+Additional documentation may be found
+[here](/docs/reference/using-api/api-concepts/#field-validation)
+
+## What's next?
+
+With Server Side Field Validation and OpenAPI V3 released as GA, we
+introduce more accurate representations of Kubernetes resources. It is
+recommended to use server side field validation over client side, but
+with OpenAPI V3, clients are free to implement their own validation if
+necessary (to “shift things left”) and we guarantee a full lossless
+schema published by OpenAPI.
+
+Some existing efforts will further improve the information available
+through OpenAPI including [CEL validation and
+admission](/docs/reference/using-api/cel/), along with OpenAPI
+annotations on built-in types.
+
+Many other tools can be built for authoring and transforming resources
+using the type information found in the OpenAPI v3.
+
+## How to get involved?
+
+These two features are driven by the SIG API Machinery community,
+available on the slack channel \#sig-api-machinery, through the
+[mailing
+list](https://groups.google.com/g/kubernetes-sig-api-machinery) and we
+meet every other Wednesday at 11:00 AM PT on Zoom.
+
+We offer a huge thanks to all the contributors who helped design,
+implement, and review these two features.
+
+- Alexander Zielenski
+- Antoine Pelisse
+- Daniel Smith
+- David Eads
+- Jeffrey Ying
+- Jordan Liggitt
+- Kevin Delgado
+- Sean Sullivan

From 5f71626646335617593151a93ddaa9f644bd6a8f Mon Sep 17 00:00:00 2001
From: Dan Winship 
Date: Thu, 13 Apr 2023 12:45:10 -0400
Subject: [PATCH 194/272] Drop kube-proxy/kubelet skew requirement

KEP-3178 has removed the interdependence between kubelet and
kube-proxy as of 1.25 so there should be no skew problems in the
future.
---
 content/en/releases/version-skew-policy.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/content/en/releases/version-skew-policy.md b/content/en/releases/version-skew-policy.md
index c0a1528af2c..0cc10a37d89 100644
--- a/content/en/releases/version-skew-policy.md
+++ b/content/en/releases/version-skew-policy.md
@@ -170,7 +170,6 @@ Running a cluster with `kubelet` instances that are persistently two minor versi
 
 ### kube-proxy
 
-* `kube-proxy` must be the same minor version as `kubelet` on the node.
 * `kube-proxy` must not be newer than `kube-apiserver`.
 * `kube-proxy` must be at most two minor versions older than `kube-apiserver.`
 

From 936ac5574fed896adc6a489f9fb4652913910a5a Mon Sep 17 00:00:00 2001
From: Wei Huang 
Date: Thu, 13 Apr 2023 11:36:02 -0700
Subject: [PATCH 195/272] fixup: address comments

---
 .../scheduling-eviction/scheduling-framework.md     | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/concepts/scheduling-eviction/scheduling-framework.md b/content/en/docs/concepts/scheduling-eviction/scheduling-framework.md
index 507992b445f..8ce367db654 100644
--- a/content/en/docs/concepts/scheduling-eviction/scheduling-framework.md
+++ b/content/en/docs/concepts/scheduling-eviction/scheduling-framework.md
@@ -59,8 +59,17 @@ stateful tasks.
 These plugins are called prior to adding Pods to the internal active queue, where Pods are marked as
 ready for scheduling.
 
-Only when all PreEnqueue plugins return `Success`, the Pod can enter the aforementioned scheduling
-cycle. Otherwise, it's moved and parked in the internal unschedulable Pods pool.
+Only when all PreEnqueue plugins return `Success`, the Pod is allowed to enter the active queue.
+Otherwise, it's placed in the internal unschedulable Pods list.
+
+{{< note >}}
+
+More details about how internal scheduler queues work, please check this
+[document](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-scheduling/scheduler_queues.md).
+
+{{< /note >}}
+
+> Check more details
 
 ### QueueSort {#queue-sort}
 

From 184185755a90f027ae11537f5c5930d809fc2621 Mon Sep 17 00:00:00 2001
From: Tim Bannister 
Date: Thu, 13 Apr 2023 20:42:37 +0100
Subject: [PATCH 196/272] Fix typography

---
 content/en/blog/_posts/2023-04-17-topology-spread-features.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-04-17-topology-spread-features.md b/content/en/blog/_posts/2023-04-17-topology-spread-features.md
index 170496742c8..9edaada138d 100644
--- a/content/en/blog/_posts/2023-04-17-topology-spread-features.md
+++ b/content/en/blog/_posts/2023-04-17-topology-spread-features.md
@@ -5,7 +5,7 @@ date: 2023-04-17
 slug: fine-grained-pod-topology-spread-features-beta
 ---
 
-**Authors:** [Alex Wang](https://github.com/denkensk)(Shopee), [Kante Yin](https://github.com/kerthcet)(DaoCloud), [Kensei Nakada](https://github.com/sanposhiho)(Mercari)
+**Authors:** [Alex Wang](https://github.com/denkensk) (Shopee), [Kante Yin](https://github.com/kerthcet) (DaoCloud), [Kensei Nakada](https://github.com/sanposhiho) (Mercari)
 
 In Kubernetes v1.19, [Pod topology spread constraints](/docs/concepts/scheduling-eviction/topology-spread-constraints/)
 went to general availability (GA).

From 625b03134442db11e06b8a54814047e0739afc99 Mon Sep 17 00:00:00 2001
From: Wei Huang 
Date: Thu, 13 Apr 2023 14:37:57 -0700
Subject: [PATCH 197/272] fixup: address comments

---
 .../scheduling-eviction/scheduling-framework.md    | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/content/en/docs/concepts/scheduling-eviction/scheduling-framework.md b/content/en/docs/concepts/scheduling-eviction/scheduling-framework.md
index 8ce367db654..ea0d981055b 100644
--- a/content/en/docs/concepts/scheduling-eviction/scheduling-framework.md
+++ b/content/en/docs/concepts/scheduling-eviction/scheduling-framework.md
@@ -52,7 +52,7 @@ equivalent to "Predicate" and "Scoring" is equivalent to "Priority function".
 One plugin may register at multiple extension points to perform more complex or
 stateful tasks.
 
-{{< figure src="/images/docs/scheduling-framework-extensions.png" title="scheduling framework extension points" class="diagram-large">}}
+{{< figure src="/images/docs/scheduling-framework-extensions.png" title="Scheduling framework extension points" class="diagram-large">}}
 
 ### PreEnqueue {#pre-enqueue}
 
@@ -60,16 +60,10 @@ These plugins are called prior to adding Pods to the internal active queue, wher
 ready for scheduling.
 
 Only when all PreEnqueue plugins return `Success`, the Pod is allowed to enter the active queue.
-Otherwise, it's placed in the internal unschedulable Pods list.
+Otherwise, it's placed in the internal unschedulable Pods list, and doesn't get an `Unschedulable` condition.
 
-{{< note >}}
-
-More details about how internal scheduler queues work, please check this
-[document](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-scheduling/scheduler_queues.md).
-
-{{< /note >}}
-
-> Check more details
+For more details about how internal scheduler queues work, read
+[Scheduling queue in kube-scheduler](https://github.com/kubernetes/community/blob/f03b6d5692bd979f07dd472e7b6836b2dad0fd9b/contributors/devel/sig-scheduling/scheduler_queues.md).
 
 ### QueueSort {#queue-sort}
 

From 9a6e46cce53b4e4e1c14a15d3c98a96a98f8dc28 Mon Sep 17 00:00:00 2001
From: Guangwen Feng 
Date: Fri, 14 Apr 2023 08:41:16 +0800
Subject: [PATCH 198/272] [zh-cn] Sync disruptions.md (#40662)

Signed-off-by: Guangwen Feng 
---
 .../concepts/workloads/pods/disruptions.md    | 34 +++++++++++--------
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/content/zh-cn/docs/concepts/workloads/pods/disruptions.md b/content/zh-cn/docs/concepts/workloads/pods/disruptions.md
index be0a46dc197..1af0d70bf35 100644
--- a/content/zh-cn/docs/concepts/workloads/pods/disruptions.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/disruptions.md
@@ -130,15 +130,15 @@ deleting deployments or pods bypasses Pod Disruption Budgets.
 
 Here are some ways to mitigate involuntary disruptions:
 -->
-## 处理干扰
+## 处理干扰   {#dealing-with-disruptions}
 
 以下是减轻非自愿干扰的一些方法:
 
 
+建议在你的 PodDisruptionBudget 中将
+[不健康 Pod 驱逐策略](/zh-cn/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy)
+设置为 `AlwaysAllow` 以支持在节点腾空期间驱逐行为不当的应用程序。
+默认行为是等待应用程序 Pod 变得
+[健康](/zh-cn/docs/tasks/run-application/configure-pdb/#healthiness-of-a-pod),然后才能继续执行腾空。
+
 
-如果你正使用的 Kubernetes 版本早于 {{< skew currentVersion >}},请参阅对应版本的文档。
-{{< /note >}}
-
 {{< note >}}
 
-`PreemptionByKubeScheduler`
+`PreemptionByScheduler`
 : Pod 将被调度器{{}},
 目的是接受优先级更高的新 Pod。
 要了解更多的相关信息,请参阅 [Pod 优先级和抢占](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)。
@@ -543,7 +547,7 @@ and Application Owner as separate roles with limited knowledge
 of each other.   This separation of responsibilities
 may make sense in these scenarios:
 -->
-## 分离集群所有者和应用所有者角色
+## 分离集群所有者和应用所有者角色   {#separating-cluster-owner-and-application-owner-roles}
 
 通常,将集群管理者和应用所有者视为彼此了解有限的独立角色是很有用的。这种责任分离在下面这些场景下是有意义的:
 
@@ -573,7 +577,7 @@ you may not need to use Pod Disruption Budgets.
 If you are a Cluster Administrator, and you need to perform a disruptive action on all
 the nodes in your cluster, such as a node or system software upgrade, here are some options:
 -->
-## 如何在集群上执行干扰性操作
+## 如何在集群上执行干扰性操作   {#how-to-perform-disruptive-actions-on-your-cluster}
 
 如果你是集群管理员,并且需要对集群中的所有节点执行干扰操作,例如节点或系统软件升级,则可以使用以下选项
 

From 22b6bc99291701f338126a93bf981243e29bbbee Mon Sep 17 00:00:00 2001
From: Michael 
Date: Fri, 14 Apr 2023 09:15:46 +0800
Subject: [PATCH 199/272] [zh] sync self-subject-review-v1beta1.md (#40665)

---
 .../self-subject-review-v1beta1.md            | 181 ++++++++++++++++++
 1 file changed, 181 insertions(+)
 create mode 100644 content/zh-cn/docs/reference/kubernetes-api/authentication-resources/self-subject-review-v1beta1.md

diff --git a/content/zh-cn/docs/reference/kubernetes-api/authentication-resources/self-subject-review-v1beta1.md b/content/zh-cn/docs/reference/kubernetes-api/authentication-resources/self-subject-review-v1beta1.md
new file mode 100644
index 00000000000..fd3ce719886
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/authentication-resources/self-subject-review-v1beta1.md
@@ -0,0 +1,181 @@
+---
+api_metadata:
+  apiVersion: "authentication.k8s.io/v1beta1"
+  import: "k8s.io/api/authentication/v1beta1"
+  kind: "SelfSubjectReview"
+content_type: "api_reference"
+description: "SelfSubjectReview 包含 kube-apiserver 所拥有的与发出此请求的用户有关的用户信息。"
+title: "SelfSubjectReview v1beta1"
+weight: 6
+---
+
+
+`apiVersion: authentication.k8s.io/v1beta1`
+
+`import "k8s.io/api/authentication/v1beta1"`
+
+## SelfSubjectReview {#SelfSubjectReview}
+
+
+SelfSubjectReview 包含 kube-apiserver 所拥有的与发出此请求的用户有关的用户信息。
+使用伪装时,用户将收到被伪装用户的用户信息。
+如果使用伪装或请求头部进行身份验证,则所有额外的键都将被忽略大小写并以小写形式返回结果。
+
+
    
+
+- **apiVersion**: authentication.k8s.io/v1beta1
+
+- **kind**: SelfSubjectReview
+
+- **metadata** (}}">ObjectMeta)
+
+  
+  标准的对象元数据。更多信息:
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **status** (}}">SelfSubjectReviewStatus)
+
+  
+  status 由服务器以用户属性进行填充。
+
+## SelfSubjectReviewStatus {#SelfSubjectReviewStatus}
+
+
+SelfSubjectReviewStatus 由 kube-apiserver 进行填充并发送回用户。
+
+
    
+
+- **userInfo** (UserInfo)
+
+  
+  发出此请求的用户的用户属性。
+
+  
+  
+  **userInfo 包含实现 user.Info 接口所需的用户相关信息。**
+
+  - **userInfo.extra** (map[string][]string)
+
+    
+
+    由身份认证组件提供的所有附加信息。
+
+  - **userInfo.groups** ([]string)
+
+    
+
+    此用户所属的用户组的名称。
+
+  - **userInfo.uid** (string)
+
+    
+
+    跨时间标识此用户的唯一值。如果此用户被删除且另一个同名用户被添加,他们将具有不同的 UID。
+
+  - **userInfo.username** (string)
+
+    
+
+    在所有活跃用户中标识此用户的名称。
+
+
+## 操作 {#Operations}
+
+
    
+
+
+### `create` 创建 SelfSubjectReview
+
+#### HTTP 请求
+
+POST /apis/authentication.k8s.io/v1beta1/selfsubjectreviews
+
+
+#### 参数
+
+- **body**: }}">SelfSubjectReview, 必需
+
+- **dryRun** (**查询参数**): string
+
+  }}">dryRun
+
+- **fieldManager** (**查询参数**): string
+
+  }}">fieldManager
+
+- **fieldValidation** (**查询参数**): string
+
+  }}">fieldValidation
+
+- **pretty** (**查询参数**): string
+
+  }}">pretty
+
+
+#### 响应
+
+200 (}}">SelfSubjectReview): OK
+
+201 (}}">SelfSubjectReview): Created
+
+202 (}}">SelfSubjectReview): Accepted
+
+401: Unauthorized

From 6cbc3aaf2ed5aea0ab497ccca7c6a45fb451575a Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Fri, 14 Apr 2023 09:24:13 +0800
Subject: [PATCH 200/272] sync 1.27 apiserver-audit.v1.md (#40669)

sync 1.27 apiserver-audit.v1.md
---
 .../reference/config-api/apiserver-audit.v1.md   | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/content/zh-cn/docs/reference/config-api/apiserver-audit.v1.md b/content/zh-cn/docs/reference/config-api/apiserver-audit.v1.md
index 6d2fba5492f..f3a580defc7 100644
--- a/content/zh-cn/docs/reference/config-api/apiserver-audit.v1.md
+++ b/content/zh-cn/docs/reference/config-api/apiserver-audit.v1.md
@@ -101,7 +101,7 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 
     
 user [必需]
    
-authentication/v1.UserInfo
+authentication/v1.UserInfo
 
 
    
@@ -112,7 +112,7 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 
 
 impersonatedUser
    
-authentication/v1.UserInfo
+authentication/v1.UserInfo
 
 
    
@@ -187,7 +187,7 @@ Note: All but the last IP can be arbitrarily set by the client.
 
 
 responseStatus
    
-meta/v1.Status
+meta/v1.Status
 
 
    
 
 
 requestReceivedTimestamp
    
-meta/v1.MicroTime
+meta/v1.MicroTime
 
 
    
@@ -248,7 +248,7 @@ at Response Level.-->
 
 
 stageTimestamp
    
-meta/v1.MicroTime
+meta/v1.MicroTime
 
 
    
@@ -301,7 +301,7 @@ EventList 是审计事件(Event)的列表。
 kind
    stringEventList
 
 metadata
    
-meta/v1.ListMeta
+meta/v1.ListMeta
 
 
    列表结构元数据
@@ -343,7 +343,7 @@ Policy 定义的是审计日志的配置以及不同类型请求的日志记录
 kind
    stringPolicy
   
 metadata
    
-meta/v1.ObjectMeta
+meta/v1.ObjectMeta
 
 
    
@@ -428,7 +428,7 @@ PolicyList 是由审计策略(Policy)组成的列表。
 kind
    stringPolicyList
 
 metadata
    
-meta/v1.ListMeta
+meta/v1.ListMeta
 
 
    列表结构元数据。

From e0b8ec7658f5abd830afaa4ef52efa21873501de Mon Sep 17 00:00:00 2001
From: windsonsea 
Date: Thu, 13 Apr 2023 14:08:34 +0800
Subject: [PATCH 201/272] [zh] sync /controllers/cron-jobs.md

---
 .../workloads/controllers/cron-jobs.md        | 126 +++++++++---------
 1 file changed, 64 insertions(+), 62 deletions(-)

diff --git a/content/zh-cn/docs/concepts/workloads/controllers/cron-jobs.md b/content/zh-cn/docs/concepts/workloads/controllers/cron-jobs.md
index b15ebb56b50..1f4295dae81 100644
--- a/content/zh-cn/docs/concepts/workloads/controllers/cron-jobs.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/cron-jobs.md
@@ -3,7 +3,6 @@ title: CronJob
 content_type: concept
 weight: 80
 ---
-
 
 **CronJob** 创建基于时隔重复调度的 {{< glossary_tooltip term_id="job" text="Job" >}}。
@@ -155,21 +154,21 @@ Other than the standard syntax, some macros like `@monthly` can also be used:
 除了标准语法,还可以使用一些类似 `@monthly` 的宏:
 
 
-| 输入                      | 描述                          | 相当于         |
-| -------------             | -------------                 |-------------   |
-| @yearly (或 @annually)    | 每年 1 月 1 日的午夜运行一次  | 0 0 1 1 *      |
-| @monthly                  | 每月第一天的午夜运行一次      | 0 0 1 * *      |
-| @weekly                   | 每周的周日午夜运行一次        | 0 0 * * 0      |
-| @daily (或 @midnight)     | 每天午夜运行一次              | 0 0 * * *      |
-| @hourly                   | 每小时的开始一次              | 0 * * * *      |
+| 输入                   | 描述                      | 相当于        |
+| ---------------------- | ------------------------ | ------------ |
+| @yearly (或 @annually) | 每年 1 月 1 日的午夜运行一次 | 0 0 1 1 *    |
+| @monthly               | 每月第一天的午夜运行一次     | 0 0 1 * *    |
+| @weekly                | 每周的周日午夜运行一次       | 0 0 * * 0    |
+| @daily (或 @midnight)  | 每天午夜运行一次            | 0 0 * * *    |
+| @hourly                | 每小时的开始一次            | 0 * * * *    |
 
 
 ## 时区    {#time-zones}
 
+{{< feature-state for_k8s_version="v1.27" state="stable" >}}
+
+
 对于没有指定时区的 CronJob,
 {{< glossary_tooltip term_id="kube-controller-manager" text="kube-controller-manager" >}}
 基于本地时区解释排期表(Schedule)。
 
-{{< feature-state for_k8s_version="v1.25" state="beta" >}}
-
 
-如果启用了 `CronJobTimeZone` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/),
-你可以为 CronJob 指定一个时区(如果你没有启用该特性门控,或者你使用的是不支持试验性时区功能的
-Kubernetes 版本,集群中所有 CronJob 的时区都是未指定的)。
-
-启用该特性后,你可以将 `spec.timeZone`
-设置为有效[时区](https://zh.wikipedia.org/wiki/%E6%97%B6%E5%8C%BA%E4%BF%A1%E6%81%AF%E6%95%B0%E6%8D%AE%E5%BA%93)名称。
-例如,设置 `spec.timeZone: "Etc/UTC"` 指示 Kubernetes 采用 UTC 来解释排期表。
-
-{{< caution >}}
-
-Kubernetes {{< skew currentVersion >}} 中 CronJob API 的实现允许你设置
-`.spec.schedule` 字段以包含时区;例如:`CRON_TZ=UTC * * * * *` 或 `TZ=UTC * * * * *`。
-
-以这种方式指定时区是**未正式支持**(而且从来没有)。
-
-如果你尝试设置包含 `TZ` 或 `CRON_TZ` 时区规范的排期表,
-Kubernetes 会向客户端报告[警告](/zh-cn/blog/2020/09/03/warnings/)。
-Kubernetes 的未来版本可能根本不会实现这种非正式的时区机制。
-{{< /caution >}}
+你可以通过将 `.spec.timeZone`
+设置为一个有效[时区](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)的名称,
+为 CronJob 指定一个时区。例如设置 `.spec.timeZone: "Etc/UTC"` 将告诉
+Kubernetes 基于世界标准时间解读排期表。
 
 
+## CronJob 的限制    {#cronjob-limitations}
+
+### 不支持的时区规范   {#unsupported-timezone-spec}
+
+
+Kubernetes {{< skew currentVersion >}} 中的 CronJob API 实现允许你设置
+`.spec.schedule` 字段,在其中包括时区信息;
+例如 `CRON_TZ=UTC * * * * *` 或 `TZ=UTC * * * * *`。
+
+
+以这种方式指定时区是 **未正式支持的**(而且也从未正式支持过)。
+
+如果你尝试设置包含 `TZ` 或 `CRON_TZ` 时区规范的排期表,
+Kubernetes 会向客户端报告一条[警告](/blog/2020/09/03/warnings/)。
+后续的 Kubernetes 版本将完全阻止设置非正式的时区机制。
+
+
-## CronJob 限制    {#cronjob-limitations}
-
-### 修改 CronJob  {#modifying-a-cronjob}
+### 修改 CronJob   {#modifying-a-cronjob}
 
 按照设计,CronJob 包含一个用于**新** Job 的模板。
 如果你修改现有的 CronJob,你所做的更改将应用于修改完成后开始运行的新任务。
@@ -491,7 +492,8 @@ CronJob 仅负责创建与其调度时间相匹配的 Job,而 Job 又负责管
   Read the {{< api-reference page="workload-resources/cron-job-v1" >}}
   API reference for more details.
 -->
-* 了解 CronJob 所依赖的 [Pod](/zh-cn/docs/concepts/workloads/pods/) 与 [Job](/zh-cn/docs/concepts/workloads/controllers/job/) 的概念。
+* 了解 CronJob 所依赖的 [Pod](/zh-cn/docs/concepts/workloads/pods/) 与
+  [Job](/zh-cn/docs/concepts/workloads/controllers/job/) 的概念。
 * 阅读 CronJob `.spec.schedule` 字段的详细[格式](https://pkg.go.dev/github.com/robfig/cron/v3#hdr-CRON_Expression_Format)。
 * 有关创建和使用 CronJob 的说明及 CronJob 清单的示例,
   请参见[使用 CronJob 运行自动化任务](/zh-cn/docs/tasks/job/automated-tasks-with-cron-jobs/)。

From 0162b83b5af9c32f7a0dcee91a2cbd6e15417b7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9C=B1=E6=AD=A3=E6=B5=A9=2CZhu=20Zhenghao?=
 
Date: Wed, 12 Apr 2023 22:19:35 +0800
Subject: [PATCH 202/272] [zh] sync 1.27 virtual-ips

---
 .../docs/reference/networking/virtual-ips.md  | 169 ++++++++++++------
 1 file changed, 112 insertions(+), 57 deletions(-)

diff --git a/content/zh-cn/docs/reference/networking/virtual-ips.md b/content/zh-cn/docs/reference/networking/virtual-ips.md
index 6a3b47c44fe..14d8ddf2e6e 100644
--- a/content/zh-cn/docs/reference/networking/virtual-ips.md
+++ b/content/zh-cn/docs/reference/networking/virtual-ips.md
@@ -252,6 +252,44 @@ iptables:
 ...
 ```
 
+
+##### 对 `iptables` 模式的性能优化 {#minimize-iptables-restore}
+
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
+
+
+在 Kubernetes {{< skew currentVersion >}} 中,kube-proxy 默认采用最小方式进行 `iptables-restore` 操作,
+仅在 Service 或 EndpointSlice 实际发生变化的地方进行更新。这是一个性能优化。
+最初的实现在每次同步时都会更新所有服务的所有规则;这有时会导致大型集群出现性能问题(更新延迟)。
+
+
+如果你运行的不是 Kubernetes {{< skew currentVersion >}} 版本的 kube-proxy,
+请检查你实际运行的版本的行为和相关建议。
+
+
+如果你之前覆盖了 `minSyncPeriod`,你应该尝试删除该覆盖并让 kube-proxy 使用默认值(`1s`)或至少比升级前使用的值小。
+你可以通过禁用 `MinimizeIPTablesRestore`
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)来选择执行旧的行为
+(你应该不需要)。
+
 ##### `minSyncPeriod`
 
 
 `minSyncPeriod` 的值越大,可以聚合的工作越多,
 但缺点是每个独立的变更可能最终要等待整个 `minSyncPeriod` 周期后才能被处理,
-这意味着 iptables 规则要用更多时间才能与当前的 apiserver 状态同步。
+这意味着 iptables 规则要用更多时间才能与当前的 API 服务器状态同步。
 
 
-默认值 `1s` 对于中小型集群是一个很好的折衷方案。
+默认值 `1s` 适用于大多数集群,
 在大型集群中,可能需要将其设置为更大的值。
 (特别是,如果 kube-proxy 的 `sync_proxy_rules_duration_seconds` 指标表明平均时间远大于 1 秒,
 那么提高 `minSyncPeriod` 可能会使更新更有效率。)
@@ -311,13 +348,13 @@ make updates more efficient.)
 
-`syncPeriod` 参数控制与单次 Service 和 Endpoint 的变更没有直接关系的少数同步操作。
+`syncPeriod` 参数控制与单次 Service 和 EndpointSlice 的变更没有直接关系的少数同步操作。
 特别是,它控制 kube-proxy 在外部组件已干涉 kube-proxy 的 iptables 规则时通知的速度。
 在大型集群中,kube-proxy 也仅在每隔 `syncPeriod` 时长执行某些清理操作,以避免不必要的工作。
 
@@ -331,47 +368,6 @@ and is likely to hurt functionality more than it improves performance.
 但在过去,有时将其设置为非常大的值(例如 `1h`)很有用。
 现在不再推荐这种做法,因为它对功能的破坏可能会超过对性能的改进。
 
-
-##### 实验性的性能改进 {#minimize-iptables-restore}
-
-{{< feature-state for_k8s_version="v1.26" state="alpha" >}}
-
-
-在 Kubernetes 1.26 中,社区对 iptables 代理模式进行了一些新的性能改进,
-但默认未启用(并且可能还不应该在生产集群中启用)。要试用它们,
-请使用 `--feature-gates=MinimizeIPTablesRestore=true,…` 为 kube-proxy 启用 `MinimizeIPTablesRestore`
-[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
-
-
-如果你启用该特性门控并且之前覆盖了 `minSyncPeriod`,
-你应该尝试移除该覆盖并让 kube-proxy 使用默认值 (`1s`) 或至少使用比之前更小的值。
-
-
-如果你注意到 kube-proxy 的 `sync_proxy_rules_iptables_restore_failures_total` 或
-`sync_proxy_rules_iptables_partial_restore_failures_total` 指标在启用此特性后升高,
-这可能表明你发现了该特性的错误,你应该提交错误报告。
-
 
@@ -521,31 +517,35 @@ populated in terms of the Service's virtual IP address (and port).
 One of the primary philosophies of Kubernetes is that you should not be
 exposed to situations that could cause your actions to fail through no fault
 of your own. For the design of the Service resource, this means not making
-you choose your own port number if that choice might collide with
+you choose your own IP address if that choice might collide with
 someone else's choice.  That is an isolation failure.
 -->
 Kubernetes 的主要哲学之一是,
 你不应需要在完全不是你的问题的情况下面对可能导致你的操作失败的情形。
 对于 Service 资源的设计,也就是如果你选择的端口号可能与其他人的选择冲突,
-就不应该让你自己选择端口号。这是一种失败隔离。
+就不应该让你自己选择 IP 地址。这是一种失败隔离。
 
 
-为了允许你为 Service 选择端口号,我们必须确保没有任何两个 Service 会发生冲突。
+为了允许你为 Service 选择 IP 地址,我们必须确保没有任何两个 Service 会发生冲突。
 Kubernetes 通过从为 {{< glossary_tooltip text="API 服务器" term_id="kube-apiserver" >}}
 配置的 `service-cluster-ip-range` CIDR 范围内为每个 Service 分配自己的 IP 地址来实现这一点。
 
 
+#### IP 地址分配追踪
+
 为了确保每个 Service 都获得唯一的 IP,内部分配器在创建每个 Service
 之前更新 {{< glossary_tooltip term_id="etcd" >}} 中的全局分配映射,这种更新操作具有原子性。
 映射对象必须存在于数据库中,这样 Service 才能获得 IP 地址分配,
@@ -562,6 +562,61 @@ IP addresses that are no longer used by any Services.
 Kubernetes 还使用控制器来检查无效的分配(例如,因管理员干预而导致无效分配)
 以及清理已分配但没有 Service 使用的 IP 地址。
 
+{{< feature-state for_k8s_version="v1.27" state="alpha" >}}
+
+如果你启用 `MultiCIDRServiceAllocator` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gate/)
+和 [`networking.k8s.io/v1alpha1` API 组](/zh-cn/docs/tasks/administer-cluster/enable-disable-api/),
+控制平面将用一个新的分配器替换现有的 etcd 分配器,使用 IPAddress 对象而不是内部的全局分配映射。
+与每个 Service 关联的 ClusterIP 地址将有一个对应的 IPAddress 对象。
+
+
+后台控制器也被一个新的控制器取代,来处理新的 IPAddress 对象和从旧的分配器模型的迁移。
+
+
+新分配器的主要好处之一是它取消了对 `service-cluster-ip-range` 的大小限制,对 IPv4 没有大小限制,
+对于 IPv6 用户可以使用等于或大于 /64 的掩码(以前是 /108)。
+
+
+用户现在能够检查分配给他们的 Service 的 IP 地址,Kubernetes 扩展,
+如 [Gateway](https://gateway-api.sigs.k8s.io/) API
+可以使用这个新的 IPAddress 对象类别来增强 Kubernetes 的网络能力,解除内置 Service API 的限制。
+
+```shell
+kubectl get services
+```
+```
+NAME         TYPE        CLUSTER-IP        EXTERNAL-IP   PORT(S)   AGE
+kubernetes   ClusterIP   2001:db8:1:2::1           443/TCP   3d1h
+```
+
+```shell
+kubectl get ipaddresses
+```
+```
+NAME              PARENTREF
+2001:db8:1:2::1   services/default/kubernetes
+2001:db8:1:2::a   services/kube-system/kube-dns
+```
+
 

From f86e6e3f8357d22ca1c5715724310c21ce26a297 Mon Sep 17 00:00:00 2001
From: Guangwen Feng 
Date: Fri, 14 Apr 2023 17:37:42 +0800
Subject: [PATCH 203/272] [zh-cn] Sync statefulset.md

Signed-off-by: Guangwen Feng 
---
 .../zh-cn/docs/concepts/workloads/controllers/statefulset.md  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/zh-cn/docs/concepts/workloads/controllers/statefulset.md b/content/zh-cn/docs/concepts/workloads/controllers/statefulset.md
index 136837d9504..3973d78160d 100644
--- a/content/zh-cn/docs/concepts/workloads/controllers/statefulset.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/statefulset.md
@@ -258,7 +258,7 @@ pods will be assigned ordinals from 0 up through N-1.
 -->
 ### 起始序号   {#start-ordinal}
 
-{{< feature-state for_k8s_version="v1.26" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
 
 ## PersistentVolumeClaim 保留  {#persistentvolumeclaim-retention}
 
-{{< feature-state for_k8s_version="v1.23" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
 
 ### kube-proxy  {#kube-proxy}
 
-* `kube-proxy` 和节点上的 `kubelet` 必须是相同的次要版本。
 * `kube-proxy` 版本不能比 `kube-apiserver` 版本新。
 * `kube-proxy` 最多只能比 `kube-apiserver` 落后两个次要版本。
 

From 215bceeec49de00cc86c5cfc579c8ba9aeea1186 Mon Sep 17 00:00:00 2001
From: Dipesh Rawat 
Date: Fri, 14 Apr 2023 17:48:44 +0100
Subject: [PATCH 207/272] Adds banner for KubeCon CloudNativeCon EU 2023

---
 data/announcements/scheduled.yaml                   | 13 +++++++++++++
 static/images/announcements/kccnc-eu-2023-white.svg |  1 +
 2 files changed, 14 insertions(+)
 create mode 100644 static/images/announcements/kccnc-eu-2023-white.svg

diff --git a/data/announcements/scheduled.yaml b/data/announcements/scheduled.yaml
index 79e6e2e5b0c..830f5577acb 100644
--- a/data/announcements/scheduled.yaml
+++ b/data/announcements/scheduled.yaml
@@ -152,6 +152,19 @@ announcements:
     All images available in k8s.gcr.io are available at registry.k8s.io.
    
     Please read our [announcement](/blog/2023/03/10/image-registry-redirect/) for more details.
 
+- name: Kubecon 2023 EU
+  startTime: 2023-04-15T00:00:00  #Added in https://github.com/kubernetes/website/pull/40691
+  endTime: 2023-04-22T18:00:00
+  style: >-
+    background: linear-gradient(90deg, rgba(174,28,40,1) 0%, rgba(50,79,133,1) 65%, rgba(33,70,139,1) 100%);
+    color: #fffff;
+  title: |
+    
+    KubeCon + CloudNativeCon EU 2023  Amsterdam, Netherlands + Virtual.
+  message: |
+    4 days of incredible opportunities to collaborate, learn + share with the entire community!
    
+    April 18 - April 21, 2023.
+    
 - name: Redirecting k8s.gcr.io - After
   startTime: 2023-03-27T00:00:00 # This should run after the redirect begins
   endTime: 2023-05-31T00:00:00
diff --git a/static/images/announcements/kccnc-eu-2023-white.svg b/static/images/announcements/kccnc-eu-2023-white.svg
new file mode 100644
index 00000000000..69c664329bc
--- /dev/null
+++ b/static/images/announcements/kccnc-eu-2023-white.svg
@@ -0,0 +1 @@
+kccnc-eu-2023-logos-white.svg
\ No newline at end of file

From 4a5436f42e05390ed00e12e0f7f915789aaa9973 Mon Sep 17 00:00:00 2001
From: Taahir Ahmed 
Date: Tue, 11 Apr 2023 15:38:35 -0700
Subject: [PATCH 208/272] ClusterTrustBundles: Document service account
 impersonation

(Change message to retrigger tests)
---
 .../access-authn-authz/certificate-signing-requests.md    | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md b/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
index 4ce299e5fb5..ba41e551618 100644
--- a/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
+++ b/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
@@ -405,6 +405,14 @@ If you use your own authorization mechanism and you have enabled
 ClusterTrustBundles in your cluster, you should set up an equivalent rule to
 make these objects public within the cluster, so that they work as intended.
 
+If you do not have permission to list cluster trust bundles by default in your
+cluster, you can impersonate a service account you have access to in order to
+see available ClusterTrustBundles:
+
+```bash
+kubectl get clustertrustbundles --as='system:serviceaccount:mynamespace:default'
+```
+
 ### Signer-linked ClusterTrustBundles {#ctb-signer-linked}
 
 Signer-linked ClusterTrustBundles are associated with a _signer name_, like this:

From 83972ec198dbfbecf3ffbd92e1778d3453e95172 Mon Sep 17 00:00:00 2001
From: Maria Filocha 
Date: Fri, 14 Apr 2023 15:23:01 +0200
Subject: [PATCH 209/272] Synchronize Polish localization for ver 1.26, part 1

Synchronize Polish localization with upstream up to 6e6e4ed79a8e219e7db434fb7f6d76433901739b.

Part 1
---
 content/pl/_index.html | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/content/pl/_index.html b/content/pl/_index.html
index 5c9c8ed9618..1fa0f72c4cd 100644
--- a/content/pl/_index.html
+++ b/content/pl/_index.html
@@ -33,6 +33,8 @@ Niezależnie, czy prowadzisz tylko testy, czy globalny koncern, dzięki elastycz
 
 Kubernetes jako projekt open-source daje Ci wolność wyboru ⏤ skorzystaj z prywatnego centrum danych, infrastruktury hybrydowej lub chmury publicznej. Bez wysiłku możesz przenieść swoje aplikacje tam, gdzie są najbardziej potrzebne.
 
+Żeby pobrać Kubernetesa, odwiedź sekcję [pobierania](/releases/download/).
+
 {{% /blocks/feature %}}
 
 {{< /blocks/section >}}
@@ -44,13 +46,12 @@ Kubernetes jako projekt open-source daje Ci wolność wyboru ⏤ skorzystaj z pr
         
         
    
         
    
-        Weź udział w KubeCon North America 24-28.10.2022
+        Weź udział w KubeCon + CloudNativeCon Europe 18-21.04.2023
         
    
         
    
         
    
         
    
-        Weź udział w KubeCon Europe 17-21.04.2023
-
+        Weź udział w KubeCon + CloudNativeCon North America 6-9.11.2023
 
 
    
     

From bd49796a8fbd5b3e8f0eff5d90cbe10654a158cd Mon Sep 17 00:00:00 2001
From: Fabian B 
Date: Sat, 8 Apr 2023 16:42:26 +0200
Subject: [PATCH 210/272] Add translation for "Automated rollouts and
 rollbacks"

---
 .../docs/concepts/workloads/controllers/deployment.md  | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 content/de/docs/concepts/workloads/controllers/deployment.md

diff --git a/content/de/docs/concepts/workloads/controllers/deployment.md b/content/de/docs/concepts/workloads/controllers/deployment.md
new file mode 100644
index 00000000000..35b21bc8519
--- /dev/null
+++ b/content/de/docs/concepts/workloads/controllers/deployment.md
@@ -0,0 +1,10 @@
+---
+title: Deployments
+feature:
+    title: Automatisierte Rollouts und Rollbacks
+    description: >
+        Kubernetes wendet Änderungen an deinen Anwendungen oder seiner eigenen Konfiguration stufenweise an. Währenddessen achtet es darauf, dass nicht alle Instanzen der Anwendung zur gleichen Zeit beeinträchtigt werden. Falls etwas schief geht, macht Kubernetes die Änderungen rückgängig.
+
+content_type: concept
+weight: 10
+---
\ No newline at end of file

From 14ef8798951fd2eaf1cec64a9844f2b56a2eefb2 Mon Sep 17 00:00:00 2001
From: Fabian B 
Date: Sat, 8 Apr 2023 16:46:07 +0200
Subject: [PATCH 211/272] Add translation for "Storage orchestration"

---
 content/de/docs/concepts/storage/persistent_volumes.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 content/de/docs/concepts/storage/persistent_volumes.md

diff --git a/content/de/docs/concepts/storage/persistent_volumes.md b/content/de/docs/concepts/storage/persistent_volumes.md
new file mode 100644
index 00000000000..d0320d5b977
--- /dev/null
+++ b/content/de/docs/concepts/storage/persistent_volumes.md
@@ -0,0 +1,10 @@
+---
+title: Persistente Volumes
+feature:
+  title: Speicher-Orchestrierung
+  description: >
+    Binde automatisch deinen gewünschten Speicher ein. Egal, ob lokaler Speicher, Speicher eines Cloud Providers (z.B. AWS oder GCP) oder ein Netzwerkspeicher (z.B. NFS, iSCSI, Ceph oder Cinder).
+
+content_type: concept
+weight: 10
+---
\ No newline at end of file

From adf7b99e4ba5bd1bd1e0685eba1c34be5eee833e Mon Sep 17 00:00:00 2001
From: Fabian B 
Date: Sat, 8 Apr 2023 18:38:04 +0200
Subject: [PATCH 212/272] Add translation for "Secret and configuration
 management"

---
 content/de/docs/concepts/configuration/secret.md | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 content/de/docs/concepts/configuration/secret.md

diff --git a/content/de/docs/concepts/configuration/secret.md b/content/de/docs/concepts/configuration/secret.md
new file mode 100644
index 00000000000..25ee70b7c16
--- /dev/null
+++ b/content/de/docs/concepts/configuration/secret.md
@@ -0,0 +1,9 @@
+---
+title: Secrets
+content_type: concept
+feature:
+  title: Verwaltung von Secrets und Konfigurationen
+  description: >
+    Deploye und aktualisiere Secrets sowie Anwendungskonfigurationen, ohne ein Image neu zu bauen oder Secrets preiszugeben.
+weight: 30
+---
\ No newline at end of file

From 544c78cfcd30c70e241cb8761ed9148125bc08fb Mon Sep 17 00:00:00 2001
From: Fabian B 
Date: Sat, 8 Apr 2023 18:40:26 +0200
Subject: [PATCH 213/272] Add translation for "Batch execution"

---
 content/de/docs/concepts/workloads/controllers/job.md | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 content/de/docs/concepts/workloads/controllers/job.md

diff --git a/content/de/docs/concepts/workloads/controllers/job.md b/content/de/docs/concepts/workloads/controllers/job.md
new file mode 100644
index 00000000000..da65fa9dca7
--- /dev/null
+++ b/content/de/docs/concepts/workloads/controllers/job.md
@@ -0,0 +1,9 @@
+---
+title: Jobs
+content_type: concept
+feature:
+  title: Stapelweise Ausführung
+  description: >
+    Neben Diensten kann Kubernetes auch die stapelweise Ausführung von Workloads verwalten. Im Falle eines Fehlers können Container ausgetauscht werden.
+weight: 50
+---
\ No newline at end of file

From 6d82d6c4fa90047f268d4d800b9d130bf4113f21 Mon Sep 17 00:00:00 2001
From: Fabian B 
Date: Sat, 8 Apr 2023 18:48:07 +0200
Subject: [PATCH 214/272] Add translation for "IPv4/IPv6 dual stack"

---
 .../concepts/services-networking/dual-stack.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 content/de/docs/concepts/services-networking/dual-stack.md

diff --git a/content/de/docs/concepts/services-networking/dual-stack.md b/content/de/docs/concepts/services-networking/dual-stack.md
new file mode 100644
index 00000000000..4e1f4be1af3
--- /dev/null
+++ b/content/de/docs/concepts/services-networking/dual-stack.md
@@ -0,0 +1,18 @@
+---
+title: IPv4/IPv6 dual-stack
+description: >-
+  Kubernetes erlaubt Netzwerkkonfigurationen mit IPv4 oder IPv6 (Single Stack).
+  Im Dual-Stack-Betrieb kann IPv4 im Verbund mit IPv6 verwendet werden.
+
+feature:
+  title: IPv4/IPv6 Dual-Stack
+  description: >
+    Pods und Dienste können gleichzeitig IPv4- und IPv6-Adressen verwenden.
+content_type: concept
+reviewers:
+  - lachie83
+  - khenidak
+  - aramase
+  - bridgetkromhout
+weight: 90
+---
\ No newline at end of file

From 1d5135574b94edeb2964e9822f3b0478b2bf309b Mon Sep 17 00:00:00 2001
From: Fabian B 
Date: Sat, 8 Apr 2023 18:51:43 +0200
Subject: [PATCH 215/272] Add translation for "Service discovery and load
 balancing"

---
 .../de/docs/concepts/services-networking/service.md  | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 content/de/docs/concepts/services-networking/service.md

diff --git a/content/de/docs/concepts/services-networking/service.md b/content/de/docs/concepts/services-networking/service.md
new file mode 100644
index 00000000000..05b9f275a28
--- /dev/null
+++ b/content/de/docs/concepts/services-networking/service.md
@@ -0,0 +1,12 @@
+---
+title: Services
+feature:
+  title: Service-Discovery und Load Balancing
+  description: >
+    Anwendungen müssen keinen komplizierten Mechanismus für Service-Discovery verwenden. Kubernetes verteilt IP-Adressen und DNS-Einträge automatisch an Pods und übernimmt auch das Load Balancing.
+description: >-
+  Veröffentliche deine Applikation über einen einzelnen, nach außen sichtbaren Endpunkt,
+  auch wenn die Workload über mehrere Backends verteilt ist. 
+content_type: concept
+weight: 10
+---
\ No newline at end of file

From 31cc243d275dea2270ce959b10dc1a6861a39b93 Mon Sep 17 00:00:00 2001
From: Fabian B 
Date: Sat, 8 Apr 2023 18:53:35 +0200
Subject: [PATCH 216/272] Add translation for "Self healing"

---
 .../docs/concepts/workloads/controllers/replicaset.md  | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 content/de/docs/concepts/workloads/controllers/replicaset.md

diff --git a/content/de/docs/concepts/workloads/controllers/replicaset.md b/content/de/docs/concepts/workloads/controllers/replicaset.md
new file mode 100644
index 00000000000..03addcb9ca0
--- /dev/null
+++ b/content/de/docs/concepts/workloads/controllers/replicaset.md
@@ -0,0 +1,10 @@
+---
+title: ReplicaSet
+feature:
+  title: Selbstheilung
+  anchor: Funktionsweise eines ReplicaSets
+  description: >
+    Container werden mithilfe von Health-Checks überwacht und im Falle eines Fehlers neu gestartet. Sie werden erst wieder verwendet, wenn Sie komplett einsatzbereit sind.
+content_type: concept
+weight: 20
+---
\ No newline at end of file

From 791432d7f3a02b003721893b4c61ec29603aacba Mon Sep 17 00:00:00 2001
From: Fabian B 
Date: Sat, 8 Apr 2023 18:56:23 +0200
Subject: [PATCH 217/272] Add translation for "Automatic bin packing"

---
 .../concepts/configuration/manage-resource-containers.md | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 content/de/docs/concepts/configuration/manage-resource-containers.md

diff --git a/content/de/docs/concepts/configuration/manage-resource-containers.md b/content/de/docs/concepts/configuration/manage-resource-containers.md
new file mode 100644
index 00000000000..9ba50de1934
--- /dev/null
+++ b/content/de/docs/concepts/configuration/manage-resource-containers.md
@@ -0,0 +1,9 @@
+---
+title: Resourcen-Verwaltung für Pods und Container
+content_type: concept
+weight: 40
+feature:
+  title: Automatisches Bin Packing
+  description: >
+    Container können je nach Systemanforderungen auf spezifischen Nodes ausgeführt werden. Somit kann eine effiziente Nutzung von Ressourcen erreicht werden.
+---
\ No newline at end of file

From 5e56b19ae29d261fb2b656f49f03cbcca2af12f2 Mon Sep 17 00:00:00 2001
From: Fabian B 
Date: Sat, 8 Apr 2023 18:58:47 +0200
Subject: [PATCH 218/272] Add translation for "Designed for extensibility"

---
 content/de/docs/concepts/extend-kubernetes/_index.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/content/de/docs/concepts/extend-kubernetes/_index.md b/content/de/docs/concepts/extend-kubernetes/_index.md
index a537b745ada..d23443d3c31 100644
--- a/content/de/docs/concepts/extend-kubernetes/_index.md
+++ b/content/de/docs/concepts/extend-kubernetes/_index.md
@@ -1,4 +1,8 @@
 ---
 title: "Kubernetes erweitern"
 weight: 110
+feature:
+  title: Für Erweiterungen entworfen
+  description: >
+    Kubernetes kann ohne Änderungen am Upstream-Quelltext erweitert werden.
 ---

From 5ed63def8a3306c3fe6cbfdc53c1f953c7547ee8 Mon Sep 17 00:00:00 2001
From: Stanislav Kardashov 
Date: Sat, 15 Apr 2023 18:38:24 +0300
Subject: [PATCH 219/272] fix minor typo permision -> permission

---
 .../en/docs/tasks/configure-pod-container/migrate-from-psp.md   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/tasks/configure-pod-container/migrate-from-psp.md b/content/en/docs/tasks/configure-pod-container/migrate-from-psp.md
index f48ad1e7bf3..d8511ac66d7 100644
--- a/content/en/docs/tasks/configure-pod-container/migrate-from-psp.md
+++ b/content/en/docs/tasks/configure-pod-container/migrate-from-psp.md
@@ -201,7 +201,7 @@ For each updated PodSecurityPolicy:
 3. Create the new PodSecurityPolicies. If any Roles or ClusterRoles are granting `use` on all PSPs
    this could cause the new PSPs to be used instead of their mutating counter-parts.
 4. Update your authorization to grant access to the new PSPs. In RBAC this means updating any Roles
-   or ClusterRoles that grant the `use` permision on the original PSP to also grant it to the
+   or ClusterRoles that grant the `use` permission on the original PSP to also grant it to the
    updated PSP.
 5. Verify: after some soak time, rerun the command from step 1 to see if any pods are still using
    the original PSPs. Note that pods need to be recreated after the new policies have been rolled

From 0b25549497f9040ffc87e560e496eb4d72fdc11e Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Fri, 14 Apr 2023 22:07:53 +0800
Subject: [PATCH 220/272] sync 1.27 scheduling-framework.md

sync 1.27 scheduling-framework.md
---
 .../scheduling-framework.md                   | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/content/zh-cn/docs/concepts/scheduling-eviction/scheduling-framework.md b/content/zh-cn/docs/concepts/scheduling-eviction/scheduling-framework.md
index 2641362e0af..436e2cc5a5c 100644
--- a/content/zh-cn/docs/concepts/scheduling-eviction/scheduling-framework.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/scheduling-framework.md
@@ -105,6 +105,28 @@ stateful tasks.
 -->
 {{< figure src="/images/docs/scheduling-framework-extensions.png" title="调度框架扩展点" class="diagram-large">}}
 
+
+### PreEnqueue {#pre-enqueue}
+
+
+这些插件在将 Pod 被添加到内部活动队列之前被调用,在此队列中 Pod 被标记为准备好进行调度。
+
+只有当所有 PreEnqueue 插件返回 `Success` 时,Pod 才允许进入活动队列。
+否则,它将被放置在内部无法调度的 Pod 列表中,并且不会获得 `Unschedulable` 状态。
+
+要了解有关内部调度器队列如何工作的更多详细信息,请阅读 [kube-scheduler 调度队列](https://github.com/kubernetes/community/blob/f03b6d5692bd979f07dd472e7b6836b2dad0fd9b/contributors/devel/sig-scheduling/scheduler_queues.md)。
+
 

From 210c50f967913724105093c7dd0678321feabc4f Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Sun, 16 Apr 2023 09:17:29 +0800
Subject: [PATCH 221/272] sync patch-releases

sync patch-releases
---
 content/zh-cn/releases/patch-releases.md | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/content/zh-cn/releases/patch-releases.md b/content/zh-cn/releases/patch-releases.md
index ff755a51489..94e444dc0d0 100644
--- a/content/zh-cn/releases/patch-releases.md
+++ b/content/zh-cn/releases/patch-releases.md
@@ -149,16 +149,15 @@ releases may also occur in between these.
 
-
-| 月度补丁发布    | Cherry Pick 截止日期 |   目标日期  |
-| -------------- | -------------------- | ----------- |
-| 2023 年 2 月   | 2023-02-10           | 2023-02-15  |
-| 2023 年 3 月   | 2023-03-10           | 2023-03-15  |
-| 2023 年 4 月   | 2023-04-07           | 2023-04-12  |
+| 月度补丁发布     | Cherry Pick 截止日期 | 目标日期       |
+|------------|------------------|------------|
+| 2023 年 4 月 | 2023-04-07       | 2023-04-12 |
+| 2023 年 5 月 | 2023-05-12       | 2023-05-17 |
+| 2023 年 6 月 | 2023-06-09       | 2023-06-14 |
 
 
 
    
 一组键值对,用于描述各种功能。选项包括:
-
    PublicKeysECDSA=true|false (ALPHA - 默认值=false
+
    EtcdLearnerMode=true|false (ALPHA - 默认值=false)
+
    PublicKeysECDSA=true|false (ALPHA - 默认值=false)
 
    RootlessControlPlane=true|false (ALPHA - 默认值=false)
 
    
 

From ae4f12001fcdf7ef22c7a1a2d39f603dec47d9eb Mon Sep 17 00:00:00 2001
From: Michael 
Date: Fri, 14 Apr 2023 19:45:25 +0800
Subject: [PATCH 224/272] [zh] sync /services-networking/service.md

---
 .../concepts/services-networking/service.md   | 174 +++++++++++++-----
 1 file changed, 130 insertions(+), 44 deletions(-)

diff --git a/content/zh-cn/docs/concepts/services-networking/service.md b/content/zh-cn/docs/concepts/services-networking/service.md
index 76e931ae4c9..fbd4e5374c0 100644
--- a/content/zh-cn/docs/concepts/services-networking/service.md
+++ b/content/zh-cn/docs/concepts/services-networking/service.md
@@ -1079,6 +1079,22 @@ The cloud provider decides how it is load balanced.
 -->
 来自外部负载均衡器的流量将直接重定向到后端 Pod 上,不过实际它们是如何工作的,这要依赖于云提供商。
 
+
+要实现 `type: LoadBalancer` 的服务,Kubernetes 通常首先进行与请求 `type: NodePort` 服务等效的更改。
+cloud-controller-manager 组件随后配置外部负载均衡器以将流量转发到已分配的节点端口。
+
+你可以将负载均衡服务配置为[忽略](#load-balancer-nodeport-allocation)分配节点端口,
+前提是云提供商实现支持这点。
+
 
-要实现 `type: LoadBalancer` 的服务,Kubernetes 通常首先进行与请求 `type: NodePort` 服务等效的更改。
-cloud-controller-manager 组件然后配置外部负载均衡器以将流量转发到已分配的节点端口。
-
-你可以将负载均衡服务配置为[忽略](#load-balancer-nodeport-allocation)分配节点端口,
-前提是云提供商实现支持这点。
-
 {{< note >}}
 
-在 **Azure** 上,如果要使用用户指定的公共类型 `loadBalancerIP`,
-则首先需要创建静态类型的公共 IP 地址资源。
-此公共 IP 地址资源应与集群中其他自动创建的资源位于同一资源组中。
-例如,`MC_myResourceGroup_myAKSCluster_eastus`。
+针对 Service 的 `.spec.loadBalancerIP` 字段已在 Kubernetes v1.24 中被弃用。
 
-将分配的 IP 地址设置为 loadBalancerIP。确保你已更新云提供程序配置文件中的 securityGroupName。
-有关对 `CreatingLoadBalancerFailed` 权限问题进行故障排除的信息,
-请参阅[与 Azure Kubernetes 服务(AKS)负载均衡器一起使用静态 IP 地址](https://docs.microsoft.com/zh-cn/azure/aks/static-ip)
-或[在 AKS 集群上使用高级联网时出现 CreatingLoadBalancerFailed](https://github.com/Azure/AKS/issues/357)。
+此字段的定义模糊,其含义因实现而异。它也不支持双协议栈联网。
+此字段可能会在未来的 API 版本中被移除。
+
+
+如果你正在集成某云平台,该平台通过(特定于提供商的)注解为 Service 指定负载均衡器 IP 地址,
+你应该切换到这样做。
+
+如果你正在为集成到 Kubernetes 的负载均衡器编写代码,请避免使用此字段。
+你可以与 [Gateway](https://gateway-api.sigs.k8s.io/) 而不是 Service 集成,
+或者你可以在 Service 上定义自己的(特定于提供商的)注解,以指定等效的细节。
 {{< /note >}}
+
 
+#### 混合协议类型的负载均衡器
 
 {{< feature-state for_k8s_version="v1.24" state="beta" >}}
 
+
-#### 混合协议类型的负载均衡器
-
-{{< feature-state for_k8s_version="v1.20" state="alpha" >}}
-
 默认情况下,对于 LoadBalancer 类型的服务,当定义了多个端口时,
 所有端口必须具有相同的协议,并且该协议必须是受云提供商支持的协议。
 
-当服务中定义了多个端口时,特性门控 `MixedProtocolLBService`(在 kube-apiserver 1.24 版本默认为启用)允许
-LoadBalancer 类型的服务使用不同的协议。
+当服务中定义了多个端口时,特性门控 `MixedProtocolLBService`
+(在 kube-apiserver 1.24 版本默认为启用)
+允许 LoadBalancer 类型的服务使用不同的协议。
 
 {{< note >}}
 百度云" %}}
 
