Automator: update common-files@master in istio/api@master (#3538 )

Automator: update common-files@master in istio/api@master (#3536 )
Automator: update common-files@master in istio/api@master (#3533 )
2025-07-10 07:06:33 -04:00 · 2025-07-08 05:37:30 -04:00 · 2025-06-30 16:45:23 -04:00 · 2025-06-26 08:13:19 -04:00 · 2025-06-25 12:53:18 -04:00 · 2025-06-25 11:14:18 -04:00
243 changed files with 20433 additions and 63776 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -1,6 +1,6 @@
 {
  "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:master-3a1982fd09c72f345f85d394d5cce906b5484b76",
+  "image": "gcr.io/istio-testing/build-tools:master-8e6480403f5cf4c9a4cd9d65174d01850e632e1a",
  "privileged": true,
  "remoteEnv": {
    "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",
--- a/GUIDELINES.md
+++ b/GUIDELINES.md
@ -19,6 +19,7 @@ followed for Istio APIs.
 - [Proto Guidelines](#proto-guidelines)
    - [Style](#style)
    - [Basic Proto Versioning](#basic-proto-ersioning)
+- [Validation Guidelines](#validation-guidelines)
 - [CRD Guidelines](#crd-guidelines)
    - [Style](#crd-style)
    - [Basic CRD Versioning](#basic-crd-versioning)
@ -214,6 +215,75 @@ protos.

    - Loosening validation is permitted. As a result, it is recommended to err on the side of stricter validation.

+## Validation Guidelines
+
+All types should have as strict validation specified on it as possible to rule out invalid states.
+These are ultimately compiled to Kubernetes CustomResourceDefinitions, which use OpenAPI validation with some Kubernetes extras.
+This is handled by our own custom [protoc-gen-crd](https://github.com/istio/tools/tree/master/cmd/protoc-gen-crd) which compiles our
+protobuf definitions down to CRDs.
+
+There are a few types of validations:
+* Automatic ones, based on the protobuf type. For example, a UInt32Value automatically has a validation to check the number between `0` and `MaxUint32`
+* Protobuf `field_behavior`. Currently only `[(google.api.field_behavior) = REQUIRED]` is implemented.
+* Comment driven validations (see below).
+
+Most validation is driven by comments on fields and messages.
+All validations in [KubeBuilder](https://book.kubebuilder.io/reference/markers/crd-validation) are supported, as well as some extras:
+
+- `+protoc-gen-crd:map-value-validation`: apply the validation to each *value* in a map.
+  Note it's not possible to apply validations to each key. You can, however, validate the entire map together with a CEL rule.
+- `+protoc-gen-crd:list-value-validation`: apply the validation to each value in a list.
+- `+protoc-gen-crd:duration-validation:none`: exclude the default requirement that a duration field is non-zero.
+- `+protoc-gen-crd:validation:XIntOrString`: marks a field as accepting integers or strings.
+- `+protoc-gen-crd:validation:IgnoreSubValidation`: if referencing a message in a field, and that message has some validation on it already, exclude the listed validations.
+  This is uncommon, but can be used when referencing a message in a certain context has different rules than others.
+
+The most common validations are:
+- Sizes: `MaxLength` (strings), `MaxItems` (lists), `MaxProperties` (maps)
+- Regex: `Pattern`
+- CEL: `XValidation`
+
+### CEL
+
+[CEL](https://cel.dev/) is a small language that allows us to write expressions to represent validation logic.
+This comes with a lot of quirks!
+
+Useful tools and references:
+* [CEL playground](https://playcel.undistro.io/) allows an easy way to run CEL expressions against some types.
+* [Kubernetes CEL docs](https://kubernetes.io/docs/reference/using-api/cel/).
+* [CEL language definition](https://github.com/google/cel-spec/blob/master/doc/langdef.md).
+
+The biggest challenge with CEL is the complexity limit imposed by Kubernetes.
+This estimates the cost to run the function, and rejects it if it is too high.
+This takes into account the cost of a function and the cost of *potential* inputs.
+This makes it, typically, required to put maximum size bounds on items.
+
+Kubernetes changes version-to-version on how it estimates cost (usually getting more lenient) and what functions are available.
+We want to target the oldest version for compatibility purposes.
+Our tests do not currently cover this (a prototype of doing so can be found [here](https://github.com/istio/api/pull/3275)).
+A list of what features are in which versions can be found [here](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries).
+
+Istio has some custom macros that are expanded at compile time, driven by the [celpp](https://github.com/howardjohn/celpp) package.
+This extends CEL with these capabilities:
+* **default**. Usage: `default(self.x, 'DEF')`.
+* **oneof**. Usage: `oneof(self.x, self.y, self.z)`. This checks that 0 or 1 of these fields is set.
+* **index**. Usage: `self.index({}, x, z, b)`. This does `self.x.z.b` and returns `{}` if any of these is not set.
+
+Unlike typical Go usage, CEL does not have a concept of zero values for unset fields.
+As a result, an optional field needs special care.
+Do not write `self.fruit == 'apple'`, for instance, write `default(self.fruit, '') == 'apple'.
+
+### Testing
+
+As validation logic is really easy to get wrong, it's useful to write tests.
+This is done by adding YAML files under `tests/testdata`.
+Each type has a `valid` and `invalid` file to do positive and negative cases.
+
+Aside from explicitly testing these, these also form the seed corpus for fuzzing when these are pulled into `istio/istio`.
+This fuzz testing verifies the CRD validation has the same result as the webhook (Golang) validation code.
+Currently, this mostly serves to ensure we do not make something overly strict.
+In the future, it may show us that its safe to disable the webhook entirely, if CRD validation can cover the full validation surface.
+
 ## CRD Guidelines

 ### CRD Style
--- a/2
+++ b/2
@ -19,7 +19,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-SHELL := /bin/bash
+SHELL := /usr/bin/env bash

 # allow optional per-repo overrides
 -include Makefile.overrides.mk
--- a/analysis/v1alpha1/message.pb.go
+++ b/analysis/v1alpha1/message.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: analysis/v1alpha1/message.proto

@ -33,6 +33,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -99,11 +100,8 @@ func (AnalysisMessageBase_Level) EnumDescriptor() ([]byte, []int) {
 // AnalysisMessageBase describes some common information that is needed for all
 // messages. All information should be static with respect to the error code.
 type AnalysisMessageBase struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Type *AnalysisMessageBase_Type `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
+	state protoimpl.MessageState    `protogen:"open.v1"`
+	Type  *AnalysisMessageBase_Type `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
 	// Represents how severe a message is. Required.
 	Level AnalysisMessageBase_Level `protobuf:"varint,2,opt,name=level,proto3,enum=istio.analysis.v1alpha1.AnalysisMessageBase_Level" json:"level,omitempty"`
 	// A url pointing to the Istio documentation for this specific error type.
@ -111,15 +109,15 @@ type AnalysisMessageBase struct {
 	// `^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/`
 	// Required.
 	DocumentationUrl string `protobuf:"bytes,3,opt,name=documentation_url,json=documentationUrl,proto3" json:"documentation_url,omitempty"`
+	unknownFields    protoimpl.UnknownFields
+	sizeCache        protoimpl.SizeCache
 }

 func (x *AnalysisMessageBase) Reset() {
 	*x = AnalysisMessageBase{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_analysis_v1alpha1_message_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_analysis_v1alpha1_message_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *AnalysisMessageBase) String() string {
@ -130,7 +128,7 @@ func (*AnalysisMessageBase) ProtoMessage() {}

 func (x *AnalysisMessageBase) ProtoReflect() protoreflect.Message {
 	mi := &file_analysis_v1alpha1_message_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -171,10 +169,7 @@ func (x *AnalysisMessageBase) GetDocumentationUrl() string {
 // validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make
 // sure that we don't allow committing underspecified types.
 type AnalysisMessageWeakSchema struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Required
 	MessageBase *AnalysisMessageBase `protobuf:"bytes,1,opt,name=message_base,json=messageBase,proto3" json:"message_base,omitempty"`
 	// A human readable description of what the error means. Required.
@ -184,16 +179,16 @@ type AnalysisMessageWeakSchema struct {
 	// Required.
 	Template string `protobuf:"bytes,3,opt,name=template,proto3" json:"template,omitempty"`
 	// A description of the arguments for a particular message type
-	Args []*AnalysisMessageWeakSchema_ArgType `protobuf:"bytes,4,rep,name=args,proto3" json:"args,omitempty"`
+	Args          []*AnalysisMessageWeakSchema_ArgType `protobuf:"bytes,4,rep,name=args,proto3" json:"args,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *AnalysisMessageWeakSchema) Reset() {
 	*x = AnalysisMessageWeakSchema{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_analysis_v1alpha1_message_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_analysis_v1alpha1_message_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *AnalysisMessageWeakSchema) String() string {
@ -204,7 +199,7 @@ func (*AnalysisMessageWeakSchema) ProtoMessage() {}

 func (x *AnalysisMessageWeakSchema) ProtoReflect() protoreflect.Message {
 	mi := &file_analysis_v1alpha1_message_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -254,10 +249,7 @@ func (x *AnalysisMessageWeakSchema) GetArgs() []*AnalysisMessageWeakSchema_ArgTy
 // list of args at runtime. Developers can also create stronger-typed versions
 // of GenericAnalysisMessage for well-known and stable message types.
 type GenericAnalysisMessage struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Required
 	MessageBase *AnalysisMessageBase `protobuf:"bytes,1,opt,name=message_base,json=messageBase,proto3" json:"message_base,omitempty"`
 	// Any message-type specific arguments that need to get codified. Optional.
@ -269,15 +261,15 @@ type GenericAnalysisMessage struct {
 	// https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology
 	// At least one is required.
 	ResourcePaths []string `protobuf:"bytes,3,rep,name=resource_paths,json=resourcePaths,proto3" json:"resource_paths,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *GenericAnalysisMessage) Reset() {
 	*x = GenericAnalysisMessage{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_analysis_v1alpha1_message_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_analysis_v1alpha1_message_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GenericAnalysisMessage) String() string {
@ -288,7 +280,7 @@ func (*GenericAnalysisMessage) ProtoMessage() {}