 ```yaml
 [...]
@@ -1320,7 +1324,7 @@ metadata:
 ```
 
 {{% /tab %}}
-{{% tab name="Tencent Cloud" %}}
+{{% tab name="腾讯云" %}}
 
 ```yaml
 [...]
@@ -1331,7 +1335,7 @@ metadata:
 ```
 
 {{% /tab %}}
-{{% tab name="Alibaba Cloud" %}}
+{{% tab name="阿里云" %}}
 
 ```yaml
 [...]
@@ -1449,7 +1453,7 @@ You can then specify any one of those policies using the
 annotation; for example:
 -->
 然后,你可以使用 "`service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy`"
-注解; 例如:
+注解;例如:
 
 ```yaml
     metadata:
@@ -1483,6 +1487,7 @@ Since version 1.3.0, the use of this annotation applies to all ports proxied by
 and cannot be configured otherwise.
 -->
 从 1.3.0 版开始,此注解的使用适用于 ELB 代理的所有端口,并且不能进行其他配置。
+
 
 ```yaml
     metadata:
       name: my-service
@@ -1565,6 +1588,63 @@ There are other annotations to manage Classic Elastic Load Balancers that are de
 
 还有其他一些注解,用于管理经典弹性负载均衡器,如下所述。
 
+
 ```yaml
     metadata:
       name: my-service
@@ -1691,9 +1771,16 @@ groups are modified with the following IP rules:
 
 为了使客户端流量能够到达 NLB 后面的实例,使用以下 IP 规则修改了节点安全组:
 
+
+| 规则 | 协议 | 端口 | IpRange(s) | IpRange 描述 |
+|------|----------|---------|------------|---------------------|
+| Health Check | TCP | NodePort(s) (`.spec.healthCheckNodePort` for `.spec.externalTrafficPolicy = Local`) | Subnet CIDR | kubernetes.io/rule/nlb/health=\ |
 | Client Traffic | TCP | NodePort(s) | `.spec.loadBalancerSourceRanges` (默认值为 `0.0.0.0/0`) | kubernetes.io/rule/nlb/client=\ |
 | MTU Discovery | ICMP | 3,4 | `.spec.loadBalancerSourceRanges` (默认值为 `0.0.0.0/0`) | kubernetes.io/rule/nlb/mtu=\ |
 
@@ -1864,7 +1951,6 @@ to learn more.
 
 Service is a top-level resource in the Kubernetes REST API. You can find more details
 about the [Service API object](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#service-v1-core).
-
 -->
 ## API 对象   {#api-object}
 

From 46e88db8f17e41f06b7a8b441d68bf47a3e47074 Mon Sep 17 00:00:00 2001
From: windsonsea 
Date: Fri, 14 Apr 2023 17:38:54 +0800
Subject: [PATCH 225/272] [zh] sync csi-driver-v1.md

---
 .../csi-driver-v1.md                          | 177 ++++++++++++++----
 1 file changed, 144 insertions(+), 33 deletions(-)

diff --git a/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1.md b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1.md
index c6cac3bbdf7..568f0736160 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1.md
@@ -41,10 +41,12 @@ CSIDriver 对象未划分命名空间。
 
 
 - **metadata** (}}">ObjectMeta)
   
@@ -58,7 +60,7 @@ CSIDriver 对象未划分命名空间。
 
 - **spec** (}}">CSIDriverSpec),必需
   
-  CSI 驱动的规约。
+  spec 表示 CSI 驱动的规约。
 
 ## CSIDriverSpec {#CSIDriverSpec}
 
@@ -89,7 +91,8 @@ CSIDriverSpec 是 CSIDriver 的规约。
 
 
 - **fsGroupPolicy** (string)
   
-  定义底层卷是否支持在挂载之前更改卷的所有权和权限。
+  fsGroupPolicy 定义底层卷是否支持在挂载之前更改卷的所有权和权限。
   有关更多详细信息,请参考特定的 FSGroupPolicy 值。
   
   此字段不可变更。
@@ -107,28 +110,38 @@ CSIDriverSpec 是 CSIDriver 的规约。
 
 
 - **podInfoOnMount** (boolean)
+
+  如果 podInfoOnMount 设为 true,则表示在挂载操作期间这个 CSI 卷驱动需要更多的
+  Pod 信息(例如 podName 和 podUID 等)。
+  如果设为 false,则挂载时将不传递 Pod 信息。默认为 false。
   
-  如果设为 true,则 podInfoOnMount 表示在挂载操作期间这个 CSI 卷需要更多的 Pod 信息(例如 podName 和 podUID 等)。
-  如果设为 false,则挂载时将不传递 Pod 信息。
-  默认为 false。
+  
   CSI 驱动将 podInfoOnMount 指定为驱动部署的一部分。
   如果为 true,Kubelet 将在 CSI NodePublishVolume() 调用中作为 VolumeContext 传递 Pod 信息。
   CSI 驱动负责解析和校验作为 VolumeContext 传递进来的信息。
+
   如果 podInfoOnMount 设为 true,将传递以下 VolumeConext。
   此列表可能变大,但将使用前缀。
+
   - "csi.storage.k8s.io/pod.name": pod.name
   - "csi.storage.k8s.io/pod.namespace": pod.namespace
   - "csi.storage.k8s.io/pod.uid": string(pod.UID)
   - "csi.storage.k8s.io/ephemeral":
     如果此卷是 CSIVolumeSource 定义的一个临时内联卷,则为 “true”,否则为 “false”
+
+  
   “csi.storage.k8s.io/ephemeral” 是 Kubernetes 1.16 中一个新的功能特性。
   只有同时支持 “Persistent” 和 “Ephemeral” VolumeLifecycleMode 的驱动,此字段才是必需的。
   其他驱动可以保持禁用 Pod 信息或忽略此字段。
@@ -139,7 +152,8 @@ CSIDriverSpec 是 CSIDriver 的规约。
 
 
@@ -155,7 +169,7 @@ CSIDriverSpec 是 CSIDriver 的规约。
 
@@ -178,9 +192,11 @@ CSIDriverSpec 是 CSIDriver 的规约。
   这通常用于代表更大共享文件系统的子目录的卷。
   
   默认为 “false”。
+
 
 - **tokenRequests** ([]TokenRequest)
   
@@ -230,21 +249,27 @@ CSIDriverSpec 是 CSIDriver 的规约。
   }
   ```
 
+  
   注:每个 tokenRequest 中的受众应该不同,且最多有一个令牌是空字符串。
   要在令牌过期后接收一个新的令牌,requiresRepublish 可用于周期性地触发 NodePublishVolume。
   
   
   **tokenRequest 包含一个服务帐户令牌的参数。**
 
-  
+    expirationSeconds is the duration of validity of the token in "TokenRequestSpec". It has the same default value of "ExpirationSeconds" in "TokenRequestSpec".
+  -->  
   - **tokenRequests.audience** (string),必需
     
     audience 是 “TokenRequestSpec” 中令牌的目标受众。
@@ -260,9 +285,7 @@ CSIDriverSpec 是 CSIDriver 的规约。
 
   *Set: unique values will be kept during a merge*
   
-  volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is "Persistent", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future. This field is beta.
-  
-  This field is immutable.
+  volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is "Persistent", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism.
 -->
 - **volumeLifecycleModes** ([]string)
   
@@ -271,15 +294,23 @@ CSIDriverSpec 是 CSIDriver 的规约。
   volumeLifecycleModes 定义这个 CSI 卷驱动支持哪种类别的卷。
   如果列表为空,则默认值为 “Persistent”,这是 CSI 规范定义的用法,
   并通过常用的 PV/PVC 机制在 Kubernetes 中实现。
+
+  
   另一种模式是 “Ephemeral”。
   在这种模式下,在 Pod 规约中用 CSIVolumeSource 以内联方式定义卷,其生命周期与该 Pod 的生命周期相关联。
   驱动必须感知到这一点,因为只有针对这种卷才会接收到 NodePublishVolume 调用。
+
   有关实现此模式的更多信息,请参阅
   https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html。
   驱动可以支持其中一种或多种模式,将来可能会添加更多模式。
-  此字段处于 Beta 阶段。
   
-  此字段不可变更。
+  此字段处于 Beta 阶段。此字段不可变更。
 
 ## CSIDriverList {#CSIDriverList}
 
@@ -344,7 +375,7 @@ GET /apis/storage.k8s.io/v1/csidrivers/{name}
 
 - **name** (**路径参数**): string,必需
   
-  CSIDriver 的名称
+  CSIDriver 的名称。
 
 - **pretty** (**查询参数**): string
   
@@ -372,16 +403,50 @@ GET /apis/storage.k8s.io/v1/csidrivers
 
 
 #### 参数
 
@@ -417,6 +482,10 @@ GET /apis/storage.k8s.io/v1/csidrivers
   
   }}">resourceVersionMatch
 
+- **sendInitialEvents** (**查询参数**): boolean
+
+  }}">sendInitialEvents
+
 - **timeoutSeconds** (**查询参数**): integer
   
   }}">timeoutSeconds
@@ -511,7 +580,7 @@ PUT /apis/storage.k8s.io/v1/csidrivers/{name}
 
 - **name** (**路径参数**): string,必需
   
-  CSIDriver 的名称
+  CSIDriver 的名称。
 
 - **body**: }}">CSIDriver,必需
 
@@ -568,7 +637,7 @@ PATCH /apis/storage.k8s.io/v1/csidrivers/{name}
 
 - **name** (**路径参数**): string,必需
   
-  CSIDriver 的名称
+  CSIDriver 的名称。
 
 - **body**: }}">Patch,必需
 
@@ -628,7 +697,7 @@ DELETE /apis/storage.k8s.io/v1/csidrivers/{name}
 
 - **name** (**路径参数**): string,必需
   
-  CSIDriver 的名称
+  CSIDriver 的名称。
 
 - **body**: }}">DeleteOptions
 
@@ -672,18 +741,56 @@ DELETE /apis/storage.k8s.io/v1/csidrivers
 
 
 #### 参数
 
@@ -729,6 +836,10 @@ DELETE /apis/storage.k8s.io/v1/csidrivers
   
   }}">resourceVersionMatch
 
+- **sendInitialEvents** (**查询参数**): boolean
+
+  }}">sendInitialEvents
+
 - **timeoutSeconds** (**查询参数**): integer
   
   }}">timeoutSeconds

From ad7c0712c646fe559be6508686516419fd6c502d Mon Sep 17 00:00:00 2001
From: Qiming Teng 
Date: Sun, 16 Apr 2023 16:26:38 +0800
Subject: [PATCH 226/272] Fix examples test for 1.27

- Some examples are actually not good "examples", i.e. they are not
  not ready for the users to try out.
- Some examples are failing the validation in their current format.
- Some examples skipped the test case.

These issues are fixed.
---
 .../extensible-admission-controllers.md       |  50 ++++-
 .../validating-admission-policy.md            |  17 +-
 .../admission-webhook-match-conditions.yaml   |  47 ----
 .../audit-event-with-audit-annotation.yaml    |  12 --
 .../access/deployment-replicas-policy.yaml    |   3 +-
 ...ing-admission-policy-audit-annotation.yaml |   3 +-
 content/en/examples/examples_test.go          |  51 +++--
 go.mod                                        | 130 ++++++-----
 go.sum                                        | 203 ++++++++++--------
 9 files changed, 292 insertions(+), 224 deletions(-)
 delete mode 100644 content/en/examples/access/admission-webhook-match-conditions.yaml
 delete mode 100644 content/en/examples/access/audit-event-with-audit-annotation.yaml

diff --git a/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md b/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md
index aa1a61b2e38..7c3636e49b1 100644
--- a/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md
+++ b/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md
@@ -736,7 +736,55 @@ webhook to be called.
 
 Here is an example illustrating a few different uses for match conditions:
 
-{{< codenew file="access/admission-webhook-match-conditions.yaml" >}}
+```yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+webhooks:
+  - name: my-webhook.example.com
+    matchPolicy: Equivalent
+    rules:
+      - operations: ['CREATE','UPDATE']
+        apiGroups: ['*']
+        apiVersions: ['*']
+        resources: ['*']
+    failurePolicy: 'Ignore' # Fail-open (optional)
+    sideEffects: None
+    clientConfig:
+      service:
+        namespace: my-namespace
+        name: my-webhook
+      caBundle: ''
+    matchConditions:
+      - name: 'exclude-leases' # Each match condition must have a unique name
+        expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # Match non-lease resources.
+      - name: 'exclude-kubelet-requests'
+        expression: '!("system:nodes" in request.userInfo.groups)' # Match requests made by non-node users.
+      - name: 'rbac' # Skip RBAC requests, which are handled by the second webhook.
+        expression: 'request.resource.group != "rbac.authorization.k8s.io"'
+  
+  # This example illustrates the use of the 'authorizer'. The authorization check is more expensive
+  # than a simple expression, so in this example it is scoped to only RBAC requests by using a second
+  # webhook. Both webhooks can be served by the same endpoint.
+  - name: rbac.my-webhook.example.com
+    matchPolicy: Equivalent
+    rules:
+      - operations: ['CREATE','UPDATE']
+        apiGroups: ['rbac.authorization.k8s.io']
+        apiVersions: ['*']
+        resources: ['*']
+    failurePolicy: 'Fail' # Fail-closed (the default)
+    sideEffects: None
+    clientConfig:
+      service:
+        namespace: my-namespace
+        name: my-webhook
+      caBundle: ''
+    matchConditions:
+      - name: 'breakglass'
+        # Skip requests made by users authorized to 'breakglass' on this webhook.
+        # The 'breakglass' API verb does not need to exist outside this check.
+        expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("my-webhook.example.com").check("breakglass").allowed()'
+```
 
 Match conditions have access to the following CEL variables:
 
diff --git a/content/en/docs/reference/access-authn-authz/validating-admission-policy.md b/content/en/docs/reference/access-authn-authz/validating-admission-policy.md
index ffb7f96965c..a9c802b6058 100644
--- a/content/en/docs/reference/access-authn-authz/validating-admission-policy.md
+++ b/content/en/docs/reference/access-authn-authz/validating-admission-policy.md
@@ -438,7 +438,20 @@ For example, here is an admission policy with an audit annotation:
 
 When an API request is validated with this admission policy, the resulting audit event will look like:
 
-{{< codenew file="access/audit-event-with-audit-annotation.yaml" >}}
+```
+# the audit event recorded
+{
+    "kind": "Event",
+    "apiVersion": "audit.k8s.io/v1",
+    "annotations": {
+        "demo-policy.example.com/high-replica-count": "Deployment spec.replicas set to 128"
+        # other annotations
+        ...
+    }
+    # other fields
+    ...
+}
+```
 
 In this example the annotation will only be included if the `spec.replicas` of the Deployment is more than
 50, otherwise the CEL expression evalutes to null and the annotation will not be included.
@@ -564,4 +577,4 @@ Type Checking has the following limitation:
   to consume excessive computing resources. In the order of ascending group, version, and then resource, 11th combination and beyond are ignored.
 - Type Checking does not affect the policy behavior in any way. Even if the type checking detects errors, the policy will continue
   to evaluate. If errors do occur during evaluate, the failure policy will decide its outcome.
-- Type Checking does not apply to CRDs, including matched CRD types and reference of paramKind. The support for CRDs will come in future release.
\ No newline at end of file
+- Type Checking does not apply to CRDs, including matched CRD types and reference of paramKind. The support for CRDs will come in future release.
diff --git a/content/en/examples/access/admission-webhook-match-conditions.yaml b/content/en/examples/access/admission-webhook-match-conditions.yaml
deleted file mode 100644
index 96705289a95..00000000000
--- a/content/en/examples/access/admission-webhook-match-conditions.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-webhooks:
-- name: my-webhook.example.com
-  matchPolicy: Equivalent
-  rules:
-  - operations: ['CREATE','UPDATE']
-    apiGroups: ['*']
-    apiVersions: ['*']
-    resources: ['*']
-  failurePolicy: 'Ignore' # Fail-open (optional)
-  sideEffects: None
-  clientConfig:
-    service:
-      namespace: my-namespace
-      name: my-webhook
-    caBundle: ''
-  matchConditions:
-  - name: 'exclude-leases' # Each match condition must have a unique name
-    expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # Match non-lease resources.
-  - name: 'exclude-kubelet-requests'
-    expression: '!("system:nodes" in request.userInfo.groups)' # Match requests made by non-node users.
-  - name: 'rbac' # Skip RBAC requests, which are handled by the second webhook.
-    expression: 'request.resource.group != "rbac.authorization.k8s.io"'
-
-# This example illustrates the use of the 'authorizer'. The authorization check is more expensive
-# than a simple expression, so in this example it is scoped to only RBAC requests by using a second
-# webhook. Both webhooks can be served by the same endpoint.
-- name: rbac.my-webhook.example.com
-  matchPolicy: Equivalent
-  rules:
-  - operations: ['CREATE','UPDATE']
-    apiGroups: ['rbac.authorization.k8s.io']
-    apiVersions: ['*']
-    resources: ['*']
-  failurePolicy: 'Fail' # Fail-closed (the default)
-  sideEffects: None
-  clientConfig:
-    service:
-      namespace: my-namespace
-      name: my-webhook
-    caBundle: ''
-  matchConditions:
-  - name: 'breakglass'
-    # Skip requests made by users authorized to 'breakglass' on this webhook.
-    # The 'breakglass' API verb does not need to exist outside this check.
-    expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("my-webhook.example.com").check("breakglass").allowed()'
diff --git a/content/en/examples/access/audit-event-with-audit-annotation.yaml b/content/en/examples/access/audit-event-with-audit-annotation.yaml
deleted file mode 100644
index 6d947745d4b..00000000000
--- a/content/en/examples/access/audit-event-with-audit-annotation.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-# the audit event recorded
-{
-    "kind": "Event",
-    "apiVersion": "audit.k8s.io/v1",
-    "annotations": {
-        "demo-policy.example.com/high-replica-count": "Deployment spec.replicas set to 128"
-        # other annotations
-        ...
-    }
-    # other fields
-    ...
-}
diff --git a/content/en/examples/access/deployment-replicas-policy.yaml b/content/en/examples/access/deployment-replicas-policy.yaml
index 23c04fff621..e12a8a0961f 100644
--- a/content/en/examples/access/deployment-replicas-policy.yaml
+++ b/content/en/examples/access/deployment-replicas-policy.yaml
@@ -4,9 +4,8 @@ metadata:
   name: "deploy-replica-policy.example.com"
 spec:
   paramKind:
-    group: rules.example.com
+    apiVersion: rules.example.com/v1
     kind: ReplicaLimit
-    version: v1
   matchConstraints:
     resourceRules:
     - apiGroups:   ["apps"]
diff --git a/content/en/examples/access/validating-admission-policy-audit-annotation.yaml b/content/en/examples/access/validating-admission-policy-audit-annotation.yaml
index 378fa97247a..5a7a20ac56a 100644
--- a/content/en/examples/access/validating-admission-policy-audit-annotation.yaml
+++ b/content/en/examples/access/validating-admission-policy-audit-annotation.yaml
@@ -12,4 +12,5 @@ spec:
       resources:   ["deployments"]
   validations:
     - key: "high-replica-count"
-      valueExpression: "object.spec.replicas > 50 ? 'Deployment spec.replicas set to ' + string(object.spec.replicas) : null"
+      expression: "object.spec.replicas > 50"
+      messageExpression: "'Deployment spec.replicas set to ' + string(object.spec.replicas)"
diff --git a/content/en/examples/examples_test.go b/content/en/examples/examples_test.go
index 82c2fdc14aa..4bc95fadcd3 100644
--- a/content/en/examples/examples_test.go
+++ b/content/en/examples/examples_test.go
@@ -34,6 +34,9 @@ import (
 	"k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 
+	"k8s.io/kubernetes/pkg/apis/admissionregistration"
+	admreg_validation "k8s.io/kubernetes/pkg/apis/admissionregistration/validation"
+
 	"k8s.io/kubernetes/pkg/apis/apps"
 	apps_validation "k8s.io/kubernetes/pkg/apis/apps/validation"
 
@@ -65,6 +68,7 @@ import (
 	"k8s.io/kubernetes/pkg/registry/batch/job"
 
 	// initialize install packages
+	_ "k8s.io/kubernetes/pkg/apis/admissionregistration/install"
 	_ "k8s.io/kubernetes/pkg/apis/apps/install"
 	_ "k8s.io/kubernetes/pkg/apis/autoscaling/install"
 	_ "k8s.io/kubernetes/pkg/apis/batch/install"
@@ -102,6 +106,7 @@ func (g TestGroup) Codec() runtime.Codec {
 func initGroups() {
 	Groups = make(map[string]TestGroup)
 	groupNames := []string{
+		admissionregistration.GroupName,
 		api.GroupName,
 		apps.GroupName,
 		autoscaling.GroupName,
@@ -152,7 +157,6 @@ func getCodecForObject(obj runtime.Object) (runtime.Codec, error) {
 
 func validateObject(obj runtime.Object) (errors field.ErrorList) {
 	podValidationOptions := validation.PodValidationOptions{
-		AllowDownwardAPIHugePages:       true,
 		AllowInvalidPodDeletionCost:     false,
 		AllowIndivisibleHugePagesValues: true,
 		AllowExpandedDNSConfig:          true,
@@ -170,6 +174,10 @@ func validateObject(obj runtime.Object) (errors field.ErrorList) {
 	// Enable CustomPodDNS for testing
 	// feature.DefaultFeatureGate.Set("CustomPodDNS=true")
 	switch t := obj.(type) {
+	case *admissionregistration.ValidatingWebhookConfiguration:
+		errors = admreg_validation.ValidateValidatingWebhookConfiguration(t)
+	case *admissionregistration.ValidatingAdmissionPolicy:
+		errors = admreg_validation.ValidateValidatingAdmissionPolicy(t)
 	case *api.ConfigMap:
 		if t.Namespace == "" {
 			t.Namespace = api.NamespaceDefault
@@ -390,7 +398,10 @@ func TestExampleObjectSchemas(t *testing.T) {
 	// Please help maintain the alphabeta order in the map
 	cases := map[string]map[string][]runtime.Object{
 		"access": {
-			"endpoints-aggregated": {&rbac.ClusterRole{}},
+			"deployment-replicas-policy":                   {&admissionregistration.ValidatingAdmissionPolicy{}},
+			"endpoints-aggregated":                         {&rbac.ClusterRole{}},
+			"validating-admission-policy-audit-annotation": {&admissionregistration.ValidatingAdmissionPolicy{}},
+			"validating-admission-policy-match-conditions": {&admissionregistration.ValidatingAdmissionPolicy{}},
 		},
 		"access/certificate-signing-request": {
 			"clusterrole-approve": {&rbac.ClusterRole{}},
@@ -544,20 +555,21 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"configure-pod":       {&api.Pod{}},
 		},
 		"controllers": {
-			"daemonset":                      {&apps.DaemonSet{}},
-			"fluentd-daemonset":              {&apps.DaemonSet{}},
-			"fluentd-daemonset-update":       {&apps.DaemonSet{}},
-			"frontend":                       {&apps.ReplicaSet{}},
-			"hpa-rs":                         {&autoscaling.HorizontalPodAutoscaler{}},
-			"job":                            {&batch.Job{}},
-			"job-pod-failure-policy-example": {&batch.Job{}},
-			"job-pod-failure-policy-failjob": {&batch.Job{}},
-			"job-pod-failure-policy-ignore":  {&batch.Job{}},
-			"replicaset":                     {&apps.ReplicaSet{}},
-			"replication":                    {&api.ReplicationController{}},
-			"replication-nginx-1.14.2":       {&api.ReplicationController{}},
-			"replication-nginx-1.16.1":       {&api.ReplicationController{}},
-			"nginx-deployment":               {&apps.Deployment{}},
+			"daemonset":                           {&apps.DaemonSet{}},
+			"fluentd-daemonset":                   {&apps.DaemonSet{}},
+			"fluentd-daemonset-update":            {&apps.DaemonSet{}},
+			"frontend":                            {&apps.ReplicaSet{}},
+			"hpa-rs":                              {&autoscaling.HorizontalPodAutoscaler{}},
+			"job":                                 {&batch.Job{}},
+			"job-pod-failure-policy-config-issue": {&batch.Job{}},
+			"job-pod-failure-policy-example":      {&batch.Job{}},
+			"job-pod-failure-policy-failjob":      {&batch.Job{}},
+			"job-pod-failure-policy-ignore":       {&batch.Job{}},
+			"replicaset":                          {&apps.ReplicaSet{}},
+			"replication":                         {&api.ReplicationController{}},
+			"replication-nginx-1.14.2":            {&api.ReplicationController{}},
+			"replication-nginx-1.16.1":            {&api.ReplicationController{}},
+			"nginx-deployment":                    {&apps.Deployment{}},
 		},
 		"debug": {
 			"counter-pod":                     {&api.Pod{}},
@@ -627,6 +639,7 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"qos-pod-2": {&api.Pod{}},
 			"qos-pod-3": {&api.Pod{}},
 			"qos-pod-4": {&api.Pod{}},
+			"qos-pod-5": {&api.Pod{}},
 		},
 		"pods/resource": {
 			"cpu-request-limit":       {&api.Pod{}},
@@ -678,13 +691,15 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"mysecretname": {&api.Secret{}},
 		},
 		"security": {
+			"example-baseline-pod":   {&api.Pod{}},
 			"podsecurity-baseline":   {&api.Namespace{}},
 			"podsecurity-privileged": {&api.Namespace{}},
 			"podsecurity-restricted": {&api.Namespace{}},
 		},
 		"service": {
-			"nginx-service":         {&api.Service{}},
-			"load-balancer-example": {&apps.Deployment{}},
+			"nginx-service":                 {&api.Service{}},
+			"load-balancer-example":         {&apps.Deployment{}},
+			"pod-with-graceful-termination": {&apps.Deployment{}},
 		},
 		"service/access": {
 			"backend-deployment":  {&apps.Deployment{}},
diff --git a/go.mod b/go.mod
index c84a9c62aa0..23d361595c5 100644
--- a/go.mod
+++ b/go.mod
@@ -1,55 +1,68 @@
 module k8s.io/website
 