 func (x *GenericAnalysisMessage) ProtoReflect() protoreflect.Message {
 	mi := &file_analysis_v1alpha1_message_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -327,23 +319,20 @@ func (x *GenericAnalysisMessage) GetResourcePaths() []string {
 // InternalErrorAnalysisMessage is a strongly-typed message representing some
 // error in Istio code that prevented us from performing analysis at all.
 type InternalErrorAnalysisMessage struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Required
 	MessageBase *AnalysisMessageBase `protobuf:"bytes,1,opt,name=message_base,json=messageBase,proto3" json:"message_base,omitempty"`
 	// Any detail regarding specifics of the error. Should be human-readable.
-	Detail string `protobuf:"bytes,2,opt,name=detail,proto3" json:"detail,omitempty"`
+	Detail        string `protobuf:"bytes,2,opt,name=detail,proto3" json:"detail,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *InternalErrorAnalysisMessage) Reset() {
 	*x = InternalErrorAnalysisMessage{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_analysis_v1alpha1_message_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_analysis_v1alpha1_message_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *InternalErrorAnalysisMessage) String() string {
@ -354,7 +343,7 @@ func (*InternalErrorAnalysisMessage) ProtoMessage() {}

 func (x *InternalErrorAnalysisMessage) ProtoReflect() protoreflect.Message {
 	mi := &file_analysis_v1alpha1_message_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -388,10 +377,7 @@ func (x *InternalErrorAnalysisMessage) GetDetail() string {
 // one-to-one mapping between name and code. (i.e. do not re-use names or
 // codes between message types.)
 type AnalysisMessageBase_Type struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// A human-readable name for the message type. e.g. "InternalError",
 	// "PodMissingProxy". This should be the same for all messages of the same type.
 	// Required.
@ -399,16 +385,16 @@ type AnalysisMessageBase_Type struct {
 	// A 7 character code matching `^IST[0-9]{4}$` intended to uniquely identify
 	// the message type. (e.g. "IST0001" is mapped to the "InternalError" message
 	// type.) 0000-0100 are reserved. Required.
-	Code string `protobuf:"bytes,2,opt,name=code,proto3" json:"code,omitempty"`
+	Code          string `protobuf:"bytes,2,opt,name=code,proto3" json:"code,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *AnalysisMessageBase_Type) Reset() {
 	*x = AnalysisMessageBase_Type{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_analysis_v1alpha1_message_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_analysis_v1alpha1_message_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *AnalysisMessageBase_Type) String() string {
@ -419,7 +405,7 @@ func (*AnalysisMessageBase_Type) ProtoMessage() {}

 func (x *AnalysisMessageBase_Type) ProtoReflect() protoreflect.Message {
 	mi := &file_analysis_v1alpha1_message_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -449,26 +435,23 @@ func (x *AnalysisMessageBase_Type) GetCode() string {
 }

 type AnalysisMessageWeakSchema_ArgType struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Required
 	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
 	// Required. Should be a golang type, used in code generation.
 	// Ideally this will change to a less language-pinned type before this gets
 	// out of alpha, but for compatibility with current istio/istio code it's
 	// go_type for now.
-	GoType string `protobuf:"bytes,2,opt,name=go_type,json=goType,proto3" json:"go_type,omitempty"`
+	GoType        string `protobuf:"bytes,2,opt,name=go_type,json=goType,proto3" json:"go_type,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *AnalysisMessageWeakSchema_ArgType) Reset() {
 	*x = AnalysisMessageWeakSchema_ArgType{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_analysis_v1alpha1_message_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_analysis_v1alpha1_message_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *AnalysisMessageWeakSchema_ArgType) String() string {
@ -479,7 +462,7 @@ func (*AnalysisMessageWeakSchema_ArgType) ProtoMessage() {}

 func (x *AnalysisMessageWeakSchema_ArgType) ProtoReflect() protoreflect.Message {
 	mi := &file_analysis_v1alpha1_message_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -510,85 +493,45 @@ func (x *AnalysisMessageWeakSchema_ArgType) GetGoType() string {

 var File_analysis_v1alpha1_message_proto protoreflect.FileDescriptor

-var file_analysis_v1alpha1_message_proto_rawDesc = []byte{
-	0x0a, 0x1f, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x31, 0x2f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x12, 0x17, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69,
-	0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75,
-	0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xbb, 0x02, 0x0a, 0x13, 0x41, 0x6e, 0x61,
-	0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65,
-	0x12, 0x45, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31,
-	0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2e,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69,
-	0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65, 0x2e, 0x54, 0x79, 0x70,
-	0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x48, 0x0a, 0x05, 0x6c, 0x65, 0x76, 0x65, 0x6c,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61,
-	0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
-	0x2e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
-	0x42, 0x61, 0x73, 0x65, 0x2e, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x52, 0x05, 0x6c, 0x65, 0x76, 0x65,
-	0x6c, 0x12, 0x2b, 0x0a, 0x11, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x64, 0x6f,
-	0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x72, 0x6c, 0x1a, 0x2e,
-	0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x63, 0x6f,
-	0x64, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x22, 0x36,
-	0x0a, 0x05, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f,
-	0x57, 0x4e, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x12,
-	0x0b, 0x0a, 0x07, 0x57, 0x41, 0x52, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x08, 0x12, 0x08, 0x0a, 0x04,
-	0x49, 0x4e, 0x46, 0x4f, 0x10, 0x0c, 0x22, 0xb2, 0x02, 0x0a, 0x19, 0x41, 0x6e, 0x61, 0x6c, 0x79,
-	0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x57, 0x65, 0x61, 0x6b, 0x53, 0x63,
-	0x68, 0x65, 0x6d, 0x61, 0x12, 0x4f, 0x0a, 0x0c, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f,
-	0x62, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c,
-	0x70, 0x68, 0x61, 0x31, 0x2e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73,
-	0x73, 0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65, 0x52, 0x0b, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x42, 0x61, 0x73, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70,
-	0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x63,
-	0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x74, 0x65, 0x6d, 0x70, 0x6c,
-	0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x65, 0x6d, 0x70, 0x6c,
-	0x61, 0x74, 0x65, 0x12, 0x4e, 0x0a, 0x04, 0x61, 0x72, 0x67, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28,
-	0x0b, 0x32, 0x3a, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73,
-	0x69, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x41, 0x6e, 0x61, 0x6c,
-	0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x57, 0x65, 0x61, 0x6b, 0x53,
-	0x63, 0x68, 0x65, 0x6d, 0x61, 0x2e, 0x41, 0x72, 0x67, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x61,
-	0x72, 0x67, 0x73, 0x1a, 0x36, 0x0a, 0x07, 0x41, 0x72, 0x67, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12,
-	0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61,
-	0x6d, 0x65, 0x12, 0x17, 0x0a, 0x07, 0x67, 0x6f, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x06, 0x67, 0x6f, 0x54, 0x79, 0x70, 0x65, 0x22, 0xbd, 0x01, 0x0a, 0x16,
-	0x47, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x4f, 0x0a, 0x0c, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x5f, 0x62, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65, 0x52, 0x0b, 0x6d, 0x65, 0x73, 0x73,
-	0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65, 0x12, 0x2b, 0x0a, 0x04, 0x61, 0x72, 0x67, 0x73, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x04,
-	0x61, 0x72, 0x67, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
-	0x5f, 0x70, 0x61, 0x74, 0x68, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x72, 0x65,
-	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x50, 0x61, 0x74, 0x68, 0x73, 0x22, 0x87, 0x01, 0x0a, 0x1c,
-	0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x41, 0x6e, 0x61,
-	0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x4f, 0x0a, 0x0c,
-	0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x62, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x6e, 0x61, 0x6c, 0x79,
-	0x73, 0x69, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x41, 0x6e, 0x61,
-	0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65,
-	0x52, 0x0b, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65, 0x12, 0x16, 0x0a,
-	0x06, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64,
-	0x65, 0x74, 0x61, 0x69, 0x6c, 0x42, 0x20, 0x5a, 0x1e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69,
-	0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2f, 0x76,
-	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_analysis_v1alpha1_message_proto_rawDesc = "" +
+	"\n" +
+	"\x1fanalysis/v1alpha1/message.proto\x12\x17istio.analysis.v1alpha1\x1a\x1cgoogle/protobuf/struct.proto\"\xbb\x02\n" +
+	"\x13AnalysisMessageBase\x12E\n" +
+	"\x04type\x18\x01 \x01(\v21.istio.analysis.v1alpha1.AnalysisMessageBase.TypeR\x04type\x12H\n" +
+	"\x05level\x18\x02 \x01(\x0e22.istio.analysis.v1alpha1.AnalysisMessageBase.LevelR\x05level\x12+\n" +
+	"\x11documentation_url\x18\x03 \x01(\tR\x10documentationUrl\x1a.\n" +
+	"\x04Type\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x12\n" +
+	"\x04code\x18\x02 \x01(\tR\x04code\"6\n" +
+	"\x05Level\x12\v\n" +
+	"\aUNKNOWN\x10\x00\x12\t\n" +
+	"\x05ERROR\x10\x03\x12\v\n" +
+	"\aWARNING\x10\b\x12\b\n" +
+	"\x04INFO\x10\f\"\xb2\x02\n" +
+	"\x19AnalysisMessageWeakSchema\x12O\n" +
+	"\fmessage_base\x18\x01 \x01(\v2,.istio.analysis.v1alpha1.AnalysisMessageBaseR\vmessageBase\x12 \n" +
+	"\vdescription\x18\x02 \x01(\tR\vdescription\x12\x1a\n" +
+	"\btemplate\x18\x03 \x01(\tR\btemplate\x12N\n" +
+	"\x04args\x18\x04 \x03(\v2:.istio.analysis.v1alpha1.AnalysisMessageWeakSchema.ArgTypeR\x04args\x1a6\n" +
+	"\aArgType\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x17\n" +
+	"\ago_type\x18\x02 \x01(\tR\x06goType\"\xbd\x01\n" +
+	"\x16GenericAnalysisMessage\x12O\n" +
+	"\fmessage_base\x18\x01 \x01(\v2,.istio.analysis.v1alpha1.AnalysisMessageBaseR\vmessageBase\x12+\n" +
+	"\x04args\x18\x02 \x01(\v2\x17.google.protobuf.StructR\x04args\x12%\n" +
+	"\x0eresource_paths\x18\x03 \x03(\tR\rresourcePaths\"\x87\x01\n" +
+	"\x1cInternalErrorAnalysisMessage\x12O\n" +
+	"\fmessage_base\x18\x01 \x01(\v2,.istio.analysis.v1alpha1.AnalysisMessageBaseR\vmessageBase\x12\x16\n" +
+	"\x06detail\x18\x02 \x01(\tR\x06detailB Z\x1eistio.io/api/analysis/v1alpha1b\x06proto3"

 var (
 	file_analysis_v1alpha1_message_proto_rawDescOnce sync.Once
-	file_analysis_v1alpha1_message_proto_rawDescData = file_analysis_v1alpha1_message_proto_rawDesc
+	file_analysis_v1alpha1_message_proto_rawDescData []byte
 )

 func file_analysis_v1alpha1_message_proto_rawDescGZIP() []byte {
 	file_analysis_v1alpha1_message_proto_rawDescOnce.Do(func() {
-		file_analysis_v1alpha1_message_proto_rawDescData = protoimpl.X.CompressGZIP(file_analysis_v1alpha1_message_proto_rawDescData)
+		file_analysis_v1alpha1_message_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_analysis_v1alpha1_message_proto_rawDesc), len(file_analysis_v1alpha1_message_proto_rawDesc)))
 	})
 	return file_analysis_v1alpha1_message_proto_rawDescData
 }
@ -625,85 +568,11 @@ func file_analysis_v1alpha1_message_proto_init() {
 	if File_analysis_v1alpha1_message_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_analysis_v1alpha1_message_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*AnalysisMessageBase); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_analysis_v1alpha1_message_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*AnalysisMessageWeakSchema); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_analysis_v1alpha1_message_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*GenericAnalysisMessage); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_analysis_v1alpha1_message_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*InternalErrorAnalysisMessage); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_analysis_v1alpha1_message_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*AnalysisMessageBase_Type); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_analysis_v1alpha1_message_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*AnalysisMessageWeakSchema_ArgType); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_analysis_v1alpha1_message_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_analysis_v1alpha1_message_proto_rawDesc), len(file_analysis_v1alpha1_message_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   6,
 			NumExtensions: 0,
@ -715,7 +584,6 @@ func file_analysis_v1alpha1_message_proto_init() {
 		MessageInfos:      file_analysis_v1alpha1_message_proto_msgTypes,
 	}.Build()
 	File_analysis_v1alpha1_message_proto = out.File
-	file_analysis_v1alpha1_message_proto_rawDesc = nil
 	file_analysis_v1alpha1_message_proto_goTypes = nil
 	file_analysis_v1alpha1_message_proto_depIdxs = nil
 }
--- a/analysis/v1alpha1/message.pb.html
+++ b/analysis/v1alpha1/message.pb.html
@ -18,35 +18,30 @@ messages. All information should be static with respect to the error code.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="AnalysisMessageBase-type">
-<td><code>type</code></td>
-<td><code><a href="#AnalysisMessageBase-Type">Type</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-type">type</a></code></div>
+<div class="type"><a href="#AnalysisMessageBase-Type">Type</a></div>
+</div></td>
 <td>
 </td>
-<td>
-No
-</td>
 </tr>
 <tr id="AnalysisMessageBase-level">
-<td><code>level</code></td>
-<td><code><a href="#AnalysisMessageBase-Level">Level</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-level">level</a></code></div>
+<div class="type"><a href="#AnalysisMessageBase-Level">Level</a></div>
+</div></td>
 <td>
 <p>Represents how severe a message is. Required.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="AnalysisMessageBase-documentation_url">
-<td><code>documentationUrl</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-documentation_url">documentationUrl</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>A url pointing to the Istio documentation for this specific error type.
 Should be of the form
@ -54,8 +49,83 @@ Should be of the form
 Required.</p>

 </td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="AnalysisMessageBase-Type">Type</h3>
+<section>
+<p>A unique identifier for the type of message. Name is intended to be
+human-readable, code is intended to be machine readable. There should be a
+one-to-one mapping between name and code. (i.e. do not re-use names or
+codes between message types.)</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="AnalysisMessageBase-Type-name">
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-Type-name">name</a></code></div>
+<div class="type">string</div>
+</div></td>
+<td>
+<p>A human-readable name for the message type. e.g. &ldquo;InternalError&rdquo;,
+&ldquo;PodMissingProxy&rdquo;. This should be the same for all messages of the same type.
+Required.</p>
+
+</td>
+</tr>
+<tr id="AnalysisMessageBase-Type-code">
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-Type-code">code</a></code></div>
+<div class="type">string</div>
+</div></td>
+<td>
+<p>A 7 character code matching <code>^IST[0-9]{4}$</code> intended to uniquely identify
+the message type. (e.g. &ldquo;IST0001&rdquo; is mapped to the &ldquo;InternalError&rdquo; message
+type.) 0000-0100 are reserved. Required.</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="AnalysisMessageBase-Level">Level</h3>
+<section>
+<p>The values here are chosen so that more severe messages get sorted higher,
+as well as leaving space in between to add more later</p>
+
+<table class="enum-values">
+<thead>
+<tr>
+<th>Name</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="AnalysisMessageBase-Level-UNKNOWN">
+<td><code><a href="#AnalysisMessageBase-Level-UNKNOWN">UNKNOWN</a></code></td>
+<td>
+<p>invalid, but included for proto compatibility for 0 values</p>
+
+</td>
+</tr>
+<tr id="AnalysisMessageBase-Level-ERROR">
+<td><code><a href="#AnalysisMessageBase-Level-ERROR">ERROR</a></code></td>
+<td>
+</td>
+</tr>
+<tr id="AnalysisMessageBase-Level-WARNING">
+<td><code><a href="#AnalysisMessageBase-Level-WARNING">WARNING</a></code></td>
+<td>
+</td>
+</tr>
+<tr id="AnalysisMessageBase-Level-INFO">
+<td><code><a href="#AnalysisMessageBase-Level-INFO">INFO</a></code></td>
 <td>
-No
 </td>
 </tr>
 </tbody>
@ -72,56 +142,80 @@ sure that we don&rsquo;t allow committing underspecified types.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="AnalysisMessageWeakSchema-message_base">
-<td><code>messageBase</code></td>
-<td><code><a href="#AnalysisMessageBase">AnalysisMessageBase</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-message_base">messageBase</a></code></div>
+<div class="type"><a href="#AnalysisMessageBase">AnalysisMessageBase</a></div>
+</div></td>
 <td>
 <p>Required</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="AnalysisMessageWeakSchema-description">
-<td><code>description</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-description">description</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>A human readable description of what the error means. Required.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="AnalysisMessageWeakSchema-template">
-<td><code>template</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-template">template</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>A go-style template string (<a href="https://golang.org/pkg/fmt/#hdr-Printing">https://golang.org/pkg/fmt/#hdr-Printing</a>)
 defining how to combine the args for a  particular message into a log line.
 Required.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="AnalysisMessageWeakSchema-args">
-<td><code>args</code></td>
-<td><code><a href="#AnalysisMessageWeakSchema-ArgType">ArgType[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-args">args</a></code></div>
+<div class="type"><a href="#AnalysisMessageWeakSchema-ArgType">ArgType[]</a></div>
+</div></td>
 <td>
 <p>A description of the arguments for a particular message type</p>

 </td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="AnalysisMessageWeakSchema-ArgType">ArgType</h3>
+<section>
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="AnalysisMessageWeakSchema-ArgType-name">
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-ArgType-name">name</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
-No
+<p>Required</p>
+
+</td>
+</tr>
+<tr id="AnalysisMessageWeakSchema-ArgType-go_type">
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-ArgType-go_type">goType</a></code></div>
+<div class="type">string</div>
+</div></td>
+<td>
+<p>Should be a golang type, used in code generation.
+Ideally this will change to a less language-pinned type before this gets
+out of alpha, but for compatibility with current istio/istio code it&rsquo;s
+go_type for now.</p>
+
 </td>
 </tr>
 </tbody>
@ -140,37 +234,32 @@ of GenericAnalysisMessage for well-known and stable message types.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="GenericAnalysisMessage-message_base">
-<td><code>messageBase</code></td>
-<td><code><a href="#AnalysisMessageBase">AnalysisMessageBase</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#GenericAnalysisMessage-message_base">messageBase</a></code></div>
+<div class="type"><a href="#AnalysisMessageBase">AnalysisMessageBase</a></div>
+</div></td>
 <td>
 <p>Required</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="GenericAnalysisMessage-args">
-<td><code>args</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#GenericAnalysisMessage-args">args</a></code></div>
+<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></div>
+</div></td>
 <td>
 <p>Any message-type specific arguments that need to get codified. Optional.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="GenericAnalysisMessage-resource_paths">
-<td><code>resourcePaths</code></td>
-<td><code>string[]</code></td>
+<td><div class="field"><div class="name"><code><a href="#GenericAnalysisMessage-resource_paths">resourcePaths</a></code></div>
+<div class="type">string[]</div>
+</div></td>
 <td>
 <p>A list of strings specifying the resource identifiers that were the cause
 of message generation. A &ldquo;path&rdquo; here is a (NAMESPACE/)?RESOURCETYPE/NAME
@ -179,9 +268,6 @@ be a single concept for this, but this is intuitively taken from
 <a href="https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology">https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology</a>
 At least one is required.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
@ -196,156 +282,26 @@ error in Istio code that prevented us from performing analysis at all.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="InternalErrorAnalysisMessage-message_base">
-<td><code>messageBase</code></td>
-<td><code><a href="#AnalysisMessageBase">AnalysisMessageBase</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#InternalErrorAnalysisMessage-message_base">messageBase</a></code></div>
+<div class="type"><a href="#AnalysisMessageBase">AnalysisMessageBase</a></div>
+</div></td>
 <td>
 <p>Required</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="InternalErrorAnalysisMessage-detail">
-<td><code>detail</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#InternalErrorAnalysisMessage-detail">detail</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Any detail regarding specifics of the error. Should be human-readable.</p>