-go 1.19
+go 1.20
 
 require (
-	k8s.io/apimachinery v0.26.0
+	k8s.io/apimachinery v0.27.0
 	k8s.io/kubernetes v0.0.0
 )
 
 require (
+	github.com/NYTimes/gziphandler v1.1.1 // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/coreos/go-semver v0.3.0 // indirect
-	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
+	github.com/coreos/go-systemd/v22 v22.4.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.20.0 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.1 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/cel-go v0.12.6 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
-	github.com/google/uuid v1.1.2 // indirect
+	github.com/google/uuid v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
+	github.com/imdario/mergo v0.3.6 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
+	github.com/mitchellh/mapstructure v1.4.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.14.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
+	github.com/spf13/cobra v1.6.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	go.etcd.io/etcd/api/v3 v3.5.5 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.5 // indirect
-	go.etcd.io/etcd/client/v3 v3.5.5 // indirect
+	github.com/stoewer/go-strcase v1.2.0 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.7 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.7 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.7 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 // indirect
 	go.opentelemetry.io/otel v1.10.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0 // indirect
@@ -61,60 +74,67 @@ require (
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.19.0 // indirect
-	golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect
+	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/net v0.8.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
-	golang.org/x/sys v0.3.0 // indirect
-	golang.org/x/term v0.3.0 // indirect
-	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/term v0.6.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect
-	google.golang.org/grpc v1.49.0 // indirect
+	google.golang.org/grpc v1.51.0 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.26.0 // indirect
-	k8s.io/apiserver v0.0.0 // indirect
-	k8s.io/client-go v0.26.0 // indirect
-	k8s.io/component-base v0.26.0 // indirect
-	k8s.io/component-helpers v0.0.0 // indirect
-	k8s.io/klog/v2 v2.80.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
-	k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect
-	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.33 // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	k8s.io/api v0.27.0 // indirect
+	k8s.io/apiserver v0.27.0 // indirect
+	k8s.io/client-go v0.27.0 // indirect
+	k8s.io/cloud-provider v0.0.0 // indirect
+	k8s.io/component-base v0.27.0 // indirect
+	k8s.io/component-helpers v0.27.0 // indirect
+	k8s.io/controller-manager v0.27.0 // indirect
+	k8s.io/klog/v2 v2.90.1 // indirect
+	k8s.io/kms v0.27.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a // indirect
+	k8s.io/kubelet v0.0.0 // indirect
+	k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.1 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
 replace (
-	k8s.io/api => k8s.io/api v0.26.0
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.26.0
-	k8s.io/apimachinery => k8s.io/apimachinery v0.26.0
-	k8s.io/apiserver => k8s.io/apiserver v0.26.0
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.26.0
-	k8s.io/client-go => k8s.io/client-go v0.26.0
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.26.0
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.26.0
-	k8s.io/code-generator => k8s.io/code-generator v0.26.0
-	k8s.io/component-base => k8s.io/component-base v0.26.0
-	k8s.io/component-helpers => k8s.io/component-helpers v0.26.0
-	k8s.io/controller-manager => k8s.io/controller-manager v0.26.0
-	k8s.io/cri-api => k8s.io/cri-api v0.26.0
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.26.0
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.26.0
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.26.0
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.26.0
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.26.0
-	k8s.io/kubectl => k8s.io/kubectl v0.26.0
-	k8s.io/kubelet => k8s.io/kubelet v0.26.0
+	k8s.io/api => k8s.io/api v0.27.0
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.27.0
+	k8s.io/apimachinery => k8s.io/apimachinery v0.27.0
+	k8s.io/apiserver => k8s.io/apiserver v0.27.0
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.27.0
+	k8s.io/client-go => k8s.io/client-go v0.27.0
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.27.0
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.27.0
+	k8s.io/code-generator => k8s.io/code-generator v0.27.0
+	k8s.io/component-base => k8s.io/component-base v0.27.0
+	k8s.io/component-helpers => k8s.io/component-helpers v0.27.0
+	k8s.io/controller-manager => k8s.io/controller-manager v0.27.0
+	k8s.io/cri-api => k8s.io/cri-api v0.27.0
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.27.0
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.27.0
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.27.0
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.27.0
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.27.0
+	k8s.io/kubectl => k8s.io/kubectl v0.27.0
+	k8s.io/kubelet => k8s.io/kubelet v0.27.0
 	k8s.io/kubernetes => ../kubernetes
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.26.0
-	k8s.io/metrics => k8s.io/metrics v0.26.0
-	k8s.io/mount-utils => k8s.io/mount-utils v0.26.0
-	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.26.0
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.26.0
-	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.26.0
-	k8s.io/sample-controller => k8s.io/sample-controller v0.26.0
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.27.0
+	k8s.io/metrics => k8s.io/metrics v0.27.0
+	k8s.io/mount-utils => k8s.io/mount-utils v0.27.0
+	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.27.0
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.27.0
+	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.27.0
+	k8s.io/sample-controller => k8s.io/sample-controller v0.27.0
 )
diff --git a/go.sum b/go.sum
index 9d1140f1e7e..013dc6455fc 100644
--- a/go.sum
+++ b/go.sum
@@ -32,8 +32,11 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
+github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -41,6 +44,10 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 h1:yL7+Jz0jTC6yykIK/Wh74gnTJnrGr5AyrNMXuA0gves=
+github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -70,8 +77,9 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI=
-github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/coreos/go-systemd/v22 v22.4.0 h1:y9YHcjnjynCd/DVbg5j9L/33jQM3MxJlbj/zWskzfGU=
+github.com/coreos/go-systemd/v22 v22.4.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -80,22 +88,22 @@ github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6
 github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
-github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE=
 github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=
+github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -114,25 +122,28 @@ github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
 github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
-github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA=
-github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo=
-github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng=
-github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
+github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A=
+github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8=
+github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
 github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
@@ -155,11 +166,14 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
+github.com/google/cel-go v0.12.6 h1:kjeKudqV0OygrAqA9fX6J55S8gj+Jre2tckIm5RoG4M=
+github.com/google/cel-go v0.12.6/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw=
 github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54=
 github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -186,9 +200,11 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
@@ -202,6 +218,10 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4Zs
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
+github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
@@ -222,17 +242,19 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxv
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
-github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.2 h1:hAHbPm5IJGijwng3PWk09JkG9WeqChjprR5s9bBZ+OM=
 github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -244,10 +266,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/onsi/ginkgo/v2 v2.4.0 h1:+Ig9nvqgS5OBSACXNk15PLdp0U9XPYROt9CFzVdFGIs=
-github.com/onsi/gomega v1.23.0 h1:/oxKu9c2HVap+F3PfKort2Hw5DEU+HGlW8n+tguWsys=
+github.com/onsi/ginkgo/v2 v2.9.1 h1:zie5Ly042PD3bsCvsSOPvRnFwyo3rKe64TJlD6nu0mk=
+github.com/onsi/gomega v1.27.4 h1:Z2AnStgsdSayCMDiCU42qIz+HLqEPcgiOCXjAU/w+8E=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -260,7 +280,6 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
-github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
 github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
 github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
@@ -287,42 +306,50 @@ github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
-github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spf13/cobra v1.6.0 h1:42a0n6jwCot1pUmomAp4T7DeMD+20LFv4Q54pxLf2LI=
+github.com/spf13/cobra v1.6.0/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 h1:uruHq4dN7GR16kFc5fp3d1RIYzJW5onx8Ybykw2YQFA=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
-go.etcd.io/etcd/api/v3 v3.5.5 h1:BX4JIbQ7hl7+jL+g+2j5UAr0o1bctCm6/Ct+ArBGkf0=
-go.etcd.io/etcd/api/v3 v3.5.5/go.mod h1:KFtNaxGDw4Yx/BA4iPPwevUTAuqcsPxzyX8PHydchN8=
-go.etcd.io/etcd/client/pkg/v3 v3.5.5 h1:9S0JUVvmrVl7wCF39iTQthdaaNIiAaQbmK75ogO6GU8=
-go.etcd.io/etcd/client/pkg/v3 v3.5.5/go.mod h1:ggrwbk069qxpKPq8/FKkQ3Xq9y39kbFR4LnKszpRXeQ=
-go.etcd.io/etcd/client/v2 v2.305.5 h1:DktRP60//JJpnPC0VBymAN/7V71GHMdjDCBt4ZPXDjI=
-go.etcd.io/etcd/client/v3 v3.5.5 h1:q++2WTJbUgpQu4B6hCuT7VkdwaTP7Qz6Daak3WzbrlI=
-go.etcd.io/etcd/client/v3 v3.5.5/go.mod h1:aApjR4WGlSumpnJ2kloS75h6aHUmAyaPLjHMxpc7E7c=
-go.etcd.io/etcd/pkg/v3 v3.5.5 h1:Ablg7T7OkR+AeeeU32kdVhw/AGDsitkKPl7aW73ssjU=
-go.etcd.io/etcd/raft/v3 v3.5.5 h1:Ibz6XyZ60OYyRopu73lLM/P+qco3YtlZMOhnXNS051I=
-go.etcd.io/etcd/server/v3 v3.5.5 h1:jNjYm/9s+f9A9r6+SC4RvNaz6AqixpOvhrFdT0PvIj0=
+go.etcd.io/etcd/api/v3 v3.5.7 h1:sbcmosSVesNrWOJ58ZQFitHMdncusIifYcrBfwrlJSY=
+go.etcd.io/etcd/api/v3 v3.5.7/go.mod h1:9qew1gCdDDLu+VwmeG+iFpL+QlpHTo7iubavdVDgCAA=
+go.etcd.io/etcd/client/pkg/v3 v3.5.7 h1:y3kf5Gbp4e4q7egZdn5T7W9TSHUvkClN6u+Rq9mEOmg=
+go.etcd.io/etcd/client/pkg/v3 v3.5.7/go.mod h1:o0Abi1MK86iad3YrWhgUsbGx1pmTS+hrORWc2CamuhY=
+go.etcd.io/etcd/client/v2 v2.305.7 h1:AELPkjNR3/igjbO7CjyF1fPuVPjrblliiKj+Y6xSGOU=
+go.etcd.io/etcd/client/v3 v3.5.7 h1:u/OhpiuCgYY8awOHlhIhmGIGpxfBU/GZBUP3m/3/Iz4=
+go.etcd.io/etcd/client/v3 v3.5.7/go.mod h1:sOWmj9DZUMyAngS7QQwCyAXXAL6WhgTOPLNS/NabQgw=
+go.etcd.io/etcd/pkg/v3 v3.5.7 h1:obOzeVwerFwZ9trMWapU/VjDcYUJb5OfgC1zqEGWO/0=
+go.etcd.io/etcd/raft/v3 v3.5.7 h1:aN79qxLmV3SvIq84aNTliYGmjwsW6NqJSnqmI1HLJKc=
+go.etcd.io/etcd/server/v3 v3.5.7 h1:BTBD8IJUV7YFgsczZMHhMTS67XuA4KpRquL0MFOJGRk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@@ -330,8 +357,8 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 h1:xFSRQBbXF6VvYRf2lqMJXxoB72XI1K/azav8TekHHSw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0/go.mod h1:h8TWwRAhQpOd0aM5nYsRD8+flnkj+526GEIVlarH7eY=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.0 h1:Ajldaqhxqw/gNzQA45IKFWLdG7jZuXX/wBW1d5qvbUI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.0/go.mod h1:9NiG9I2aHTKkcxqCILhjtyNA1QEiCjdBACv4IvrFQ+c=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 h1:sxoY9kG1s1WpSYNyzm24rlwH4lnRYFXUVVBmKMBfRgw=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1/go.mod h1:9NiG9I2aHTKkcxqCILhjtyNA1QEiCjdBACv4IvrFQ+c=
 go.opentelemetry.io/otel v1.10.0 h1:Y7DTJMR6zs1xkS/upamJYk0SxxN4C9AqRd77jmZnyY4=
 go.opentelemetry.io/otel v1.10.0/go.mod h1:NbvWjCthWHKBEUMpf0/v8ZRZlni86PpGFEMA9pnQSnQ=
 go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0 h1:TaB+1rQhddO1sF71MpZOZAuSPW1klK2M8XxfrBMfK7Y=
@@ -352,10 +379,9 @@ go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
-go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
+go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 go.uber.org/zap v1.19.0 h1:mZQZefskPPCMIBCSEH0v2/iUqqLrYtaeqwD6FUGUnFE=
 go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -365,6 +391,7 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
+golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -387,7 +414,6 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
@@ -396,7 +422,6 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -430,8 +455,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 h1:Frnccbp+ok2GkUS2tC84yAq/U9Vg+0sIO7aRL3T4Xnc=
-golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -451,7 +476,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -488,19 +514,19 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
-golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
+golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -509,8 +535,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -559,7 +585,7 @@ golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -619,7 +645,6 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
 google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 h1:hrbNEivu7Zn1pxvHk6MBrq9iE22woVILTHqexqBxe6I=
 google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
@@ -637,13 +662,11 @@ google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
 google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw=
-google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
+google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U=
+google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -664,12 +687,13 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
+gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -691,33 +715,40 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.26.0 h1:IpPlZnxBpV1xl7TGk/X6lFtpgjgntCg8PJ+qrPHAC7I=
-k8s.io/api v0.26.0/go.mod h1:k6HDTaIFC8yn1i6pSClSqIwLABIcLV9l5Q4EcngKnQg=
-k8s.io/apimachinery v0.26.0 h1:1feANjElT7MvPqp0JT6F3Ss6TWDwmcjLypwoPpEf7zg=
-k8s.io/apimachinery v0.26.0/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74=
-k8s.io/apiserver v0.26.0 h1:q+LqIK5EZwdznGZb8bq0+a+vCqdeEEe4Ux3zsOjbc4o=
-k8s.io/apiserver v0.26.0/go.mod h1:aWhlLD+mU+xRo+zhkvP/gFNbShI4wBDHS33o0+JGI84=
-k8s.io/client-go v0.26.0 h1:lT1D3OfO+wIi9UFolCrifbjUUgu7CpLca0AD8ghRLI8=
-k8s.io/client-go v0.26.0/go.mod h1:I2Sh57A79EQsDmn7F7ASpmru1cceh3ocVT9KlX2jEZg=
-k8s.io/component-base v0.26.0 h1:0IkChOCohtDHttmKuz+EP3j3+qKmV55rM9gIFTXA7Vs=
-k8s.io/component-base v0.26.0/go.mod h1:lqHwlfV1/haa14F/Z5Zizk5QmzaVf23nQzCwVOQpfC8=
-k8s.io/component-helpers v0.26.0 h1:KNgwqs3EUdK0HLfW4GhnbD+q/Zl9U021VfIU7qoVYFk=
-k8s.io/component-helpers v0.26.0/go.mod h1:jHN01qS/Jdj95WCbTe9S2VZ9yxpxXNY488WjF+yW4fo=
-k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
-k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E=
-k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
-k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs=
-k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/api v0.27.0 h1:2owttiA8Oa+J3idFeq8TSnNpm4y6AOGPI3PDbIpp2cE=
+k8s.io/api v0.27.0/go.mod h1:Wl+QRvQlh+T8SK5f4F6YBhhyH6hrFO08nl74xZb1MUE=
+k8s.io/apimachinery v0.27.0 h1:vEyy/PVMbPMCPutrssCVHCf0JNZ0Px+YqPi82K2ALlk=
+k8s.io/apimachinery v0.27.0/go.mod h1:5ikh59fK3AJ287GUvpUsryoMFtH9zj/ARfWCo3AyXTM=
+k8s.io/apiserver v0.27.0 h1:sXt/2yVMebZef6GqJHs4IYHSdSYwwrJCafBV/KSCwDw=
+k8s.io/apiserver v0.27.0/go.mod h1:8heEJ5f6EqiKwXC3Ez3ikgOvGtRSEQG/SQZkhO9UzIg=
+k8s.io/client-go v0.27.0 h1:DyZS1fJkv73tEy7rWv4VF6NwGeJ7SKvNaLRXZBYLA+4=
+k8s.io/client-go v0.27.0/go.mod h1:XVEmpNnM+4JYO3EENoFV/ZDv3KxKVJUnzGo70avk+C4=
+k8s.io/cloud-provider v0.27.0 h1:UWEvGvfd9VDRSrtmek7dDeHfUUtycHyvIO6TGI9bFJE=
+k8s.io/cloud-provider v0.27.0/go.mod h1:hUbqXpAWGaOTUhwL5k2QO9i2l9mEMhdMV9ChbvB3Gmw=
+k8s.io/component-base v0.27.0 h1:g3/FkscH8Uqg9SiDCEfhfhTVwKiVo4T2+iBwUqiFkMg=
+k8s.io/component-base v0.27.0/go.mod h1:PXyBQd/vYYjqqGB83rnsHffTTG6zlmxZAd0ZSOu6evk=
+k8s.io/component-helpers v0.27.0 h1:rymQGJc4s30hHeb5VGuPdht8gKIPecj+Bw2FOJSavE4=
+k8s.io/component-helpers v0.27.0/go.mod h1:vMjVwym/Y0BVyNvg8a4Et2vyPJAh/JhBM0OTRAt0Ceg=
+k8s.io/controller-manager v0.27.0 h1:xW0V4tXJfxRmc5OEwZn0GHU0auKySRJmlVMS/tqrWPw=
+k8s.io/controller-manager v0.27.0/go.mod h1:E9SEe60LMWkBTe7IUm1pVTrikc5tjzEl6RUNbBUdm3c=
+k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw=
+k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/kms v0.27.0 h1:adCotKQybOjxwbxW7ogXyv8uQGan/3Y126S2aNW4YFY=
+k8s.io/kms v0.27.0/go.mod h1:vI2R4Nhw+PZ+DYtVPVYKsIqip2IYjZWK9bESR64WdIw=
+k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a h1:gmovKNur38vgoWfGtP5QOGNOA7ki4n6qNYoFAgMlNvg=
+k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a/go.mod h1:y5VtZWM9sHHc2ZodIH/6SHzXj+TPU5USoA8lcIeKEKY=
+k8s.io/kubelet v0.27.0 h1:zn70SDJKNmRSFG2qeU2UITzZWdEbLVWIf/u1kd1raUQ=
+k8s.io/kubelet v0.27.0/go.mod h1:Z6ipUvM0AFzUWxvSmot8OodwcMN15lgkFM3bcBexBsI=
+k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY=
+k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.33 h1:LYqFq+6Cj2D0gFfrJvL7iElD4ET6ir3VDdhDdTK7rgc=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.33/go.mod h1:soWkSNf2tZC7aMibXEqVhCd73GOY5fJikn8qbdzemB0=
-sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k=
-sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.1 h1:MB1zkK+WMOmfLxEpjr1wEmkpcIhZC7kfTkZ0stg5bog=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.1/go.mod h1:/4NLd21PQY0B+H+X0aDZdwUiVXYJQl/2NXA5KVtDiP4=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
-sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=

From 1cec38acc0c65f1bf2c5b0e3fadd8ff176deb4d3 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Sun, 16 Apr 2023 11:16:24 +0800
Subject: [PATCH 227/272] sync blog
 2023-04-20-read-write-once-pod-access-mode-beta.md

sync blog 2023-04-20-read-write-once-pod-access-mode-beta.md
---
 ...20-read-write-once-pod-access-mode-beta.md | 205 ++++++++++++++++++
 1 file changed, 205 insertions(+)
 create mode 100644 content/zh-cn/blog/_posts/2023-04-20-read-write-once-pod-access-mode-beta.md

diff --git a/content/zh-cn/blog/_posts/2023-04-20-read-write-once-pod-access-mode-beta.md b/content/zh-cn/blog/_posts/2023-04-20-read-write-once-pod-access-mode-beta.md
new file mode 100644
index 00000000000..acb6db74c19
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2023-04-20-read-write-once-pod-access-mode-beta.md
@@ -0,0 +1,205 @@
+---
+layout: blog
+title: "Kubernetes 1.27: Single Pod Access Mode for PersistentVolumes Graduates to Beta"
+date: 2023-04-20
+slug: read-write-once-pod-access-mode-beta
+---
+
+
+
+**作者**:Chris Henzie (Google)
+
+**译者**:顾欣 (ICBC)
+
+
+随着 Kubernetes v1.27 的发布,ReadWriteOncePod 功能已经升级为 Beta 版。
+在这篇博客文章中,我们将更详细地介绍这个功能,作用以及在 Beta 版本中的发展。
+
+
+## 什么是 ReadWriteOncePod  {#what-is-readwriteoncepod}
+
+
+ReadWriteOncePod 是 Kubernetes 在 v1.22 中引入的一种新的访问模式,
+适用于 [PersistentVolume](/zh-cn/docs/concepts/storage/persistent-volumes/#persistent-volumes)(PVs)
+和 [PersistentVolumeClaim](/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)(PVCs)。
+此访问模式使你能够将存储卷访问限制在集群中的单个 Pod 上,确保一次只有一个 Pod 可以写入存储卷。
+这可能对需要单一写入者访问存储的有状态工作负载特别有用。
+
+
+要了解有关访问模式和 ReadWriteOncePod 如何工作的更多背景信息,
+请阅读 2021 年介绍 PersistentVolume 的单个 Pod 访问模式的文章中的[什么是访问模式和为什么它们如此重要?](/blog/2021/09/13/read-write-once-pod-access-mode-alpha/#what-are-access-modes-and-why-are-they-important)。
+
+
+## ReadWriteOncePod 的 Beta 版中变化  {#changes-in-the-readwriteoncepod-beta}
+
+
+ReadWriteOncePod Beta 版为使用 ReadWriteOncePod PVC 的 Pod 添加[调度器抢占](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)。
+
+
+调度器抢占允许更高优先级的 Pod 抢占较低优先级的 Pod,以便它们可以在同一节点上运行。
+在此版本中,如果更高优先级的 Pod 需要相同的 PVC,使用 ReadWriteOncePod PVCs 的 Pod 也可以被抢占。
+
+
+## 如何开始使用 ReadWriteOncePod?  {#how-can-i-start-using-readwriteoncepod}
+
+
+随着 ReadWriteOncePod 现已升级为 Beta 版,在 v1.27 及更高版本的集群中将默认启用该功能。
+
+
+请注意,ReadWriteOncePod [仅支持 CSI 卷](/zh-cn/docs/concepts/storage/persistent-volumes/#access-modes)。
+在使用此功能之前,你需要将以下 [CSI Sidecars](https://kubernetes-csi.github.io/docs/sidecar-containers.html)更新至以下版本或更高版本:
+
+
+- [csi-provisioner:v3.0.0+](https://github.com/kubernetes-csi/external-provisioner/releases/tag/v3.0.0)
+- [csi-attacher:v3.3.0+](https://github.com/kubernetes-csi/external-attacher/releases/tag/v3.3.0)
+- [csi-resizer:v1.3.0+](https://github.com/kubernetes-csi/external-resizer/releases/tag/v1.3.0)
+
+
+要开始使用 ReadWriteOncePod,请创建具有 ReadWriteOncePod 访问模式的 PVC:
+
+```yaml
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: single-writer-only
+spec:
+  accessModes:
+  - ReadWriteOncePod #仅允许一个容器访问且独占写入权限。
+  resources:
+    requests:
+      storage: 1Gi
+```
+
+
+如果你的存储插件支持[动态制备](/zh-cn/docs/concepts/storage/dynamic-provisioning/),
+新创建的持久卷将应用 ReadWriteOncePod 访问模式。
+
+阅读[迁移现有持久卷](/blog/2021/09/13/read-write-once-pod-access-mode-alpha/#migrating-existing-persistentvolumes)
+以了解如何迁移现有卷以使用 ReadWriteOncePod。
+
+
+## 如何了解更多信息? {#how-can-i-learn-more}
+
+
+请查看 [Alpha 版博客](/blog/2021/09/13/read-write-once-pod-access-mode-alpha)和
+[KEP-2485](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/2485-read-write-once-pod-pv-access-mode/README.md)
+以了解关于 ReadWriteOncePod 访问模式的更多详细信息以及对 CSI 规约作更改的动机。
+
+
+## 如何参与? {#how-do-i-get-involved}
+
+
+[Kubernetes #csi Slack](https://kubernetes.slack.com/messages/csi)频道以及任何常规的
+[SIG 存储沟通渠道](https://github.com/kubernetes/community/blob/master/sig-storage/README.md#contact)
+都是联系 SIG 存储和 CSI 团队的最佳途径。
+
+
+特别感谢以下人士的仔细的审查和反馈,帮助完成了这个功能:
+
+
+* Abdullah Gharaibeh (ahg-g)
+* Aldo Culquicondor (alculquicondor)
+* Antonio Ojea (aojea)
+* David Eads (deads2k)
+* Jan Šafránek (jsafrane)
+* Joe Betz (jpbetz)
+* Kante Yin (kerthcet)
+* Michelle Au (msau42)
+* Tim Bannister (sftim)
+* Xing Yang (xing-yang)
+
+
+如果您有兴趣参与 CSI 或 Kubernetes 存储系统的任何部分的设计和开发,
+请加入 [Kubernetes 存储特别兴趣小组](https://github.com/kubernetes/community/tree/master/sig-storage)(SIG)。
+我们正在迅速发展,始终欢迎新的贡献者。
\ No newline at end of file

From f368fe085ce603de5dadf3ca68dd31a27bc8af80 Mon Sep 17 00:00:00 2001
From: Ricardo Katz 
Date: Sun, 16 Apr 2023 17:32:25 -0300
Subject: [PATCH 228/272] Add missing index on pt-br tasks

---
 content/pt-br/docs/tasks/configure-pod-container/_index.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 content/pt-br/docs/tasks/configure-pod-container/_index.md

diff --git a/content/pt-br/docs/tasks/configure-pod-container/_index.md b/content/pt-br/docs/tasks/configure-pod-container/_index.md
new file mode 100644
index 00000000000..9fa656fb20a
--- /dev/null
+++ b/content/pt-br/docs/tasks/configure-pod-container/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Configurar Pods e Contêineres"
+description: Realizar tarefas comuns de configuração de Pods e contêineres 
+weight: 30
+---
\ No newline at end of file

From b5130362639674da47351a0c155f6ebb3449918e Mon Sep 17 00:00:00 2001
From: Guangwen Feng 
Date: Fri, 14 Apr 2023 17:25:39 +0800
Subject: [PATCH 229/272] [zh-cn] Sync pod-lifecycle.md

Signed-off-by: Guangwen Feng 
---
 .../concepts/workloads/pods/pod-lifecycle.md  | 71 ++++++++++++++-----
 1 file changed, 52 insertions(+), 19 deletions(-)

diff --git a/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md b/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
index b944e99b709..1af273c7a47 100644
--- a/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
@@ -148,12 +148,13 @@ Pod 阶段的数量和含义是严格定义的。
 下面是 `phase` 可能的值:
 
 
 取值 | 描述
 :-----|:-----------
@@ -176,6 +177,18 @@ Pod 被赋予一个可以体面终止的期限,默认为 30 秒。
 你可以使用 `--force` 参数来[强制终止 Pod](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination-forced)。
 {{< /note >}}
 
+
+从 Kubernetes 1.27 开始,除了[静态 Pod](/zh-cn/docs/tasks/configure-pod-container/static-pod/)
+和没有 Finalizer 的[强制终止 Pod](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination-forced)
+之外,`kubelet` 会将已删除的 Pod 转换到终止阶段
+(`Failed` 或 `Succeeded` 具体取决于 Pod 容器的退出状态),然后再从 API 服务器中删除。
+
 
-3. 在 `kubelet` 启动体面关闭逻辑的同时,控制面会将关闭的 Pod 从对应的
-   EndpointSlice(和 Endpoints)对象中移除,过滤条件是 Pod
+3. 在 `kubelet` 启动 Pod 的体面关闭逻辑的同时,控制平面会评估是否将关闭的
+   Pod 从对应的 EndpointSlice(和端点)对象中移除,过滤条件是 Pod
    被对应的{{< glossary_tooltip term_id="service" text="服务" >}}以某
    {{< glossary_tooltip text="选择算符" term_id="selector" >}}选定。
    {{< glossary_tooltip text="ReplicaSet" term_id="replica-set" >}}
    和其他工作负载资源不再将关闭进程中的 Pod 视为合法的、能够提供服务的副本。
-   关闭动作很慢的 Pod 也无法继续处理请求数据,
-   因为负载均衡器(例如服务代理)已经在终止宽限期开始的时候将其从端点列表中移除。
+   关闭动作很慢的 Pod 不应继续处理常规服务请求,而应开始终止并完成对打开的连接的处理。
+   一些应用程序不仅需要完成对打开的连接的处理,还需要更进一步的体面终止逻辑 -
+   比如:排空和完成会话。任何正在终止的 Pod 所对应的端点都不会立即从 EndpointSlice
+   中被删除,EndpointSlice API(以及传统的 Endpoints API)会公开一个状态来指示其处于
+   [终止状态](/zh-cn/docs/concepts/services-networking/endpoint-slices/#conditions)。
+   正在终止的端点始终将其 `ready` 状态设置为 `false`(为了向后兼容 1.26 之前的版本),
+   因此负载均衡器不会将其用于常规流量。
+   如果需要排空正被终止的 Pod 上的流量,可以将 `serving` 状况作为实际的就绪状态。
+   你可以在教程
+   [探索 Pod 及其端点的终止行为](/zh-cn/docs/tutorials/services/pods-and-endpoint-termination-flow/)
+   中找到有关如何实现连接排空的更多详细信息。
+
    {{}}
    
 ### 容器资源指标   {#container-resource-metrics}
 
-{{< feature-state for_k8s_version="v1.20" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
 
 

From 6e985800b286f216ada24e7c2e8209e47014ace8 Mon Sep 17 00:00:00 2001
From: Arhell 
Date: Tue, 18 Apr 2023 00:28:03 +0300
Subject: [PATCH 233/272] [id] Fix mismatch in Labels and Selectors concept
 page

---
 .../id/docs/concepts/overview/working-with-objects/labels.md    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/id/docs/concepts/overview/working-with-objects/labels.md b/content/id/docs/concepts/overview/working-with-objects/labels.md
index 90f58d5a5a5..dc4c16da733 100644
--- a/content/id/docs/concepts/overview/working-with-objects/labels.md
+++ b/content/id/docs/concepts/overview/working-with-objects/labels.md
@@ -172,7 +172,7 @@ Seperti yang telah disebutkan sebelumnya, kondisi _set-based_ lebih ekspresif.
 kubectl get pods -l 'environment in (production, qa)'
 ```
 
-atau membatasi pencocokan negatif dengan operator _exists_:
+atau membatasi pencocokan negatif dengan operator _notin_:
 
 ```shell
 kubectl get pods -l 'environment,environment notin (frontend)'

From 53ca344721be1df7db20ae5fcf129bd250b4e53d Mon Sep 17 00:00:00 2001
From: Paul Sanford 
Date: Mon, 17 Apr 2023 16:52:42 -0600
Subject: [PATCH 234/272] Fix references to exclude-from-external-load-balancer
 (add s)

The annotation is "node.kubernetes.io/exclude-from-external-load-balancers," but the docs refer to it twice as "node.kubernetes.io/exclude-from-external-load-balancer" (without the s at the end). This change fixes those references.
---
 content/en/docs/reference/labels-annotations-taints/_index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/reference/labels-annotations-taints/_index.md b/content/en/docs/reference/labels-annotations-taints/_index.md
index 5ede3e30731..0ef92685794 100644
--- a/content/en/docs/reference/labels-annotations-taints/_index.md
+++ b/content/en/docs/reference/labels-annotations-taints/_index.md
@@ -339,9 +339,9 @@ Used on: ServiceAccount
 
 The value for this annotation must be **true** to take effect. This annotation indicates that pods running as this service account may only reference Secret API objects specified in the service account's `secrets` field.
 
-### node.kubernetes.io/exclude-from-external-load-balancer
+### node.kubernetes.io/exclude-from-external-load-balancers
 
-Example: `node.kubernetes.io/exclude-from-external-load-balancer`
+Example: `node.kubernetes.io/exclude-from-external-load-balancers`
 
 Used on: Node
 

From 38c756b3b261f7637a647a0904d72ea9b39acf0d Mon Sep 17 00:00:00 2001
From: ydFu 
Date: Tue, 18 Apr 2023 14:56:38 +0800
Subject: [PATCH 235/272] [zh] sync
 tasks/configure-pod-container/migrate-from-psp.md

Signed-off-by: ydFu 
---
 .../docs/tasks/configure-pod-container/migrate-from-psp.md     | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md b/content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md
index e99a2c04b1b..d5da098123c 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md
@@ -12,6 +12,7 @@ reviewers:
 - liggitt
 content_type: task
 min-kubernetes-server-version: v1.22
+weight: 260
 -->
 
 
@@ -388,7 +389,7 @@ For each updated PodSecurityPolicy:
 3. Create the new PodSecurityPolicies. If any Roles or ClusterRoles are granting `use` on all PSPs
    this could cause the new PSPs to be used instead of their mutating counter-parts.
 4. Update your authorization to grant access to the new PSPs. In RBAC this means updating any Roles
-   or ClusterRoles that grant the `use` permision on the original PSP to also grant it to the
+   or ClusterRoles that grant the `use` permission on the original PSP to also grant it to the
    updated PSP.
 -->
 3. 创建新的 PodSecurityPolicy。如果存在 Role 或 ClusterRole 对象为用户授权了在所有 PSP

From 4e239493a2d02f9de663d13b9170bcd3ecbf7135 Mon Sep 17 00:00:00 2001
From: nishipy 
Date: Tue, 18 Apr 2023 07:56:09 -0400
Subject: [PATCH 236/272] Update design doc reference link of PLEG

Signed-off-by: nishipy 
---
 content/ru/docs/concepts/_index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ru/docs/concepts/_index.md b/content/ru/docs/concepts/_index.md
index 93fbc731a10..19e42ed49e9 100644
--- a/content/ru/docs/concepts/_index.md
+++ b/content/ru/docs/concepts/_index.md
@@ -17,7 +17,7 @@ weight: 40
 
 Чтобы работать с Kubernetes, вы используете *объекты API Kubernetes* для описания *желаемого состояния вашего кластера*: какие приложения или другие рабочие нагрузки вы хотите запустить, какие образы контейнеров они используют, количество реплик, какие сетевые и дисковые ресурсы вы хотите использовать и сделать доступными и многое другое. Вы устанавливаете желаемое состояние, создавая объекты с помощью API Kubernetes, обычно через интерфейс командной строки `kubectl`. Вы также можете напрямую использовать API Kubernetes для взаимодействия с кластером и установки или изменения желаемого состояния.
 
-После того, как вы установили желаемое состояние, *Плоскость управления Kubernetes* заставляет текущее состояние кластера соответствовать желаемому состоянию с помощью генератора событий жизненного цикла подов ([Pod Lifecycle Event Generator, PLEG](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/pod-lifecycle-event-generator.md)). Для этого Kubernetes автоматически выполняет множество задач, таких как запуск или перезапуск контейнеров, масштабирование количества реплик данного приложения и многое другое. Плоскость управления Kubernetes состоит из набора процессов, запущенных в вашем кластере:
+После того, как вы установили желаемое состояние, *Плоскость управления Kubernetes* заставляет текущее состояние кластера соответствовать желаемому состоянию с помощью генератора событий жизненного цикла подов ([Pod Lifecycle Event Generator, PLEG](https://github.com/kubernetes/design-proposals-archive/blob/main/node/pod-lifecycle-event-generator.md)). Для этого Kubernetes автоматически выполняет множество задач, таких как запуск или перезапуск контейнеров, масштабирование количества реплик данного приложения и многое другое. Плоскость управления Kubernetes состоит из набора процессов, запущенных в вашем кластере:
 
 * **Мастер Kubernetes** — это коллекция из трех процессов, которые выполняются на одном узле в вашем кластере, который обозначен как главный узел. Это процессы: [kube-apiserver](/docs/admin/kube-apiserver/), [kube-controller-manager](/docs/admin/kube-controller-manager/) и [kube-scheduler](/docs/admin/kube-scheduler/).
 * Каждый отдельный неосновной узел в вашем кластере выполняет два процесса:

From b2a9c3cd75b1f3ae30c18b39f606d4a5c52f3a3b Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Tue, 18 Apr 2023 19:28:45 +0800
Subject: [PATCH 237/272] sync configure-pdb.md

sync configure-pdb.md
---
 .../zh-cn/docs/tasks/run-application/configure-pdb.md  | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/content/zh-cn/docs/tasks/run-application/configure-pdb.md b/content/zh-cn/docs/tasks/run-application/configure-pdb.md
index 6b2da2697c2..0fb6a139a23 100644
--- a/content/zh-cn/docs/tasks/run-application/configure-pdb.md
+++ b/content/zh-cn/docs/tasks/run-application/configure-pdb.md
@@ -429,18 +429,18 @@ These pods are tracked via `.status.currentHealthy` field in the PDB status.
 -->
 ## 不健康的 Pod 驱逐策略   {#unhealthy-pod-eviction-policy}
 
-{{< feature-state for_k8s_version="v1.26" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.26" state="beta" >}}
 
 {{< note >}}
 
-为了使用此行为,你必须在
-[API 服务器](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/)上启用
+此特性默认启用,你可以通过在
+[API 服务器](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/)上禁用
 `PDBUnhealthyPodEvictionPolicy`
-[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)来禁用它。
 {{< /note >}}
 
 
-请注意 **如果你的容器运行时环境不支持用户名字空间,字段 `pod.spec` 将被忽略,
+请注意 **如果你的容器运行时环境不支持用户名字空间,那么 Pod 规约中的 `hostUsers` 字段将被静默忽略,
 并且系统会在没有用户名字空间的环境中创建 Pod。**
 
 

From 729689eeb5cc3d138539dd2d34a63f1333cb1ec0 Mon Sep 17 00:00:00 2001
From: Arhell 
Date: Wed, 19 Apr 2023 00:20:15 +0300
Subject: [PATCH 239/272] [id] Fixed Calico Quickstart link

---
 .../network-policy-provider/calico-network-policy.md            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/id/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md b/content/id/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md
index 9eb79e76769..a7a7bb457da 100644
--- a/content/id/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md
+++ b/content/id/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md
@@ -42,7 +42,7 @@ Putuskan apakah kamu ingin menggelar (_deploy_) sebuah klaster di [_cloud_](#mem
 
 Untuk membuat satu klaster Calico dengan hos tunggal dalam waktu lima belas menit dengan menggunakan kubeadm, silakan merujuk pada
 
-[Memulai cepat Calico](https://docs.projectcalico.org/latest/getting-started/kubernetes/).
+[Memulai cepat Calico](https://projectcalico.docs.tigera.io/getting-started/kubernetes/).
 
 
 ## {{% heading "whatsnext" %}}

From 06ac68baf6b1baaa1be0b7e6ed6c561b24810f6b Mon Sep 17 00:00:00 2001
From: windsonsea 
Date: Tue, 18 Apr 2023 16:21:09 +0800
Subject: [PATCH 240/272] [zh] sync /tutorials/security/seccomp.md

---
 .../zh-cn/docs/tutorials/security/seccomp.md  | 98 ++++++++++---------
 1 file changed, 52 insertions(+), 46 deletions(-)

diff --git a/content/zh-cn/docs/tutorials/security/seccomp.md b/content/zh-cn/docs/tutorials/security/seccomp.md
index 6d469437853..08e8c28408b 100644
--- a/content/zh-cn/docs/tutorials/security/seccomp.md
+++ b/content/zh-cn/docs/tutorials/security/seccomp.md
@@ -33,7 +33,7 @@ profiles that give only the necessary privileges to your container processes.
 -->
 Seccomp 代表安全计算(Secure Computing)模式,自 2.6.12 版本以来,一直是 Linux 内核的一个特性。
 它可以用来沙箱化进程的权限,限制进程从用户态到内核态的调用。
-Kubernetes 能使你自动将加载到 {{< glossary_tooltip text="节点" term_id="node" >}}上的
+Kubernetes 能使你自动将加载到{{< glossary_tooltip text="节点" term_id="node" >}}上的
 seccomp 配置文件应用到你的 Pod 和容器。
 
 识别你的工作负载所需要的权限是很困难的。在本篇教程中,
@@ -137,6 +137,7 @@ ls profiles
 You should see three profiles listed at the end of the final step:
 -->
 你应该看到在最后一步的末尾列出有三个配置文件:
+
 ```
 audit.json  fine-grained.json  violation.json
 ```
@@ -150,7 +151,6 @@ so each node of the cluster is a container. This allows for files
 to be mounted in the filesystem of each container similar to loading files
 onto a node.
 -->
-
 ## 使用 kind 创建本地 Kubernetes 集群 {#create-a-local-kubernetes-cluster-with-kind}
 
 为简单起见,[kind](https://kind.sigs.k8s.io/) 可用来创建加载了 seccomp 配置文件的单节点集群。
@@ -163,6 +163,7 @@ Kind 在 Docker 中运行 Kubernetes,因此集群的每个节点都是一个
 Download that example kind configuration, and save it to a file named `kind.yaml`:
 -->
 下载该示例 kind 配置,并将其保存到名为 `kind.yaml` 的文件中:
+
 ```shell
 curl -L -O https://k8s.io/examples/pods/security/seccomp/kind.yaml
 ```
@@ -233,6 +234,12 @@ of the kubelet. Use `docker exec` to run a command in the Pod:
 你应该会看到 `profiles/` 目录已成功加载到 kubelet 的默认 seccomp 路径中。
 使用 `docker exec` 在 Pod 中运行命令:
 
+
 ```shell
 # 将 6a96207fed4b 更改为你从 “docker ps” 看到的容器 ID
 docker exec -it 6a96207fed4b ls /var/lib/kubelet/seccomp/profiles
@@ -253,21 +260,17 @@ running within kind.
 -->
 ## 启用使用 `RuntimeDefault` 作为所有工作负载的默认 seccomp 配置文件 {#enable-runtimedefault-as-default}
 
-{{< feature-state state="beta" for_k8s_version="v1.25" >}}
+{{< feature-state state="stable" for_k8s_version="v1.27" >}}
 
 
-要使用 Seccomp(安全计算模式)配置文件来设定默认值,你必须要在启用 `SeccompDefault`
-[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)的情况下运行 kubelet
-(这是默认值)。
-你还必须显式地启用每个节点的默认行为,以及相应的
-`--seccomp-default` [命令行标志](/zh-cn/docs/reference/command-line-tools-reference/kubelet)。两者必须同时启用才能使用该特性。
+要使用 Seccomp(安全计算模式)配置文件采用默认设置这一行为,你必须使用在想要启用此行为的每个节点上启用
+`--seccomp-default`
+[命令行标志](/zh-cn/docs/reference/command-line-tools-reference/kubelet)来运行 kubelet。
 
 
 Kubernetes {{< skew currentVersion >}} 允许你配置 Seccomp 配置文件,
 当 Pod 的规约未定义特定的 Seccomp 配置文件时应用该配置文件。
-这是一个 Beta 特性,默认启用相应的 `SeccompDefault` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 但是,你仍然需要为要使用它的每个节点启用此默认设置。
 
 
-如果你已经启用了 `SeccompDefault` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/),
+如果你已经启用了 `seccompDefault` [配置](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/),
 只要没有指定其他 seccomp 配置文件,那么 Pod 就会使用 `RuntimeDefault` seccomp 配置文件。
 否则,默认值为 `Unconfined`。
 {{< /note >}}
@@ -506,26 +503,15 @@ Here's a manifest for that Pod:
 
 {{< note >}}
 
-已弃用的 seccomp 注解 `seccomp.security.alpha.kubernetes.io/pod`(针对整个 Pod)和
-`container.seccomp.security.alpha.kubernetes.io/[name]`(针对单个容器)
-将随着未来 Kubernetes 的发布而被删除。
-请在可能的情况下使用原生 API 字段而不是注解。
-
-从 Kubernetes v1.25 开始,kubelet 不再支持这些注解,
-也不再支持在静态 Pod 中使用注解,并且当创建带有 seccomp 字段的 Pod 时不再自动填充 seccomp 注解。
-从注释中自动填充 seccomp 字段的特性,将计划在未来的版本中删除。
+旧版本的 Kubernetes 允许你使用{{< glossary_tooltip text="注解" term_id="annotation" >}}配置
+seccomp 行为。Kubernetes {{< skew currentVersion >}} 仅支持使用位于 `.spec.securityContext`
+内的字段来配置 seccomp。本教程将阐述这个方法。
 {{< /note >}}
 
 
 ```shell
 # 将 6a96207fed4b 更改为你从 “docker ps” 看到的控制平面容器 ID
 docker exec -it 6a96207fed4b curl localhost:32373
@@ -625,6 +617,7 @@ For example:
 如果你在控制平面容器中 `curl` 端点,你会看到更多的写入。
 
 例如:
+
 ```
 Jul  6 15:37:40 my-machine kernel: [369128.669452] audit: type=1326 audit(1594067860.484:14536): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=29064 comm="http-echo" exe="/http-echo" sig=0 arch=c000003e syscall=51 compat=0 ip=0x46fe1f code=0x7ffc0000
 Jul  6 15:37:40 my-machine kernel: [369128.669453] audit: type=1326 audit(1594067860.484:14537): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=29064 comm="http-echo" exe="/http-echo" sig=0 arch=c000003e syscall=54 compat=0 ip=0x46fdba code=0x7ffc0000
@@ -683,7 +676,7 @@ kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/violation-pod.
 The Pod creates, but there is an issue.
 If you check the status of the Pod, you should see that it failed to start.
 -->
-Pod 创建,但存在问题。
+Pod 已创建,但存在问题。
 如果你检查 Pod 状态,你应该看到它没有启动。
 
 ```shell
@@ -732,7 +725,7 @@ The manifest for this example is:
 如果你看一看 `fine-grained.json` 配置文件,
 你会注意到第一个示例的 syslog 中看到的一些系统调用,
 其中配置文件设置为 `"defaultAction": "SCMP_ACT_LOG"`。
-现在的配置文件设置 `"defaultAction": "SCMP_ACT_ERRNO"`,
+现在的配置文件设置 `"defaultAction": "SCMP_ACT_ERRNO"`,
 但在 `"action": "SCMP_ACT_ALLOW"` 块中明确允许一组系统调用。
 理想情况下,容器将成功运行,并且你看到没有消息发送到 `syslog`。
 
@@ -769,6 +762,12 @@ mention calls from `http-echo`:
 -->
 打开一个新的终端窗口并使用 `tail` 来监视提到来自 `http-echo` 的调用的日志条目:
 
+
 ```shell
 # 你计算机上的日志路径可能与 “/var/log/syslog” 不同
 tail -f /var/log/syslog | grep 'http-echo'
@@ -796,6 +795,7 @@ kubectl get service fine-pod
 The output is similar to:
 -->
 输出类似于:
+
 ```
 NAME        TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
 fine-pod    NodePort   10.111.36.142           5678:32373/TCP   72s
@@ -806,6 +806,12 @@ Use `curl` to access that endpoint from inside the kind control plane container:
 -->
 使用 `curl` 从 kind 控制平面容器内部访问端点:
 
+
 ```shell
 # 将 6a96207fed4b 更改为你从 “docker ps” 看到的控制平面容器 ID
 docker exec -it 6a96207fed4b curl localhost:32373
@@ -847,4 +853,4 @@ You can learn more about Linux seccomp:
 你可以了解有关 Linux seccomp 的更多信息:
 
 * [seccomp 概述](https://lwn.net/Articles/656307/)
-* [Docker 的 Seccomp 安全配置文件](https://docs.docker.com/engine/security/seccomp/)
\ No newline at end of file
+* [Docker 的 Seccomp 安全配置文件](https://docs.docker.com/engine/security/seccomp/)

From ea3440dca92862c823f1cba17f13df7282625640 Mon Sep 17 00:00:00 2001
From: windsonsea 
Date: Tue, 18 Apr 2023 13:51:15 +0800
Subject: [PATCH 241/272] [zh] sync
 /kubernetes-api/cluster-resources/lease-v1.md

---
 .../cluster-resources/lease-v1.md             | 329 ++++--------------
 1 file changed, 73 insertions(+), 256 deletions(-)

diff --git a/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-v1.md b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-v1.md
index 03c44053d26..2ca911ff9b1 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-v1.md
@@ -8,59 +8,56 @@ description: "Lease 定义了租约的概念。"
 title: "Lease"
 weight: 5
 ---
-
 
 
 `apiVersion: coordination.k8s.io/v1`
 
 `import "k8s.io/api/coordination/v1"`
 
-
 ## Lease {#Lease}
+
 
 Lease 定义了租约的概念。
+
 
    
 
 - **apiVersion**: coordination.k8s.io/v1
 
-
 - **kind**: Lease
 
-
 - **metadata** (}}">ObjectMeta)
 
-
+  -->
   更多信息: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 
 - **spec** (}}">LeaseSpec)
 
-
-  Lease 规范。更多信息: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-
-
-
+  
+  spec 包含 Lease 的规约。更多信息:
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 
 ## LeaseSpec {#LeaseSpec}
 
 
-LeaseSpec 是一个 Lease 的规范。
+LeaseSpec 是一个 Lease 的规约。
 
 
    
 
@@ -75,21 +72,6 @@ LeaseSpec 是一个 Lease 的规范。
 - **holderIdentity** (string)
 
   holderIdentity contains the identity of the holder of a current lease.
-
-- **leaseDurationSeconds** (int32)
-
-  leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measure against time of last observed RenewTime.
-
-- **leaseTransitions** (int32)
-
-  leaseTransitions is the number of transitions of a lease between holders.
-
-- **renewTime** (MicroTime)
-
-  renewTime is a time when the current holder of a lease has last updated the lease.
-
-  
-  *MicroTime is version of Time with microsecond level precision.*
 -->
 - **acquireTime** (MicroTime)
 
@@ -102,13 +84,29 @@ LeaseSpec 是一个 Lease 的规范。
 
   holderIdentity 包含当前租约持有人的身份。
 
+
+- **leaseDurationSeconds** (int32)
+
+  leaseDurationSeconds 是租约候选人需要等待强制获取租约的持续时间。这是相对于上次观察到的 renewTime 的度量。
+
+- **leaseTransitions** (int32)
+
+  leaseTransitions 是租约持有人之间的转换次数。
 
 - **renewTime** (MicroTime)
 
@@ -117,9 +115,6 @@ LeaseSpec 是一个 Lease 的规范。
   
   **MicroTime 是具有微秒级精度的时间版本。**
 
-
-
-
 ## LeaseList {#LeaseList}
 
 
-   标准列表元数据。更多信息: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  -->
+  标准的列表元数据。更多信息:
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 
 - **items** ([]}}">Lease), required
 
-
-  Items 是架构对象的列表。
-
-
+  
+  items 是架构对象的列表。
 
 
 ## 操作   {#operations}
 
-
 
    
 
-
-
-
-
 
-### `get` 读取指定的租赁
+### `get` 读取指定的 Lease
 
 #### HTTP 请求
 
@@ -185,19 +172,17 @@ GET /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
 
   name of the Lease
 
-
 - **namespace** (*in path*): string, required
 
   }}">namespace
 
-
 - **pretty** (*in query*): string
 
   }}">pretty
 -->
 - **name** (**路径参数**): string, 必需
 
-  Lease 名称
+  Lease 名称。
 
 - **namespace** (**路径参数**): string, 必需
 
@@ -232,99 +217,84 @@ GET /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
 
 #### 参数
 
-
 - **namespace** (**路径参数**): string, 必需
 
   }}">namespace
 
-
 - **allowWatchBookmarks** (**查询参数**): boolean
 
   }}">allowWatchBookmarks
 
-
 - **continue** (**查询参数**): string
 
   }}">continue
 
-
 - **fieldSelector** (**查询参数**): string
 
   }}">fieldSelector
 
-
 - **labelSelector** (**查询参数**): string
 
   }}">labelSelector
 
-
 - **limit** (**查询参数**): integer
 
   }}">limit
 
-
 - **pretty** (**查询参数**): string
 
   }}">pretty
 
-
 - **resourceVersion** (**查询参数**): string
 
   }}">resourceVersion
@@ -333,12 +303,14 @@ GET /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
 
   }}">resourceVersionMatch
 
+- **sendInitialEvents** (**查询参数**): boolean
+
+  }}">sendInitialEvents
 
 - **timeoutSeconds** (**查询参数**): integer
 
   }}">timeoutSeconds
 
-
 - **watch** (**查询参数**): boolean
 
   }}">watch
@@ -366,84 +338,73 @@ GET /apis/coordination.k8s.io/v1/leases
 
 #### 参数
 
-
 - **allowWatchBookmarks** (**查询参数**): boolean
 
   }}">allowWatchBookmarks
 
-
 - **continue** (**查询参数**): string
 
   }}">continue
 
-
 - **fieldSelector** (**查询参数**): string
 
   }}">fieldSelector
 
-
 - **labelSelector** (**查询参数**): string
 
   }}">labelSelector
 
-
 - **limit** (**查询参数**): integer
 
   }}">limit
 
-
 - **pretty** (**查询参数**): string
 
   }}">pretty
@@ -456,27 +417,23 @@ GET /apis/coordination.k8s.io/v1/leases
 
   }}">resourceVersionMatch
 
+- **sendInitialEvents** (**查询参数**): boolean
+
+  }}">sendInitialEvents
 
 - **timeoutSeconds** (**查询参数**): integer
 
   }}">timeoutSeconds
 
-
 - **watch** (**查询参数**): boolean
 
   }}">watch
 
 
 #### 响应
 
-
 200 (}}">LeaseList): OK
 
 401: Unauthorized
@@ -485,8 +442,6 @@ GET /apis/coordination.k8s.io/v1/leases
 ### `create` create a Lease
 
 #### HTTP Request
-
-POST /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
 -->
 ### `create` 创建 Lease
 
@@ -497,83 +452,57 @@ POST /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
 
 #### 参数
 
-
 - **namespace** (**路径参数**): string, 必需
 
   }}">namespace
 
-
 - **body**: }}">Lease, 必需
 
-  
-
-
 - **dryRun** (**查询参数**): string
 
   }}">dryRun
 
-
 - **fieldManager** (**查询参数**): string
 
   }}">fieldManager
 
-
 - **fieldValidation** (**查询参数**): string
 
   }}">fieldValidation
 
-
 - **pretty** (**查询参数**): string
 
   }}">pretty
 
 
 #### 响应
 
-
 200 (}}">Lease): OK
 
 201 (}}">Lease): Created
@@ -586,80 +515,62 @@ POST /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
 ### `update` replace the specified Lease
 
 #### HTTP Request
-
-PUT /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
 -->
 ### `update` 替换指定的 Lease
 
 #### HTTP 请求
 
 PUT /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
+
 
 #### 参数
 
-
 - **name** (**路径参数**): string, 必需
 
-  租贷名称
-
+  Lease 的名称。
 
 - **namespace** (**路径参数**): string, 必需
 
   }}">namespace
 
-
 - **body**: }}">Lease, 必需
 
-  
-
-
 - **dryRun** (**查询参数**): string
 
   }}">dryRun
 
-
 - **fieldManager** (**查询参数**): string
 
   }}">fieldManager
 
-
 - **fieldValidation** (**查询参数**): string
 
   }}">fieldValidation
@@ -670,17 +581,9 @@ PUT /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
 
 
 #### 响应
 
-
 200 (}}">Lease): OK
 
 201 (}}">Lease): Created
@@ -691,112 +594,83 @@ PUT /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
 ### `patch` partially update the specified Lease
 
 #### HTTP Request
-
-PATCH /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
 -->
 ### `patch` 部分更新指定的 Lease
 
 #### HTTP 请求
 
 PATCH /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
+
 
 #### 参数
 
-
 - **name** (**路径参数**): string, 必需
 
-  租贷名称
-
+  Lease 的名称。
 
 - **namespace** (**路径参数**): string, 必需
 
   }}">namespace
 
-
 - **body**: }}">Patch, 必需
 
-  
-
-
 - **dryRun** (**查询参数**): string
 
   }}">dryRun
 
-
 - **fieldManager** (**查询参数**): string
 
   }}">fieldManager
 
-
 - **fieldValidation** (**查询参数**): string
 
   }}">fieldValidation
 
-
 - **force** (**查询参数**): boolean
 
   }}">force
 
-
 - **pretty** (**查询参数**): string
 
   }}">pretty
 
 
 #### 响应
 
-
 200 (}}">Lease): OK
 
 201 (}}">Lease): Created
@@ -807,102 +681,75 @@ PATCH /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
 ### `delete` delete a Lease
 
 #### HTTP Request
-
-DELETE /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
 -->
 ### `delete` 删除一个 Lease
 
 #### HTTP 请求
 
 DELETE /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
+
 
 #### 参数
 
-
 - **name** (**路径参数**): string, 必需
 
-  租贷的名称
-
+  Lease 的名称。
 
 - **namespace** (**路径参数**): string, 必需
 
   }}">namespace
 
-
 - **body**: }}">DeleteOptions
 
-  
-
-
 - **dryRun** (**查询参数**): string
 
   }}">dryRun
 
-
 - **gracePeriodSeconds** (**查询参数**): integer
 
   }}">gracePeriodSeconds
 
-
 - **pretty** (**查询参数**): string
 
   }}">pretty
 
-
 - **propagationPolicy** (**查询参数**): string
 
   }}">propagationPolicy
 
 
 #### 响应
 
-
 200 (}}">Status): OK
 
 202 (}}">Status): Accepted
@@ -913,77 +760,65 @@ DELETE /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
 ### `deletecollection` delete collection of Lease
 
 #### HTTP Request
-
-DELETE /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
 -->
 ### `deletecollection` 删除 Lease 收款
 
 #### HTTP 请求
 
 DELETE /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
+
 
 #### 参数
 
-
 - **namespace** (**路径参数**): string, 必需
 
   }}">namespace
 
-
 - **body**: }}">DeleteOptions
 
-  
-
-
 - **continue** (**查询参数**): string
 
   }}">continue
 
-
 - **dryRun** (**查询参数**): string
 
   }}">dryRun
 
-
 - **fieldSelector** (**查询参数**): string
 
   }}">fieldSelector
 
-
 - **gracePeriodSeconds** (**查询参数**): integer
 
   }}">gracePeriodSeconds
 
-
 - **labelSelector** (**查询参数**): string
 
   }}">labelSelector
 
-
 - **limit** (**查询参数**): integer
 
   }}">limit
 
-
 - **pretty** (**查询参数**): string
 
   }}">pretty
 
-
 - **propagationPolicy** (**查询参数**): string
 
   }}">propagationPolicy
 
-
 - **resourceVersion** (**查询参数**): string
 
   }}">resourceVersion
 
-
 - **resourceVersionMatch** (**查询参数**): string
 
   }}">resourceVersionMatch
 
+- **sendInitialEvents** (**查询参数**): boolean
+
+  }}">sendInitialEvents
 
 - **timeoutSeconds** (**查询参数**): integer
 
@@ -1058,16 +882,9 @@ DELETE /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
 
 
 #### 响应
 
-
 200 (}}">Status): OK
 
 401: Unauthorized
-

From 51462146f35dee41a6446a9f01db6f70cf1284de Mon Sep 17 00:00:00 2001
From: windsonsea 
Date: Tue, 18 Apr 2023 14:17:08 +0800
Subject: [PATCH 242/272] [zh] sync
 /kubernetes-api/cluster-resources/node-v1.md

---
 .../cluster-resources/node-v1.md              | 201 ++++++++++--------
 1 file changed, 116 insertions(+), 85 deletions(-)

diff --git a/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/node-v1.md b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/node-v1.md
index 21b7a6c99bc..db12827b3e1 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/node-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/node-v1.md
@@ -8,7 +8,6 @@ description: "Node 是 Kubernetes 中的工作节点。"
 title: "Node"
 weight: 1
 ---
-
 
-
 Node 是 Kubernetes 中的工作节点。
 每个节点在缓存中(即在 etcd 中)都有一个唯一的标识符。
 
@@ -44,7 +42,6 @@ Node 是 Kubernetes 中的工作节点。
 
   Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata 
 -->
-
 - **metadata** (}}">ObjectMeta)
 
   标准的对象元数据。
@@ -55,7 +52,6 @@ Node 是 Kubernetes 中的工作节点。
 
   Spec defines the behavior of a node. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status 
 -->
-
 - **spec** (}}">NodeSpec)
 
   spec 定义节点的行为。
@@ -66,7 +62,6 @@ Node 是 Kubernetes 中的工作节点。
 
   Most recently observed status of the node. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status 
 -->
-
 - **status** (}}">NodeStatus)
 
   此节点的最近观测状态。由系统填充。只读。
@@ -77,7 +72,6 @@ Node 是 Kubernetes 中的工作节点。
 
-
 NodeSpec 描述了创建节点时使用的属性。
 
 
    
@@ -87,14 +81,12 @@ NodeSpec 描述了创建节点时使用的属性。
   
-
   已弃用:以前用于为 DynamicKubeletConfig 功能指定节点配置的来源。此功能已删除。
 
   
   
-
   **NodeConfigSource 指定节点配置的来源。指定一个子字段(不包括元数据)必须为非空。此 API 自 1.22的版本起已被弃用**
 
   - **configSource.configMap** (ConfigMapNodeConfigSource)
@@ -158,7 +150,8 @@ NodeSpec 描述了创建节点时使用的属性。
     - **configSource.configMap.uid** (string)
 
       
+      UID is the metadata.UID of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.
+      -->
 
       uid 是所引用的 ConfigMap 的 metadata.uid。
       该字段在 Node.spec 中是禁止的,在 Node.status 中是必需的。
@@ -168,7 +161,6 @@ NodeSpec 描述了创建节点时使用的属性。
   
-
   已弃用。并非所有 kubelet 都会设置此字段。
   1.13 的版本之后会删除该字段。参见: https://issues.k8s.io/61966
 
@@ -177,7 +169,6 @@ NodeSpec 描述了创建节点时使用的属性。
   
-
   podCIDR 表示分配给节点的 Pod IP 范围。
 
 - **podCIDRs** ([]string)
@@ -185,7 +176,6 @@ NodeSpec 描述了创建节点时使用的属性。
   
-
   podCIDRs 表示分配给节点以供该节点上的 Pod 使用的 IP 范围。
   如果指定了该字段,则第 0 个条目必须与 podCIDR 字段匹配。
   对于 IPv4 和 IPv6,它最多可以包含 1 个值。
@@ -195,7 +185,6 @@ NodeSpec 描述了创建节点时使用的属性。
   
-
   云提供商分配的节点ID,格式为:\://\
 
 - **taints** ([]Taint)
@@ -203,14 +192,12 @@ NodeSpec 描述了创建节点时使用的属性。
   
-
   如果设置了,则为节点的污点。
 
   
   
-
   **此污点附加到的节点对任何不容忍污点的 Pod 都有 “影响”。**
 
   
 
-    Time 是 time.Time 的包装器,它支持对 YAML 和 JSON 的正确编组。
-    time 包的许多工厂方法提供了包装器。
+    **Time 是 time.Time 的包装器,它支持对 YAML 和 JSON 的正确编组。
+    time 包的许多工厂方法提供了包装器。**
 
   - **taints.value** (string)
 
@@ -272,7 +259,6 @@ NodeSpec 描述了创建节点时使用的属性。
 
-
 NodeStatus 是有关节点当前状态的信息。
 
 
    
@@ -282,9 +268,8 @@ NodeStatus 是有关节点当前状态的信息。
   
-
   **补丁策略:根据 `type` 键执行合并操作**
 
   节点可到达的地址列表。从云提供商处查询(如果有)。
@@ -294,11 +279,14 @@ NodeStatus 是有关节点当前状态的信息。
   调用者应改为使用完全替换性质的补丁操作。
   有关示例,请参见 https://pr.k8s.io/79391。
 
+  消费者应假设地址可以在节点的生命期内发生变化。
+  然而在一些例外情况下这是不可能的,例如在自身状态中继承 Node 地址的 Pod
+  或 downward API (status.hostIP) 的消费者。
+
   
   
-
   **NodeAddress 包含节点地址的信息。**
 
   
-
   allocatable 表示节点的可用于调度的资源。默认为容量。
 
 - **capacity** (map[string]}}">Quantity)
@@ -334,7 +321,6 @@ NodeStatus 是有关节点当前状态的信息。
   
-
   capacity 代表一个节点的总资源。
   更多信息: https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes/#capacity
 
@@ -345,7 +331,6 @@ NodeStatus 是有关节点当前状态的信息。
   
   Conditions is an array of current observed node conditions. More info: https://kubernetes.io/docs/concepts/nodes/node/#condition 
   -->
-
   **补丁策略:根据 `type` 键执行合并操作**
 
   conditions 是当前观测到的节点状况的数组。
@@ -355,7 +340,6 @@ NodeStatus 是有关节点当前状态的信息。
   
-
   **NodeCondition 包含节点状况的信息。**
 
   
-
   通过动态 Kubelet 配置功能分配给节点的配置状态。
 
   
   
-
   **NodeConfigStatus 描述了由 Node.spec.configSource 分配的配置的状态。**
 
   - **config.active** (NodeConfigSource)
@@ -690,8 +672,8 @@ NodeStatus 是有关节点当前状态的信息。
 
       - **config.lastKnownGood.configMap.namespace** (string), 必需
 
-       namespace 是所引用的 ConfigMap 的 metadata.namespace。
-       此字段在所有情况下都是必需的。
+        namespace 是所引用的 ConfigMap 的 metadata.namespace。
+        此字段在所有情况下都是必需的。
 
       - **config.lastKnownGood.configMap.resourceVersion** (string)
 
@@ -716,14 +698,12 @@ NodeStatus 是有关节点当前状态的信息。
   
-
   在节点上运行的守护进程的端点。
 
   
   
-
   **NodeDaemonEndpoints 列出了节点上运行的守护进程打开的端口。**
 
   - **daemonEndpoints.kubeletEndpoint** (DaemonEndpoint)
@@ -756,14 +736,12 @@ NodeStatus 是有关节点当前状态的信息。
   
-
   该节点上的容器镜像列表。
 
   
   
-
   **描述一个容器镜像**
 
   - **images.names** ([]string)
@@ -788,7 +766,6 @@ NodeStatus 是有关节点当前状态的信息。
   
-
   用于唯一标识节点的 ids/uuids 集。
   更多信息: https://kubernetes.io/zh-cn/docs/concepts/architecture/nodes/#info
 
@@ -796,7 +773,6 @@ NodeStatus 是有关节点当前状态的信息。
   
-
   **NodeSystemInfo 是一组用于唯一标识节点的 ids/uuids。**
 
   
-
   NodePhase 是最近观测到的节点的生命周期阶段。
   更多信息: https://kubernetes.io/zh-cn/docs/concepts/architecture/nodes/#phase
   
@@ -919,14 +894,12 @@ NodeStatus 是有关节点当前状态的信息。
   
-
   附加到节点的卷的列表。
 
   
   
-
   **AttachedVolume 描述附加到节点的卷**
 
   
-
   节点正在使用(安装)的可附加卷的列表。
 
 ## NodeList {#NodeList}
@@ -962,7 +934,6 @@ NodeStatus 是有关节点当前状态的信息。
 
-
 NodeList 是已注册到 master 的所有节点的完整列表。
 
 
    
@@ -976,7 +947,6 @@ NodeList 是已注册到 master 的所有节点的完整列表。
   
-
   标准的列表元数据。
   更多信息: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 
@@ -985,7 +955,6 @@ NodeList 是已注册到 master 的所有节点的完整列表。
 
   List of nodes
 -->
-
 - **items** ([]}}">Node), 必需
 
   节点的列表。
@@ -998,7 +967,6 @@ NodeList 是已注册到 master 的所有节点的完整列表。
 GET /api/v1/nodes/{name}
 #### Parameters 
 -->
-
 ## 操作 {#Operations}
 
 
    
@@ -1017,7 +985,6 @@ GET /api/v1/nodes/{name}
 - **pretty** (*in query*): string
 #### Response 
 -->
-
 - **name** (**路径参数**): string, 必需
 
   节点的名称。
@@ -1038,7 +1005,6 @@ GET /api/v1/nodes/{name}
 GET /api/v1/nodes/{name}/status
 #### Parameters 
 -->
-
 ### `get` 读取指定节点的状态
 
 #### HTTP 请求
@@ -1053,7 +1019,6 @@ GET /api/v1/nodes/{name}/status
 - **pretty** (*in query*): string
 #### Response 
 -->
-
 - **name** (**路径参数**): string, 必需
 
   节点的名称。
@@ -1074,28 +1039,60 @@ GET /api/v1/nodes/{name}/status
 GET /api/v1/nodes
 #### Parameters
 -->
-
 ### `list` 列出或监视节点类型的对象
 
 #### HTTP 请求
 
 GET /api/v1/nodes
 
-#### 参数
-
 
+#### 参数
 
 - **allowWatchBookmarks** (**查询参数**): boolean
 
@@ -1129,6 +1126,10 @@ GET /api/v1/nodes
 
   }}">resourceVersionMatch
 
+- **sendInitialEvents** (**查询参数**): boolean
+
+  }}">sendInitialEvents
+
 - **timeoutSeconds** (**查询参数**): integer
 
   }}">timeoutSeconds
@@ -1137,6 +1138,9 @@ GET /api/v1/nodes
 
   }}">watch
 
+
 #### 响应
 
 200 (}}">NodeList): OK
@@ -1149,7 +1153,6 @@ GET /api/v1/nodes
 POST /api/v1/nodes
 #### Parameters 
 -->
-
 ### `create` 创建一个节点
 
 #### HTTP 请求
@@ -1166,7 +1169,6 @@ POST /api/v1/nodes
 - **pretty** (*in query*): string
 #### Response 
 -->
-
 - **body**: }}">Node, 必需
 
 - **dryRun** (**查询参数**): string
@@ -1201,7 +1203,6 @@ POST /api/v1/nodes
 PUT /api/v1/nodes/{name}
 #### Parameters 
 -->
-
 ### `update` 替换指定节点
 
 #### HTTP 请求
@@ -1220,7 +1221,6 @@ PUT /api/v1/nodes/{name}
 - **pretty** (*in query*): string
 #### Response 
 -->
-
 - **name** (**路径参数**): string, 必需
 
   节点的名称。
@@ -1260,7 +1260,6 @@ PUT /api/v1/nodes/{name}/status
 
 #### Parameters 
 -->
-
 ### `update` 替换指定节点的状态
 
 #### HTTP 请求
@@ -1279,7 +1278,6 @@ PUT /api/v1/nodes/{name}/status
 - **pretty** (*in query*): string
 #### Response 
 -->
-
 - **name** (**路径参数**): string, 必需
 
   节点的名称。
@@ -1316,7 +1314,6 @@ PUT /api/v1/nodes/{name}/status
 PATCH /api/v1/nodes/{name}
 #### Parameters 
 -->
-
 ### `patch` 部分更新指定节点
 
 #### HTTP 请求
@@ -1336,7 +1333,6 @@ PATCH /api/v1/nodes/{name}
 - **pretty** (*in query*): string
 #### Response 
 -->
-
 - **name** (**路径参数**): string, 必需
 
   节点的名称。
@@ -1377,7 +1373,6 @@ PATCH /api/v1/nodes/{name}
 PATCH /api/v1/nodes/{name}/status
 #### Parameters 
 -->
-
 ### `patch` 部分更新指定节点的状态
 
 #### HTTP 请求
@@ -1397,7 +1392,6 @@ PATCH /api/v1/nodes/{name}/status
 - **pretty** (*in query*): string
 #### Response 
 -->
-
 - **name** (**路径参数**): string, 必需
 
   节点的名称。
@@ -1438,7 +1432,6 @@ PATCH /api/v1/nodes/{name}/status
 DELETE /api/v1/nodes/{name}
 #### Parameters 
 -->
-
 ### `delete` 删除一个节点
 
 #### HTTP 请求
@@ -1457,7 +1450,6 @@ DELETE /api/v1/nodes/{name}
 - **propagationPolicy** (*in query*): string
 #### Response
 -->
-
 - **name** (**路径参数**): string, 必需
 
   节点的名称。
@@ -1490,36 +1482,68 @@ DELETE /api/v1/nodes/{name}
 
 
 
+#### HTTP Request
+-->
 ### `deletecollection` 删除节点的集合
 
 #### HTTP 请求
 
 DELETE /api/v1/nodes
 
-#### 参数
+
 
+  }}">continue
+
+- **dryRun** (*in query*): string
+
+  }}">dryRun
+
+- **fieldSelector** (*in query*): string
+
+  }}">fieldSelector
+
+- **gracePeriodSeconds** (*in query*): integer
+
+  }}">gracePeriodSeconds
+
+- **labelSelector** (*in query*): string
+
+  }}">labelSelector
+
+- **limit** (*in query*): integer
+
+  }}">limit
+
+- **pretty** (*in query*): string
+
+  }}">pretty
+
+- **propagationPolicy** (*in query*): string
+
+  }}">propagationPolicy
+
+- **resourceVersion** (*in query*): string
+
+  }}">resourceVersion
+
+- **resourceVersionMatch** (*in query*): string
+
+  }}">resourceVersionMatch
+
+- **sendInitialEvents** (*in query*): boolean
+
+  }}">sendInitialEvents
+
+- **timeoutSeconds** (*in query*): integer
+
+  }}">timeoutSeconds
+-->
 - **continue** (**查询参数**): string
 
   }}">continue
@@ -1560,12 +1584,19 @@ DELETE /api/v1/nodes
 
   }}">resourceVersionMatch
 
+- **sendInitialEvents** (**查询参数**): boolean
+
+  }}">sendInitialEvents
+
 - **timeoutSeconds** (**查询参数**): integer
 
   }}">timeoutSeconds
 
+
 #### 响应
 
 200 (}}">Status): OK
 
-401: Unauthorized
\ No newline at end of file
+401: Unauthorized

From 8ea2718e0841481e29a328f88a34a2c6a3f43342 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Wed, 19 Apr 2023 15:42:51 +0800
Subject: [PATCH 243/272] sync controller-manager-leader-migration.md

sync controller-manager-leader-migration.md
---
 .../administer-cluster/controller-manager-leader-migration.md   | 2 --
 1 file changed, 2 deletions(-)

diff --git a/content/zh-cn/docs/tasks/administer-cluster/controller-manager-leader-migration.md b/content/zh-cn/docs/tasks/administer-cluster/controller-manager-leader-migration.md
index 0c548ab635c..785635a560d 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/controller-manager-leader-migration.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/controller-manager-leader-migration.md
@@ -17,8 +17,6 @@ weight: 250
 
 
 
-{{< feature-state for_k8s_version="v1.24" state="stable"  >}}
-
 {{< glossary_definition term_id="cloud-controller-manager" length="all">}}
 
 
 * 需要 etcd v3.0 或者更高版本
 
 * 要加密自定义资源,你的集群必须运行 Kubernetes v1.26 或更高版本。
 
+* 在 Kubernetes v1.27 或更高版本中可以使用通配符配置资源加密。
+
 
 
 
 ## 理解静态数据加密    {#understanding-the-encryption-at-rest-configuration}
 
+
 ```yaml
 apiVersion: apiserver.config.k8s.io/v1
 kind: EncryptionConfiguration
@@ -93,6 +100,24 @@ resources:
           keys:
             - name: key1
               secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
+  - resources:
+      - events
+    providers:
+      - identity: {} # 即使如下指定 *.* 也不会加密 events
+  - resources:
+      - '*.apps'
+    providers:
+      - aescbc:
+          keys:
+          - name: key2
+            secret: c2VjcmV0IGlzIHNlY3VyZSwgb3IgaXMgaXQ/Cg==
+  - resources:
+      - '*.*'
+    providers:
+      - aescbc:
+          keys:
+          - name: key3
+            secret: c2VjcmV0IGlzIHNlY3VyZSwgSSB0aGluaw==
 ```
 
 
 每个条目只能指定一个 provider 类型(可以是 `identity` 或 `aescbc`,但不能在同一个项目中同时指定二者)。
 列表中的第一个 provider 用于加密写入存储的资源。
 当从存储器读取资源时,与存储的数据匹配的所有 provider 将按顺序尝试解密数据。
 如果由于格式或密钥不匹配而导致没有 provider 能够读取存储的数据,则会返回一个错误,以防止客户端访问该资源。
 
-有关 `EncryptionConfiguration` 结构体的更多详细信息,请参阅[加密配置 API](/zh-cn/docs/reference/config-api/apiserver-encryption.v1/)。
+
+`EncryptionConfiguration` 支持使用通配符指定应加密的资源。
+使用 “`*.`” 加密 group 内的所有资源(例如以上例子中的 “`*.apps`”)或使用
+“`*.*`” 加密所有资源。“`*.`” 可用于加密核心组中的所有资源。“`*.*`”
+将加密所有资源,甚至包括 API 服务器启动之后添加的自定义资源。
+
+{{< note >}}
+
+不允许在同一资源列表或跨多个条目中使用相互重疊的通配符,因为这样一来配置的一部分将无法生效。
+`resources` 列表的处理顺序和优先级由配置中列出的顺序决定。
+{{< /note >}}
+
+
+如果启用了通配符,但想要针对特定资源退出加密,则可以通过添加带有资源名称的新 `resources` 数组项,
+后跟附带 `identity` 提供商的 `providers` 数组项。例如,如果启用了 “`*.*`”,
+但想要排除对 `events` 资源的加密,则应向 `resources` 数组添加一个新项(以 `events` 为资源名称),
+后跟包含 `identity` 的 providers 数组。新项应如下所示:
+
+```yaml
+- resources:
+    - events
+  providers:
+    - identity: {}
+```
+
+
+确保新项列在资源数组中的通配符 “`*.*`” 项之前,使新项优先。
+
+
+有关 `EncryptionConfiguration` 结构体的更多详细信息,
+请参阅[加密配置 API](/zh-cn/docs/reference/config-api/apiserver-encryption.v1/)。
 
 {{< caution >}}
 
 {{< table caption="Kubernetes 静态数据加密的 Provider" >}}
 名称 | 加密类型   | 强度     | 速度  | 密钥长度   | 其它事项
@@ -170,9 +240,13 @@ is the first provider, the first key is used for encryption.
 `secretbox` | XSalsa20 和 Poly1305 | 强 | 更快 | 32 字节 | 较新的标准,在需要高度评审的环境中可能不被接受。
 `aesgcm` | 带有随机数的 AES-GCM | 必须每 200k 写入一次 | 最快 | 16、24 或者 32字节 | 建议不要使用,除非实施了自动密钥循环方案。
 `aescbc` | 填充 [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) 的 AES-CBC | 弱 | 快 | 32 字节 | 由于 CBC 容易受到密文填塞攻击(Padding Oracle Attack),不推荐使用。
-`kms` | 使用信封加密方案:数据使用带有 [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) 填充的 AES-CBC(v1.25 之前),从 v1.25 开始使用 AES-GCM 通过数据加密密钥(DEK)加密,DEK 根据 Key Management Service(KMS)中的配置通过密钥加密密钥(Key Encryption Keys,KEK)加密 | 最强 | 快 | 32 字节 | 建议使用第三方工具进行密钥管理。为每个加密生成新的 DEK,并由用户控制 KEK 轮换来简化密钥轮换。[配置 KMS 提供程序](/zh-cn/docs/tasks/administer-cluster/kms-provider/)
+`kms v1` | 使用信封加密方案:数据使用带有 [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) 填充的 AES-CBC(v1.25 之前),从 v1.25 开始使用 AES-GCM 通过数据加密密钥(DEK)加密,DEK 根据 Key Management Service(KMS)中的配置通过密钥加密密钥(Key Encryption Keys,KEK)加密 | 最强 | 快 | 32 字节 | 建议使用第三方工具进行密钥管理。为每个加密生成新的 DEK,并由用户控制 KEK 轮换来简化密钥轮换。从 `v1.27` 开始,该功能处于 Beta 阶段。系统在启动时生成一个新的 DEK 并重复使用它进行加密。当 KEK 被轮转时,DEK 也会被轮转。[配置 KMS V2 provider](/zh-cn/docs/tasks/administer-cluster/kms-provider#configuring-the-kms-provider-kms-v2)。
 {{< /table >}}
 
+
 每个 provider 都支持多个密钥 - 在解密时会按顺序使用密钥,如果是第一个 provider,则第一个密钥用于加密。
 
 {{< caution >}}
@@ -267,6 +341,9 @@ To create a new Secret, perform the following steps:
    2. 编辑 `kube-apiserver` 静态 Pod 的清单:`/etc/kubernetes/manifests/kube-apiserver.yaml`,
       代码范例如下:
 
+   
    ```yaml
    apiVersion: v1
    kind: Pod
@@ -339,7 +416,7 @@ program to retrieve the contents of your secret data.
 
-2. 使用 etcdctl 命令行,从 etcd 中读取 Secret:
+2. 使用 `etcdctl` 命令行,从 etcd 中读取 Secret:
 
    ```
    ETCDCTL_API=3 etcdctl get /registry/secrets/default/secret1 [...] | hexdump -C
@@ -458,7 +535,7 @@ When running a single `kube-apiserver` instance, step 2 may be skipped.
 在不发生停机的情况下更改 Secret 需要多步操作,特别是在有多个 `kube-apiserver`
 进程正在运行的高可用环境中。
 
-1. 生成一个新密钥并将其添加为所有服务器上当前提供程序的第二个密钥条目
+1. 生成一个新密钥并将其添加为所有服务器上当前 provider 的第二个密钥条目
 1. 重新启动所有 `kube-apiserver` 进程以确保每台服务器都可以使用新密钥进行解密
 1. 将新密钥设置为 `keys` 数组中的第一个条目,以便在配置中使用其进行加密
 1. 重新启动所有 `kube-apiserver` 进程以确保每个服务器现在都使用新密钥进行加密

From 3dd4b95a606da721771188741e8aada64176137f Mon Sep 17 00:00:00 2001
From: Sergey Shevchenko 
Date: Wed, 19 Apr 2023 13:18:20 +0300
Subject: [PATCH 246/272] fix: Fix column order for feature-gates table

---
 .../reference/command-line-tools-reference/feature-gates.md     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 56fb28b56b0..7e157bd00f3 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -56,7 +56,7 @@ For a reference to old feature gates that are removed, please refer to
 
 | Feature | Default | Stage | Since | Until |
 |---------|---------|-------|-------|-------|
-| `AdmissionWebhookMatchConditions` | Alpha | `false` | 1.27 | |
+| `AdmissionWebhookMatchConditions` | `false` | Alpha | 1.27 | |
 | `APIListChunking` | `false` | Alpha | 1.8 | 1.8 |
 | `APIListChunking` | `true` | Beta | 1.9 | |
 | `APIPriorityAndFairness` | `false` | Alpha | 1.18 | 1.19 |

From 10fe5e561377d03a716c07fa113497db8ea56ff9 Mon Sep 17 00:00:00 2001
From: Arhell 
Date: Thu, 20 Apr 2023 00:26:45 +0300
Subject: [PATCH 247/272] [fr] update curl command

---
 content/fr/docs/concepts/cluster-administration/certificates.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/fr/docs/concepts/cluster-administration/certificates.md b/content/fr/docs/concepts/cluster-administration/certificates.md
index 46637f2fda5..8e82e075bb5 100644
--- a/content/fr/docs/concepts/cluster-administration/certificates.md
+++ b/content/fr/docs/concepts/cluster-administration/certificates.md
@@ -21,7 +21,7 @@ manuellement grâce à `easyrsa`, `openssl` ou `cfssl`.
 