-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="AnalysisMessageBase-Type">AnalysisMessageBase.Type</h2>
-<section>
-<p>A unique identifier for the type of message. Name is intended to be
-human-readable, code is intended to be machine readable. There should be a
-one-to-one mapping between name and code. (i.e. do not re-use names or
-codes between message types.)</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="AnalysisMessageBase-Type-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
-<td>
-<p>A human-readable name for the message type. e.g. &ldquo;InternalError&rdquo;,
-&ldquo;PodMissingProxy&rdquo;. This should be the same for all messages of the same type.
-Required.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="AnalysisMessageBase-Type-code">
-<td><code>code</code></td>
-<td><code>string</code></td>
-<td>
-<p>A 7 character code matching <code>^IST[0-9]{4}$</code> intended to uniquely identify
-the message type. (e.g. &ldquo;IST0001&rdquo; is mapped to the &ldquo;InternalError&rdquo; message
-type.) 0000-0100 are reserved. Required.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="AnalysisMessageWeakSchema-ArgType">AnalysisMessageWeakSchema.ArgType</h2>
-<section>
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="AnalysisMessageWeakSchema-ArgType-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
-<td>
-<p>Required</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="AnalysisMessageWeakSchema-ArgType-go_type">
-<td><code>goType</code></td>
-<td><code>string</code></td>
-<td>
-<p>Required. Should be a golang type, used in code generation.
-Ideally this will change to a less language-pinned type before this gets
-out of alpha, but for compatibility with current istio/istio code it&rsquo;s
-go_type for now.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="AnalysisMessageBase-Level">AnalysisMessageBase.Level</h2>
-<section>
-<p>The values here are chosen so that more severe messages get sorted higher,
-as well as leaving space in between to add more later</p>
-
-<table class="enum-values">
-<thead>
-<tr>
-<th>Name</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr id="AnalysisMessageBase-Level-UNKNOWN">
-<td><code>UNKNOWN</code></td>
-<td>
-<p>invalid, but included for proto compatibility for 0 values</p>
-
-</td>
-</tr>
-<tr id="AnalysisMessageBase-Level-ERROR">
-<td><code>ERROR</code></td>
-<td>
-</td>
-</tr>
-<tr id="AnalysisMessageBase-Level-WARNING">
-<td><code>WARNING</code></td>
-<td>
-</td>
-</tr>
-<tr id="AnalysisMessageBase-Level-INFO">
-<td><code>INFO</code></td>
-<td>
 </td>
 </tr>
 </tbody>
--- a/analysis/v1alpha1/message.proto
+++ b/analysis/v1alpha1/message.proto
@ -24,7 +24,7 @@ package istio.analysis.v1alpha1;

 import "google/protobuf/struct.proto";

-option go_package="istio.io/api/analysis/v1alpha1";
+option go_package = "istio.io/api/analysis/v1alpha1";

 // There are four messages described in this file. One of them is a struct
 // common to the other three: AnalysisMessageBase. Using this, we can construct
@ -78,7 +78,6 @@ message AnalysisMessageBase {
  // `^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/`
  // Required.
  string documentation_url = 3;
-
 }

 // AnalysisMessageWeakSchema is the set of information that's needed to define a
--- a/annotation/annotations.gen.go
+++ b/annotation/annotations.gen.go
@ -29,10 +29,13 @@ const (
 	Unknown ResourceTypes = iota
    Any
    AuthorizationPolicy
+    Gateway
+    GatewayClass
    Ingress
    Namespace
    Pod
    Service
+    ServiceEntry
    WorkloadEntry
 )

@ -43,14 +46,20 @@ func (r ResourceTypes) String() string {
 	case 2:
 		return "AuthorizationPolicy"
 	case 3:
-		return "Ingress"
+		return "Gateway"
 	case 4:
-		return "Namespace"
+		return "GatewayClass"
 	case 5:
-		return "Pod"
+		return "Ingress"
 	case 6:
-		return "Service"
+		return "Namespace"
 	case 7:
+		return "Pod"
+	case 8:
+		return "Service"
+	case 9:
+		return "ServiceEntry"
+	case 10:
 		return "WorkloadEntry"
 	}
 	return "Unknown"
@ -91,17 +100,6 @@ var (
 		},
 	}

-	AlphaIdentity = Instance {
-		Name:          "alpha.istio.io/identity",
-		Description:   "Identity for the workload.",
-		FeatureStatus: Alpha,
-		Hidden:        true,
-		Deprecated:    true,
-		Resources: []ResourceTypes{
-			Pod,
-		},
-	}
-
 	AlphaKubernetesServiceAccounts = Instance {
 		Name:          "alpha.istio.io/kubernetes-serviceaccounts",
 		Description:   "Specifies the Kubernetes service accounts that are "+
@ -114,6 +112,61 @@ var (
 		},
 	}

+	AmbientBypassInboundCapture = Instance {
+		Name:          "ambient.istio.io/bypass-inbound-capture",
+		Description:   `When specified on a "Pod" enrolled in ambient mesh, only outbound traffic will be captured.
+This is intended to be used when enrolling a workload that only receives traffic from out-of-the-mesh clients, such as third party ingress controllers.
+`,
+		FeatureStatus: Alpha,
+		Hidden:        true,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Pod,
+		},
+	}
+
+	AmbientDnsCapture = Instance {
+		Name:          "ambient.istio.io/dns-capture",
+		Description:   `When specified on a "Pod" enrolled in ambient mesh, controls whether DNS traffic (TCP and UDP on port 53) will be captured and proxied in ambient.
+Note that setting this to "false" will break some Istio features, such as ServiceEntries and egress waypoints, but may be desirable for workloads that interact poorly with DNS proxies.
+`,
+		FeatureStatus: Alpha,
+		Hidden:        true,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Pod,
+		},
+	}
+
+	AmbientRedirection = Instance {
+		Name:          "ambient.istio.io/redirection",
+		Description:   `Automatically configured by Istio to indicate a Pod was successfully enrolled in ambient mode.
+This shows the actual state; to specify intent that a workload should be in ambient mode, see "istio.io/dataplane-mode".
+User should not manually modify this annotation.`,
+		FeatureStatus: Beta,
+		Hidden:        false,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Pod,
+		},
+	}
+
+	AmbientWaypointInboundBinding = Instance {
+		Name:          "ambient.istio.io/waypoint-inbound-binding",
+		Description:   `When set on a waypoint (either by its specific "Gateway", or for the entire collection on the "GatewayClass"),
+indicates how traffic should be sent to the waypoint. If unset, traffic will be sent to the waypoint as HBONE directly.
+
+This takes the format: "<protocol>" or "<protocol>/<port>".
+`,
+		FeatureStatus: Alpha,
+		Hidden:        true,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			GatewayClass,
+			Gateway,
+		},
+	}
+
 	GalleyAnalyzeSuppress = Instance {
 		Name:          "galley.istio.io/analyze-suppress",
 		Description:   "A comma separated list of configuration analysis message "+
@ -144,6 +197,30 @@ var (
 		},
 	}

+	GatewayNameOverride = Instance {
+		Name:          "gateway.istio.io/name-override",
+		Description:   `Overrides the name of the generated "Deployment" and "Service" resource when using [Gateway auto-deployment](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment)
+`,
+		FeatureStatus: Alpha,
+		Hidden:        true,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Gateway,
+		},
+	}
+
+	GatewayServiceAccount = Instance {
+		Name:          "gateway.istio.io/service-account",
+		Description:   `Overrides the name of the generated "ServiceAccount" resource when using [Gateway auto-deployment](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment)
+`,
+		FeatureStatus: Alpha,
+		Hidden:        true,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Gateway,
+		},
+	}
+
 	InjectTemplates = Instance {
 		Name:          "inject.istio.io/templates",
 		Description:   "The name of the inject template(s) to use, as a comma "+
@ -158,41 +235,6 @@ var (
 		},
 	}

-	OperatorInstallChartOwner = Instance {
-		Name:          "install.operator.istio.io/chart-owner",
-		Description:   "Represents the name of the chart used to create this "+
-                        "resource.",
-		FeatureStatus: Alpha,
-		Hidden:        false,
-		Deprecated:    false,
-		Resources: []ResourceTypes{
-			Any,
-		},
-	}
-
-	OperatorInstallOwnerGeneration = Instance {
-		Name:          "install.operator.istio.io/owner-generation",
-		Description:   "Represents the generation to which the resource was last "+
-                        "reconciled.",
-		FeatureStatus: Alpha,
-		Hidden:        false,
-		Deprecated:    false,
-		Resources: []ResourceTypes{
-			Any,
-		},
-	}
-
-	OperatorInstallVersion = Instance {
-		Name:          "install.operator.istio.io/version",
-		Description:   "Represents the Istio version associated with the resource",
-		FeatureStatus: Alpha,
-		Hidden:        false,
-		Deprecated:    false,
-		Resources: []ResourceTypes{
-			Any,
-		},
-	}
-
 	IoIstioAutoRegistrationGroup = Instance {
 		Name:          "istio.io/autoRegistrationGroup",
 		Description:   "On a WorkloadEntry stores the associated WorkloadGroup.",
@ -243,6 +285,19 @@ var (
 		},
 	}