 1.  Téléchargez, décompressez et initialisez la version corrigée de easyrsa3.
 
-        curl -LO https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
+        curl -LO https://dl.k8s.io/easy-rsa/easy-rsa.tar.gz
         tar xzf easy-rsa.tar.gz
         cd easy-rsa-master/easyrsa3
         ./easyrsa init-pki

From e4360124e4a1aadc8cc45b5c281f572253591771 Mon Sep 17 00:00:00 2001
From: Fabian B 
Date: Thu, 20 Apr 2023 11:23:13 +0200
Subject: [PATCH 248/272] Add translation for "Install tools"

---
 content/de/docs/tasks/tools/_index.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/content/de/docs/tasks/tools/_index.md b/content/de/docs/tasks/tools/_index.md
index 1de111c0ce8..cb0a825dc58 100644
--- a/content/de/docs/tasks/tools/_index.md
+++ b/content/de/docs/tasks/tools/_index.md
@@ -3,3 +3,25 @@ title: "Werkzeuge installieren"
 weight: 10
 ---
 
+## kubectl
+
+Das Kubernetes Befehlszeilenprogramm [kubectl](/docs/user-guide/kubectl/) ermöglicht es Ihnen, Befehle auf einem Kubernetes-Cluster auszuführen. Sie können mit kubectl Anwendungen bereitstellen, Cluster-Ressourcen überwachen und verwalten sowie Logs einsehen.
+Weitere Informationen über alle verfügbaren `kubectl`-Befehle finden Sie in der [Kommandoreferenz von kubectl](/docs/reference/kubectl/).
+
+`kubectl` kann unter Linux, macOS und Windows installiert werden. [Hier](install-kubectl) finden Sie Anleitungen zur Installation von `kubectl`.
+
+## kind
+Mit [`kind`](https://kind.sigs.k8s.io/) können Sie Kubernetes lokal auf Ihrem Computer ausführen. Voraussetzung hierfür ist eine konfigurierte und funktionierende [Docker](https://docs.docker.com/get-docker/)-Installation.
+
+Die `kind` [Schnellstart](https://kind.sigs.k8s.io/docs/user/quick-start/)-Seite gibt Informationen darüber, was für den schnellen Einstieg mit `kind` benötigt wird.
+
+## minikube
+Ähnlich wie `kind` ist [`minikube`](https://minikube.sigs.k8s.io/) ein Tool, mit dem man Kubernetes lokal auf dem Computer ausführen kann. Minikube erstellt Cluster mit einer Node oder mehreren Nodes. Somit ist es ein praktisches Tool für tägliche Entwicklungsaktivitäten mit Kubernetes, oder um Kubernetes einfach einmal lokal auszuprobieren. 
+
+[Hier](/install-minikube) erfahren Sie, wie Sie `minikube` auf Ihrem Computer installieren können.
+Falls Sie `minikube` bereits installiert haben, können Sie es verwenden, um eine [Beispiel-Anwendung zu bereitzustellen.](/docs/tutorials/hello-minikube/).
+
+## kubeadm
+Mit `kubeadm` können Sie Kubernetes-Cluster erstellen und verwalten. `kubeadm` führt alle notwendigen Schritte aus, um ein minimales aber sicheres Cluster in einer benutzerfreundlichen Art und Weise aufzusetzen.
+[Auf dieser Seite](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/) finden Sie Anleitungen zur Installation von `kubeadm`.
+Sobald Sie `kubeadm` installiert haben, erfahren Sie [hier](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/) wie man ein Cluster mit `kubeadm` erstellt.
\ No newline at end of file

From 25e2d857cf602a65ebe57dbb276fb432a2e739d5 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Thu, 20 Apr 2023 19:50:19 +0800
Subject: [PATCH 249/272] sync assign-cpu-resource.md

sync assign-cpu-resource.md
---
 .../docs/tasks/configure-pod-container/assign-cpu-resource.md  | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/content/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource.md b/content/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource.md
index 20c151905f6..fc966259669 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource.md
@@ -425,6 +425,7 @@ kubectl delete namespace cpu-example
 * [Configure Memory and CPU Quotas for a Namespace](/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
 * [Configure a Pod Quota for a Namespace](/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
 * [Configure Quotas for API Objects](/docs/tasks/administer-cluster/quota-api-object/)
+* [Resize CPU and Memory Resources assigned to Containers](/docs/tasks/configure-pod-container/resize-container-resources/)
 -->
 ### 针对集群管理员 {for-cluster-administrators}
 
@@ -435,3 +436,5 @@ kubectl delete namespace cpu-example
 * [为名字空间配置内存和 CPU 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
 * [为名字空间配置 Pod 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
 * [配置 API 对象的配额](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)
+* [调整分配给容器的 CPU 和内存资源](/zh-cn/docs/tasks/configure-pod-container/resize-container-resources/)
+ 
\ No newline at end of file

From 80ce7b0f5734fa7dddea1af712723c350e0427d6 Mon Sep 17 00:00:00 2001
From: Qiming Teng 
Date: Wed, 12 Apr 2023 12:15:15 +0800
Subject: [PATCH 250/272] Update feature gates for v1.27

---
 .../feature-gates-removed.md                  |  83 +++++++++++--
 .../feature-gates.md                          | 113 +++++-------------
 2 files changed, 106 insertions(+), 90 deletions(-)

diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md b/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md
index 50d1dd29bfc..eebb0137e38 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md
@@ -58,8 +58,22 @@ In the following table:
 | `CSIDriverRegistry` | `false` | Alpha | 1.12 | 1.13 |
 | `CSIDriverRegistry` | `true` | Beta | 1.14 | 1.17 |
 | `CSIDriverRegistry` | `true` | GA | 1.18 | 1.21 |
+| `CSIInlineVolume` | `false` | Alpha | 1.15 | 1.15 |
+| `CSIInlineVolume` | `true` | Beta | 1.16 | 1.24 |
+| `CSIInlineVolume` | `true` | GA | 1.25 | 1.26 |
+| `CSIMigration` | `false` | Alpha | 1.14 | 1.16 |
+| `CSIMigration` | `true` | Beta | 1.17 | 1.24 |
+| `CSIMigration` | `true` | GA | 1.25 | 1.26 |
+| `CSIMigrationAWS` | `false` | Alpha | 1.14 | 1.16 |
+| `CSIMigrationAWS` | `false` | Beta | 1.17 | 1.22 |
+| `CSIMigrationAWS` | `true` | Beta | 1.23 | 1.24 |
+| `CSIMigrationAWS` | `true` | GA | 1.25 | 1.26 |
 | `CSIMigrationAWSComplete` | `false` | Alpha | 1.17 | 1.20 |
 | `CSIMigrationAWSComplete` | - | Deprecated | 1.21 | 1.21 |
+| `CSIMigrationAzureDisk` | `false` | Alpha | 1.15 | 1.18 |
+| `CSIMigrationAzureDisk` | `false` | Beta | 1.19 | 1.22 |
+| `CSIMigrationAzureDisk` | `true` | Beta | 1.23 | 1.23 |
+| `CSIMigrationAzureDisk` | `true` | GA | 1.24 | 1.26 |
 | `CSIMigrationAzureDiskComplete` | `false` | Alpha | 1.17 | 1.20 |
 | `CSIMigrationAzureDiskComplete` | - | Deprecated | 1.21 | 1.21 |
 | `CSIMigrationAzureFileComplete` | `false` | Alpha | 1.17 | 1.20 |
@@ -85,17 +99,17 @@ In the following table:
 | `CSIVolumeFSGroupPolicy` | `false` | Alpha | 1.19 | 1.19 |
 | `CSIVolumeFSGroupPolicy` | `true` | Beta | 1.20 | 1.22 |
 | `CSIVolumeFSGroupPolicy` | `true` | GA | 1.23 | 1.25 |
+| `CSRDuration` | `true` | Beta | 1.22 | 1.23 |
+| `CSRDuration` | `true` | GA | 1.24 | 1.25 |
 | `ConfigurableFSGroupPolicy` | `false` | Alpha | 1.18 | 1.19 |
 | `ConfigurableFSGroupPolicy` | `true` | Beta | 1.20 | 1.22 |
 | `ConfigurableFSGroupPolicy` | `true` | GA | 1.23 | 1.25 |
-| `CronJobControllerV2` | `false` | Alpha | 1.20 | 1.20 |
-| `CronJobControllerV2` | `true` | Beta | 1.21 | 1.21 |
-| `CronJobControllerV2` | `true` | GA | 1.22 | 1.23 |
-| `CSRDuration` | `true` | Beta | 1.22 | 1.23 |
-| `CSRDuration` | `true` | GA | 1.24 | 1.25 |
 | `ControllerManagerLeaderMigration` | `false` | Alpha | 1.21 | 1.21 |
 | `ControllerManagerLeaderMigration` | `true` | Beta | 1.22 | 1.23 |
 | `ControllerManagerLeaderMigration` | `true` | GA | 1.24 | 1.26 |
+| `CronJobControllerV2` | `false` | Alpha | 1.20 | 1.20 |
+| `CronJobControllerV2` | `true` | Beta | 1.21 | 1.21 |
+| `CronJobControllerV2` | `true` | GA | 1.22 | 1.23 |
 | `CustomPodDNS` | `false` | Alpha | 1.9 | 1.9 |
 | `CustomPodDNS` | `true` | Beta| 1.10 | 1.13 |
 | `CustomPodDNS` | `true` | GA | 1.14 | 1.16 |
@@ -114,6 +128,9 @@ In the following table:
 | `CustomResourceWebhookConversion` | `false` | Alpha | 1.13 | 1.14 |
 | `CustomResourceWebhookConversion` | `true` | Beta | 1.15 | 1.15 |
 | `CustomResourceWebhookConversion` | `true` | GA | 1.16 | 1.18 |
+| `DaemonSetUpdateSurge` | `false` | Alpha | 1.21 | 1.21 |
+| `DaemonSetUpdateSurge` | `true` | Beta | 1.22 | 1.24 |
+| `DaemonSetUpdateSurge` | `true` | GA | 1.25 | 1.26 |
 | `DefaultPodTopologySpread` | `false` | Alpha | 1.19 | 1.19 |
 | `DefaultPodTopologySpread` | `true` | Beta | 1.20 | 1.23 |
 | `DefaultPodTopologySpread` | `true` | GA | 1.24 | 1.25 |
@@ -138,18 +155,21 @@ In the following table:
 | `EndpointSliceProxying` | `false` | Alpha | 1.18 | 1.18 |
 | `EndpointSliceProxying` | `true` | Beta | 1.19 | 1.21 |
 | `EndpointSliceProxying` | `true` | GA | 1.22 | 1.24 |
+| `EphemeralContainers` | `false` | Alpha | 1.16 | 1.22 |
+| `EphemeralContainers` | `true` | Beta | 1.23 | 1.24 |
+| `EphemeralContainers` | `true` | GA | 1.25 | 1.26 |
 | `EvenPodsSpread` | `false` | Alpha | 1.16 | 1.17 |
 | `EvenPodsSpread` | `true` | Beta | 1.18 | 1.18 |
 | `EvenPodsSpread` | `true` | GA | 1.19 | 1.21 |
 | `ExpandCSIVolumes` | `false` | Alpha | 1.14 | 1.15 |
 | `ExpandCSIVolumes` | `true` | Beta | 1.16 | 1.23 |
-| `ExpandCSIVolumes` | `true` | GA | 1.24 | 1.27 |
+| `ExpandCSIVolumes` | `true` | GA | 1.24 | 1.26 |
 | `ExpandInUsePersistentVolumes` | `false` | Alpha | 1.11 | 1.14 |
 | `ExpandInUsePersistentVolumes` | `true` | Beta | 1.15 | 1.23 |
-| `ExpandInUsePersistentVolumes` | `true` | GA | 1.24 | 1.27 |
+| `ExpandInUsePersistentVolumes` | `true` | GA | 1.24 | 1.26 |
 | `ExpandPersistentVolumes` | `false` | Alpha | 1.8 | 1.10 |
 | `ExpandPersistentVolumes` | `true` | Beta | 1.11 | 1.23 |
-| `ExpandPersistentVolumes` | `true` | GA | 1.24 | 1.27 |
+| `ExpandPersistentVolumes` | `true` | GA | 1.24 | 1.26 |
 | `ExperimentalCriticalPodAnnotation` | `false` | Alpha | 1.5 | 1.12 |
 | `ExperimentalCriticalPodAnnotation` | `false` | Deprecated | 1.13 | 1.16 |
 | `ExternalPolicyForExternalIP` | `true` | GA | 1.18 | 1.22 |
@@ -171,7 +191,7 @@ In the following table:
 | `IPv6DualStack` | `true` | GA | 1.23 | 1.24 |
 | `IdentifyPodOS` | `false` | Alpha | 1.23 | 1.23 |
 | `IdentifyPodOS` | `true` | Beta | 1.24 | 1.24 |
-| `IdentifyPodOS` | `true` | GA | 1.25 | 1.27 |
+| `IdentifyPodOS` | `true` | GA | 1.25 | 1.26 |
 | `ImmutableEphemeralVolumes` | `false` | Alpha | 1.18 | 1.18 |
 | `ImmutableEphemeralVolumes` | `true` | Beta | 1.19 | 1.20 |
 | `ImmutableEphemeralVolumes` | `true` | GA | 1.21 | 1.24 |
@@ -191,6 +211,9 @@ In the following table:
 | `LegacyNodeRoleBehavior` | `false` | Alpha | 1.16 | 1.18 |
 | `LegacyNodeRoleBehavior` | `true` | Beta | 1.19 | 1.20 |
 | `LegacyNodeRoleBehavior` | `false` | GA | 1.21 | 1.22 |
+| `LocalStorageCapacityIsolation` | `false` | Alpha | 1.7 | 1.9 |
+| `LocalStorageCapacityIsolation` | `true` | Beta | 1.10 | 1.24 |
+| `LocalStorageCapacityIsolation` | `true` | GA | 1.25 | 1.26 |
 | `MountContainers` | `false` | Alpha | 1.9 | 1.16 |
 | `MountContainers` | `false` | Deprecated | 1.17 | 1.17 |
 | `MountPropagation` | `false` | Alpha | 1.8 | 1.9 |
@@ -198,6 +221,9 @@ In the following table:
 | `MountPropagation` | `true` | GA | 1.12 | 1.14 |
 | `NamespaceDefaultLabelName` | `true` | Beta | 1.21 | 1.21 |
 | `NamespaceDefaultLabelName` | `true` | GA | 1.22 | 1.23 |
+| `NetworkPolicyEndPort` | `false` | Alpha | 1.21 | 1.21 |
+| `NetworkPolicyEndPort` | `true` | Beta | 1.22 | 1.24 |
+| `NetworkPolicyEndPort` | `true` | GA | 1.25 | 1.26 |
 | `NodeDisruptionExclusion` | `false` | Alpha | 1.16 | 1.18 |
 | `NodeDisruptionExclusion` | `true` | Beta | 1.19 | 1.20 |
 | `NodeDisruptionExclusion` | `true` | GA | 1.21 | 1.22 |
@@ -285,6 +311,9 @@ In the following table:
 | `StartupProbe` | `false` | Alpha | 1.16 | 1.17 |
 | `StartupProbe` | `true` | Beta | 1.18 | 1.19 |
 | `StartupProbe` | `true` | GA | 1.20 | 1.23 |
+| `StatefulSetMinReadySeconds` | `false` | Alpha | 1.22 | 1.22 |
+| `StatefulSetMinReadySeconds` | `true` | Beta | 1.23 | 1.24 |
+| `StatefulSetMinReadySeconds` | `true` | GA | 1.25 | 1.26 |
 | `StorageObjectInUseProtection` | `true` | Beta | 1.10 | 1.10 |
 | `StorageObjectInUseProtection` | `true` | GA | 1.11 | 1.24 |
 | `StreamingProxyRedirects` | `false` | Beta | 1.5 | 1.5 |
@@ -400,6 +429,18 @@ In the following table:
 - `CSIDriverRegistry`: Enable all logic related to the CSIDriver API object in
   `csi.storage.k8s.io`.
 
+- `CSIInlineVolume`: Enable CSI Inline volumes support for pods.
+
+- `CSIMigration`: Enables shims and translation logic to route volume
+  operations from in-tree plugins to corresponding pre-installed CSI plugins
+
+- `CSIMigrationAWS`: Enables shims and translation logic to route volume
+  operations from the AWS-EBS in-tree plugin to EBS CSI plugin. Supports
+  falling back to in-tree EBS plugin for mount operations to nodes that have
+  the feature disabled or that do not have EBS CSI plugin installed and
+  configured. Does not support falling back for provision operations, for those
+  the CSI plugin must be installed and configured.
+
 - `CSIMigrationAWSComplete`: Stops registering the EBS in-tree plugin in
   kubelet and volume controllers and enables shims and translation logic to
   route volume operations from the AWS-EBS in-tree plugin to EBS CSI plugin.
@@ -408,6 +449,14 @@ In the following table:
   been deprecated in favor of the `InTreePluginAWSUnregister` feature flag
   which prevents the registration of in-tree EBS plugin.
 
+- `CSIMigrationAzureDisk`: Enables shims and translation logic to route volume
+  operations from the Azure-Disk in-tree plugin to AzureDisk CSI plugin.
+  Supports falling back to in-tree AzureDisk plugin for mount operations to
+  nodes that have the feature disabled or that do not have AzureDisk CSI plugin
+  installed and configured. Does not support falling back for provision
+  operations, for those the CSI plugin must be installed and configured.
+  Requires CSIMigration feature flag enabled.
+
 - `CSIMigrationAzureDiskComplete`: Stops registering the Azure-Disk in-tree
   plugin in kubelet and volume controllers and enables shims and translation
   logic to route volume operations from the Azure-Disk in-tree plugin to
@@ -508,6 +557,10 @@ In the following table:
 - `CustomResourceWebhookConversion`: Enable webhook-based conversion
   on resources created from [CustomResourceDefinition](/docs/concepts/extend-kubernetes/api-extension/custom-resources/).
 
+- `DaemonSetUpdateSurge`: Enables the DaemonSet workloads to maintain
+  availability during update per node.
+  See [Perform a Rolling Update on a DaemonSet](/docs/tasks/manage-daemon/update-daemon-set/).
+
 - `DefaultPodTopologySpread`: Enables the use of `PodTopologySpread` scheduling plugin to do
   [default spreading](/docs/concepts/scheduling-eviction/topology-spread-constraints/#internal-default-constraints).
 
@@ -540,6 +593,10 @@ In the following table:
    Endpoints, enabling scalability and performance improvements. See
    [Enabling Endpoint Slices](/docs/concepts/services-networking/endpoint-slices/).
 
+- `EphemeralContainers`: Enable the ability to add
+  {{< glossary_tooltip text="ephemeral containers" term_id="ephemeral-container" >}}
+  to running Pods.
+
 - `EvenPodsSpread`: Enable pods to be scheduled evenly across topology domains. See
   [Pod Topology Spread Constraints](/docs/concepts/scheduling-eviction/topology-spread-constraints/).
 
@@ -608,6 +665,11 @@ In the following table:
   node disruption will ignore the `node-role.kubernetes.io/master` label in favor of the
   feature-specific labels provided by `NodeDisruptionExclusion` and `ServiceNodeExclusion`.
 
+- `LocalStorageCapacityIsolation`: Enable the consumption of
+  [local ephemeral storage](/docs/concepts/configuration/manage-resources-containers/)
+  and also the `sizeLimit` property of an
+  [emptyDir volume](/docs/concepts/storage/volumes/#emptydir).
+
 - `MountContainers`: Enable using utility containers on host as the volume mounter.
 
 - `MountPropagation`: Enable sharing volume mounted by one container to other containers or pods.
@@ -718,6 +780,9 @@ In the following table:
 - `StartupProbe`: Enable the [startup](/docs/concepts/workloads/pods/pod-lifecycle/#when-should-you-use-a-startup-probe)
   probe in the kubelet.
 
+- `StatefulSetMinReadySeconds`: Allows `minReadySeconds` to be respected by
+  the StatefulSet controller.
+
 - `StorageObjectInUseProtection`: Postpone the deletion of PersistentVolume or
   PersistentVolumeClaim objects if they are still being used.
 
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 7e157bd00f3..a68aa6a9a19 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -56,7 +56,6 @@ For a reference to old feature gates that are removed, please refer to
 
 | Feature | Default | Stage | Since | Until |
 |---------|---------|-------|-------|-------|
-| `AdmissionWebhookMatchConditions` | `false` | Alpha | 1.27 | |
 | `APIListChunking` | `false` | Alpha | 1.8 | 1.8 |
 | `APIListChunking` | `true` | Beta | 1.9 | |
 | `APIPriorityAndFairness` | `false` | Alpha | 1.18 | 1.19 |
@@ -69,6 +68,7 @@ For a reference to old feature gates that are removed, please refer to
 | `APIServerIdentity` | `true` | Beta | 1.26 | |
 | `APIServerTracing` | `false` | Alpha | 1.22 | 1.26 |
 | `APIServerTracing` | `true` | Beta | 1.27 | |
+| `AdmissionWebhookMatchConditions` | `false` | Alpha | 1.27 | |
 | `AggregatedDiscoveryEndpoint` | `false` | Alpha | 1.26 | 1.26 |
 | `AggregatedDiscoveryEndpoint` | `true` | Beta | 1.27 | |
 | `AnyVolumeDataSource` | `false` | Alpha | 1.18 | 1.23 |
@@ -84,7 +84,9 @@ For a reference to old feature gates that are removed, please refer to
 | `CSINodeExpandSecret` | `false` | Alpha | 1.25 | 1.26 |
 | `CSINodeExpandSecret` | `true` | Beta | 1.27 | |
 | `CSIVolumeHealth` | `false` | Alpha | 1.21 | |
+| `CloudControllerManagerWebhook` | false | Alpha | 1.27 | |
 | `CloudDualStackNodeIPs` | false | Alpha | 1.27 | |
+| `ClusterTrustBundle` | false | Alpha | 1.27 | |
 | `ComponentSLIs` | `false` | Alpha | 1.26 | 1.26 |
 | `ComponentSLIs` | `true` | Beta | 1.27 | |
 | `ContainerCheckpoint` | `false` | Alpha | 1.25 | |
@@ -110,7 +112,9 @@ For a reference to old feature gates that are removed, please refer to
 | `HPAContainerMetrics` | `true` | Beta | 1.27 | |
 | `HPAScaleToZero` | `false` | Alpha | 1.16 | |
 | `HonorPVReclaimPolicy` | `false` | Alpha | 1.23 |  |
-| `IPTablesOwnershipCleanup` | `false` | Alpha | 1.25 | |
+| `IPTablesOwnershipCleanup` | `false` | Alpha | 1.25 | 1.26 |
+| `IPTablesOwnershipCleanup` | `true` | Beta | 1.27 | |
+| `InPlacePodVerticalScaling` | `false` | Alpha | 1.27 | |
 | `InTreePluginAWSUnregister` | `false` | Alpha | 1.21 | |
 | `InTreePluginAzureDiskUnregister` | `false` | Alpha | 1.21 | |
 | `InTreePluginAzureFileUnregister` | `false` | Alpha | 1.21 | |
@@ -123,14 +127,15 @@ For a reference to old feature gates that are removed, please refer to
 | `JobPodFailurePolicy` | `true` | Beta | 1.26 | |
 | `JobReadyPods` | `false` | Alpha | 1.23 | 1.23 |
 | `JobReadyPods` | `true` | Beta | 1.24 | |
-| `KMSv2` | `false` | Alpha | 1.25 | |
+| `KMSv2` | `false` | Alpha | 1.25 | 1.26 |
+| `KMSv2` | `true` | Beta | 1.27 | |
 | `KubeletInUserNamespace` | `false` | Alpha | 1.22 | |
 | `KubeletPodResources` | `false` | Alpha | 1.13 | 1.14 |
 | `KubeletPodResources` | `true` | Beta | 1.15 | |
+| `KubeletPodResourcesDynamicResources` | `false` | Alpha | 1.27 | |
 | `KubeletPodResourcesGet` | `false` | Alpha | 1.27 | |
 | `KubeletPodResourcesGetAllocatable` | `false` | Alpha | 1.21 | 1.22 |
 | `KubeletPodResourcesGetAllocatable` | `true` | Beta | 1.23 | |
-| `KubeletPodResourcesDynamicResources` | `false` | Alpha | 1.27 | |
 | `KubeletTracing` | `false` | Alpha | 1.25 | 1.26 |
 | `KubeletTracing` | `true` | Beta | 1.27 | |
 | `LegacyServiceAccountTokenTracking` | `false` | Alpha | 1.26 | 1.26 |
@@ -149,10 +154,8 @@ For a reference to old feature gates that are removed, please refer to
 | `MinDomainsInPodTopologySpread` | `false` | Alpha | 1.24 | 1.24 |
 | `MinDomainsInPodTopologySpread` | `false` | Beta | 1.25 | 1.26 |
 | `MinDomainsInPodTopologySpread` | `true` | Beta | 1.27 | |
-| `MixedProtocolLBService` | `false` | Alpha | 1.20 | 1.23 |
-| `MixedProtocolLBService` | `true` | Beta | 1.24 | |
-| `MinDomainsInPodTopologySpread` | `false` | Beta | 1.25 | |
-| `MinimizeIPTablesRestore` | `false` | Alpha | 1.26 | - |
+| `MinimizeIPTablesRestore` | `false` | Alpha | 1.26 | 1.26 |
+| `MinimizeIPTablesRestore` | `true` | Beta | 1.27 | |
 | `MultiCIDRRangeAllocator` | `false` | Alpha | 1.25 | |
 | `MultiCIDRServiceAllocator` | `false` | Alpha | 1.27 | |
 | `NetworkPolicyStatus` | `false` | Alpha | 1.24 |  |
@@ -193,9 +196,11 @@ For a reference to old feature gates that are removed, please refer to
 | `RotateKubeletServerCertificate` | `true` | Beta | 1.12 | |
 | `SELinuxMountReadWriteOncePod` | `false` | Alpha | 1.25 | 1.26 |
 | `SELinuxMountReadWriteOncePod` | `true` | Beta | 1.27 | |
+| `SecurityContextDeny` | `false` | Alpha | 1.27 | |
 | `ServiceNodePortStaticSubrange` | `false` | Alpha | 1.27 | |
 | `SizeMemoryBackedVolumes` | `false` | Alpha | 1.20 | 1.21 |
 | `SizeMemoryBackedVolumes` | `true` | Beta | 1.22 | |
+| `StableLoadBalancerNodeGet` | `true` | Beta | 1.27 | |
 | `StatefulSetAutoDeletePVC` | `false` | Alpha | 1.22 | 1.26 |
 | `StatefulSetAutoDeletePVC` | `false` | Beta | 1.27 | |
 | `StatefulSetStartOrdinal` | `false` | Alpha | 1.26 | 1.26 |
@@ -231,20 +236,6 @@ For a reference to old feature gates that are removed, please refer to
 | `CPUManager` | `false` | Alpha | 1.8 | 1.9 |
 | `CPUManager` | `true` | Beta | 1.10 | 1.25 |
 | `CPUManager` | `true` | GA | 1.26 | - |
-| `CSIInlineVolume` | `false` | Alpha | 1.15 | 1.15 |
-| `CSIInlineVolume` | `true` | Beta | 1.16 | 1.24 |
-| `CSIInlineVolume` | `true` | GA | 1.25 | - |
-| `CSIMigration` | `false` | Alpha | 1.14 | 1.16 |
-| `CSIMigration` | `true` | Beta | 1.17 | 1.24 |
-| `CSIMigration` | `true` | GA | 1.25 | - |
-| `CSIMigrationAWS` | `false` | Alpha | 1.14 | 1.16 |
-| `CSIMigrationAWS` | `false` | Beta | 1.17 | 1.22 |
-| `CSIMigrationAWS` | `true` | Beta | 1.23 | 1.24 |
-| `CSIMigrationAWS` | `true` | GA | 1.25 | - |
-| `CSIMigrationAzureDisk` | `false` | Alpha | 1.15 | 1.18 |
-| `CSIMigrationAzureDisk` | `false` | Beta | 1.19 | 1.22 |
-| `CSIMigrationAzureDisk` | `true` | Beta | 1.23 | 1.23 |
-| `CSIMigrationAzureDisk` | `true` | GA | 1.24 | |
 | `CSIMigrationAzureFile` | `false` | Alpha | 1.15 | 1.20 |
 | `CSIMigrationAzureFile` | `false` | Beta | 1.21 | 1.23 |
 | `CSIMigrationAzureFile` | `true` | Beta | 1.24 | 1.25 |
@@ -264,9 +255,6 @@ For a reference to old feature gates that are removed, please refer to
 | `CronJobTimeZone` | `false` | Alpha | 1.24 | 1.24 |
 | `CronJobTimeZone` | `true` | Beta | 1.25 | 1.26 |
 | `CronJobTimeZone` | `true` | GA | 1.27 | - |
-| `DaemonSetUpdateSurge` | `false` | Alpha | 1.21 | 1.21 |
-| `DaemonSetUpdateSurge` | `true` | Beta | 1.22 | 1.24 |
-| `DaemonSetUpdateSurge` | `true` | GA | 1.25 | - |
 | `DelegateFSGroupToCSIDriver` | `false` | Alpha | 1.22 | 1.22 |
 | `DelegateFSGroupToCSIDriver` | `true` | Beta | 1.23 | 1.25 |
 | `DelegateFSGroupToCSIDriver` | `true` | GA | 1.26 |-|
@@ -289,18 +277,12 @@ For a reference to old feature gates that are removed, please refer to
 | `EndpointSliceTerminatingCondition` | `false` | Alpha | 1.20 | 1.21 |
 | `EndpointSliceTerminatingCondition` | `true` | Beta | 1.22 | 1.25 |
 | `EndpointSliceTerminatingCondition` | `true` | GA | 1.26 | |
-| `EphemeralContainers` | `false` | Alpha | 1.16 | 1.22 |
-| `EphemeralContainers` | `true` | Beta | 1.23 | 1.24 |
-| `EphemeralContainers` | `true` | GA | 1.25 | - |
 | `ExecProbeTimeout` | `true` | GA | 1.20 | - |
-| `JobMutableNodeSchedulingDirectives` | `true` | Beta | 1.23 | 1.26 |
-| `JobMutableNodeSchedulingDirectives` | `true` | GA | 1.27 | |
 | `GRPCContainerProbe` | `false` | Alpha | 1.23 | 1.23 |
 | `GRPCContainerProbe` | `true` | Beta | 1.24 | 1.26 |
 | `GRPCContainerProbe` | `true` | GA | 1.27 | |
-| `IdentifyPodOS` | `false` | Alpha | 1.23 | 1.23 |
-| `IdentifyPodOS` | `true` | Beta | 1.24 | 1.24 |
-| `IdentifyPodOS` | `true` | GA | 1.25 | - |
+| `JobMutableNodeSchedulingDirectives` | `true` | Beta | 1.23 | 1.26 |
+| `JobMutableNodeSchedulingDirectives` | `true` | GA | 1.27 | |
 | `JobTrackingWithFinalizers` | `false` | Alpha | 1.22 | 1.22 |
 | `JobTrackingWithFinalizers` | `false` | Beta | 1.23 | 1.24 |
 | `JobTrackingWithFinalizers` | `true` | Beta | 1.25 | 1.25 |
@@ -310,15 +292,12 @@ For a reference to old feature gates that are removed, please refer to
 | `KubeletCredentialProviders` | `true` | GA | 1.26 | - |
 | `LegacyServiceAccountTokenNoAutoGeneration` | `true` | Beta | 1.24 | 1.25 |
 | `LegacyServiceAccountTokenNoAutoGeneration` | `true` | GA | 1.26 | - |
-| `LocalStorageCapacityIsolation` | `false` | Alpha | 1.7 | 1.9 |
-| `LocalStorageCapacityIsolation` | `true` | Beta | 1.10 | 1.24 |
-| `LocalStorageCapacityIsolation` | `true` | GA | 1.25 | - |
 | `MixedProtocolLBService` | `false` | Alpha | 1.20 | 1.23 |
 | `MixedProtocolLBService` | `true` | Beta | 1.24 | 1.25 |
 | `MixedProtocolLBService` | `true` | GA | 1.26 | - |
-| `NetworkPolicyEndPort` | `false` | Alpha | 1.21 | 1.21 |
-| `NetworkPolicyEndPort` | `true` | Beta | 1.22 | 1.24 |
-| `NetworkPolicyEndPort` | `true` | GA | 1.25 | - |
+| `OpenAPIV3` | `false` | Alpha | 1.23 | 1.23 |
+| `OpenAPIV3` | `true` | Beta | 1.24 | 1.26 |
+| `OpenAPIV3` | `true` | GA | 1.27 | - |
 | `PodSecurity` | `false` | Alpha | 1.22 | 1.22 |
 | `PodSecurity` | `true` | Beta | 1.23 | 1.24 |
 | `PodSecurity` | `true` | GA | 1.25 | |
@@ -334,18 +313,12 @@ For a reference to old feature gates that are removed, please refer to
 | `ServerSideFieldValidation` | `false` | Alpha | 1.23 | 1.24 |
 | `ServerSideFieldValidation` | `true` | Beta | 1.25 | 1.26 |
 | `ServerSideFieldValidation` | `true` | GA | 1.27 | - |
-| `OpenAPIV3` | `false` | Alpha | 1.23 | 1.23 |
-| `OpenAPIV3` | `true` | Beta | 1.24 | 1.26 |
-| `OpenAPIV3` | `true` | GA | 1.27 | - |
 | `ServiceIPStaticSubrange` | `false` | Alpha | 1.24 | 1.24 |
 | `ServiceIPStaticSubrange` | `true` | Beta | 1.25 | 1.25 |
 | `ServiceIPStaticSubrange` | `true` | GA | 1.26 | - |
 | `ServiceInternalTrafficPolicy` | `false` | Alpha | 1.21 | 1.21 |
 | `ServiceInternalTrafficPolicy` | `true` | Beta | 1.22 | 1.25 |
 | `ServiceInternalTrafficPolicy` | `true` | GA | 1.26 | - |
-| `StatefulSetMinReadySeconds` | `false` | Alpha | 1.22 | 1.22 |
-| `StatefulSetMinReadySeconds` | `true` | Beta | 1.23 | 1.24 |
-| `StatefulSetMinReadySeconds` | `true` | GA | 1.25 | - |
 | `TopologyManager` | `false` | Alpha | 1.16 | 1.17 |
 | `TopologyManager` | `true` | Beta | 1.18 | 1.26 |
 | `TopologyManager` | `true` | GA | 1.27 | - |
@@ -400,7 +373,8 @@ A *General Availability* (GA) feature is also referred to as a *stable* feature.
 
 Each feature gate is designed for enabling/disabling a specific feature:
 
-- `AdmissionWebhookMatchConditions`: Enable [match conditions](/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions) on mutating & validating admission webhooks.
+- `AdmissionWebhookMatchConditions`: Enable [match conditions](/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
+  on mutating & validating admission webhooks.
 - `APIListChunking`: Enable the API clients to retrieve (`LIST` or `GET`)
   resources from API server in chunks.
 - `APIPriorityAndFairness`: Enable managing request concurrency with
@@ -420,11 +394,6 @@ Each feature gate is designed for enabling/disabling a specific feature:
   {{< glossary_tooltip text="PVC" term_id="persistent-volume-claim" >}}.
 - `AppArmor`: Enable use of AppArmor mandatory access control for Pods running on Linux nodes.
   See [AppArmor Tutorial](/docs/tutorials/security/apparmor/) for more details.
-- `CloudDualStackNodeIPs`: Enables dual-stack `kubelet --node-ip` with external cloud providers.
-  See [Configure IPv4/IPv6 dual-stack](/docs/concepts/services-networking/dual-stack/#configure-ipv4-ipv6-dual-stack)
-  for more details.
-- `ContainerCheckpoint`: Enables the kubelet `checkpoint` API.
-  See [Kubelet Checkpoint API](/docs/reference/node/kubelet-checkpoint-api/) for more details.
 - `CPUManager`: Enable container level CPU affinity support, see
   [CPU Management Policies](/docs/tasks/administer-cluster/cpu-management-policies/).
 - `CPUManagerPolicyAlphaOptions`: This allows fine-tuning of CPUManager policies,
@@ -436,22 +405,6 @@ Each feature gate is designed for enabling/disabling a specific feature:
   This feature gate guards *a group* of CPUManager options whose quality level is beta.
   This feature gate will never graduate to stable.
 - `CPUManagerPolicyOptions`: Allow fine-tuning of CPUManager policies.
-- `CSIInlineVolume`: Enable CSI Inline volumes support for pods.
-- `CSIMigration`: Enables shims and translation logic to route volume
-  operations from in-tree plugins to corresponding pre-installed CSI plugins
-- `CSIMigrationAWS`: Enables shims and translation logic to route volume
-  operations from the AWS-EBS in-tree plugin to EBS CSI plugin. Supports
-  falling back to in-tree EBS plugin for mount operations to nodes that have
-  the feature disabled or that do not have EBS CSI plugin installed and
-  configured. Does not support falling back for provision operations, for those
-  the CSI plugin must be installed and configured.
-- `CSIMigrationAzureDisk`: Enables shims and translation logic to route volume
-  operations from the Azure-Disk in-tree plugin to AzureDisk CSI plugin.
-  Supports falling back to in-tree AzureDisk plugin for mount operations to
-  nodes that have the feature disabled or that do not have AzureDisk CSI plugin
-  installed and configured. Does not support falling back for provision
-  operations, for those the CSI plugin must be installed and configured.
-  Requires CSIMigration feature flag enabled.
 - `CSIMigrationAzureFile`: Enables shims and translation logic to route volume
   operations from the Azure-File in-tree plugin to AzureFile CSI plugin.
   Supports falling back to in-tree AzureFile plugin for mount operations to
@@ -489,11 +442,18 @@ Each feature gate is designed for enabling/disabling a specific feature:
   [Storage Capacity](/docs/concepts/storage/storage-capacity/).
   Check the [`csi` volume type](/docs/concepts/storage/volumes/#csi) documentation for more details.
 - `CSIVolumeHealth`: Enable support for CSI volume health monitoring on node.
+- `CloudControllerManagerWebhook`: Enable webhooks in cloud controller manager.
+- `CloudDualStackNodeIPs`: Enables dual-stack `kubelet --node-ip` with external cloud providers.
+  See [Configure IPv4/IPv6 dual-stack](/docs/concepts/services-networking/dual-stack/#configure-ipv4-ipv6-dual-stack)
+  for more details.
+- `ClusterTrustBundle`: Enable ClusterTrustBundle objects and kubelet integration.
 - `ComponentSLIs`: Enable the `/metrics/slis` endpoint on Kubernetes components like
   kubelet, kube-scheduler, kube-proxy, kube-controller-manager, cloud-controller-manager
   allowing you to scrape health check metrics.
 - `ConsistentHTTPGetHandlers`: Normalize HTTP get URL and Header passing for lifecycle
   handlers with probers.
+- `ContainerCheckpoint`: Enables the kubelet `checkpoint` API.
+  See [Kubelet Checkpoint API](/docs/reference/node/kubelet-checkpoint-api/) for more details.
 - `ContextualLogging`: When you enable this feature gate, Kubernetes components that support
    contextual logging add extra detail to log output.
 - `CronJobTimeZone`: Allow the use of the `timeZone` optional field in [CronJobs](/docs/concepts/workloads/controllers/cron-jobs/)
@@ -505,9 +465,6 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `CustomResourceValidationExpressions`: Enable expression language validation in CRD
   which will validate customer resource based on validation rules written in
   the `x-kubernetes-validations` extension.
-- `DaemonSetUpdateSurge`: Enables the DaemonSet workloads to maintain
-  availability during update per node.
-  See [Perform a Rolling Update on a DaemonSet](/docs/tasks/manage-daemon/update-daemon-set/).
 - `DelegateFSGroupToCSIDriver`: If supported by the CSI driver, delegates the
   role of applying `fsGroup` from a Pod's `securityContext` to the driver by
   passing `fsGroup` through the NodeStageVolume and NodePublishVolume CSI calls.
@@ -534,9 +491,6 @@ Each feature gate is designed for enabling/disabling a specific feature:
    condition fields.
 - `EfficientWatchResumption`: Allows for storage-originated bookmark (progress
   notify) events to be delivered to the users. This is only applied to watch operations.
-- `EphemeralContainers`: Enable the ability to add
-  {{< glossary_tooltip text="ephemeral containers" term_id="ephemeral-container" >}}
-  to running pods.
 - `EventedPLEG`: Enable support for the kubelet to receive container life cycle events from the
   {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}} via
   an extension to {{}}.
@@ -576,6 +530,7 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `HPAScaleToZero`: Enables setting `minReplicas` to 0 for `HorizontalPodAutoscaler`
   resources when using custom or external metrics.
 - `IPTablesOwnershipCleanup`: This causes kubelet to no longer create legacy iptables rules.
+- `InPlacePodVerticalScaling`: Enables in-place Pod vertical scaling.
 - `InTreePluginAWSUnregister`: Stops registering the aws-ebs in-tree plugin in kubelet
   and volume controllers.
 - `InTreePluginAzureDiskUnregister`: Stops registering the azuredisk in-tree plugin in kubelet
@@ -632,10 +587,6 @@ Each feature gate is designed for enabling/disabling a specific feature:
   [service account tokens](/docs/reference/access-authn-authz/authentication/#service-account-tokens).
 - `LegacyServiceAccountTokenTracking`: Track usage of Secret-based
   [service account tokens](/docs/reference/access-authn-authz/authentication/#service-account-tokens).
-- `LocalStorageCapacityIsolation`: Enable the consumption of
-  [local ephemeral storage](/docs/concepts/configuration/manage-resources-containers/)
-  and also the `sizeLimit` property of an
-  [emptyDir volume](/docs/concepts/storage/volumes/#emptydir).
 - `LocalStorageCapacityIsolationFSQuotaMonitoring`: When `LocalStorageCapacityIsolation`
   is enabled for
   [local ephemeral storage](/docs/concepts/configuration/manage-resources-containers/)
@@ -665,8 +616,6 @@ Each feature gate is designed for enabling/disabling a specific feature:
   Service instance.
 - `MultiCIDRRangeAllocator`: Enables the MultiCIDR range allocator.
 - `MultiCIDRServiceAllocator`: Track IP address allocations for Service cluster IPs using IPAddress objects.
-- `NetworkPolicyEndPort`: Enable use of the field `endPort` in NetworkPolicy objects,
-  allowing the selection of a port range instead of a single port.
 - `NetworkPolicyStatus`: Enable the `status` subresource for NetworkPolicy objects.
 - `NewVolumeManagerReconstruction`: Enable improved discovery of mounted volumes during kubelet
   startup.
@@ -684,6 +633,7 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `NodeInclusionPolicyInPodTopologySpread`: Enable using `nodeAffinityPolicy` and `nodeTaintsPolicy` in
   [Pod topology spread constraints](/docs/concepts/scheduling-eviction/topology-spread-constraints/)
   when calculating pod topology spread skew.
+- `NodeLogQuery`: Enables querying logs of node services using the `/logs` endpoint.
 - `NodeOutOfServiceVolumeDetach`: When a Node is marked out-of-service using the
   `node.kubernetes.io/out-of-service` taint, Pods on the node will be forcefully deleted
    if they can not tolerate this taint, and the volume detach operations for Pods terminating
@@ -739,6 +689,7 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `SeccompDefault`: Enables the use of `RuntimeDefault` as the default seccomp profile
   for all workloads.
   The seccomp profile is specified in the `securityContext` of a Pod and/or a Container.
+- `SecurityContextDeny`: This gate signals that the `SecurityContextDeny` admission controller is deprecated.
 - `ServerSideApply`: Enables the [Sever Side Apply (SSA)](/docs/reference/using-api/server-side-apply/)
   feature on the API Server.
 - `ServerSideFieldValidation`: Enables server-side field validation. This means the validation
@@ -753,8 +704,8 @@ Each feature gate is designed for enabling/disabling a specific feature:
   for more details.
 - `SizeMemoryBackedVolumes`: Enable kubelets to determine the size limit for
   memory-backed volumes (mainly `emptyDir` volumes).
-- `StatefulSetMinReadySeconds`: Allows `minReadySeconds` to be respected by
-  the StatefulSet controller.
+- `StableLoadBalancerNodeGet`: Enables less load balancer re-configurations by 
+  the service controller (KCCM) as an effect of changing node state.
 - `StatefulSetStartOrdinal`: Allow configuration of the start ordinal in a
   StatefulSet. See
   [Start ordinal](/docs/concepts/workloads/controllers/statefulset/#start-ordinal)