+	IoIstioRerouteVirtualInterfaces = Instance {
+		Name:          "istio.io/reroute-virtual-interfaces",
+		Description:   `A comma separated list of virtual interfaces whose inbound traffic will be unconditionally treated as outbound. This allows workloads using virtualized networking (kubeVirt, VMs, docker-in-docker, etc) to function correctly with mesh traffic capture.
+Note: When using docker-in-docker container, the default bridge interface name is typically "docker0". However, custom networks (often used with docker compose) are assigned a randomized interface name. To have a predictable name, you can configure the Docker option "com.docker.network.bridge.name" with a fixed value and use that name in the annotation.
+`,
+		FeatureStatus: Alpha,
+		Hidden:        false,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Pod,
+		},
+	}
+
 	IoIstioRev = Instance {
 		Name:          "istio.io/rev",
 		Description:   "Specifies a control plane revision to which a given proxy "+
@ -285,9 +340,11 @@ var (
 	NetworkingExportTo = Instance {
 		Name:          "networking.istio.io/exportTo",
 		Description:   "Specifies the namespaces to which this service should be "+
-                        "exported to. A value of '*' indicates it is reachable "+
-                        "within the mesh '.' indicates it is reachable within its "+
-                        "namespace.",
+                        "exported to. A value of `*` indicates it is reachable "+
+                        "within the mesh. `.` indicates it is reachable within its "+
+                        "namespace. '~' indicates it is hidden and exported to no "+
+                        "namespaces. Additionally, a list of comma separated "+
+                        "namespace names can be specified.",
 		FeatureStatus: Alpha,
 		Hidden:        false,
 		Deprecated:    false,
@ -296,6 +353,41 @@ var (
 		},
 	}

+	NetworkingServiceType = Instance {
+		Name:          "networking.istio.io/service-type",
+		Description:   `Overrides the type of the generated "Service" resource when using [Gateway auto-deployment](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment)
+`,
+		FeatureStatus: Alpha,
+		Hidden:        true,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Gateway,
+		},
+	}
+
+	NetworkingTrafficDistribution = Instance {
+		Name:          "networking.istio.io/traffic-distribution",
+		Description:   `Controls how traffic is distributed across the set of available endpoints.
+
+At this time, this annotation only impacts routing done by Ztunnel.
+
+Accepted values:
+* "PreferClose": endpoints will be categorized by how "close" they are, consider network, region, zone, and subzone.
+  Traffic will be prioritized to the closest healthy endpoints.
+  For example, if I have a Service with "PreferClose" set, with endpoints in zones "us-west,us-west,us-east". When 
+  sending traffic from a client in zone "us-west", all traffic will go to the two "us-west" backends.
+  If one those backends become unhealthy, all traffic will go to the remaining endpoint in "us-west".
+  If that backend becomes unhealthy, traffic will sent to "us-east".
+`,
+		FeatureStatus: Alpha,
+		Hidden:        false,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Service,
+			ServiceEntry,
+		},
+	}
+
 	PrometheusMergeMetrics = Instance {
 		Name:          "prometheus.istio.io/merge-metrics",
 		Description:   "Specifies if application Prometheus metric will be merged "+
@ -417,20 +509,6 @@ var (
 		},
 	}

-	SidecarControlPlaneAuthPolicy = Instance {
-		Name:          "sidecar.istio.io/controlPlaneAuthPolicy",
-		Description:   "Specifies the auth policy used by the Istio control "+
-                        "plane. If NONE, traffic will not be encrypted. If "+
-                        "MUTUAL_TLS, traffic between Envoy sidecar will be wrapped "+
-                        "into mutual TLS connections.",
-		FeatureStatus: Alpha,
-		Hidden:        false,
-		Deprecated:    true,
-		Resources: []ResourceTypes{
-			Pod,
-		},
-	}
-
 	SidecarDiscoveryAddress = Instance {
 		Name:          "sidecar.istio.io/discoveryAddress",
 		Description:   "Specifies the XDS discovery address to be used by the "+
@ -443,18 +521,6 @@ var (
 		},
 	}

-	SidecarEnableCoreDump = Instance {
-		Name:          "sidecar.istio.io/enableCoreDump",
-		Description:   "Specifies whether or not an Envoy sidecar should enable "+
-                        "core dump.",
-		FeatureStatus: Alpha,
-		Hidden:        false,
-		Deprecated:    false,
-		Resources: []ResourceTypes{
-			Pod,
-		},
-	}
-
 	SidecarExtraStatTags = Instance {
 		Name:          "sidecar.istio.io/extraStatTags",
 		Description:   "An additional list of tags to extract from the in-proxy "+
@ -471,8 +537,10 @@ var (
 	SidecarInject = Instance {
 		Name:          "sidecar.istio.io/inject",
 		Description:   "Specifies whether or not an Envoy sidecar should be "+
-                        "automatically injected into the workload. Deprecated in "+
-                        "favor of `sidecar.istio.io/inject` label.",
+                        "automatically injected into the workload. This annotation "+
+                        "has been deprecated in favor of the "+
+                        "`sidecar.istio.io/inject` label documented "+
+                        "[here](/docs/reference/config/labels/#SidecarInject).",
 		FeatureStatus: Beta,
 		Hidden:        false,
 		Deprecated:    true,
@ -504,6 +572,19 @@ var (
 		},
 	}

+	SidecarNativeSidecar = Instance {
+		Name:          "sidecar.istio.io/nativeSidecar",
+		Description:   "Specifies if the istio-proxy sidecar should be injected "+
+                        "as a native sidecar or not. Takes precedence over the "+
+                        "ENABLE_NATIVE_SIDECARS environment variable.",
+		FeatureStatus: Alpha,
+		Hidden:        false,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Pod,
+		},
+	}
+
 	SidecarProxyCPU = Instance {
 		Name:          "sidecar.istio.io/proxyCPU",
 		Description:   "Specifies the requested CPU setting for the Envoy "+
@ -587,6 +668,19 @@ var (
 		},
 	}