From 8095fdb540aec1a0400fe95a0a6db11dbbe87ccf Mon Sep 17 00:00:00 2001
From: mostafahanafi 
Date: Fri, 21 Apr 2023 05:46:57 +0100
Subject: [PATCH 251/272] changed selection color to kubernetes blue

---
 assets/scss/_base.scss | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/assets/scss/_base.scss b/assets/scss/_base.scss
index 8b2cc87b3ec..20025064d2b 100644
--- a/assets/scss/_base.scss
+++ b/assets/scss/_base.scss
@@ -102,6 +102,16 @@ main {
   }
 }
 
+::selection {
+  background: #326ce5;
+  color: white;
+}
+
+::-moz-selection {
+  background: #326ce5;
+  color: white;
+}
+
 // HEADER
 
 #hamburger {

From 8c9dab43d3e6c39f01fd533bf1631473c9eddb01 Mon Sep 17 00:00:00 2001
From: "xin.li" 
Date: Fri, 21 Apr 2023 23:20:48 +0800
Subject: [PATCH 252/272] [zh-cn] sync
 configure-liveness-readiness-startup-probes.md security-context.md and
 assign-memory-resource.md

Signed-off-by: xin.li 
---
 .../assign-memory-resource.md                 |  7 ++-
 ...igure-liveness-readiness-startup-probes.md | 57 ++++++++++++-------
 .../security-context.md                       | 45 ++++++++-------
 3 files changed, 67 insertions(+), 42 deletions(-)

diff --git a/content/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource.md b/content/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource.md
index 71ac184837d..15407495914 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource.md
@@ -98,8 +98,8 @@ for the Pod:
 -->
 ## 指定内存请求和限制    {#specify-a-memory-request-and-a-memory-limit}
 
-要为容器指定内存请求,请在容器资源清单中包含 `resources:requests` 字段。
-同理,要指定内存限制,请包含 `resources:limits`。
+要为容器指定内存请求,请在容器资源清单中包含 `resources: requests` 字段。
+同理,要指定内存限制,请包含 `resources: limits`。
 
 在本练习中,你将创建一个拥有一个容器的 Pod。
 容器将会请求 100 MiB 内存,并且内存会被限制在 200 MiB 以内。
@@ -544,6 +544,8 @@ kubectl delete namespace mem-example
 * [Configure a Pod Quota for a Namespace](/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
 
 * [Configure Quotas for API Objects](/docs/tasks/administer-cluster/quota-api-object/)
+
+* [Resize CPU and Memory Resources assigned to Containers](/docs/tasks/configure-pod-container/resize-container-resources/)
 -->
 ### 集群管理员扩展阅读    {#for-cluster-administrators}
 
@@ -554,4 +556,5 @@ kubectl delete namespace mem-example
 * [为命名空间配置内存和 CPU 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
 * [配置命名空间下 Pod 总数](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
 * [配置 API 对象配额](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)
+* [调整分配给容器的 CPU 和内存资源的大小](/docs/tasks/configure-pod-container/resize-container-resources/)
 
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
index 6bb607d51a1..4ad57c2e29f 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
@@ -31,7 +31,6 @@ A common pattern for liveness probes is to use the same low-cost HTTP endpoint
 s for readiness probes, but with a higher failureThreshold. This ensures that the pod
 is observed as not-ready for some period of time before it is hard killed.
 -->
-
 存活探针的常见模式是为就绪探针使用相同的低成本 HTTP 端点,但具有更高的 failureThreshold。
 这样可以确保在硬性终止 Pod 之前,将观察到 Pod 在一段时间内处于非就绪状态。
 
@@ -75,8 +74,9 @@ scalable; and increased workload on remaining pods due to some failed pods.
 Understand the difference between readiness and liveness probes and when to apply them for your app.
 -->
 错误的存活探针可能会导致级联故障。
-这会导致在高负载下容器重启;例如由于应用程序无法扩展,导致客户端请求失败;以及由于某些 Pod 失败而导致剩余 Pod 的工作负载增加。
-了解就绪探针和存活探针之间的区别,以及何时为应用程序配置使用它们非常重要。
+这会导致在高负载下容器重启;例如由于应用程序无法扩展,导致客户端请求失败;以及由于某些
+Pod 失败而导致剩余 Pod 的工作负载增加。了解就绪探针和存活探针之间的区别,
+以及何时为应用程序配置使用它们非常重要。
 {{< /note >}}
 
 ## {{% heading "prerequisites" %}}
@@ -247,7 +247,7 @@ and restarts it.
 `periodSeconds` 字段指定了 kubelet 每隔 3 秒执行一次存活探测。
 `initialDelaySeconds` 字段告诉 kubelet 在执行第一次探测前应该等待 3 秒。
 kubelet 会向容器内运行的服务(服务在监听 8080 端口)发送一个 HTTP GET 请求来执行探测。
-如果服务器上 `/healthz`  路径下的处理程序返回成功代码,则 kubelet 认为容器是健康存活的。
+如果服务器上 `/healthz` 路径下的处理程序返回成功代码,则 kubelet 认为容器是健康存活的。
 如果处理程序返回失败代码,则 kubelet 会杀死这个容器并将其重启。
 
 
 返回大于或等于 200 并且小于 400 的任何代码都标示成功,其它返回代码都标示失败。
 
-你可以访问 [server.go](https://github.com/kubernetes/kubernetes/blob/master/test/images/agnhost/liveness/server.go)。
+你可以访问 [server.go](https://github.com/kubernetes/kubernetes/blob/master/test/images/agnhost/liveness/server.go)
 阅读服务的源码。
 容器存活期间的最开始 10 秒中,`/healthz` 处理程序返回 200 的状态码。
 之后处理程序返回 500 的状态码。
@@ -380,11 +380,9 @@ kubectl describe pod goproxy
 {{< feature-state for_k8s_version="v1.24" state="beta" >}}
 
 
@@ -395,22 +393,40 @@ kubelet 可以配置为使用该协议来执行应用存活性检查。
 [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 才能配置依赖于 gRPC 的检查机制。
 
+这个例子展示了如何配置 Kubernetes 以将其用于应用程序的存活性检查。
+类似地,你可以配置就绪探针和启动探针。
+
 下面是一个示例清单:
 
 {{< codenew file="pods/probe/grpc-liveness.yaml" >}}
 
 
-要使用 gRPC 探针,必须配置 `port` 属性。如果健康状态端点配置在非默认服务之上,
-你还必须设置 `service` 属性。
+要使用 gRPC 探针,必须配置 `port` 属性。
+如果要区分不同类型的探针和不同功能的探针,可以使用 `service` 字段。
+你可以将 `service` 设置为 `liveness`,并使你的 gRPC
+健康检查端点对该请求的响应与将 `service` 设置为 `readiness` 时不同。
+这使你可以使用相同的端点进行不同类型的容器健康检查(而不需要在两个不同的端口上侦听)。
+如果你想指定自己的自定义服务名称并指定探测类型,Kubernetes
+项目建议你使用使用一个可以关联服务和探测类型的名称来命名。
+例如:`myservice-liveness`(使用 `-` 作为分隔符)。
 
 {{< note >}}
 
-与 HTTP 和 TCP 探针不同,gRPC 探测不能使用命名端口或定制主机。
+与 HTTP 和 TCP 探针不同,gRPC 探测不能使用按名称指定端口,
+也不能自定义主机名。
 {{< /note >}}
 
 
-存活探针 **不等待** 就绪性探针成功。
+存活探针**不等待**就绪性探针成功。
 如果要在执行存活探针之前等待,应该使用 `initialDelaySeconds` 或 `startupProbe`。
 {{< /caution >}}
 
@@ -751,8 +767,8 @@ in the range 1 to 65535.
 [HTTP Probes](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#httpgetaction-v1-core)
 允许针对 `httpGet` 配置额外的字段:
 
-* `host`:连接使用的主机名,默认是 Pod 的 IP。也可以在 HTTP 头中设置 “Host” 来代替。
-* `scheme` :用于设置连接主机的方式(HTTP 还是 HTTPS)。默认是 "HTTP"。
+* `host`:连接使用的主机名,默认是 Pod 的 IP。也可以在 HTTP 头中设置 "Host" 来代替。
+* `scheme`:用于设置连接主机的方式(HTTP 还是 HTTPS)。默认是 "HTTP"。
 * `path`:访问 HTTP 服务的路径。默认值为 "/"。
 * `httpHeaders`:请求中自定义的 HTTP 头。HTTP 头字段允许重复。
 * `port`:访问容器的端口号或者端口名。如果数字必须在 1~65535 之间。
@@ -840,7 +856,7 @@ to resolve it.
 -->
 ### 探针层面的 `terminationGracePeriodSeconds`
 
-{{< feature-state for_k8s_version="v1.25" state="beta" >}}
+{{< feature-state for_k8s_version="v1.27" state="stable" >}}
 
 
 {{< note >}}
 从 Kubernetes 1.25 开始,默认启用 `ProbeTerminationGracePeriod` 特性。
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/security-context.md b/content/zh-cn/docs/tasks/configure-pod-container/security-context.md
index fdd0c680447..3e2c7ca1172 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/security-context.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/security-context.md
@@ -710,7 +710,7 @@ To assign SELinux labels, the SELinux security module must be loaded on the host
 -->
 ### 高效重打 SELinux 卷标签
 
-{{< feature-state for_k8s_version="v1.25" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.27" state="beta" >}}
 
 
-* 必须启用 Alpha 特性门控 `ReadWriteOncePod` 和 `SELinuxMountReadWriteOncePod`。
+* 必须启用 `ReadWriteOncePod` 和 `SELinuxMountReadWriteOncePod`
+  [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 
 
-* 对应的 PersistentVolume 必须是使用 {< glossary_tooltip text="CSI" term_id="csi" >}}
-  驱动程序的卷,或者是传统的 `iscsi` 卷类型的卷。
-  * 如果使用基于 CSI 驱动程序的卷,CSI 驱动程序必须能够通过在 CSIDriver
-    实例中设置 `spec.seLinuxMount: true` 以支持 `-o context` 挂载。
+* 对应的 PersistentVolume 必须是:
+  * 使用传统树内(In-Tree) `iscsi`、`rbd` 或 `fs` 卷类型的卷。
+  * 或者是使用 {< glossary_tooltip text="CSI" term_id="csi" >}} 驱动程序的卷
+    CSI 驱动程序必须能够通过在 CSIDriver 实例中设置 `spec.seLinuxMount: true`
+    以支持 `-o context` 挂载。
 
 
 
-在 Kubernetes 1.25 中,kubelet 在重启后会丢失对卷标签的追踪记录。
-换言之,kubelet 可能会拒绝启动 Pod,原因类似于 “conflicting
-SELinux labels of volume”,
-但实际上 Pod 中并没有冲突的标签。在重启 kubelet
-之前确保节点已被[完全腾空](/zh-cn/docs/tasks/administer-cluster/safely-drain-node/)。
+如果你的 Kubernetes 版本是 v1.25,请参阅此任务页面的 v1.25 版本:
+[为 Pod 或 Container 配置安全上下文](https://v1-25.docs.kubernetes.io/docs/tasks/configure-pod-container/security-context/)(v1.25)。
+该文档中有一个重要的说明:kubelet 在重启后会丢失对卷标签的追踪记录。
+这个缺陷已经在 Kubernetes 1.26 中修复。
 {{< /note >}}
 
 
 * 一台兼容的 Linux 主机。Kubernetes 项目为基于 Debian 和 Red Hat 的 Linux
   发行版以及一些不提供包管理器的发行版提供通用的指令。
@@ -50,6 +51,8 @@ see the [Creating a cluster with kubeadm](/docs/setup/production-environment/too
 * 节点之中不可以有重复的主机名、MAC 地址或 product_uuid。请参见[这里](#verify-mac-address)了解更多详细信息。
 * 开启机器上的某些端口。请参见[这里](#check-required-ports)了解更多详细信息。
 * 禁用交换分区。为了保证 kubelet 正常工作,你**必须**禁用交换分区。
+  * 例如,`sudo swapoff -a` 将暂时禁用交换分区。要使此更改在重启后保持不变,请确保在如
+    `/etc/fstab`、`systemd.swap` 等配置文件中禁用交换分区,具体取决于你的系统如何配置。
 
 
 

From 6579d24eb1b38bc656ca69bc9dc9f7c4ba701dda Mon Sep 17 00:00:00 2001
From: windsonsea 
Date: Fri, 21 Apr 2023 17:16:59 +0800
Subject: [PATCH 254/272] [zh] sync /workload-resources/job-v1.md

---
 .../workload-resources/job-v1.md              | 135 +++++++++---------
 1 file changed, 68 insertions(+), 67 deletions(-)

diff --git a/content/zh-cn/docs/reference/kubernetes-api/workload-resources/job-v1.md b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/job-v1.md
index 03ba7fc8292..c847b050409 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/workload-resources/job-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/job-v1.md
@@ -8,7 +8,6 @@ description: "Job 表示单个任务的配置。"
 title: "Job"
 weight: 9
 ---
-
 
 - **metadata** (}}">ObjectMeta)
 
-  标准的对象元数据。更多信息: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  标准的对象元数据。更多信息:
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 
 
 - **spec** (}}">JobSpec)
 
-  任务的预期行为的规约。更多信息: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+  任务的预期行为的规约。更多信息:
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 
 
 - **status** (}}">JobStatus)
 
-  任务的当前状态。更多信息: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-
+  任务的当前状态。更多信息:
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 
 ## JobSpec {#JobSpec}
 
@@ -80,7 +81,7 @@ JobSpec 描述了任务执行的情况。
 
 - **template** (}}">PodTemplateSpec), 必需
 
-  描述执行任务时将创建的 Pod。更多信息: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+  描述执行任务时将创建的 Pod。template.spec.restartPolicy 可以取的值只能是
+  "Never" 或 "OnFailure"。更多信息:
+  https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
 
 - **parallelism** (int32)
 
   指定任务应在任何给定时刻预期运行的 Pod 个数上限。
   当(.spec.completions - .status.successful) \< .spec.parallelism 时,
   即当剩余的工作小于最大并行度时,在稳定状态下运行的 Pod 的实际数量将小于此数量。
-  更多信息: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+  更多信息:
+  https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
 
 ### Lifecycle
 
 
 - **completions** (int32)
 
-  指定任务应该运行并预期成功完成的 Pod 个数。设置为 nil 意味着任何 Pod 的成功都标识着所有 Pod 的成功,
+  指定任务应该运行并预期成功完成的 Pod 个数。设置为空意味着任何 Pod 的成功都标识着所有 Pod 的成功,
   并允许 parallelism 设置为任何正值。设置为 1 意味着并行性被限制为 1,并且该 Pod 的成功标志着任务的成功。更多信息:
   https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
 
 
 - **completionMode** (string)
 
-  completionMode 指定如何跟踪 Pod 完成情况。它可以是 `NonIndexed` (默认) 或者 `Indexed`。
+  completionMode 指定如何跟踪 Pod 完成情况。它可以是 `NonIndexed`(默认)或者 `Indexed`。
 
   `NonIndexed` 表示当有 `.spec.completions` 个成功完成的 Pod 时,认为 Job 完成。每个 Pod 完成都是彼此同源的。
 
@@ -175,7 +179,7 @@ JobSpec 描述了任务执行的情况。
 
 - **suspend** (boolean)
 
@@ -205,9 +209,9 @@ JobSpec 描述了任务执行的情况。
   manualSelector 控制 Pod 标签和 Pod 选择器的生成。除非你确定你在做什么,否则不要设置 `manualSelector`。
   当此字段为 false 或未设置时,系统会选择此 Pod 唯一的标签并将这些标签附加到 Pod 模板。
   当此字段为 true 时,用户负责选择唯一标签并指定选择器。
-  未能选择唯一标签可能会导致此任务和其他任务无法正常运行。
-  但是,你可能会在使用旧的 `extensions/v1beta1` API 创建的任务中看到 `manualSelector=true`。
-  更多信息: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector
+  未能选择唯一标签可能会导致此任务和其他任务无法正常运行。但是,你可能会在使用旧的 `extensions/v1beta1` API
+  创建的任务中看到 `manualSelector=true`。更多信息:
+  https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector
 
 
-### Alpha 级别
+### Alpha 级别   {#alpha-level}
 
 - **podFailurePolicy** (PodFailurePolicy)
 
@@ -254,12 +258,12 @@ JobSpec 描述了任务执行的情况。
 
     
 
     
     **PodFailurePolicyRule 描述当满足要求时如何处理一个 Pod 失效。
-    在每个规则中可以使用 OnExitCodes 和 onPodConditions 之一,但不能同时使用二者。**
+    在每个规则中可以使用 onExitCodes 和 onPodConditions 之一,但不能同时使用二者。**
 
     
 - **completedIndexes** (string)
 
@@ -516,11 +522,11 @@ JobStatus 表示 Job 的当前状态。
 
   - **conditions.status** (string), 必需
 
-    状况的状态,True、False、Unknown 之一。
+    状况的状态:True、False、Unknown 之一。
 
   - **conditions.type** (string), 必需
 
-    任务状况的类型,Completed 或 Failed。
+    任务状况的类型:Completed 或 Failed。
 
   - **conditions.lastProbeTime** (Time)
 
@@ -531,6 +537,7 @@ JobStatus 表示 Job 的当前状态。
     *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
     -->
     
+    
     **Time 是对 time.Time 的封装,支持正确编码为 YAML 和 JSON。我们为 time 包提供的许多工厂方法提供了封装器。**
 
   
 
+    
     **Time 是 time.Time 的包装器,支持正确编码为 YAML 和 JSON。time 包提供的许多工厂方法都提供了包装器。**
 
   
-
 - **uncountedTerminatedPods** (UncountedTerminatedPods)
 
   UncountedTerminatedPods 保存已终止但尚未被任务控制器纳入状态计数器中的 Pod 的 UID 的集合。
 
   任务控制器所创建 Pod 带有终结器。当 Pod 终止(成功或失败)时,控制器将执行三个步骤以在任务状态中对其进行说明:
-  (1)将 Pod UID 添加到此字段的列表中。(2)去掉 Pod 中的终结器。(3)从数组中删除 Pod UID,同时为相应的计数器加一。
+
+  1. 将 Pod UID 添加到此字段的列表中。
+  2. 去掉 Pod 中的终结器。
+  3. 从数组中删除 Pod UID,同时为相应的计数器加一。
 
   
 
   - **uncountedTerminatedPods.failed** ([]string)
@@ -613,8 +625,8 @@ JobStatus 表示 Job 的当前状态。
   - **uncountedTerminatedPods.succeeded** ([]string)
 
     *Set: unique values will be kept during a merge*
-
-    Succeeded holds UIDs of succeeded Pods.
+    
+    succeeded holds UIDs of succeeded Pods.
   -->
 
   - **uncountedTerminatedPods.succeeded** ([]string)
@@ -626,7 +638,7 @@ JobStatus 表示 Job 的当前状态。
 
-### Beta 级别
+### Beta 级别   {#beta-level}
 
 
-
 - **ready** (int32)
 
   状况为 Ready 的 Pod 数量。
@@ -667,7 +678,8 @@ JobList 是 Job 的集合。
 
 - **metadata** (}}">ListMeta)
 
-  标准列表元数据。更多信息: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  标准列表元数据。更多信息:
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 
 - **items** ([]}}">Job), required
 
@@ -676,7 +688,6 @@ JobList 是 Job 的集合。
 
-
 ## 操作 {#Operations}
 
 
    
@@ -824,7 +835,6 @@ GET /apis/batch/v1/namespaces/{namespace}/jobs
 
   }}">continue
 -->
-
 - **allowWatchBookmarks** (**查询参数**): boolean
 
   }}">allowWatchBookmarks
@@ -842,7 +852,6 @@ GET /apis/batch/v1/namespaces/{namespace}/jobs
 
   }}">labelSelector
 -->
-
 - **fieldSelector** (**查询参数**): string
 
   }}">fieldSelector
@@ -860,7 +869,6 @@ GET /apis/batch/v1/namespaces/{namespace}/jobs
 
   }}">pretty
 -->
-
 - **limit** (**查询参数**): integer
 
   }}">limit
@@ -878,7 +886,6 @@ GET /apis/batch/v1/namespaces/{namespace}/jobs
 
   }}">resourceVersionMatch
 -->
-
 - **resourceVersion** (**查询参数**): string
 
   }}">resourceVersion
@@ -888,6 +895,10 @@ GET /apis/batch/v1/namespaces/{namespace}/jobs
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (**查询参数**): boolean
+
+  }}">sendInitialEvents
 
 - **timeoutSeconds** (**查询参数**): integer
 
@@ -943,7 +957,6 @@ GET /apis/batch/v1/jobs
 
   }}">continue
 -->
-
 - **allowWatchBookmarks** (**查询参数**): boolean
 
   }}">allowWatchBookmarks
@@ -961,7 +974,6 @@ GET /apis/batch/v1/jobs
 
   }}">labelSelector
 -->
-
 - **fieldSelector** (**查询参数**): string
 
   }}">fieldSelector
@@ -979,7 +991,6 @@ GET /apis/batch/v1/jobs
 
   }}">pretty
 -->
-
 - **limit** (**查询参数**): integer
 
   }}">limit
@@ -997,7 +1008,6 @@ GET /apis/batch/v1/jobs
 
   }}">resourceVersionMatch
 -->
-
 - **resourceVersion** (**查询参数**): string
 
   }}">resourceVersion
@@ -1007,6 +1017,10 @@ GET /apis/batch/v1/jobs
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (**查询参数**): boolean
+
+  }}">sendInitialEvents
 
 - **timeoutSeconds** (**查询参数**): integer
 
@@ -1074,7 +1091,6 @@ POST /apis/batch/v1/namespaces/{namespace}/jobs
 
   }}">fieldManager
 -->
-
 - **dryRun** (**查询参数**): string
 
   }}">dryRun
@@ -1092,7 +1108,6 @@ POST /apis/batch/v1/namespaces/{namespace}/jobs
 
   }}">pretty
 -->
-
 - **fieldValidation** (**查询参数**): string
 
   }}">fieldValidation
@@ -1149,7 +1164,6 @@ PUT /apis/batch/v1/namespaces/{namespace}/jobs/{name}
 
 - **body**: }}">Job, required
 -->
-
 - **name** (**路径参数**): string, 必需
 
   Job 的名称。
@@ -1169,7 +1183,6 @@ PUT /apis/batch/v1/namespaces/{namespace}/jobs/{name}
 
   }}">fieldManager
 -->
-
 - **dryRun** (**查询参数**): string
 
   }}">dryRun
@@ -1187,7 +1200,6 @@ PUT /apis/batch/v1/namespaces/{namespace}/jobs/{name}
 
   }}">pretty
 -->
-
 - **fieldValidation** (**查询参数**): string
 
   }}">fieldValidation
@@ -1240,7 +1252,6 @@ PUT /apis/batch/v1/namespaces/{namespace}/jobs/{name}/status
 
 - **body**: }}">Job, required
 -->
-
 - **name** (**路径参数**): string, 必需
 
   Job 的名称。
@@ -1260,7 +1271,6 @@ PUT /apis/batch/v1/namespaces/{namespace}/jobs/{name}/status
 
   }}">fieldManager
 -->
-
 - **dryRun** (**查询参数**): string
 
   }}">dryRun
@@ -1278,7 +1288,6 @@ PUT /apis/batch/v1/namespaces/{namespace}/jobs/{name}/status
 
   }}">pretty
 -->
-
 - **fieldValidation** (**查询参数**): string
 
   }}">fieldValidation
@@ -1350,7 +1359,6 @@ PATCH /apis/batch/v1/namespaces/{namespace}/jobs/{name}
 
   }}">fieldManager
 -->
-
 - **dryRun** (**查询参数**): string
 
   }}">dryRun
@@ -1368,7 +1376,6 @@ PATCH /apis/batch/v1/namespaces/{namespace}/jobs/{name}
 
   }}">force
 -->
-
 - **fieldValidation** (**查询参数**): string
 
   }}">fieldValidation
@@ -1382,7 +1389,6 @@ PATCH /apis/batch/v1/namespaces/{namespace}/jobs/{name}
 
   }}">pretty
 -->
-
 - **pretty** (**查询参数**): string
 
   }}">pretty
@@ -1431,7 +1437,6 @@ PATCH /apis/batch/v1/namespaces/{namespace}/jobs/{name}/status
 
 - **body**: }}">Patch, required
 -->
-
 - **name** (**路径参数**): string, 必需
 
   Job 的名称。
@@ -1451,7 +1456,6 @@ PATCH /apis/batch/v1/namespaces/{namespace}/jobs/{name}/status
 
   }}">fieldManager
 -->
-
 - **dryRun** (**查询参数**): string
 
   }}">dryRun
@@ -1469,7 +1473,6 @@ PATCH /apis/batch/v1/namespaces/{namespace}/jobs/{name}/status
 
   }}">force
 -->
-
 - **fieldValidation** (**查询参数**): string
 
   }}">fieldValidation
@@ -1483,7 +1486,6 @@ PATCH /apis/batch/v1/namespaces/{namespace}/jobs/{name}/status
 
   }}">pretty
 -->
-
 - **pretty** (**查询参数**): string
 
   }}">pretty
@@ -1546,7 +1548,6 @@ DELETE /apis/batch/v1/namespaces/{namespace}/jobs/{name}
 
   }}">gracePeriodSeconds
 -->
-
 - **dryRun** (**查询参数**): string
 
   }}">dryRun
@@ -1564,7 +1565,6 @@ DELETE /apis/batch/v1/namespaces/{namespace}/jobs/{name}
 
   }}">propagationPolicy
 -->
-
 - **pretty** (**查询参数**): string
 
   }}">pretty
@@ -1623,7 +1623,6 @@ DELETE /apis/batch/v1/namespaces/{namespace}/jobs
 
   }}">dryRun
 -->
-
 - **continue** (**查询参数**): string
 
   }}">continue
@@ -1641,7 +1640,6 @@ DELETE /apis/batch/v1/namespaces/{namespace}/jobs
 
   }}">gracePeriodSeconds
 -->
-
 - **fieldSelector** (**查询参数**): string
 
   }}">fieldSelector
@@ -1659,7 +1657,6 @@ DELETE /apis/batch/v1/namespaces/{namespace}/jobs
 
   }}">limit
 -->
-
 - **labelSelector** (**查询参数**): string
 
   }}">labelSelector
@@ -1677,7 +1674,6 @@ DELETE /apis/batch/v1/namespaces/{namespace}/jobs
 
   }}">propagationPolicy
 -->
-
 - **pretty** (**查询参数**): string
 
   }}">pretty
@@ -1695,7 +1691,6 @@ DELETE /apis/batch/v1/namespaces/{namespace}/jobs
 
   }}">resourceVersionMatch
 -->
-
 - **resourceVersion** (**查询参数**): string
 
   }}">resourceVersion
@@ -1705,10 +1700,17 @@ DELETE /apis/batch/v1/namespaces/{namespace}/jobs
   }}">resourceVersionMatch
 
 
+- **sendInitialEvents** (**查询参数**): boolean
+
+  }}">sendInitialEvents
 
 - **timeoutSeconds** (**查询参数**): integer
 
@@ -1726,4 +1728,3 @@ DELETE /apis/batch/v1/namespaces/{namespace}/jobs
 200 (}}">Status): OK
 
 401: Unauthorized
-

From 64a06fd595f33442cab9969e1fcb191369812358 Mon Sep 17 00:00:00 2001
From: windsonsea 
Date: Sun, 23 Apr 2023 11:01:45 +0800
Subject: [PATCH 255/272] tweak line wrappings in declarative-config.md

---
 .../declarative-config.md                     | 119 +++++++++++-------
 1 file changed, 74 insertions(+), 45 deletions(-)

diff --git a/content/en/docs/tasks/manage-kubernetes-objects/declarative-config.md b/content/en/docs/tasks/manage-kubernetes-objects/declarative-config.md
index ef51d18fc6d..cc06edbede9 100644
--- a/content/en/docs/tasks/manage-kubernetes-objects/declarative-config.md
+++ b/content/en/docs/tasks/manage-kubernetes-objects/declarative-config.md
@@ -12,16 +12,12 @@ retains writes made to live objects without merging the changes
 back into the object configuration files. `kubectl diff` also gives you a
 preview of what changes `apply` will make.
 
-
 ## {{% heading "prerequisites" %}}
 
-
 Install [`kubectl`](/docs/tasks/tools/).
 
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
-
-
 
 
 ## Trade-offs
@@ -52,7 +48,7 @@ Following are definitions for terms used in this document:
 - *live object configuration / live configuration*: The live configuration
   values of an object, as observed by the Kubernetes cluster. These are kept in the Kubernetes
   cluster storage, typically etcd.
-- *declarative configuration writer /  declarative writer*: A person or software component
+- *declarative configuration writer / declarative writer*: A person or software component
   that makes updates to a live object. The live writers referred to in this topic make changes
   to object configuration files and run `kubectl apply` to write the changes.
 
@@ -62,7 +58,7 @@ Use `kubectl apply` to create all objects, except those that already exist,
 defined by configuration files in a specified directory:
 
 ```shell
-kubectl apply -f /
+kubectl apply -f 
 ```
 
 This sets the `kubectl.kubernetes.io/last-applied-configuration: '{...}'`
@@ -157,8 +153,8 @@ if those objects already exist. This approach accomplishes the following:
 2. Clears fields removed from the configuration file in the live configuration.
 
 ```shell
-kubectl diff -f /
-kubectl apply -f /
+kubectl diff -f 
+kubectl apply -f 
 ```
 
 {{< note >}}
@@ -371,14 +367,19 @@ to result in the user deleting something unintentionally:
 kubectl delete -f 
 ```
 
-### Alternative: `kubectl apply -f  --prune`
+### Alternative: `kubectl apply -f  --prune`
 
 As an alternative to `kubectl delete`, you can use `kubectl apply` to identify objects to be deleted after
 their manifests have been removed from a directory in the local filesystem.
 
 In Kubernetes {{< skew currentVersion >}}, there are two pruning modes available in kubectl apply:
-- Allowlist-based pruning: This mode has existed since kubectl v1.5 but is still in alpha due to usability, correctness and performance issues with its design. The ApplySet-based mode is designed to replace it.
-- ApplySet-based pruning: An _apply set_ is a server-side object (by default, a Secret) that kubectl can use to accurately and efficiently track set membership across **apply** operations. This mode was introduced in alpha in kubectl v1.27 as a replacement for allowlist-based pruning.
+
+- Allowlist-based pruning: This mode has existed since kubectl v1.5 but is still
+  in alpha due to usability, correctness and performance issues with its design.
+  The ApplySet-based mode is designed to replace it.
+- ApplySet-based pruning: An _apply set_ is a server-side object (by default, a Secret)
+  that kubectl can use to accurately and efficiently track set membership across **apply**
+  operations. This mode was introduced in alpha in kubectl v1.27 as a replacement for allowlist-based pruning.
 
 {{< tabs name="kubectl_apply_prune" >}}
 {{% tab name="Allow list" %}}
@@ -386,23 +387,31 @@ In Kubernetes {{< skew currentVersion >}}, there are two pruning modes available
 {{< feature-state for_k8s_version="v1.5" state="alpha" >}}
 
 {{< warning >}}
-Take care when using `--prune` with `kubectl apply` in allow list mode. Which objects are pruned depends on the values of the `--prune-allowlist`, `--selector` and `--namespace` flags, and relies on dynamic discovery of the objects in scope. Especially if flag values are changed between invocations, this can lead to objects being unexpectedly deleted or retained.
+Take care when using `--prune` with `kubectl apply` in allow list mode. Which
+objects are pruned depends on the values of the `--prune-allowlist`, `--selector`
+and `--namespace` flags, and relies on dynamic discovery of the objects in scope.
+Especially if flag values are changed between invocations, this can lead to objects
+being unexpectedly deleted or retained.
 {{< /warning >}}
 
 To use allowlist-based pruning, add the following flags to your `kubectl apply` invocation:
+
 - `--prune`: Delete previously applied objects that are not in the set passed to the current invocation.
-- `--prune-allowlist`: A list of group-version-kinds (GVKs) to consider for pruning. This flag is optional but strongly encouraged, as its default value is a partial list of both namespaced and cluster-scoped types, which can lead to surprising results.
-- `--selector/-l`: Use a label selector to constrain the set of objects selected for pruning. This flag is optional but strongly encouraged.
-- `--all`: use instead of `--selector/-l` to explicitly select all previously applied objects of the allowlisted types.
+- `--prune-allowlist`: A list of group-version-kinds (GVKs) to consider for pruning.
+  This flag is optional but strongly encouraged, as its default value is a partial
+  list of both namespaced and cluster-scoped types, which can lead to surprising results.
+- `--selector/-l`: Use a label selector to constrain the set of objects selected
+  for pruning. This flag is optional but strongly encouraged.
+- `--all`: use instead of `--selector/-l` to explicitly select all previously
+  applied objects of the allowlisted types.
 
 Allowlist-based pruning queries the API server for all objects of the allowlisted GVKs that match the given labels (if any), and attempts to match the returned live object configurations against the object
 manifest files. If an object matches the query, and it does not have a
 manifest in the directory, and it has a `kubectl.kubernetes.io/last-applied-configuration` annotation,
 it is deleted.
 
-
 ```shell
-kubectl apply -f  --prune -l  --prune-allowlist=
+kubectl apply -f  --prune -l  --prune-allowlist=
 ```
 
 {{< warning >}}
@@ -423,30 +432,49 @@ have the labels given (if any), and do not appear in the subdirectory.
 changes might be introduced in subsequent releases.
 {{< /caution >}}
 
-To use ApplySet-based pruning, set the `KUBECTL_APPLYSET=true` environment variable, and add the following flags to your `kubectl apply` invocation:
-- `--prune`: Delete previously applied objects that are not in the set passed to the current invocation.
-- `--applyset`: The name of an object that kubectl can use to accurately and efficiently track set membership across `apply` operations.
+To use ApplySet-based pruning, set the `KUBECTL_APPLYSET=true` environment variable,
+and add the following flags to your `kubectl apply` invocation:
+- `--prune`: Delete previously applied objects that are not in the set passed
+  to the current invocation.
+- `--applyset`: The name of an object that kubectl can use to accurately and
+  efficiently track set membership across `apply` operations.
 