+	SidecarStatsCompression = Instance {
+		Name:          "sidecar.istio.io/statsCompression",
+		Description:   `Specifies the compression algorithm to use for stats emitted by the Envoy sidecar.
+Supported values are "brotli", "gzip", and "zstd".
+`,
+		FeatureStatus: Alpha,
+		Hidden:        false,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Pod,
+		},
+	}
+
 	SidecarStatsHistogramBuckets = Instance {
 		Name:          "sidecar.istio.io/statsHistogramBuckets",
 		Description:   "Specifies the custom histogram buckets with a prefix "+
@ -813,10 +907,12 @@ var (
 	SidecarTrafficKubevirtInterfaces = Instance {
 		Name:          "traffic.sidecar.istio.io/kubevirtInterfaces",
 		Description:   "A comma separated list of virtual interfaces whose "+
-                        "inbound traffic (from VM) will be treated as outbound.",
+                        "inbound traffic (from VM) will be treated as outbound. "+
+                        "Deprecated in favor of "+
+                        "`istio.io/redirect-virtual-interfaces`",
 		FeatureStatus: Alpha,
 		Hidden:        false,
-		Deprecated:    false,
+		Deprecated:    true,
 		Resources: []ResourceTypes{
 			Pod,
 		},
@ -827,22 +923,27 @@ var (
 func AllResourceAnnotations() []*Instance {
 	return []*Instance {
 		&AlphaCanonicalServiceAccounts,
-		&AlphaIdentity,
 		&AlphaKubernetesServiceAccounts,
+		&AmbientBypassInboundCapture,
+		&AmbientDnsCapture,
+		&AmbientRedirection,
+		&AmbientWaypointInboundBinding,
 		&GalleyAnalyzeSuppress,
 		&GatewayControllerVersion,
+		&GatewayNameOverride,
+		&GatewayServiceAccount,
 		&InjectTemplates,
-		&OperatorInstallChartOwner,
-		&OperatorInstallOwnerGeneration,
-		&OperatorInstallVersion,
 		&IoIstioAutoRegistrationGroup,
 		&IoIstioConnectedAt,
 		&IoIstioDisconnectedAt,
 		&IoIstioDryRun,
+		&IoIstioRerouteVirtualInterfaces,
 		&IoIstioRev,
 		&IoIstioWorkloadController,
 		&IoKubernetesIngressClass,
 		&NetworkingExportTo,
+		&NetworkingServiceType,
+		&NetworkingTrafficDistribution,
 		&PrometheusMergeMetrics,
 		&ProxyConfig,
 		&ProxyOverrides,
@ -853,13 +954,12 @@ func AllResourceAnnotations() []*Instance {
 		&SidecarAgentLogLevel,
 		&SidecarBootstrapOverride,
 		&SidecarComponentLogLevel,
-		&SidecarControlPlaneAuthPolicy,
 		&SidecarDiscoveryAddress,
-		&SidecarEnableCoreDump,
 		&SidecarExtraStatTags,
 		&SidecarInject,
 		&SidecarInterceptionMode,
 		&SidecarLogLevel,
+		&SidecarNativeSidecar,
 		&SidecarProxyCPU,
 		&SidecarProxyCPULimit,
 		&SidecarProxyImage,
@ -867,6 +967,7 @@ func AllResourceAnnotations() []*Instance {
 		&SidecarProxyMemory,
 		&SidecarProxyMemoryLimit,
 		&SidecarRewriteAppHTTPProbers,
+		&SidecarStatsCompression,
 		&SidecarStatsHistogramBuckets,
 		&SidecarStatsInclusionPrefixes,
 		&SidecarStatsInclusionRegexps,
@ -892,10 +993,13 @@ func AllResourceTypes() []string {
 	return []string {
 		"Any",
 		"AuthorizationPolicy",
+		"Gateway",
+		"GatewayClass",
 		"Ingress",
 		"Namespace",
 		"Pod",
 		"Service",
+		"ServiceEntry",
 		"WorkloadEntry",
 	}
 }
--- a/annotation/annotations.pb.html
+++ b/annotation/annotations.pb.html
@ -9,6 +9,30 @@ weight: 60
 This page presents the various resource <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/">annotations</a> that
 Istio supports to control its behavior.
 </p>
+<h2 id="AmbientRedirection">ambient.istio.io/redirection</h2>
+<table class="annotations">
+  <tbody>
+    <tr>
+      <th>Name</th>
+      <td><code>ambient.istio.io/redirection</code></td>
+    </tr>
+    <tr>
+      <th>Feature Status</th>
+      <td>Beta</td>
+    </tr>
+    <tr>
+      <th>Resource Types</th>
+      <td>[Pod]</td>
+    </tr>
+    <tr>
+      <th>Description</th>
+      <td><p>Automatically configured by Istio to indicate a Pod was successfully enrolled in ambient mode.
+This shows the actual state; to specify intent that a workload should be in ambient mode, see <code>istio.io/dataplane-mode</code>.
+User should not manually modify this annotation.</p>
+</td>
+    </tr>
+  </tbody>
+</table>
 <h2 id="GalleyAnalyzeSuppress">galley.istio.io/analyze-suppress</h2>
 <table class="annotations">
  <tbody>
@ -53,72 +77,6 @@ Istio supports to control its behavior.
    </tr>
  </tbody>
 </table>
-<h2 id="OperatorInstallChartOwner">install.operator.istio.io/chart-owner</h2>
-<table class="annotations">
-  <tbody>
-    <tr>
-      <th>Name</th>
-      <td><code>install.operator.istio.io/chart-owner</code></td>
-    </tr>
-    <tr>
-      <th>Feature Status</th>
-      <td>Alpha</td>
-    </tr>
-    <tr>
-      <th>Resource Types</th>
-      <td>[Any]</td>
-    </tr>
-    <tr>
-      <th>Description</th>
-      <td><p>Represents the name of the chart used to create this resource.</p>
-</td>
-    </tr>
-  </tbody>
-</table>
-<h2 id="OperatorInstallOwnerGeneration">install.operator.istio.io/owner-generation</h2>
-<table class="annotations">
-  <tbody>
-    <tr>
-      <th>Name</th>
-      <td><code>install.operator.istio.io/owner-generation</code></td>
-    </tr>
-    <tr>
-      <th>Feature Status</th>
-      <td>Alpha</td>
-    </tr>
-    <tr>
-      <th>Resource Types</th>
-      <td>[Any]</td>
-    </tr>
-    <tr>
-      <th>Description</th>
-      <td><p>Represents the generation to which the resource was last reconciled.</p>
-</td>
-    </tr>
-  </tbody>
-</table>
-<h2 id="OperatorInstallVersion">install.operator.istio.io/version</h2>
-<table class="annotations">
-  <tbody>
-    <tr>
-      <th>Name</th>
-      <td><code>install.operator.istio.io/version</code></td>
-    </tr>
-    <tr>
-      <th>Feature Status</th>
-      <td>Alpha</td>
-    </tr>
-    <tr>
-      <th>Resource Types</th>
-      <td>[Any]</td>
-    </tr>
-    <tr>
-      <th>Description</th>
-      <td><p>Represents the Istio version associated with the resource</p>
-</td>
-    </tr>
-  </tbody>
-</table>
 <h2 id="IoIstioDryRun">istio.io/dry-run</h2>
 <table class="annotations">
  <tbody>
@ -141,6 +99,29 @@ Istio supports to control its behavior.
    </tr>
  </tbody>
 </table>
+<h2 id="IoIstioRerouteVirtualInterfaces">istio.io/reroute-virtual-interfaces</h2>
+<table class="annotations">
+  <tbody>
+    <tr>
+      <th>Name</th>
+      <td><code>istio.io/reroute-virtual-interfaces</code></td>
+    </tr>
+    <tr>
+      <th>Feature Status</th>
+      <td>Alpha</td>
+    </tr>
+    <tr>
+      <th>Resource Types</th>
+      <td>[Pod]</td>
+    </tr>
+    <tr>
+      <th>Description</th>
+      <td><p>A comma separated list of virtual interfaces whose inbound traffic will be unconditionally treated as outbound. This allows workloads using virtualized networking (kubeVirt, VMs, docker-in-docker, etc) to function correctly with mesh traffic capture.
+Note: When using docker-in-docker container, the default bridge interface name is typically <code>docker0</code>. However, custom networks (often used with docker compose) are assigned a randomized interface name. To have a predictable name, you can configure the Docker option <code>com.docker.network.bridge.name</code> with a fixed value and use that name in the annotation.</p>
+</td>
+    </tr>
+  </tbody>
+</table>
 <h2 id="IoIstioRev">istio.io/rev</h2>
 <table class="annotations">
  <tbody>
@ -202,7 +183,42 @@ Istio supports to control its behavior.
    </tr>
    <tr>
      <th>Description</th>
-      <td><p>Specifies the namespaces to which this service should be exported to. A value of &lsquo;*&rsquo; indicates it is reachable within the mesh &lsquo;.&rsquo; indicates it is reachable within its namespace.</p>
+      <td><p>Specifies the namespaces to which this service should be exported to. A value of <code>*</code> indicates it is reachable within the mesh. <code>.</code> indicates it is reachable within its namespace. &lsquo;~&rsquo; indicates it is hidden and exported to no namespaces. Additionally, a list of comma separated namespace names can be specified.</p>
+</td>
+    </tr>
+  </tbody>
+</table>
+<h2 id="NetworkingTrafficDistribution">networking.istio.io/traffic-distribution</h2>
+<table class="annotations">
+  <tbody>
+    <tr>
+      <th>Name</th>
+      <td><code>networking.istio.io/traffic-distribution</code></td>
+    </tr>
+    <tr>
+      <th>Feature Status</th>
+      <td>Alpha</td>
+    </tr>
+    <tr>
+      <th>Resource Types</th>
+      <td>[Service ServiceEntry]</td>
+    </tr>
+    <tr>
+      <th>Description</th>
+      <td><p>Controls how traffic is distributed across the set of available endpoints.</p>
+
+<p>At this time, this annotation only impacts routing done by Ztunnel.</p>
+
+<p>Accepted values:</p>
+
+<ul>
+<li><code>PreferClose</code>: endpoints will be categorized by how &ldquo;close&rdquo; they are, consider network, region, zone, and subzone.
+Traffic will be prioritized to the closest healthy endpoints.
+For example, if I have a Service with <code>PreferClose</code> set, with endpoints in zones <code>us-west,us-west,us-east</code>. When
+sending traffic from a client in zone <code>us-west</code>, all traffic will go to the two <code>us-west</code> backends.
+If one those backends become unhealthy, all traffic will go to the remaining endpoint in <code>us-west</code>.
+If that backend becomes unhealthy, traffic will sent to <code>us-east</code>.</li>
+</ul>
 </td>
    </tr>
  </tbody>
@ -405,28 +421,6 @@ Istio supports to control its behavior.
    </tr>
  </tbody>
 </table>
-<h2 id="SidecarControlPlaneAuthPolicy">sidecar.istio.io/controlPlaneAuthPolicy</h2>
-<table class="annotations">
-  <tbody>
-    <tr class="deprecated">
-      <th>Name</th>
-      <td><code>sidecar.istio.io/controlPlaneAuthPolicy</code></td>
-    </tr>
-    <tr>
-      <th>Feature Status</th>
-      <td>Deprecated</td>
-    </tr>
-    <tr>
-      <th>Resource Types</th>
-      <td>[Pod]</td>
-    </tr>
-    <tr>
-      <th>Description</th>
-      <td><p>Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar will be wrapped into mutual TLS connections.</p>
-</td>
-    </tr>
-  </tbody>
-</table>
 <h2 id="SidecarDiscoveryAddress">sidecar.istio.io/discoveryAddress</h2>
 <table class="annotations">
  <tbody>
@ -449,28 +443,6 @@ Istio supports to control its behavior.
    </tr>
  </tbody>
 </table>
-<h2 id="SidecarEnableCoreDump">sidecar.istio.io/enableCoreDump</h2>
-<table class="annotations">
-  <tbody>
-    <tr>
-      <th>Name</th>
-      <td><code>sidecar.istio.io/enableCoreDump</code></td>
-    </tr>
-    <tr>
-      <th>Feature Status</th>
-      <td>Alpha</td>
-    </tr>
-    <tr>
-      <th>Resource Types</th>
-      <td>[Pod]</td>
-    </tr>
-    <tr>
-      <th>Description</th>
-      <td><p>Specifies whether or not an Envoy sidecar should enable core dump.</p>
-</td>
-    </tr>
-  </tbody>
-</table>
 <h2 id="SidecarExtraStatTags">sidecar.istio.io/extraStatTags</h2>
 <table class="annotations">
  <tbody>
@ -510,7 +482,7 @@ Istio supports to control its behavior.
    </tr>
    <tr>
      <th>Description</th>
-      <td><p>Specifies whether or not an Envoy sidecar should be automatically injected into the workload. Deprecated in favor of <code>sidecar.istio.io/inject</code> label.</p>
+      <td><p>Specifies whether or not an Envoy sidecar should be automatically injected into the workload. This annotation has been deprecated in favor of the <code>sidecar.istio.io/inject</code> label documented <a href="/docs/reference/config/labels/#SidecarInject">here</a>.</p>
 </td>
    </tr>
  </tbody>
@ -559,6 +531,28 @@ Istio supports to control its behavior.
    </tr>
  </tbody>
 </table>
+<h2 id="SidecarNativeSidecar">sidecar.istio.io/nativeSidecar</h2>
+<table class="annotations">
+  <tbody>
+    <tr>
+      <th>Name</th>
+      <td><code>sidecar.istio.io/nativeSidecar</code></td>
+    </tr>
+    <tr>
+      <th>Feature Status</th>
+      <td>Alpha</td>
+    </tr>
+    <tr>
+      <th>Resource Types</th>
+      <td>[Pod]</td>
+    </tr>
+    <tr>
+      <th>Description</th>
+      <td><p>Specifies if the istio-proxy sidecar should be injected as a native sidecar or not. Takes precedence over the ENABLE_NATIVE_SIDECARS environment variable.</p>
+</td>
+    </tr>
+  </tbody>
+</table>
 <h2 id="SidecarProxyCPU">sidecar.istio.io/proxyCPU</h2>
 <table class="annotations">
  <tbody>
@ -713,6 +707,29 @@ Istio supports to control its behavior.
    </tr>
  </tbody>
 </table>
+<h2 id="SidecarStatsCompression">sidecar.istio.io/statsCompression</h2>
+<table class="annotations">
+  <tbody>
+    <tr>
+      <th>Name</th>
+      <td><code>sidecar.istio.io/statsCompression</code></td>
+    </tr>
+    <tr>
+      <th>Feature Status</th>
+      <td>Alpha</td>
+    </tr>
+    <tr>
+      <th>Resource Types</th>
+      <td>[Pod]</td>
+    </tr>
+    <tr>
+      <th>Description</th>
+      <td><p>Specifies the compression algorithm to use for stats emitted by the Envoy sidecar.
+Supported values are <code>brotli</code>, <code>gzip</code>, and <code>zstd</code>.</p>
+</td>
+    </tr>
+  </tbody>
+</table>
 <h2 id="SidecarStatsHistogramBuckets">sidecar.istio.io/statsHistogramBuckets</h2>
 <table class="annotations">
  <tbody>
@ -1090,13 +1107,13 @@ Istio supports to control its behavior.
 <h2 id="SidecarTrafficKubevirtInterfaces">traffic.sidecar.istio.io/kubevirtInterfaces</h2>
 <table class="annotations">
  <tbody>
-    <tr>
+    <tr class="deprecated">
      <th>Name</th>
      <td><code>traffic.sidecar.istio.io/kubevirtInterfaces</code></td>
    </tr>
    <tr>
      <th>Feature Status</th>
-      <td>Alpha</td>
+      <td>Deprecated</td>
    </tr>
    <tr>
      <th>Resource Types</th>
@ -1104,7 +1121,7 @@ Istio supports to control its behavior.
    </tr>
    <tr>
      <th>Description</th>
-      <td><p>A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound.</p>
+      <td><p>A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. Deprecated in favor of <code>istio.io/redirect-virtual-interfaces</code></p>
 </td>
    </tr>
  </tbody>
--- a/annotation/annotations.yaml
+++ b/annotation/annotations.yaml
@ -43,19 +43,11 @@ annotations:
    resources:
      - Service

-  - name: alpha.istio.io/identity
-    featureStatus: Alpha
-    description: Identity for the workload.
-    deprecated: true
-    hidden: true
-    resources:
-      - Pod
-
  - name: networking.istio.io/exportTo
    featureStatus: Alpha
    description: Specifies the namespaces to which this service should be exported to.
-      A value of '*' indicates it is reachable within the mesh '.' indicates it is
-      reachable within its namespace.
+      A value of `*` indicates it is reachable within the mesh. `.` indicates it is
+      reachable within its namespace. '~' indicates it is hidden and exported to no namespaces. Additionally, a list of comma separated namespace names can be specified.
    deprecated: false
    hidden: false
    resources:
@ -64,7 +56,8 @@ annotations:
  - name: sidecar.istio.io/inject
    featureStatus: Beta
    description: Specifies whether or not an Envoy sidecar should be automatically
-      injected into the workload. Deprecated in favor of `sidecar.istio.io/inject` label.
+      injected into the workload. This annotation has been deprecated in favor of the
+      `sidecar.istio.io/inject` label documented [here](/docs/reference/config/labels/#SidecarInject).
    deprecated: true
    hidden: false
    resources:
@ -89,15 +82,6 @@ annotations:
    resources:
      - Pod

-  - name: sidecar.istio.io/controlPlaneAuthPolicy
-    description: Specifies the auth policy used by the Istio control plane. If NONE,
-      traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar
-      will be wrapped into mutual TLS connections.
-    deprecated: true
-    hidden: false
-    resources:
-      - Pod
-
  - name: sidecar.istio.io/discoveryAddress
    featureStatus: Alpha
    description: Specifies the XDS discovery address to be used by the Envoy
@ -224,14 +208,6 @@ annotations:
    resources:
      - Pod

-  - name: sidecar.istio.io/enableCoreDump
-    featureStatus: Alpha
-    description: Specifies whether or not an Envoy sidecar should enable core dump.
-    deprecated: false
-    hidden: false
-    resources:
-      - Pod
-
  - name: status.sidecar.istio.io/port
    featureStatus: Alpha
    description: Specifies the HTTP status Port for the Envoy sidecar. If zero, the
@ -265,6 +241,16 @@ annotations:
    resources:
      - Pod

+  - name: sidecar.istio.io/nativeSidecar
+    featureStatus: Alpha
+    description: Specifies if the istio-proxy sidecar should be injected as a
+      native sidecar or not. Takes precedence over the ENABLE_NATIVE_SIDECARS
+      environment variable.
+    deprecated: false
+    hidden: false
+    resources:
+      - Pod
+
  - name: readiness.status.sidecar.istio.io/initialDelaySeconds
    featureStatus: Alpha
    description: Specifies the initial delay (in seconds) for the Envoy sidecar readiness
@ -377,8 +363,8 @@ annotations:
  - name: traffic.sidecar.istio.io/kubevirtInterfaces
    featureStatus: Alpha
    description: A comma separated list of virtual interfaces whose inbound traffic
-      (from VM) will be treated as outbound.
-    deprecated: false
+      (from VM) will be treated as outbound. Deprecated in favor of `istio.io/redirect-virtual-interfaces`
+    deprecated: true
    hidden: false
    resources:
      - Pod
@ -391,30 +377,6 @@ annotations:
    resources:
      - Ingress