 ```shell
-KUBECTL_APPLYSET=true kubectl apply -f  --prune --applyset=
+KUBECTL_APPLYSET=true kubectl apply -f  --prune --applyset=
 ```
 
-By default, the type of the ApplySet parent object used is a Secret. However, ConfigMaps can also be used in the format: `--applyset=configmaps/`. When using a Secret or ConfigMap, kubectl will create the object if it does not already exist.
+By default, the type of the ApplySet parent object used is a Secret. However,
+ConfigMaps can also be used in the format: `--applyset=configmaps/`.
+When using a Secret or ConfigMap, kubectl will create the object if it does not already exist.
 
-It is also possible to use custom resources as ApplySet parent objects. To enable this, label the Custom Resource Definition (CRD) that defines the resource you want to use with the following: `applyset.kubernetes.io/is-parent-type: true`. Then, create the object you want to use as an ApplySet parent (kubectl does not do this automatically for custom resources). Finally, refer to that object in the applyset flag as follows: `--applyset=./` (for example, `widgets.custom.example.com/widget-name`).
+It is also possible to use custom resources as ApplySet parent objects. To enable
+this, label the Custom Resource Definition (CRD) that defines the resource you want
+to use with the following: `applyset.kubernetes.io/is-parent-type: true`. Then, create
+the object you want to use as an ApplySet parent (kubectl does not do this automatically
+for custom resources). Finally, refer to that object in the applyset flag as follows:
+`--applyset=./` (for example, `widgets.custom.example.com/widget-name`).
 
-With ApplySet-based pruning, kubectl adds the `applyset.kubernetes.io/part-of=` label to each object in the set before they are sent to the server. For performance reasons, it also collects the list of resource types and namespaces that the set contains and adds these in annotations on the live parent object. Finally, at the end of the apply operation, it queries the API server for objects of those types in those namespaces (or in the cluster scope, as applicable) that belong to the set, as defined by the `applyset.kubernetes.io/part-of=` label.
+With ApplySet-based pruning, kubectl adds the `applyset.kubernetes.io/part-of=`
+label to each object in the set before they are sent to the server. For performance reasons,
+it also collects the list of resource types and namespaces that the set contains and adds
+these in annotations on the live parent object. Finally, at the end of the apply operation,
+it queries the API server for objects of those types in those namespaces
+(or in the cluster scope, as applicable) that belong to the set, as defined by the
+`applyset.kubernetes.io/part-of=` label.
 
 Caveats and restrictions:
+
 - Each object may be a member of at most one set.
-- The `--namespace` flag is required when using any namespaced parent, including the default Secret.  This means that ApplySets spanning multiple namespaces must use a cluster-scoped custom resource as the parent object.
-- To safely use ApplySet-based pruning with multiple directories, use a unique ApplySet name for each.
+- The `--namespace` flag is required when using any namespaced parent, including
+  the default Secret.  This means that ApplySets spanning multiple namespaces must
+  use a cluster-scoped custom resource as the parent object.
+- To safely use ApplySet-based pruning with multiple directories,
+  use a unique ApplySet name for each.
 
 {{% /tab %}}
 
 {{< /tabs >}}
 
-
 ## How to view an object
 
 You can use `kubectl get` with `-o yaml` to view the configuration of a live object:
@@ -478,8 +506,10 @@ is used to identify fields that have been removed from the configuration
 file and need to be cleared from the live configuration. Here are the steps used
 to calculate which fields should be deleted or set:
 
-1. Calculate the fields to delete. These are the fields present in `last-applied-configuration` and missing from the configuration file.
-2. Calculate the fields to add or set. These are the fields present in the configuration file whose values don't match the live configuration.
+1. Calculate the fields to delete. These are the fields present in
+   `last-applied-configuration` and missing from the configuration file.
+2. Calculate the fields to add or set. These are the fields present in
+   the configuration file whose values don't match the live configuration.
 
 Here's an example. Suppose this is the configuration file for a Deployment object:
 
@@ -534,11 +564,11 @@ Here are the merge calculations that would be performed by `kubectl apply`:
    regardless of whether they appear in the `last-applied-configuration`.
    In this example, `minReadySeconds` appears in the
    `last-applied-configuration` annotation, but does not appear in the configuration file.
-    **Action:** Clear `minReadySeconds` from the live configuration.
+   **Action:** Clear `minReadySeconds` from the live configuration.
 2. Calculate the fields to set by reading values from the configuration
    file and comparing them to values in the live configuration. In this example,
    the value of `image` in the configuration file does not match
-    the value in the live configuration. **Action:** Set the value of `image` in the live configuration.
+   the value in the live configuration. **Action:** Set the value of `image` in the live configuration.
 3. Set the `last-applied-configuration` annotation to match the value
    of the configuration file.
 4. Merge the results from 1, 2, 3 into a single patch request to the API server.
@@ -984,22 +1014,22 @@ configuration involves several manual steps:
 
 1. Export the live object to a local configuration file:
 
-     ```shell
-     kubectl get / -o yaml > _.yaml
-     ```
+   ```shell
+   kubectl get / -o yaml > _.yaml
+   ```
 
 1. Manually remove the `status` field from the configuration file.
 
-    {{< note >}}
-    This step is optional, as `kubectl apply` does not update the status field
-    even if it is present in the configuration file.
-    {{< /note >}}
+   {{< note >}}
+   This step is optional, as `kubectl apply` does not update the status field
+   even if it is present in the configuration file.
+   {{< /note >}}
 
 1. Set the `kubectl.kubernetes.io/last-applied-configuration` annotation on the object:
 
-    ```shell
-    kubectl replace --save-config -f _.yaml
-    ```
+   ```shell
+   kubectl replace --save-config -f _.yaml
+   ```
 
 1. Change processes to use `kubectl apply` for managing the object exclusively.
 
@@ -1011,9 +1041,9 @@ TODO(pwittrock): Why doesn't export remove the status field?  Seems like it shou
 
 1. Set the `kubectl.kubernetes.io/last-applied-configuration` annotation on the object:
 
-    ```shell
-    kubectl replace --save-config -f _.yaml
-    ```
+   ```shell
+   kubectl replace --save-config -f _.yaml
+   ```
 
 1. Change processes to use `kubectl apply` for managing the object exclusively.
 
@@ -1040,7 +1070,6 @@ template:
 
 ## {{% heading "whatsnext" %}}
 
-
 * [Managing Kubernetes Objects Using Imperative Commands](/docs/tasks/manage-kubernetes-objects/imperative-command/)
 * [Imperative Management of Kubernetes Objects Using Configuration Files](/docs/tasks/manage-kubernetes-objects/imperative-config/)
 * [Kubectl Command Reference](/docs/reference/generated/kubectl/kubectl-commands/)

From 2259666d4848a5dfd10c9d985c77588fc472a8e3 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Sun, 23 Apr 2023 11:16:05 +0800
Subject: [PATCH 256/272] sync etcd.md

sync etcd.md
---
 content/zh-cn/docs/reference/glossary/etcd.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/reference/glossary/etcd.md b/content/zh-cn/docs/reference/glossary/etcd.md
index 24498005e8a..34e410bfebd 100644
--- a/content/zh-cn/docs/reference/glossary/etcd.md
+++ b/content/zh-cn/docs/reference/glossary/etcd.md
@@ -35,7 +35,7 @@ tags:
 	
 如果你的 Kubernetes 集群使用 etcd 作为其后台数据库,
 请确保你针对这些数据有一份

From ffc1c917a9dfcc00ef292edc95213b52fe69c2f8 Mon Sep 17 00:00:00 2001
From: Zhuzhenghao 
Date: Thu, 13 Apr 2023 17:39:14 +0800
Subject: [PATCH 257/272] [zh] sync 1.27 custom-resource-definitions

---
 .../custom-resource-definitions.md            | 123 ++++++++++++++----
 1 file changed, 96 insertions(+), 27 deletions(-)

diff --git a/content/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md b/content/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
index 3418cde1cf4..62041dac59a 100644
--- a/content/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
+++ b/content/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
@@ -505,7 +505,8 @@ anyOf:
 ```
 
 
 如果违反了结构化模式规则,CustomResourceDefinition 的 `NonStructural`
 状况中会包含报告信息。
@@ -1195,7 +1196,7 @@ For example:
         required:
           - minReplicas
           - replicas
-          - maxReplicas 
+          - maxReplicas
 ```
 
 
 当 CRD 被创建/更新时,验证规则被编译。
@@ -1256,7 +1257,7 @@ Compilation process includes type checking as well.
 The compilation failure:
 
 - `no_matching_overload`: this function has no overload for the types of the arguments.
- 
+
   For example, a rule like `self == true` against a field of integer type will get error:
 -->
 编译失败:
@@ -1269,9 +1270,9 @@ The compilation failure:
   Invalid value: apiextensions.ValidationRule{Rule:"self == true", Message:""}: compilation failed: ERROR: \:1:6: found no matching overload for '_==_' applied to '(int, bool)'
   ```
 
-
@@ -1285,7 +1286,7 @@ The compilation failure:
 
 
 - `invalid argument`:对宏的无效参数。
@@ -1633,6 +1634,64 @@ xref: [CEL types](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#
 [OpenAPI 类型](https://swagger.io/specification/#data-types)、
 [Kubernetes 结构化模式](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema)。
 
+
+#### `messageExpression` 字段  {#the-messageExpression-field}
+
+
+`message` 字段定义因验证规则失败时提示的字符串,与它类似,
+`messageExpression` 允许你使用 CEL 表达式构造消息字符串。
+这使你可以在验证失败消息中插入更详细的信息。`messageExpression`
+必须计算为字符串,并且可以使用在 `rule` 字段中可用的变量。
+例如:
+
+```yaml
+x-kubernetes-validations:
+- rule: "self.x <= self.maxLimit"
+  messageExpression: '"x exceeded max limit of " + string(self.maxLimit)'
+```
+
+
+请记住,CEL 字符串连接(`+` 运算符)不会自动转换为字符串。
+如果你有一个非字符串标量,请使用 `string()` 函数将标量转换为字符串,如上例所示。
+
+
+`messageExpression` 必须计算为一个字符串,并且在编写 CRD 时进行检查。
+请注意,可以在同一个规则上设置 `message` 和 `messageExpression`,如果两者都存在,则将使用 `messageExpression`。
+但是,如果 `messageExpression` 计算出错,则将使用 `message` 中定义的字符串,而 `messageExpression` 的错误将被打印到日志。
+如果在 `messageExpression` 中定义的 CEL 表达式产生一个空字符串或包含换行符的字符串,也会发生这种回退。
+
+
+如果满足上述条件之一且未设置 `message` 字段,则将使用默认的检查失败消息。
+
+
+`messageExpression` 是一个 CEL 表达式,因此[验证函数的资源使用](#resource-use-by-validation-functions)中列出的限制也适用于它。
+如果在 `messageExpression` 执行期间由于资源限制而导致计算停止,则不会执行进一步的检查规则。
+
 
@@ -1749,7 +1808,7 @@ Here are some examples for transition rules:
 
-#### 验证函数的资源使用
+#### 验证函数的资源使用  {#resource-use-by-validation-functions}
 
 
 运行时也使用类似的系统来观察解释器的行动。如果解释器执行了太多的指令,规则的执行将被停止,并且会产生一个错误。
 
 每个 CustomResourceDefinition 也被允许有一定数量的资源来完成其所有验证规则的执行。
@@ -1798,7 +1857,7 @@ given, and this will happen for anything that can be iterated over (lists, maps,
 如果没有给出 `foo` 的长度限制,成本系统总是假设最坏的情况,这将发生在任何可以被迭代的事物上(list、map 等)。
 
 
@@ -1823,8 +1882,8 @@ then the API server rejects this rule on validation budget grounds with error:
 API 服务器以验证预算为由拒绝该规则,并显示错误:
 
 ```
-spec.validation.openAPIV3Schema.properties[spec].properties[foo].x-kubernetes-validations[0].rule: Forbidden: 
-CEL rule exceeded budget by more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and 
+spec.validation.openAPIV3Schema.properties[spec].properties[foo].x-kubernetes-validations[0].rule: Forbidden:
+CEL rule exceeded budget by more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and
 maxLength where arrays, maps, and strings are used)
 ```
 
@@ -1880,7 +1939,7 @@ openAPIV3Schema:
 ```
 
 
-### 以 OpenAPI v2 形式发布合法性检查模式      {#publish-validation-schema-in-openapi-v2}
+### 以 OpenAPI 形式发布合法性检查模式  {#publish-validation-schema-in-openapi}
 
 CustomResourceDefinition 的[结构化的](#specifying-a-structural-schema)、
 [启用了剪裁的](#field-pruning) [OpenAPI v3 合法性检查模式](#validation)会在
 Kubernetes API 服务器上作为
-[OpenAPI v2 规约](/zh-cn/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions)的一部分发布出来。
+[OpenAPI 3](/zh-cn/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions)
+和 OpenAPI v2 发布出来。建议使用 OpenAPI v3 文档,因为它是 CustomResourceDefinition OpenAPI v3
+验证模式的无损表示,而 OpenAPI v2 表示有损转换。
 
 [kubectl](/zh-cn/docs/reference/kubectl/) 命令行工具会基于所发布的模式定义来执行客户端的合法性检查
 (`kubectl create` 和 `kubectl apply`),为定制资源的模式定义提供解释(`kubectl explain`)。
 所发布的模式还可被用于其他目的,例如生成客户端或者生成文档。
 
 
+#### Compatibility with OpenAPI V2
+
+为了与 OpenAPI V2 兼容,OpenAPI v3 验证模式会对 OpenAPI v2 模式进行有损转换。
+该模式显示在 [OpenAPI v2 规范](/zh-cn/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions)中的
+`definitions` 和` paths` 字段中。
 OpenAPI v3 合法性检查模式定义会被转换为 OpenAPI v2 模式定义,并出现在
 [OpenAPI v2 规范](/zh-cn/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions)的
 `definitions` 和 `paths` 字段中。
@@ -2156,16 +2227,14 @@ OpenAPI v3 合法性检查模式定义会被转换为 OpenAPI v2 模式定义,
 API 服务器中的[合法性检查](#validation)。
 
 
-1. 以下字段会被移除,因为它们在 OpenAPI v2 中不支持(在将来版本中将使用 OpenAPI v3,
-   因而不会有这些限制)
+1. 以下字段会被移除,因为它们在 OpenAPI v2 中不支持。
 
    - 字段 `allOf`、`anyOf`、`oneOf` 和 `not` 会被删除
 

From 3ba3ac3927729560bb80043d66bb825c1fec4fe4 Mon Sep 17 00:00:00 2001
From: Zhuzhenghao 
Date: Thu, 13 Apr 2023 16:36:43 +0800
Subject: [PATCH 258/272] [zh] sync 1.27 extensible-admission-controllers

---
 .../extensible-admission-controllers.md       | 145 ++++++++++++++++++
 1 file changed, 145 insertions(+)

diff --git a/content/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers.md b/content/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers.md
index af84e467523..7b29c76a347 100644
--- a/content/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers.md
@@ -1059,6 +1059,151 @@ The `matchPolicy` for an admission webhooks defaults to `Equivalent`.
 -->
 准入 Webhook 所用的 `matchPolicy` 默认为 `Equivalent`。
 
+
+### 匹配请求:`matchConditions`  {#matching-requests-matchConditions}
+
+{{< feature-state state="alpha" for_k8s_version="v1.27" >}}
+
+{{< note >}}
+
+使用 `matchConditions` 需要先在 kube-apiserver
+上明确启用[功能门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
+`AdmissionWebhookMatchConditions`,然后才能使用此功能。
+{{< /note >}}
+
+
+如果你需要细粒度地过滤请求,你可以为 Webhook 定义**匹配条件**。
+如果你发现匹配规则、`objectSelectors` 和 `namespaceSelectors` 仍然不能提供你想要的何时进行 HTTP
+调用的过滤条件,那么添加这些条件会很有用。
+匹配条件是 [CEL 表达式](/docs/reference/using-api/cel/)。
+所有匹配条件都必须为 true 才能调用 Webhook。
+
+
+以下是一个例子,说明了匹配条件的几种不同用法:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+webhooks:
+  - name: my-webhook.example.com
+    matchPolicy: Equivalent
+    rules:
+      - operations: ['CREATE','UPDATE']
+        apiGroups: ['*']
+        apiVersions: ['*']
+        resources: ['*']
+    failurePolicy: 'Ignore' # 失败时继续处理请求但跳过 Webhook (可选值)
+    sideEffects: None
+    clientConfig:
+      service:
+        namespace: my-namespace
+        name: my-webhook
+      caBundle: ''
+    matchConditions:
+      - name: 'exclude-leases' # 每个匹配条件必须有唯一的名称
+        expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # 匹配非租约资源
+      - name: 'exclude-kubelet-requests'
+        expression: '!("system:nodes" in request.userInfo.groups)' # 匹配非节点用户发出的请求
+      - name: 'rbac' # 跳过 RBAC 请求,该请求将由第二个 Webhook 处理
+        expression: 'request.resource.group != "rbac.authorization.k8s.io"'
+
+  # 这个示例演示了如何使用 “authorizer”。
+  # 授权检查比简单的表达式更复杂,因此在这个示例中,使用第二个 Webhook 来针对 RBAC 请求进行处理。
+  # 两个 Webhook 都可以由同一个端点提供服务。
+  - name: rbac.my-webhook.example.com
+    matchPolicy: Equivalent
+    rules:
+      - operations: ['CREATE','UPDATE']
+        apiGroups: ['rbac.authorization.k8s.io']
+        apiVersions: ['*']
+        resources: ['*']
+    failurePolicy: 'Fail' # 失败时拒绝请求 (默认值)
+    sideEffects: None
+    clientConfig:
+      service:
+        namespace: my-namespace
+        name: my-webhook
+      caBundle: ''
+    matchConditions:
+      - name: 'breakglass'
+        # 跳过由授权给 “breakglass” 的用户在这个 Webhook 上发起的请求。
+        # “breakglass” API 不需要在这个检查之外存在。
+        expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("my-webhook.example.com").check("breakglass").allowed()'
+```
+
+
+匹配条件可以访问以下 CEL 变量:
+
+
+- `object` - 来自传入请求的对象。对于 DELETE 请求,该值为 null。
+  该对象版本可能根据 [matchPolicy](#matching-requests-matchpolicy) 进行转换。
+
+- `oldObject` - 现有对象。对于 CREATE 请求,该值为 null。
+
+- `request` - [AdmissionReview](#request) 的请求部分,不包括 object 和 oldObject。
+
+- `authorizer` - 一个 CEL 鉴权组件。可用于对请求的主体(经过身份认证的用户)执行鉴权检查。
+  更多详细信息,请参阅 Kubernetes CEL 库文档中的
+  [Authz](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz)。
+
+- `authorizer.requestResource` - 对配置的请求资源(组、资源、(子资源)、名字空间、名称)进行授权检查的快捷方式。
+
+
+了解有关 CEL 表达式的更多信息,请参阅
+[Kubernetes 参考文档中的通用表达式语言](/zh-cn/docs/reference/using-api/cel/)。
+
+
+如果在对匹配条件求值时出现错误,则不会调用 Webhook。根据以下方式确定是否拒绝请求:
+
+
+1. 如果**任何一个**匹配条件求值结果为 `false`(不管其他错误),API 服务器将跳过 Webhook。
+
+1. 否则:
+   - 对于 [`failurePolicy: Fail`](#failure-policy),拒绝请求(不调用 Webhook)。
+   - 对于 [`failurePolicy: Ignore`](#failure-policy),继续处理请求但跳过 Webhook。
+
 

From 4787efefeecb9de2610b3dbcf7439e126ef9b980 Mon Sep 17 00:00:00 2001
From: Ricardo Katz 
Date: Sun, 23 Apr 2023 17:16:32 -0300
Subject: [PATCH 259/272] rkatz stepping down from pt approvers

---
 OWNERS_ALIASES | 2 --
 1 file changed, 2 deletions(-)

diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
index 05fe413e085..64d68b7737c 100644
--- a/OWNERS_ALIASES
+++ b/OWNERS_ALIASES
@@ -167,7 +167,6 @@ aliases:
     - edsoncelio
     - femrtnz
     - jcjesus
-    - rikatz
     - stormqueen1990
     - yagonobre
   sig-docs-pt-reviews: # PR reviews for Portugese content
@@ -176,7 +175,6 @@ aliases:
     - femrtnz
     - jcjesus
     - mrerlison
-    - rikatz
     - stormqueen1990
     - yagonobre
   sig-docs-vi-owners: # Admins for Vietnamese content

From 6b54e95127f9e5472fff86f3b944fff64713693a Mon Sep 17 00:00:00 2001
From: Arhell 
Date: Mon, 24 Apr 2023 00:23:26 +0300
Subject: [PATCH 260/272] [ru] update curl command

---
 content/ru/docs/tasks/administer-cluster/certificates.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ru/docs/tasks/administer-cluster/certificates.md b/content/ru/docs/tasks/administer-cluster/certificates.md
index dfb94c44c8e..3170f5b4120 100644
--- a/content/ru/docs/tasks/administer-cluster/certificates.md
+++ b/content/ru/docs/tasks/administer-cluster/certificates.md
@@ -17,7 +17,7 @@ weight: 20
 1. Скачайте, распакуйте и инициализируйте пропатченную версию `easyrsa3`.
 
    ```shell
-   curl -LO https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
+   curl -LO curl -LO https://dl.k8s.io/easy-rsa/easy-rsa.tar.gz
    tar xzf easy-rsa.tar.gz
    cd easy-rsa-master/easyrsa3
    ./easyrsa init-pki

From c7f1fdf50c85197a997e99421b40ffbff26baece Mon Sep 17 00:00:00 2001
From: Benjamin Wang 
Date: Mon, 24 Apr 2023 07:00:50 +0800
Subject: [PATCH 261/272] update the minimum recommended etcd versions to
 3.4.22+ and 3.5.6+

3.3 is end of life.

There is also a data inconsistency issue in 3.4.21 and 3.5.5,
so 3.4.22+ and 3.5.6+ are the minimum recommended versions.
Please read https://groups.google.com/g/etcd-dev/c/8S7u6NqW6C4.

Signed-off-by: Benjamin Wang 
---
 .../en/docs/tasks/administer-cluster/configure-upgrade-etcd.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/tasks/administer-cluster/configure-upgrade-etcd.md b/content/en/docs/tasks/administer-cluster/configure-upgrade-etcd.md
index 542a3a57c29..6df175e93c1 100644
--- a/content/en/docs/tasks/administer-cluster/configure-upgrade-etcd.md
+++ b/content/en/docs/tasks/administer-cluster/configure-upgrade-etcd.md
@@ -38,7 +38,7 @@ weight: 270
   clusters. Therefore, run etcd clusters on dedicated machines or isolated
   environments for [guaranteed resource requirements](https://etcd.io/docs/current/op-guide/hardware/).
 
-* The minimum recommended version of etcd to run in production is `3.2.10+`.
+* The minimum recommended etcd versions to run in production are `3.4.22+` and `3.5.6+`.
 
 ## Resource requirements
 

From 428cd59d66f9522324c16d04ef59956877af6e5c Mon Sep 17 00:00:00 2001
From: Tim Bannister 
Date: Mon, 24 Apr 2023 03:03:06 +0100
Subject: [PATCH 262/272] Fix article title

---
 .../en/blog/_posts/2023-04-24-openapi-v3-field-validation-ga.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-04-24-openapi-v3-field-validation-ga.md b/content/en/blog/_posts/2023-04-24-openapi-v3-field-validation-ga.md
index 1bd1295f975..79546bec2ce 100644
--- a/content/en/blog/_posts/2023-04-24-openapi-v3-field-validation-ga.md
+++ b/content/en/blog/_posts/2023-04-24-openapi-v3-field-validation-ga.md
@@ -1,6 +1,6 @@
 ---
 layout: blog
-title: "Server Side Field Validation and OpenAPI V3 move to GA"
+title: "Kubernetes 1.27: Server Side Field Validation and OpenAPI V3 move to GA"
 date: 2023-04-24
 slug: openapi-v3-field-validation-ga
 ---

From 6cf09b449d2cbceca986f56667f4b08117ed826a Mon Sep 17 00:00:00 2001
From: Kirill Kononovich <41591254+kirkonru@users.noreply.github.com>
Date: Wed, 31 Aug 2022 15:37:55 +0300
Subject: [PATCH 263/272] Add a RU localization for the networking.md file

Apply suggestions from code review

Co-authored-by: Dmitry Shurupov 

Removed the plugins section in line with EN page
---
 .../cluster-administration/networking.md      | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 content/ru/docs/concepts/cluster-administration/networking.md

diff --git a/content/ru/docs/concepts/cluster-administration/networking.md b/content/ru/docs/concepts/cluster-administration/networking.md
new file mode 100644
index 00000000000..3fc6964aac0
--- /dev/null
+++ b/content/ru/docs/concepts/cluster-administration/networking.md
@@ -0,0 +1,32 @@
+---
+reviewers:
+title: Сеть в кластере
+content_type: concept
+weight: 50
+---
+
+
+Сеть — важная часть Kubernetes, но понять, как именно она работает, бывает непросто. Существует 4 уникальных сетевых проблемы, которые требуют внимнаия:
+
+1. Высокосвязанные коммуникации между контейнерами: решается организацией коммуникации между {{< glossary_tooltip text="Pod'ами" term_id="pod" >}} и `localhost`.
+2. Связь Pod'ов друг с другом (Pod-to-Pod): именно ей уделяется основное внимание в этом документе.
+3. Связь Pod'ов с сервисами (Pod-to-Service): подробнее об этом можно почитать в разделе [Сервисы](/docs/concepts/services-networking/service/).
+4. Связь внешних систем с сервисами (External-to-Service): информация о данных коммуникациях также приведена в разделе [Сервисы](/docs/concepts/services-networking/service/).
+
+
+
+Суть Kubernetes — в организации совместного использования хостов приложениями. Обычно совместное использование подразумевает, что два приложения не могут задействовать одни и те же порты. Создать единую глобальную схему использования портов очень сложно. В результате пользователи рискуют получить сложноустранимые проблемы на уровне кластера.
+
+Динамическое распределение портов значительно усложняет систему: каждое приложение должно уметь принимать порты в виде флагов-параметров, серверы API должны уметь вставлять динамические номера портов в конфигурационные блоки, сервисы должны знать, как найти друг друга и т.п. Вместо того чтобы пытаться разобраться со всем этим, Kubernetes использует иной подход.
+
+Больше узнать о сетевой модели Kubernetes можно в [соответствующем разделе](/docs/concepts/services-networking/).
+
+## Реализация сетевой модели Kubernetes
+
+Сетевая модель реализуется средой исполнения для контейнеров на узлах. Наиболее распространенные среды исполнения используют плагины [Container Network Interface](https://github.com/containernetworking/cni) (CNI) для управления сетью и обеспечения безопаснояти коммуникаций. Существует множество различных плагинов CNI от разных разработчиков. Некоторые из них предлагают только базовые функции, такие как добавление и удаление сетевых интерфейсов. Другие позволяют проводить интеграцию с различныеми системами оркестрации контейнеров, поддерживают запуск нескольких CNI-плагинов/расширенные функции IPAM и т.д.
+
+Неполный список сетевых аддонов, поддерживаемых Kubernetes, приведен [на соответствующей странице в разделе "Сеть и сетевая политика"](/docs/concepts/cluster-administration/addons/#networking-and-network-policy).
+
+## {{% heading "whatsnext" %}}
+
+Подробнее о разработке сетевой модели, принципах, лежащих в ее основе, и некоторых планах на будущее можно узнать из соответствующего [документа](https://git.k8s.io/design-proposals-archive/network/networking.md).

From eda71187b0971e6e0ea4a583a8f3cbbdd1ee343d Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Mon, 24 Apr 2023 19:45:10 +0800
Subject: [PATCH 264/272] sync client-authentication.v1beta1.md

sync client-authentication.v1beta1.md
---
 .../docs/reference/config-api/client-authentication.v1beta1.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/reference/config-api/client-authentication.v1beta1.md b/content/zh-cn/docs/reference/config-api/client-authentication.v1beta1.md
index 6c005e2c2b2..b3524fc2b3b 100644
--- a/content/zh-cn/docs/reference/config-api/client-authentication.v1beta1.md
+++ b/content/zh-cn/docs/reference/config-api/client-authentication.v1beta1.md
@@ -290,7 +290,7 @@ exec 插件本身至少应通过文件访问许可来实施保护。
    
 
   
 expirationTimestamp
    
-meta/v1.Time
+meta/v1.Time
 
 
    

From b00b0af5cadb0954b36da64f404886619e4c8425 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Mon, 24 Apr 2023 19:58:45 +0800
Subject: [PATCH 265/272] sync self-subject-review-v1alpha1.md

sync self-subject-review-v1alpha1.md
---
 .../authorization-resources/self-subject-review-v1alpha1.md    | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-review-v1alpha1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-review-v1alpha1.md
index ecf6c758650..b98fc96aa56 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-review-v1alpha1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-review-v1alpha1.md
@@ -27,10 +27,11 @@ auto_generated: true
 ## SelfSubjectReview {#SelfSubjectReview}
 
 
 SelfSubjectReview 包含 kube-apiserver 所拥有的与发出此请求的用户有关的用户信息。
 使用伪装时,用户将收到被伪装用户的用户信息。
+如果使用了伪装或请求头认证,任何额外的键将忽略其大小写并以小写形式返回。
 
 
    
 

From c76cbc8ffeba31673a454e1c229df161bd76e6fe Mon Sep 17 00:00:00 2001
From: Zhuzhenghao 
Date: Sun, 23 Apr 2023 17:44:59 +0800
Subject: [PATCH 266/272] [zh] sync 1.2 kube-apiserver

---
 .../kube-apiserver.md                         | 184 +++++++++++-------
 1 file changed, 111 insertions(+), 73 deletions(-)

diff --git a/content/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver.md b/content/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver.md
index e3ac50b7ccf..355c93ce8a7 100644
--- a/content/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver.md
+++ b/content/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver.md
@@ -782,9 +782,9 @@ CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks
 
 
 
-如果启用了性能分析,则启用锁争用性能分析。
+如果启用了性能分析,则启用阻塞分析。
 
 
 
@@ -793,17 +793,33 @@ Enable lock contention profiling, if profiling is enabled
 
 
 
+
    
 
 CORS 允许的来源清单,以逗号分隔。
 允许的来源可以是支持子域匹配的正则表达式。
 如果此列表为空,则不会启用 CORS。
+请确保每个表达式与整个主机名相匹配,方法是用'^'锚定开始或包括'//'前缀,同时用'$'锚定结束或包括':'端口分隔符后缀。
+有效表达式的例子是'//example.com(:|$)'和'^https://example.com(:|$)'。
+
    
 
 
 
+
+--debug-socket-path string
+
+
+
    
+
+使用位于给定路径的、未受保护的(无身份认证或鉴权的)UNIX 域套接字执行性能分析。
+
    
+
+
 
 --default-not-ready-toleration-seconds int     默认值:300
 
@@ -853,13 +869,11 @@ Number of workers spawned for DeleteCollection call. These are used to speed up
 
 
 
 
    
-尽管位于默认启用的插件列表中,仍须被禁用的准入插件(NamespaceLifecycle、LimitRanger、ServiceAccount、TaintNodesByCondition、PodSecurity、Priority、DefaultTolerationSeconds、DefaultStorageClass、StorageObjectInUseProtection、PersistentVolumeClaimResize、RuntimeClass、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、MutatingAdmissionWebhook、ValidatingAdmissionPolicy、ValidatingAdmissionWebhook、ResourceQuota)。
-取值为逗号分隔的准入插件列表:AlwaysAdmit、AlwaysDeny、AlwaysPullImages、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、DefaultStorageClass、DefaultTolerationSeconds、DenyServiceExternalIPs、EventRateLimit、ExtendedResourceToleration、ImagePolicyWebhook、LimitPodHardAntiAffinityTopology、LimitRanger、MutatingAdmissionWebhook、NamespaceAutoProvision、NamespaceExists、NamespaceLifecycle、NodeRestriction、OwnerReferencesPermissionEnforcement、PersistentVolumeClaimResize、PersistentVolumeLabel、PodNodeSelector、PodSecurity、PodTolerationRestriction、Priority、ResourceQuota、RuntimeClass、SecurityContextDeny、ServiceAccount、StorageObjectInUseProtection、TaintNodesByCondition、ValidatingAdmissionPolicy、ValidatingAdmissionWebhook。
+尽管位于默认启用的插件列表中,仍须被禁用的准入插件(NamespaceLifecycle、LimitRanger、ServiceAccount、TaintNodesByCondition、PodSecurity、Priority、DefaultTolerationSeconds、DefaultStorageClass、StorageObjectInUseProtection、PersistentVolumeClaimResize、RuntimeClass、CertificateApproval、CertificateSigning、ClusterTrustBundleAttest、CertificateSubjectRestriction、DefaultIngressClass、MutatingAdmissionWebhook、ValidatingAdmissionPolicy、ValidatingAdmissionWebhook、ResourceQuota)。
+取值为逗号分隔的准入插件列表:AlwaysAdmit、AlwaysDeny、AlwaysPullImages、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、ClusterTrustBundleAttest、DefaultIngressClass、DefaultStorageClass、DefaultTolerationSeconds、DenyServiceExternalIPs、EventRateLimit、ExtendedResourceToleration、ImagePolicyWebhook、LimitPodHardAntiAffinityTopology、LimitRanger、MutatingAdmissionWebhook、NamespaceAutoProvision、NamespaceExists、NamespaceLifecycle、NodeRestriction、OwnerReferencesPermissionEnforcement、PersistentVolumeClaimResize、PersistentVolumeLabel、PodNodeSelector、PodSecurity、PodTolerationRestriction、Priority、ResourceQuota、RuntimeClass、SecurityContextDeny、ServiceAccount、StorageObjectInUseProtection、TaintNodesByCondition、ValidatingAdmissionPolicy、ValidatingAdmissionWebhook。
 该标志中插件的顺序无关紧要。
 
    
 
@@ -900,11 +914,11 @@ File with apiserver egress selector configuration.
 
 
 
 
    
-除了默认启用的插件(NamespaceLifecycle、LimitRanger、ServiceAccount、TaintNodesByCondition、PodSecurity、Priority、DefaultTolerationSeconds、DefaultStorageClass、StorageObjectInUseProtection、PersistentVolumeClaimResize、RuntimeClass、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、MutatingAdmissionWebhook、ValidatingAdmissionPolicy、ValidatingAdmissionWebhook、ResourceQuota)之外要启用的准入插件。
-取值为逗号分隔的准入插件列表:AlwaysAdmit、AlwaysDeny、AlwaysPullImages、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、DefaultStorageClass、DefaultTolerationSeconds、DenyServiceExternalIPs、EventRateLimit、ExtendedResourceToleration、ImagePolicyWebhook、LimitPodHardAntiAffinityTopology、LimitRanger、MutatingAdmissionWebhook、NamespaceAutoProvision、NamespaceExists、NamespaceLifecycle、NodeRestriction、OwnerReferencesPermissionEnforcement、PersistentVolumeClaimResize、PersistentVolumeLabel、PodNodeSelector、PodSecurity、PodTolerationRestriction、Priority、ResourceQuota、RuntimeClass、SecurityContextDeny、ServiceAccount、StorageObjectInUseProtection、TaintNodesByCondition、ValidatingAdmissionPolicy、ValidatingAdmissionWebhook。该标志中插件的顺序无关紧要。
+除了默认启用的插件(NamespaceLifecycle、LimitRanger、ServiceAccount、TaintNodesByCondition、PodSecurity、Priority、DefaultTolerationSeconds、DefaultStorageClass、StorageObjectInUseProtection、PersistentVolumeClaimResize、RuntimeClass、CertificateApproval、CertificateSigning、ClusterTrustBundleAttest、CertificateSubjectRestriction、DefaultIngressClass、MutatingAdmissionWebhook、ValidatingAdmissionPolicy、ValidatingAdmissionWebhook、ResourceQuota)之外要启用的准入插件。
+取值为逗号分隔的准入插件列表:AlwaysAdmit、AlwaysDeny、AlwaysPullImages、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、ClusterTrustBundleAttest、DefaultIngressClass、DefaultStorageClass、DefaultTolerationSeconds、DenyServiceExternalIPs、EventRateLimit、ExtendedResourceToleration、ImagePolicyWebhook、LimitPodHardAntiAffinityTopology、LimitRanger、MutatingAdmissionWebhook、NamespaceAutoProvision、NamespaceExists、NamespaceLifecycle、NodeRestriction、OwnerReferencesPermissionEnforcement、PersistentVolumeClaimResize、PersistentVolumeLabel、PodNodeSelector、PodSecurity、PodTolerationRestriction、Priority、ResourceQuota、RuntimeClass、SecurityContextDeny、ServiceAccount、StorageObjectInUseProtection、TaintNodesByCondition、ValidatingAdmissionPolicy、ValidatingAdmissionWebhook。该标志中插件的顺序无关紧要。
 
    
 
 
@@ -1185,16 +1199,16 @@ comma-separated 'key=True|False' pairs
 
 
 
-
+
    
 
-
    
 一组 key=value 对,用来描述测试性/试验性功能的特性门控。可选项有:
    
 APIListChunking=true|false (BETA - 默认值=true)
    
 APIPriorityAndFairness=true|false (BETA - 默认值=true)
    
 APIResponseCompression=true|false (BETA - 默认值=true)
    
-APISelfSubjectReview=true|false (ALPHA - 默认值=false)
    
+APISelfSubjectReview=true|false (BETA - 默认值=true)
    
 APIServerIdentity=true|false (BETA - 默认值=true)
    
-APIServerTracing=true|false (ALPHA - 默认值=false)
    
-AggregatedDiscoveryEndpoint=true|false (ALPHA - 默认值=false)
    
+APIServerTracing=true|false (BETA - 默认值=true)
    
+AdmissionWebhookMatchConditions=true|false (ALPHA - 默认值=false)
    
+AggregatedDiscoveryEndpoint=true|false (BETA - 默认值=true)
    
 AllAlpha=true|false (ALPHA - 默认值=false)
    
 AllBeta=true|false (BETA - 默认值=false)
    
 AnyVolumeDataSource=true|false (BETA - 默认值=true)
    
@@ -1314,29 +1334,31 @@ CPUManagerPolicyBetaOptions=true|false (BETA - 默认值=true)
    
 CPUManagerPolicyOptions=true|false (BETA - 默认值=true)
    
 CSIMigrationPortworx=true|false (BETA - 默认值=false)
    
 CSIMigrationRBD=true|false (ALPHA - 默认值=false)
    
-CSINodeExpandSecret=true|false (ALPHA - 默认值=false)
    
+CSINodeExpandSecret=true|false (BETA - 默认值=true)
    
 CSIVolumeHealth=true|false (ALPHA - 默认值=false)
    
-ComponentSLIs=true|false (ALPHA - 默认值=false)
    
+CloudControllerManagerWebhook=true|false (ALPHA - 默认值=false)
    
+CloudDualStackNodeIPs=true|false (ALPHA - 默认值=false)
    
+ClusterTrustBundle=true|false (ALPHA - 默认值=false)
    
+ComponentSLIs=true|false (BETA - 默认值=true)
    
 ContainerCheckpoint=true|false (ALPHA - 默认值=false)
    
 ContextualLogging=true|false (ALPHA - 默认值=false)
    
-CronJobTimeZone=true|false (BETA - 默认值=true)
    
 CrossNamespaceVolumeDataSource=true|false (ALPHA - 默认值=false)
    
 CustomCPUCFSQuotaPeriod=true|false (ALPHA - 默认值=false)
    
 CustomResourceValidationExpressions=true|false (BETA - 默认值=true)
    
 DisableCloudProviders=true|false (ALPHA - 默认值=false)
    
 DisableKubeletCloudCredentialProviders=true|false (ALPHA - 默认值=false)
    
-DownwardAPIHugePages=true|false (BETA - 默认值=true)
    
 DynamicResourceAllocation=true|false (ALPHA - 默认值=false)
    
-EventedPLEG=true|false (ALPHA - 默认值=false)
    
+ElasticIndexedJob=true|false (BETA - 默认值=true)
    
+EventedPLEG=true|false (BETA - 默认值=false)
    
 ExpandedDNSConfig=true|false (BETA - 默认值=true)
    
 ExperimentalHostUserNamespaceDefaulting=true|false (BETA - 默认值=false)
    
-GRPCContainerProbe=true|false (BETA - 默认值=true)
    
-GracefulNodeShutdown=true|false (BETA - 默认值=true)
+GracefulNodeShutdown=true|false (BETA - 默认值=true)
    
 GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - 默认值=true)
    
-HPAContainerMetrics=true|false (ALPHA - 默认值=false)
    
+HPAContainerMetrics=true|false (BETA - 默认值=true)
    
 HPAScaleToZero=true|false (ALPHA - 默认值=false)
    
 HonorPVReclaimPolicy=true|false (ALPHA - 默认值=false)
    
-IPTablesOwnershipCleanup=true|false (ALPHA - 默认值=false)
    
+IPTablesOwnershipCleanup=true|false (BETA - 默认值=true)
    
+InPlacePodVerticalScaling=true|false (ALPHA - 默认值=false)
    
 InTreePluginAWSUnregister=true|false (ALPHA - 默认值=false)
    
 InTreePluginAzureDiskUnregister=true|false (ALPHA - 默认值=false)
    
 InTreePluginAzureFileUnregister=true|false (ALPHA - 默认值=false)
    
@@ -1345,63 +1367,67 @@ InTreePluginOpenStackUnregister=true|false (ALPHA - 默认值=false)
    
 InTreePluginPortworxUnregister=true|false (ALPHA - 默认值=false)
    
 InTreePluginRBDUnregister=true|false (ALPHA - 默认值=false)
    
 InTreePluginvSphereUnregister=true|false (ALPHA - 默认值=false)
    
-JobMutableNodeSchedulingDirectives=true|false (BETA - 默认值=true)
    
 JobPodFailurePolicy=true|false (BETA - 默认值=true)
    
 JobReadyPods=true|false (BETA - 默认值=true)
    
-KMSv2=true|false (ALPHA - 默认值=false)
    
+KMSv2=true|false (BETA - 默认值=true)
    
 KubeletInUserNamespace=true|false (ALPHA - 默认值=false)
    
 KubeletPodResources=true|false (BETA - 默认值=true)
    
+KubeletPodResourcesDynamicResources=true|false (ALPHA - 默认值=false)
    
+KubeletPodResourcesGet=true|false (ALPHA - 默认值=false)
    
 KubeletPodResourcesGetAllocatable=true|false (BETA - 默认值=true)
    
-KubeletTracing=true|false (ALPHA - 默认值=false)
    
-LegacyServiceAccountTokenTracking=true|false (ALPHA - 默认值=false)
    
+KubeletTracing=true|false (BETA - 默认值=true)
    
+LegacyServiceAccountTokenTracking=true|false (BETA - 默认值=true)
    
 LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - 默认值=false)
    
 LogarithmicScaleDown=true|false (BETA - 默认值=true)
    
 LoggingAlphaOptions=true|false (ALPHA - 默认值=false)
    
 LoggingBetaOptions=true|false (BETA - 默认值=true)
    
-MatchLabelKeysInPodTopologySpread=true|false (ALPHA - 默认值=false)
    
+MatchLabelKeysInPodTopologySpread=true|false (BETA - 默认值=true)
    
 MaxUnavailableStatefulSet=true|false (ALPHA - 默认值=false)
    
 MemoryManager=true|false (BETA - 默认值=true)
    
 MemoryQoS=true|false (ALPHA - 默认值=false)
    
-MinDomainsInPodTopologySpread=true|false (BETA - 默认值=false)
    
-MinimizeIPTablesRestore=true|false (ALPHA - 默认值=false)
    
+MinDomainsInPodTopologySpread=true|false (BETA - 默认值=true)
    
+MinimizeIPTablesRestore=true|false (BETA - 默认值=true)
    
 MultiCIDRRangeAllocator=true|false (ALPHA - 默认值=false)
    
+MultiCIDRServiceAllocator=true|false (ALPHA - 默认值=false)
    
 NetworkPolicyStatus=true|false (ALPHA - 默认值=false)
    
+NewVolumeManagerReconstruction=true|false (BETA - 默认值=true)
    
 NodeInclusionPolicyInPodTopologySpread=true|false (BETA - 默认值=true)
    
+NodeLogQuery=true|false (ALPHA - 默认值=false)
    
 NodeOutOfServiceVolumeDetach=true|false (BETA - 默认值=true)
    
 NodeSwap=true|false (ALPHA - 默认值=false)
    
 OpenAPIEnums=true|false (BETA - 默认值=true)
    
-OpenAPIV3=true|false (BETA - 默认值=true)
    
-PDBUnhealthyPodEvictionPolicy=true|false (ALPHA - 默认值=false)
    
+PDBUnhealthyPodEvictionPolicy=true|false (BETA - 默认值=true)
    
 PodAndContainerStatsFromCRI=true|false (ALPHA - 默认值=false)
    
 PodDeletionCost=true|false (BETA - 默认值=true)
    
 PodDisruptionConditions=true|false (BETA - 默认值=true)
    
 PodHasNetworkCondition=true|false (ALPHA - 默认值=false)
    
-PodSchedulingReadiness=true|false (ALPHA - 默认值=false)
    
+PodSchedulingReadiness=true|false (BETA - 默认值=true)
    
 ProbeTerminationGracePeriod=true|false (BETA - 默认值=true)
    
 ProcMountType=true|false (ALPHA - 默认值=false)
    
 ProxyTerminatingEndpoints=true|false (BETA - 默认值=true)
    
 QOSReserved=true|false (ALPHA - 默认值=false)
    
-ReadWriteOncePod=true|false (ALPHA - 默认值=false)
    
+ReadWriteOncePod=true|false (BETA - 默认值=true)
    
 RecoverVolumeExpansionFailure=true|false (ALPHA - 默认值=false)
    
 RemainingItemCount=true|false (BETA - 默认值=true)
    
 RetroactiveDefaultStorageClass=true|false (BETA - 默认值=true)
    
 RotateKubeletServerCertificate=true|false (BETA - 默认值=true)
    
-SELinuxMountReadWriteOncePod=true|false (ALPHA - 默认值=false)
    
-SeccompDefault=true|false (BETA - 默认值=true)
    
-ServerSideFieldValidation=true|false (BETA - 默认值=true)
    
+SELinuxMountReadWriteOncePod=true|false (BETA - 默认值=true)
    
+SecurityContextDeny=true|false (ALPHA - 默认值=false)
    
+ServiceNodePortStaticSubrange=true|false (ALPHA - 默认值=false)
    
 SizeMemoryBackedVolumes=true|false (BETA - 默认值=true)
    
-StatefulSetAutoDeletePVC=true|false (ALPHA - 默认值=false)
    
-StatefulSetStartOrdinal=true|false (ALPHA - 默认值=false)
    
+StableLoadBalancerNodeSet=true|false (BETA - 默认值=true)
    
+StatefulSetAutoDeletePVC=true|false (BETA - 默认值=true)
    
+StatefulSetStartOrdinal=true|false (BETA - 默认值=true)
    
 StorageVersionAPI=true|false (ALPHA - 默认值=false)
    
 StorageVersionHash=true|false (BETA - 默认值=true)
    
 TopologyAwareHints=true|false (BETA - 默认值=true)
    
-TopologyManager=true|false (BETA - 默认值=true)
    
 TopologyManagerPolicyAlphaOptions=true|false (ALPHA - 默认值=false)
    
 TopologyManagerPolicyBetaOptions=true|false (BETA - 默认值=false)
    
 TopologyManagerPolicyOptions=true|false (ALPHA - 默认值=false)
    
 UserNamespacesStatelessPodsSupport=true|false (ALPHA - 默认值=false)
    
 ValidatingAdmissionPolicy=true|false (ALPHA - 默认值=false)
    
 VolumeCapacityPriority=true|false (ALPHA - 默认值=false)
    
+WatchList=true|false (ALPHA - 默认值=false)
    
 WinDSR=true|false (ALPHA - 默认值=false)
    
 WinOverlay=true|false (BETA - 默认值=true)
    
 WindowsHostNetwork=true|false (ALPHA - 默认值=true)
@@ -2214,6 +2240,18 @@ in addition 'Connection: close' response header is set in order to tear down the
 
 
 
+
+--shutdown-watch-termination-grace-period duration
+
+
+
    
+
+此选项如果被设置了,则表示 API 服务器体面关闭服务器窗口内,等待活跃的监听请求耗尽的最长宽限期。
+
    
+
+
 
 --storage-backend string
 

From b672cea482f2546ccaadb13ab01ff4ae9eeeedd7 Mon Sep 17 00:00:00 2001
From: Zhuzhenghao 
Date: Thu, 13 Apr 2023 15:27:13 +0800
Subject: [PATCH 267/272] [zh] resync page extensible-admission-controllers

---
 .../extensible-admission-controllers.md       | 424 ++++++++++--------
 1 file changed, 233 insertions(+), 191 deletions(-)

diff --git a/content/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers.md b/content/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers.md
index 7b29c76a347..7beaa90ee91 100644
--- a/content/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers.md
@@ -3,8 +3,14 @@ title: 动态准入控制
 content_type: concept
 weight: 40
 ---
-
 
+
 
@@ -29,16 +36,16 @@ This page describes how to build, configure, use, and monitor admission webhooks
 
 准入 Webhook 是一种用于接收准入请求并对其进行处理的 HTTP 回调机制。
 可以定义两种类型的准入 webhook,即
 [验证性质的准入 Webhook](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) 和
 [修改性质的准入 Webhook](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook)。
-修改性质的准入 Webhook 会先被调用。它们可以更改发送到 API 
+修改性质的准入 Webhook 会先被调用。它们可以更改发送到 API
 服务器的对象以执行自定义的设置默认值操作。
 
 
-{{< note >}}
 如果准入 Webhook 需要保证它们所看到的是对象的最终状态以实施某种策略。
 则应使用验证性质的准入 Webhook,因为对象被修改性质 Webhook 看到之后仍然可能被修改。
 {{< /note >}}
 
 
-### 尝试准入 Webhook {#experimenting-with-admission-webhooks}
+## 尝试准入 Webhook {#experimenting-with-admission-webhooks}
 
 准入 Webhook 本质上是集群控制平面的一部分。你应该非常谨慎地编写和部署它们。
 如果你打算编写或者部署生产级准入 webhook,请阅读[用户指南](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/#write-an-admission-webhook-server)以获取相关说明。
@@ -101,19 +109,19 @@ that is validated in a Kubernetes e2e test. The webhook handles the
 as an `AdmissionReview` object in the same version it received.
 -->
 请参阅 Kubernetes e2e 测试中的
-[admission webhook 服务器](https://github.com/kubernetes/kubernetes/blob/release-1.21/test/images/agnhost/webhook/main.go)
+[Admission Webhook 服务器](https://github.com/kubernetes/kubernetes/blob/release-1.21/test/images/agnhost/webhook/main.go)
 的实现。webhook 处理由 API 服务器发送的 `AdmissionReview` 请求,并且将其决定
 作为 `AdmissionReview` 对象以相同版本发送回去。
 
 
-有关发送到 webhook 的数据的详细信息,请参阅 [webhook 请求](#request)。
+有关发送到 Webhook 的数据的详细信息,请参阅 [Webhook 请求](#request)。
 
 
-要获取来自 webhook 的预期数据,请参阅 [webhook 响应](#response)。
+要获取来自 Webhook 的预期数据,请参阅 [Webhook 响应](#response)。
 
 
 示例准入 Webhook 服务器置 `ClientAuth` 字段为
 [空](https://github.com/kubernetes/kubernetes/blob/v1.22.0/test/images/agnhost/webhook/config.go#L38-L39),
-默认为 `NoClientCert` 。这意味着 webhook 服务器不会验证客户端的身份,认为其是 apiservers。
+默认为 `NoClientCert` 。这意味着 Webhook 服务器不会验证客户端的身份,认为其是 apiservers。
 如果你需要双向 TLS 或其他方式来验证客户端,请参阅
 如何[对 apiservers 进行身份认证](#authenticate-apiservers)。
 
@@ -141,18 +149,18 @@ The test also creates a [service](/docs/reference/generated/kubernetes-api/{{< p
 as the front-end of the webhook server. See
 [code](https://github.com/kubernetes/kubernetes/blob/v1.22.0/test/e2e/apimachinery/webhook.go#L748).
 -->
-e2e 测试中的 webhook 服务器通过
+e2e 测试中的 Webhook 服务器通过
 [deployment API](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#deployment-v1-apps)
 部署在 Kubernetes 集群中。该测试还将创建一个
 [service](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#service-v1-core)
-作为 webhook 服务器的前端。参见
+作为 Webhook 服务器的前端。参见
 [相关代码](https://github.com/kubernetes/kubernetes/blob/v1.22.0/test/e2e/apimachinery/webhook.go#L748)。
 
 
-你也可以在集群外部署 webhook。这样做需要相应地更新你的 webhook 配置。
+你也可以在集群外部署 Webhook。这样做需要相应地更新你的 Webhook 配置。
 
 
-你可以通过 
+你可以通过
 [ValidatingWebhookConfiguration](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#validatingwebhookconfiguration-v1-admissionregistration-k8s-io)
-或者 
+或者
 [MutatingWebhookConfiguration](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#mutatingwebhookconfiguration-v1-admissionregistration-k8s-io) 动态配置哪些资源要被哪些准入 Webhook 处理。
+
 
-以下是一个 `ValidatingWebhookConfiguration` 示例,mutating webhook 配置与此类似。有关每个配置字段的详细信息,请参阅 [webhook 配置](#webhook-configuration) 部分。
+以下是一个 `ValidatingWebhookConfiguration` 示例,Mutating Webhook 配置与此类似。有关每个配置字段的详细信息,请参阅 [Webhook 配置](#webhook-configuration) 部分。
 
 ```yaml
 apiVersion: admissionregistration.k8s.io/v1
@@ -184,11 +193,11 @@ metadata:
 webhooks:
 - name: "pod-policy.example.com"
   rules:
-  - apiGroups:   [""]
+  - apiGroups: [""]
     apiVersions: ["v1"]
-    operations:  ["CREATE"]
-    resources:   ["pods"]
-    scope:       "Namespaced"
+    operations: ["CREATE"]
+    resources: ["pods"]
+    scope: "Namespaced"
   clientConfig:
     service:
       namespace: "example-namespace"
@@ -198,6 +207,7 @@ webhooks:
   sideEffects: None
   timeoutSeconds: 5
 ```
+
 {{< note >}}
 
 `scope` 字段指定是仅集群范围的资源(Cluster)还是名字空间范围的资源资源(Namespaced)将与此规则匹配。
 `*` 表示没有范围限制。
 
+{{< note >}}
 
-{{< note >}}
 当使用 `clientConfig.service` 时,服务器证书必须对 `..svc` 有效。
 {{< /note >}}
 
+{{< note >}}
 
-{{< note >}}
-Webhook 调用的默认超时是 10 秒,你可以设置 `timeout` 并建议对 webhook 设置较短的超时时间。
-如果 webhook 调用超时,则根据 webhook 的失败策略处理请求。
+Webhook 调用的默认超时是 10 秒,你可以设置 `timeout` 并建议对 Webhook 设置较短的超时时间。
+如果 Webhook 调用超时,则根据 Webhook 的失败策略处理请求。
 {{< /note >}}
 
 
 当一个 API 服务器收到与 `rules` 相匹配的请求时,
-该 API 服务器将按照 `clientConfig` 中指定的方式向 webhook 发送一个 `admissionReview` 请求。
+该 API 服务器将按照 `clientConfig` 中指定的方式向 Webhook 发送一个 `admissionReview` 请求。
 
 创建 Webhook 配置后,系统将花费几秒钟使新配置生效。
 
 
 ### 对 API 服务器进行身份认证 {#authenticate-apiservers}
 
@@ -322,71 +332,74 @@ For more information about `AdmissionConfiguration`, see the
 [AdmissionConfiguration (v1) reference](/docs/reference/config-api/apiserver-webhookadmission.v1/).
 See the [webhook configuration](#webhook-configuration) section for details about each config field.
 
-* In the kubeConfig file, provide the credentials:
+In the kubeConfig file, provide the credentials:
 -->
 有关 `AdmissionConfiguration` 的更多信息,请参见
 [AdmissionConfiguration (v1) reference](/docs/reference/config-api/apiserver-webhookadmission.v1/)。
-有关每个配置字段的详细信息,请参见 [webhook 配置](#webhook-配置)部分。
+有关每个配置字段的详细信息,请参见 [Webhook 配置](#webhook-配置)部分。
 
-* 在 kubeConfig 文件中,提供证书凭据:
+在 kubeConfig 文件中,提供证书凭据:
+
+```yaml
+apiVersion: v1
+kind: Config
+users:
+# 名称应设置为服务的 DNS 名称或配置了 Webhook 的 URL 的主机名(包括端口)。
+# 如果将非 443 端口用于服务,则在配置 1.16+ API 服务器时,该端口必须包含在名称中。
+#
+# 对于配置在默认端口(443)上与服务对话的 Webhook,请指定服务的 DNS 名称:
+# - name: webhook1.ns1.svc
+#   user: ...
+#
+# 对于配置在非默认端口(例如 8443)上与服务对话的 Webhook,请在 1.16+ 中指定服务的 DNS 名称和端口:
+# - name: webhook1.ns1.svc:8443
+#   user: ...
+# 并可以选择仅使用服务的 DNS 名称来创建第二节,以与 1.15 API 服务器版本兼容:
+# - name: webhook1.ns1.svc
+#   user: ...
+#
+# 对于配置为使用 URL 的 webhook,请匹配在 webhook 的 URL 中指定的主机(和端口)。
+# 带有 `url: https://www.example.com` 的 webhook:
+# - name: www.example.com
+#   user: ...
+#
+# 带有 `url: https://www.example.com:443` 的 webhook:
+# - name: www.example.com:443
+#   user: ...
+#
+# 带有 `url: https://www.example.com:8443` 的 webhook:
+# - name: www.example.com:8443
+#   user: ...
+#
+- name: 'webhook1.ns1.svc'
+  user:
+    client-certificate-data: ""
+    client-key-data: ""
+# `name` 支持使用 * 通配符匹配前缀段。
+- name: '*.webhook-company.org'
+  user:
+    password: ""
+    username: ""
+# '*' 是默认匹配项。
+- name: '*'
+  user:
+    token: ""
+```
 
-    ```yaml
-    apiVersion: v1
-    kind: Config
-    users:
-    # 名称应设置为服务的 DNS 名称或配置了 Webhook 的 URL 的主机名(包括端口)。
-    # 如果将非 443 端口用于服务,则在配置 1.16+ API 服务器时,该端口必须包含在名称中。
-    #
-    # 对于配置在默认端口(443)上与服务对话的 Webhook,请指定服务的 DNS 名称:
-    # - name: webhook1.ns1.svc
-    #   user: ...
-    #
-    # 对于配置在非默认端口(例如 8443)上与服务对话的 Webhook,请在 1.16+ 中指定服务的 DNS 名称和端口:
-    # - name: webhook1.ns1.svc:8443
-    #   user: ...
-    # 并可以选择仅使用服务的 DNS 名称来创建第二节,以与 1.15 API 服务器版本兼容:
-    # - name: webhook1.ns1.svc
-    #   user: ...
-    #
-    # 对于配置为使用 URL 的 webhook,请匹配在 webhook 的 URL 中指定的主机(和端口)。
-    # 带有 `url: https://www.example.com` 的 webhook:
-    # - name: www.example.com
-    #   user: ...
-    #
-    # 带有 `url: https://www.example.com:443` 的 webhook:
-    # - name: www.example.com:443
-    #   user: ...
-    #
-    # 带有 `url: https://www.example.com:8443` 的 webhook:
-    # - name: www.example.com:8443
-    #   user: ...
-    #
-    - name: 'webhook1.ns1.svc'
-      user:
-        client-certificate-data: ""
-        client-key-data: ""
-    # `name` 支持使用 * 通配符匹配前缀段。
-    - name: '*.webhook-company.org'
-      user:
-        password: ""
-        username: ""
-    # '*' 是默认匹配项。
-    - name: '*'
-      user:
-        token: ""
-    ```
 
 当然,你需要设置 Webhook 服务器来处理这些身份验证请求。
 
-
+
 ## Webhook 请求与响应 {#webhook-request-and-response}
 
 
-创建 webhook 配置时,`admissionReviewVersions` 是必填字段。
+创建 Webhook 配置时,`admissionReviewVersions` 是必填字段。
 Webhook 必须支持至少一个当前和以前的 API 服务器都可以解析的 `AdmissionReview` 版本。
 
 
 当拒绝请求时,Webhook 可以使用 `status` 字段自定义 http 响应码和返回给用户的消息。
@@ -624,7 +639,8 @@ For `patchType: JSONPatch`, the `patch` field contains a base64-encoded array of
 对于 `patchType: JSONPatch`,`patch` 字段包含一个以 base64 编码的 JSON patch 操作数组。
 
 
@@ -652,18 +668,19 @@ So a webhook response to add that label would be:
 }
 ```
 
-
 准入 Webhook 可以选择性地返回在 HTTP `Warning` 头中返回给请求客户端的警告消息,警告代码为 299。
 警告可以与允许或拒绝的准入响应一起发送。
 
-
 如果你正在实现返回一条警告的 webhook,则:
 
@@ -674,7 +691,7 @@ If you're implementing a webhook that returns a warning:
 {{< caution >}}
 
 超过 256 个字符的单条警告消息在返回给客户之前可能会被 API 服务器截断。
 如果超过 4096 个字符的警告消息(来自所有来源),则额外的警告消息会被忽略。
@@ -731,37 +748,44 @@ Webhook,则应为每个 Webhook 赋予一个唯一的名称。
 Each webhook must specify a list of rules used to determine if a request to the API server should be sent to the webhook.
 Each rule specifies one or more operations, apiGroups, apiVersions, and resources, and a resource scope:
 -->
-每个 webhook 必须指定用于确定是否应将对 apiserver 的请求发送到 webhook 的规则列表。
+每个 Webhook 必须指定用于确定是否应将对 apiserver 的请求发送到 webhook 的规则列表。
 每个规则都指定一个或多个 operations、apiGroups、apiVersions 和 resources 以及资源的 scope:
 
 
 * `operations` 列出一个或多个要匹配的操作。
   可以是 `CREATE`、`UPDATE`、`DELETE`、`CONNECT` 或 `*` 以匹配所有内容。
 * `apiGroups` 列出了一个或多个要匹配的 API 组。`""` 是核心 API 组。`"*"` 匹配所有 API 组。
 * `apiVersions` 列出了一个或多个要匹配的 API 版本。`"*"` 匹配所有 API 版本。
 * `resources` 列出了一个或多个要匹配的资源。
-    * `"*"` 匹配所有资源,但不包括子资源。
-    * `"*/*"` 匹配所有资源,包括子资源。
-    * `"pods/*"` 匹配 pod 的所有子资源。
-    * `"*/status"` 匹配所有 status 子资源。
+
+  * `"*"` 匹配所有资源,但不包括子资源。
+  * `"*/*"` 匹配所有资源,包括子资源。
+  * `"pods/*"` 匹配 pod 的所有子资源。
+  * `"*/status"` 匹配所有 status 子资源。
 * `scope` 指定要匹配的范围。有效值为 `"Cluster"`、`"Namespaced"` 和 `"*"`。
   子资源匹配其父资源的范围。默认值为 `"*"`。
-    * `"Cluster"` 表示只有集群作用域的资源才能匹配此规则(API 对象 Namespace 是集群作用域的)。
-    * `"Namespaced"` 意味着仅具有名字空间的资源才符合此规则。
-    * `"*"` 表示没有作用域限制。
+
+  * `"Cluster"` 表示只有集群作用域的资源才能匹配此规则(API 对象 Namespace 是集群作用域的)。
+  * `"Namespaced"` 意味着仅具有名字空间的资源才符合此规则。
+  * `"*"` 表示没有作用域限制。
 
 
-仅当选择使用 webhook 时才使用对象选择器,因为最终用户可以通过设置标签来
+仅当选择使用 Webhook 时才使用对象选择器,因为最终用户可以通过设置标签来
 跳过准入 Webhook。
 
 
 此示例显示了一个验证性质的 Webhook,它将匹配到对某名字空间中的任何具名字空间的资源的
 `CREATE` 请求,前提是该名字空间具有值为 "prod" 或 "staging" 的 "environment" 标签:
@@ -951,7 +976,7 @@ webhooks:
       matchExpressions:
         - key: environment
           operator: In
-          values: ["prod","staging"]
+          values: ["prod", "staging"]
     rules:
       - operations: ["CREATE"]
         apiGroups: ["*"]
@@ -983,7 +1008,7 @@ For example, if a webhook only specified a rule for some API groups/versions
 and a request was made to modify the resource via another API group/version (like `extensions/v1beta1`),
 the request would not be sent to the webhook.
 -->
-例如,如果一个 webhook 仅为某些 API 组/版本指定了规则(例如
+例如,如果一个 Webhook 仅为某些 API 组/版本指定了规则(例如
 `apiGroups:["apps"], apiVersions:["v1","v1beta1"]`),而修改资源的请求是通过另一个
 API 组/版本(例如 `extensions/v1beta1`)发出的,该请求将不会被发送到 Webhook。
 
@@ -991,25 +1016,28 @@ API 组/版本(例如 `extensions/v1beta1`)发出的,该请求将不会被
 The `matchPolicy` lets a webhook define how its `rules` are used to match incoming requests.
 Allowed values are `Exact` or `Equivalent`.
 -->
-`matchPolicy` 允许 webhook 定义如何使用其 `rules` 匹配传入的请求。
+`matchPolicy` 允许 Webhook 定义如何使用其 `rules` 匹配传入的请求。
 允许的值为 `Exact` 或 `Equivalent`。
 
 
 * `Exact` 表示仅当请求与指定规则完全匹配时才应拦截该请求。
 * `Equivalent` 表示如果某个请求意在修改 `rules` 中列出的资源,
   即使该请求是通过其他 API 组或版本发起,也应拦截该请求。
 
-在上面给出的示例中,仅为 `apps/v1` 注册的 webhook 可以使用 `matchPolicy`:
+在上面给出的示例中,仅为 `apps/v1` 注册的 Webhook 可以使用 `matchPolicy`:
 * `matchPolicy: Exact` 表示不会将 `extensions/v1beta1` 请求发送到 Webhook
-* `matchPolicy:Equivalent` 表示将 `extensions/v1beta1` 请求发送到 webhook
-  (将对象转换为 webhook 指定的版本:`apps/v1`)
+* `matchPolicy:Equivalent` 表示将 `extensions/v1beta1` 请求发送到 Webhook
+  (将对象转换为 Webhook 指定的版本:`apps/v1`)
 
 
 准入 Webhook 所用的 `matchPolicy` 默认为 `Equivalent`。
 
@@ -1144,7 +1173,7 @@ webhooks:
         expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("my-webhook.example.com").check("breakglass").allowed()'
 ```
 
-
 匹配条件可以访问以下 CEL 变量:
@@ -1217,8 +1246,8 @@ stanza of the webhook configuration.
 Webhooks can either be called via a URL or a service reference,
 and can optionally include a custom CA bundle to use to verify the TLS connection.
 -->
-API 服务器确定请求应发送到 webhook 后,它需要知道如何调用 webhook。
-此信息在 webhook 配置的 `clientConfig` 节中指定。
+API 服务器确定请求应发送到 Webhook 后,它需要知道如何调用 webhook。
+此信息在 Webhook 配置的 `clientConfig` 节中指定。
 
 Webhook 可以通过 URL 或服务引用来调用,并且可以选择包含自定义 CA 包,以用于验证 TLS 连接。
 
@@ -1231,7 +1260,7 @@ Webhook 可以通过 URL 或服务引用来调用,并且可以选择包含自
 `url` gives the location of the webhook, in standard URL form
 (`scheme://host:port/path`).
 -->
-`url` 以标准 URL 形式给出 webhook 的位置(`scheme://host:port/path`)。
+`url` 以标准 URL 形式给出 Webhook 的位置(`scheme://host:port/path`)。
 
 
 请注意,将 `localhost` 或 `127.0.0.1` 用作 `host` 是有风险的,
-除非你非常小心地在所有运行 apiserver 的、可能需要对此 webhook 
+除非你非常小心地在所有运行 apiserver 的、可能需要对此 Webhook
 进行调用的主机上运行。这样的安装方式可能不具有可移植性,即很难在新集群中启用。
 
 
 使用用户或基本身份验证(例如:"user:password@")是不允许的。
 使用片段("#...")和查询参数("?...")也是不允许的。
@@ -1321,14 +1350,16 @@ webhooks:
       path: /my-path
       port: 1234
 ```
+
 {{< note >}}
 
 你必须在以上示例中将 `` 替换为一个有效的 VA 证书包,
 这是一个用 PEM 编码的 CA 证书包,用于校验 Webhook 的服务器证书。
 {{< /note >}}
+
 
@@ -1342,7 +1373,7 @@ Webhook 通常仅对发送给他们的 `AdmissionReview` 内容进行操作。
 但是,某些 Webhook 在处理 admission 请求时会进行带外更改。
 
 
-Webhook 使用 webhook 配置中的 `sideEffects` 字段显示它们是否有副作用:
+Webhook 使用 Webhook 配置中的 `sideEffects` 字段显示它们是否有副作用:
 
-* `None`:调用 webhook 没有副作用。
-* `NoneOnDryRun`:调用 webhook 可能会有副作用,但是如果将带有 `dryRun: true`
-  属性的请求发送到 webhook,则 webhook 将抑制副作用(该 webhook 可识别 `dryRun`)。
+* `None`:调用 Webhook 没有副作用。
+* `NoneOnDryRun`:调用 Webhook 可能会有副作用,但是如果将带有 `dryRun: true`
+  属性的请求发送到 webhook,则 Webhook 将抑制副作用(该 Webhook 可识别 `dryRun`)。
 
 
-这是一个 validating webhook 的示例,表明它对 `dryRun: true` 请求没有副作用:
+这是一个 validating Webhook 的示例,表明它对 `dryRun: true` 请求没有副作用:
 
 ```yaml
 apiVersion: admissionregistration.k8s.io/v1
@@ -1427,8 +1458,8 @@ webhooks:
     timeoutSeconds: 2
 ```
 
-
 准入 Webhook 所用的超时时间默认为 10 秒。
 
@@ -1464,9 +1495,9 @@ and mutating webhooks can specify a `reinvocationPolicy` to control whether they
 可以将 `reinvocationPolicy` 设置为 `Never` 或 `IfNeeded`。 默认为 `Never`。
 
 
 * `Never`: 在一次准入测试中,不得多次调用 Webhook。
 * `IfNeeded`: 如果在最初的 Webhook 调用之后被其他对象的插件修改了被接纳的对象,
@@ -1479,9 +1510,11 @@ The important elements to note are:
 
 
 * 不能保证附加调用的次数恰好是一。
 * 如果其他调用导致对该对象的进一步修改,则不能保证再次调用 Webhook。
@@ -1490,7 +1523,8 @@ The important elements to note are:
   (推荐用于有副作用的 Webhook)。
 
 
 这是一个修改性质的 Webhook 的示例,该 Webhook 在以后的准入插件修改对象时被重新调用:
 
@@ -1510,7 +1544,7 @@ in an object could already exist in the user-provided object, but it is essentia
 修改性质的 Webhook 必须具有[幂等](#idempotence)性,并且能够成功处理
 已被接纳并可能被修改的对象的修改性质的 Webhook。
 对于所有修改性质的准入 Webhook 都是如此,因为它们可以在对象中进行的
-任何更改可能已经存在于用户提供的对象中,但是对于选择重新调用的 webhook
+任何更改可能已经存在于用户提供的对象中,但是对于选择重新调用的 Webhook
 来说是必不可少的。
 
 
-`failurePolicy` 定义了如何处理准入 webhook 中无法识别的错误和超时错误。允许的值为 `Ignore` 或 `Fail`。
+`failurePolicy` 定义了如何处理准入 Webhook 中无法识别的错误和超时错误。允许的值为 `Ignore` 或 `Fail`。
 
-* `Ignore` 表示调用 webhook 的错误将被忽略并且允许 API 请求继续。
-* `Fail` 表示调用 webhook 的错误导致准入失败并且 API 请求被拒绝。
+* `Ignore` 表示调用 Webhook 的错误将被忽略并且允许 API 请求继续。
+* `Fail` 表示调用 Webhook 的错误导致准入失败并且 API 请求被拒绝。
 
 这是一个修改性质的 webhook,配置为在调用准入 Webhook 遇到错误时拒绝 API 请求:
 
@@ -1542,8 +1576,8 @@ webhooks:
   failurePolicy: Fail
 ```
 
-
 准入 Webhook 所用的默认 `failurePolicy` 是 `Fail`。
 
@@ -1560,14 +1594,13 @@ monitoring mechanisms help cluster admins to answer questions like:
 
 2. What change did the mutating webhook applied to the object?
 
-3. Which webhooks are frequently rejecting API requests? What's the reason for a
-   rejection?
+3. Which webhooks are frequently rejecting API requests? What's the reason for a rejection?
 -->
 API 服务器提供了监视准入 Webhook 行为的方法。这些监视机制可帮助集群管理员回答以下问题:
 
-1. 哪个修改性质的 webhook 改变了 API 请求中的对象?
+1. 哪个修改性质的 Webhook 改变了 API 请求中的对象?
 2. 修改性质的 Webhook 对对象做了哪些更改?
-3. 哪些 webhook 经常拒绝 API 请求?是什么原因拒绝?
+3. 哪些 Webhook 经常拒绝 API 请求?是什么原因拒绝?
 
 
 - 在 `Metadata` 或更高审计级别上,将使用 JSON 负载记录带有键名
-`mutation.webhook.admission.k8s.io/round_{round idx}_index_{order idx}` 的注解,
-该注解表示针对给定请求调用了 Webhook,以及该 Webhook 是否更改了对象。
+  `mutation.webhook.admission.k8s.io/round_{round idx}_index_{order idx}` 的注解,
+  该注解表示针对给定请求调用了 Webhook,以及该 Webhook 是否更改了对象。
 
   
 有时,了解哪些准入 Webhook 经常拒绝 API 请求以及拒绝的原因是很有用的。
@@ -1757,20 +1791,22 @@ metrics are labelled to identify the causes of webhook rejection(s):
 - `type`: the admission webhook type, can be one of `admit` and `validating`.
 - `error_type`: identifies if an error occurred during the webhook invocation
   that caused the rejection. Its value can be one of:
-   - `calling_webhook_error`: unrecognized errors or timeout errors from the admission webhook happened and the
-   webhook's [Failure policy](#failure-policy) is set to `Fail`.
-   - `no_error`: no error occurred. The webhook rejected the request with `allowed: false` in the admission
-   response. The metrics label `rejection_code` records the `.status.code` set in the admission response.
-   - `apiserver_internal_error`: an API server internal error happened.
+
+  - `calling_webhook_error`: unrecognized errors or timeout errors from the admission webhook happened and the
+    webhook's [Failure policy](#failure-policy) is set to `Fail`.
+  - `no_error`: no error occurred. The webhook rejected the request with `allowed: false` in the admission
+    response. The metrics label `rejection_code` records the `.status.code` set in the admission response.
+  - `apiserver_internal_error`: an API server internal error happened.
+
 - `rejection_code`: the HTTP status code set in the admission response when a
   webhook rejected a request.
 -->
 - `name`:拒绝请求 Webhook 的名称。
 - `operation`:请求的操作类型可以是 `CREATE`、`UPDATE`、`DELETE` 和 `CONNECT` 其中之一。
-- `type`:Admission webhook 类型,可以是 `admit` 和 `validating` 其中之一。
-- `error_type`:标识在 webhook 调用期间是否发生了错误并且导致了拒绝。其值可以是以下之一:
+- `type`:Admission Webhook 类型,可以是 `admit` 和 `validating` 其中之一。
+- `error_type`:标识在 Webhook 调用期间是否发生了错误并且导致了拒绝。其值可以是以下之一:
   - `calling_webhook_error`:发生了来自准入 Webhook 的无法识别的错误或超时错误,
-    并且 webhook 的 [失败策略](#failure-policy) 设置为 `Fail`。
+    并且 Webhook 的 [失败策略](#failure-policy) 设置为 `Fail`。
   - `no_error`:未发生错误。Webhook 在准入响应中以 `allowed: false` 值拒绝了请求。
     度量标签 `rejection_code` 记录了在准入响应中设置的 `.status.code`。
   - `apiserver_internal_error`:apiserver 发生内部错误。
@@ -1815,7 +1851,8 @@ the initial application.
 2. For a `CREATE` pod request, if the field `.spec.containers[].resources.limits`
    of a container is not set, set default resource limits.
 
-3. For a `CREATE` pod request, inject a sidecar container with name `foo-sidecar` if no container with the name `foo-sidecar` already exists.
+3. For a `CREATE` pod request, inject a sidecar container with name `foo-sidecar` if no container
+   with the name `foo-sidecar` already exists.
 
 In the cases above, the webhook can be safely reinvoked, or admit an object that already has the fields set.
 -->
@@ -1891,16 +1928,18 @@ versions. See [Matching requests: matchPolicy](#matching-requests-matchpolicy) f
 
 ### 可用性   {#availability}
 
-建议准入 webhook 尽快完成执行(时长通常是毫秒级),因为它们会增加 API 请求的延迟。
+建议准入 Webhook 尽快完成执行(时长通常是毫秒级),因为它们会增加 API 请求的延迟。
 建议对 Webhook 使用较小的超时值。有关更多详细信息,请参见[超时](#timeouts)。
 
 建议 Admission Webhook 应该采用某种形式的负载均衡机制,以提供高可用性和高性能。
@@ -1912,9 +1951,11 @@ to leverage the load-balancing that service supports.
 Admission webhooks that need to guarantee they see the final state of the object in order to enforce policy
 should use a validating admission webhook, since objects can be modified after being seen by mutating webhooks.
 
-For example, a mutating admission webhook is configured to inject a sidecar container with name "foo-sidecar" on every
-`CREATE` pod request. If the sidecar *must* be present, a validating admisson webhook should also be configured to intercept `CREATE` pod requests, and validate
-that a container with name "foo-sidecar" with the expected configuration exists in the to-be-created object.
+For example, a mutating admission webhook is configured to inject a sidecar container with name
+"foo-sidecar" on every `CREATE` pod request. If the sidecar *must* be present, a validating
+admisson webhook should also be configured to intercept `CREATE` pod requests, and validate that a
+container with name "foo-sidecar" with the expected configuration exists in the to-be-created
+object.
 -->
 
 ### 确保看到对象的最终状态 {#guaranteeing-the-final-state-of-the-object-is-seen}
@@ -1923,7 +1964,7 @@ that a container with name "foo-sidecar" with the expected configuration exists
 则应该使用一个验证性质的 webhook,
 因为可以通过 mutating Webhook 看到对象后对其进行修改。
 
-例如,一个修改性质的准入Webhook 被配置为在每个 `CREATE` Pod 请求中
+例如,一个修改性质的准入 Webhook 被配置为在每个 `CREATE` Pod 请求中
 注入一个名称为 "foo-sidecar" 的 sidecar 容器。
 
 如果*必须*存在边车容器,则还应配置一个验证性质的准入 Webhook 以拦截
@@ -1942,7 +1983,8 @@ When a node that runs the webhook server pods
 becomes unhealthy, the webhook deployment will try to reschedule the pods to another node. However the requests will
 get rejected by the existing webhook server since the `"env"` label is unset, and the migration cannot happen.
 
-It is recommended to exclude the namespace where your webhook is running with a [namespaceSelector](#matching-requests-namespaceselector).
+It is recommended to exclude the namespace where your webhook is running with a
+[namespaceSelector](#matching-requests-namespaceselector).
 -->
 ### 避免自托管的 Webhooks 中出现死锁 {#avoiding-deadlocks-in-self-hosted-webhooks}
 
@@ -1971,7 +2013,7 @@ set to `NoneOnDryRun`. See [Side effects](#side-effects) for more detail.
 -->
 ### 副作用  {#side-effects}
 
-建议准入 Webhook 应尽可能避免副作用,这意味着该准入 webhook 仅对发送给他们的
+建议准入 Webhook 应尽可能避免副作用,这意味着该准入 Webhook 仅对发送给他们的
 `AdmissionReview` 的内容起作用,并且不要进行额外更改。
 如果 Webhook 没有任何副作用,则 `.webhooks[].sideEffects` 字段应设置为
 `None`。

From 0111d739b6272e27c6289c768c0f11e0197a9a99 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Tue, 25 Apr 2023 21:48:06 +0800
Subject: [PATCH 268/272] sync status.md

sync status.md
---
 .../reference/kubernetes-api/common-definitions/status.md     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/zh-cn/docs/reference/kubernetes-api/common-definitions/status.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/status.md
index 0d3a6de1b6f..3b1a2be574e 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/common-definitions/status.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/status.md
@@ -158,10 +158,10 @@ guide. You can file document formatting bugs against the
 
     
     资源的 UID(当有单个可以描述的资源时)。
-    更多信息: http://kubernetes.io/docs/user-guide/identifiers#uids
+    更多信息: https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/names#uids
 
 - **kind** (string)
 

From fe878980eb28071af2c20be75c165a4d1f475f19 Mon Sep 17 00:00:00 2001
From: Kensei Nakada 
Date: Wed, 26 Apr 2023 07:58:00 +0900
Subject: [PATCH 269/272] Add the deprecation notice of
 KubeSchedulerConfiguration v1beta3

---
 content/en/docs/reference/scheduling/config.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/content/en/docs/reference/scheduling/config.md b/content/en/docs/reference/scheduling/config.md
index 86391158266..d1ba65585a9 100644
--- a/content/en/docs/reference/scheduling/config.md
+++ b/content/en/docs/reference/scheduling/config.md
@@ -20,8 +20,7 @@ by implementing one or more of these extension points.
 
 You can specify scheduling profiles by running `kube-scheduler --config `,
 using the
-KubeSchedulerConfiguration ([v1beta3](/docs/reference/config-api/kube-scheduler-config.v1beta3/)
-or [v1](/docs/reference/config-api/kube-scheduler-config.v1/))
+KubeSchedulerConfiguration [v1](/docs/reference/config-api/kube-scheduler-config.v1/)
 struct.
 
 A minimal configuration looks as follows:
@@ -35,9 +34,10 @@ clientConnection:
 
   {{< note >}}
   KubeSchedulerConfiguration [v1beta2](/docs/reference/config-api/kube-scheduler-config.v1beta2/)
-  is deprecated in v1.25 and will be removed in v1.26. Please migrate KubeSchedulerConfiguration to
-  [v1beta3](/docs/reference/config-api/kube-scheduler-config.v1beta3/) or [v1](/docs/reference/config-api/kube-scheduler-config.v1/)
-  before upgrading Kubernetes to v1.25.
+  is deprecated in v1.25 and will be removed in v1.28. 
+  KubeSchedulerConfiguration [v1beta3](/docs/reference/config-api/kube-scheduler-config.v1beta3/)
+  is deprecated in v1.26 and will be removed in v1.29.
+  Please migrate KubeSchedulerConfiguration to [v1](/docs/reference/config-api/kube-scheduler-config.v1/).
   {{< /note >}}
 ## Profiles
 

From 136bdad0d4a00c296da6ca72baa09731aba729c7 Mon Sep 17 00:00:00 2001
From: Niranjan Darshan 
Date: Wed, 26 Apr 2023 08:30:16 +0530
Subject: [PATCH 270/272] Fixed broken link blog 2022 (#40663)

* Fixed broken link blog 2022

* added correct link
---
 content/en/blog/_posts/2022-12-27-cpumanager-goes-GA.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2022-12-27-cpumanager-goes-GA.md b/content/en/blog/_posts/2022-12-27-cpumanager-goes-GA.md
index d1edc4575b0..d7ced81802d 100644
--- a/content/en/blog/_posts/2022-12-27-cpumanager-goes-GA.md
+++ b/content/en/blog/_posts/2022-12-27-cpumanager-goes-GA.md
@@ -40,7 +40,7 @@ compatible behavior when disabled, and to document how to interact with each oth
 
 This enabled the Kubernetes project to graduate to GA the CPU Manager core component and core CPU allocation algorithms to GA,
 while also enabling a new age of experimentation in this area.
-In Kubernetes v1.26, the CPU Manager supports [three different policy options](/docs/tasks/administer-cluster/cpu-management-policies.md#static-policy-options):
+In Kubernetes v1.26, the CPU Manager supports [three different policy options](/docs/tasks/administer-cluster/cpu-management-policies#static-policy-options):
 
 `full-pcpus-only`
 : restrict the CPU Manager core allocation algorithm to full physical cores only, reducing noisy neighbor issues from hardware technologies that allow sharing cores.

From 235c5be1b773135ebfc510ba966ad3751684aef2 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Tue, 25 Apr 2023 21:54:13 +0800
Subject: [PATCH 271/272] sync service-topology.md

sync service-topology.md
---
 .../docs/concepts/services-networking/service-topology.md     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/zh-cn/docs/concepts/services-networking/service-topology.md b/content/zh-cn/docs/concepts/services-networking/service-topology.md
index f605350272e..b9a3f188a05 100644
--- a/content/zh-cn/docs/concepts/services-networking/service-topology.md
+++ b/content/zh-cn/docs/concepts/services-networking/service-topology.md
@@ -20,12 +20,12 @@ weight: 150
 
 此功能特性,尤其是 Alpha 阶段的 `topologyKeys` API,在 Kubernetes v1.21
 版本中已被废弃。Kubernetes v1.21 版本中引入的
-[拓扑感知的提示](/zh-cn/docs/concepts/services-networking/topology-aware-hints/),
+[拓扑感知路由](/zh-cn/docs/concepts/services-networking/topology-aware-routing/),
 提供类似的功能。
 {{}}
 

From d5a5370ba2614f0fe38b2e1275b0be349898cc46 Mon Sep 17 00:00:00 2001
From: ydFu 
Date: Wed, 26 Apr 2023 16:25:41 +0800
Subject: [PATCH 272/272] [zh] sync
 blog\_posts\2022-12-27-cpumanager-goes-GA.md

Signed-off-by: ydFu 
---
 content/zh-cn/blog/_posts/2022-12-27-cpumanager-goes-GA.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/zh-cn/blog/_posts/2022-12-27-cpumanager-goes-GA.md b/content/zh-cn/blog/_posts/2022-12-27-cpumanager-goes-GA.md
index 9e7b876d103..48f66608bb9 100644
--- a/content/zh-cn/blog/_posts/2022-12-27-cpumanager-goes-GA.md
+++ b/content/zh-cn/blog/_posts/2022-12-27-cpumanager-goes-GA.md
@@ -88,11 +88,11 @@ compatible behavior when disabled, and to document how to interact with each oth
 
 这使得 Kubernetes 项目能够将 CPU 管理器核心组件和核心 CPU 分配算法进阶至 GA,同时也开启了该领域新的实验时代。
 在 Kubernetes v1.26 中,CPU
-管理器支持[三个不同的策略选项](/zh-cn/docs/tasks/administer-cluster/cpu-management-policies.md#static-policy-options):
+管理器支持[三个不同的策略选项](/zh-cn/docs/tasks/administer-cluster/cpu-management-policies#static-policy-options):