-  - name: install.operator.istio.io/chart-owner
-    featureStatus: Alpha
-    description: Represents the name of the chart used to create this resource.
-    deprecated: false
-    hidden: false
-    resources:
-      - Any
-
-  - name: install.operator.istio.io/owner-generation
-    featureStatus: Alpha
-    description: Represents the generation to which the resource was last reconciled.
-    deprecated: false
-    hidden: false
-    resources:
-      - Any
-
-  - name: install.operator.istio.io/version
-    featureStatus: Alpha
-    description: Represents the Istio version associated with the resource
-    deprecated: false
-    hidden: false
-    resources:
-      - Any
-
  - name: galley.istio.io/analyze-suppress
    featureStatus: Alpha
    description: A comma separated list of configuration analysis message codes
@ -529,4 +491,115 @@ annotations:
    deprecated: false
    hidden: true
    resources:
-      - Any
+      - Any
+
+  - name: ambient.istio.io/redirection
+    featureStatus: Beta
+    description: |-
+      Automatically configured by Istio to indicate a Pod was successfully enrolled in ambient mode.
+      This shows the actual state; to specify intent that a workload should be in ambient mode, see `istio.io/dataplane-mode`.
+      User should not manually modify this annotation.
+    deprecated: false
+    hidden: false
+    resources:
+      - Pod
+
+  - name: ambient.istio.io/waypoint-inbound-binding
+    featureStatus: Alpha
+    description: |
+      When set on a waypoint (either by its specific `Gateway`, or for the entire collection on the `GatewayClass`),
+      indicates how traffic should be sent to the waypoint. If unset, traffic will be sent to the waypoint as HBONE directly.
+
+      This takes the format: `<protocol>` or `<protocol>/<port>`.
+    deprecated: false
+    hidden: true
+    resources:
+      - GatewayClass
+      - Gateway
+
+  - name: gateway.istio.io/service-account
+    featureStatus: Alpha
+    description: |
+      Overrides the name of the generated `ServiceAccount` resource when using [Gateway auto-deployment](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment)
+    deprecated: false
+    hidden: true
+    resources:
+      - Gateway
+
+  - name: gateway.istio.io/name-override
+    featureStatus: Alpha
+    description: |
+      Overrides the name of the generated `Deployment` and `Service` resource when using [Gateway auto-deployment](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment)
+    deprecated: false
+    hidden: true
+    resources:
+      - Gateway
+
+  - name: networking.istio.io/service-type
+    featureStatus: Alpha
+    description: |
+      Overrides the type of the generated `Service` resource when using [Gateway auto-deployment](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment)
+    deprecated: false
+    hidden: true
+    resources:
+      - Gateway
+
+  - name: networking.istio.io/traffic-distribution
+    featureStatus: Alpha
+    description: |
+      Controls how traffic is distributed across the set of available endpoints.
+      
+      At this time, this annotation only impacts routing done by Ztunnel.
+      
+      Accepted values:
+      * `PreferClose`: endpoints will be categorized by how "close" they are, consider network, region, zone, and subzone.
+        Traffic will be prioritized to the closest healthy endpoints.
+        For example, if I have a Service with `PreferClose` set, with endpoints in zones `us-west,us-west,us-east`. When 
+        sending traffic from a client in zone `us-west`, all traffic will go to the two `us-west` backends.
+        If one those backends become unhealthy, all traffic will go to the remaining endpoint in `us-west`.
+        If that backend becomes unhealthy, traffic will sent to `us-east`.
+    deprecated: false
+    hidden: false
+    resources:
+      - Service
+      - ServiceEntry
+
+  - name: ambient.istio.io/bypass-inbound-capture
+    featureStatus: Alpha
+    description: |
+      When specified on a `Pod` enrolled in ambient mesh, only outbound traffic will be captured.
+      This is intended to be used when enrolling a workload that only receives traffic from out-of-the-mesh clients, such as third party ingress controllers.
+    deprecated: false
+    hidden: true
+    resources:
+      - Pod
+
+  - name: istio.io/reroute-virtual-interfaces
+    featureStatus: Alpha
+    description: |
+      A comma separated list of virtual interfaces whose inbound traffic will be unconditionally treated as outbound. This allows workloads using virtualized networking (kubeVirt, VMs, docker-in-docker, etc) to function correctly with mesh traffic capture.
+      Note: When using docker-in-docker container, the default bridge interface name is typically `docker0`. However, custom networks (often used with docker compose) are assigned a randomized interface name. To have a predictable name, you can configure the Docker option `com.docker.network.bridge.name` with a fixed value and use that name in the annotation.
+    deprecated: false
+    hidden: false
+    resources:
+      - Pod
+
+  - name: ambient.istio.io/dns-capture
+    featureStatus: Alpha
+    description: |
+      When specified on a `Pod` enrolled in ambient mesh, controls whether DNS traffic (TCP and UDP on port 53) will be captured and proxied in ambient.
+      Note that setting this to `false` will break some Istio features, such as ServiceEntries and egress waypoints, but may be desirable for workloads that interact poorly with DNS proxies.
+    deprecated: false
+    hidden: true
+    resources:
+      - Pod
+
+  - name: sidecar.istio.io/statsCompression
+    featureStatus: Alpha
+    description: |
+      Specifies the compression algorithm to use for stats emitted by the Envoy sidecar.
+      Supported values are `brotli`, `gzip`, and `zstd`.
+    deprecated: false
+    hidden: false
+    resources:
+      - Pod
--- a/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html
+++ b/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html
@ -1,9 +0,0 @@
---
-title: istio.authentication.v1alpha1
-layout: protoc-gen-docs
-generator: protoc-gen-docs
-schema: istio.authentication.v1alpha1.Policy
-number_of_entries: 0
---
-<p>This package defines user-facing authentication policy.</p>
-
--- a/authentication/v1alpha1/policy.pb.go
+++ b/authentication/v1alpha1/policy.pb.go
--- a/authentication/v1alpha1/policy.proto
+++ b/authentication/v1alpha1/policy.proto
@ -1,432 +0,0 @@
-// Copyright 2018 Istio Authors
-//
-//   Licensed under the Apache License, Version 2.0 (the "License");
-//   you may not use this file except in compliance with the License.
-//   You may obtain a copy of the License at
-//
-//       http://www.apache.org/licenses/LICENSE-2.0
-//
-//   Unless required by applicable law or agreed to in writing, software
-//   distributed under the License is distributed on an "AS IS" BASIS,
-//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//   See the License for the specific language governing permissions and
-//   limitations under the License.
-
-syntax = "proto3";
-
-// $schema: istio.authentication.v1alpha1.Policy
-// $mode: package
-
-// This package defines user-facing authentication policy.
-package istio.authentication.v1alpha1;
-
-import "google/api/field_behavior.proto";
-
-option go_package = "istio.io/api/authentication/v1alpha1";
-
-// $hide_from_docs
-// Describes how to match a given string. Match is case-sensitive.
-message StringMatch {
-  oneof match_type {
-    // exact string match.
-    string exact = 1;
-
-    // prefix-based match.
-    string prefix = 2;
-
-    // suffix-based match.
-    string suffix = 3;
-
-    // RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
-    string regex = 4;
-  }
-}
-
-// $hide_from_docs
-// Deprecated. Please use security/v1beta1/PeerAuthentication instead.
-// TLS authentication params.
-message MutualTls {
-  // $hide_from_docs
-  // Defines the acceptable connection TLS mode.
-  enum Mode {
-    // Client cert must be presented, connection is in TLS.
-    STRICT = 0;
-
-    // Connection can be either plaintext or TLS with Client cert.
-    PERMISSIVE = 1;
-  };
-
-  // Deprecated. Please use mode = PERMISSIVE instead.
-  // If set, will translate to `TLS_PERMISSIVE` mode.
-  // Set this flag to true to allow regular TLS (i.e without client x509
-  // certificate). If request carries client certificate, identity will be
-  // extracted and used (set to peer identity). Otherwise, peer identity will
-  // be left unset.
-  // When the flag is false (default), request must have client certificate.
-  bool allow_tls = 1 [deprecated=true];
-
-  // Defines the mode of mTLS authentication.
-  Mode mode = 2;
-}
-
-// $hide_from_docs
-// Deprecated. Please use security/v1beta1/RequestAuthentication instead.
-// JSON Web Token (JWT) token format for authentication as defined by
-// [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and
-// [OIDC 1.0](http://openid.net/connect) for how this is used in the whole
-// authentication flow.
-//
-// For example:
-//
-// A JWT for any requests:
-//
-// ```yaml
-// issuer: https://example.com
-// audiences:
-// - bookstore_android.apps.googleusercontent.com
-//   bookstore_web.apps.googleusercontent.com
-// jwksUri: https://example.com/.well-known/jwks.json
-// ```
-//
-// A JWT for all requests except request at path `/health_check` and path with
-// prefix `/status/`. This is useful to expose some paths for public access but
-// keep others JWT validated.
-//
-// ```yaml
-// issuer: https://example.com
-// jwksUri: https://example.com/.well-known/jwks.json
-// triggerRules:
-// - excludedPaths:
-//   - exact: /health_check
-//   - prefix: /status/
-// ```
-//
-// A JWT only for requests at path `/admin`. This is useful to only require JWT
-// validation on a specific set of paths but keep others public accessible.
-//
-// ```yaml
-// issuer: https://example.com
-// jwksUri: https://example.com/.well-known/jwks.json
-// triggerRules:
-// - includedPaths:
-//   - prefix: /admin
-// ```
-//
-// A JWT only for requests at path of prefix `/status/` but except the path of
-// `/status/version`. This means for any request path with prefix `/status/` except
-// `/status/version` will require a valid JWT to proceed.
-//
-// ```yaml
-// issuer: https://example.com
-// jwksUri: https://example.com/.well-known/jwks.json
-// triggerRules:
-// - excludedPaths:
-//   - exact: /status/version
-//   includedPaths:
-//   - prefix: /status/
-// ```
-message Jwt {
-  // Identifies the issuer that issued the JWT. See
-  // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
-  // Usually a URL or an email address.
-  //
-  // Example: https://securetoken.google.com
-  // Example: 1234567-compute@developer.gserviceaccount.com
-  string issuer = 1;
-
-  // The list of JWT
-  // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3).
-  // that are allowed to access. A JWT containing any of these
-  // audiences will be accepted.
-  //
-  // The service name will be accepted if audiences is empty.
-  //
-  // Example:
-  //
-  // ```yaml
-  // audiences:
-  // - bookstore_android.apps.googleusercontent.com
-  //   bookstore_web.apps.googleusercontent.com
-  // ```
-  repeated string audiences = 2;
-
-  // URL of the provider's public key set to validate signature of the
-  // JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-  //
-  // Optional if the key set document can either (a) be retrieved from
-  // [OpenID
-  // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
-  // the issuer or (b) inferred from the email domain of the issuer (e.g. a
-  // Google service account).
-  //
-  // Example: `https://www.googleapis.com/oauth2/v1/certs`
-  //
-  // Note: Only one of jwks_uri and jwks should be used.
-  string jwks_uri = 3;
-
-  // JSON Web Key Set of public keys to validate signature of the JWT.
-  // See https://auth0.com/docs/jwks.
-  //
-  // Note: Only one of jwks_uri and jwks should be used.
-  string jwks = 10;
-
-  // Two fields below define where to extract the JWT from an HTTP request.
-  //
-  // If no explicit location is specified the following default
-  // locations are tried in order:
-  //
-  //     1) The Authorization header using the Bearer schema,
-  //        e.g. Authorization: Bearer <token>. (see
-  //        [Authorization Request Header
-  //        Field](https://tools.ietf.org/html/rfc6750#section-2.1))
-  //
-  //     2) `access_token` query parameter (see
-  //     [URI Query Parameter](https://tools.ietf.org/html/rfc6750#section-2.3))
-
-  // JWT is sent in a request header. `header` represents the
-  // header name.
-  //
-  // For example, if `header=x-goog-iap-jwt-assertion`, the header
-  // format will be `x-goog-iap-jwt-assertion: <JWT>`.
-  repeated string jwt_headers = 6;
-
-  // JWT is sent in a query parameter. `query` represents the
-  // query parameter name.
-  //
-  // For example, `query=jwt_token`.
-  repeated string jwt_params = 7;
-
-  // $hide_from_docs
-  // Trigger rule to match against a request. The trigger rule is satisfied if
-  // and only if both rules, excluded_paths and include_paths are satisfied.
-  message TriggerRule {
-    // List of paths to be excluded from the request. The rule is satisfied if
-    // request path does not match to any of the path in this list.
-    repeated StringMatch excluded_paths = 1;
-
-    // List of paths that the request must include. If the list is not empty, the
-    // rule is satisfied if request path matches at least one of the path in the list.
-    // If the list is empty, the rule is ignored, in other words the rule is always satisfied.
-    repeated StringMatch included_paths = 2;
-  }
-
-  // List of trigger rules to decide if this JWT should be used to validate the
-  // request. The JWT validation happens if any one of the rules matched.
-  // If the list is not empty and none of the rules matched, authentication will
-  // skip the JWT validation.
-  // Leave this empty to always trigger the JWT validation.
-  repeated TriggerRule trigger_rules = 9;
-
-  // $hide_from_docs
-  // Next available field number: 11
-}
-
-// $hide_from_docs
-// Deprecated. Please use security/v1beta1/PeerAuthentication instead.
-// PeerAuthenticationMethod defines one particular type of authentication. Only mTLS is supported
-// at the moment.
-// The type can be progammatically determine by checking the type of the
-// "params" field.
-message PeerAuthenticationMethod {
-  // $hide_from_docs
-  oneof params {
-    // Set if mTLS is used.
-    MutualTls mtls = 1;
-
-    // $hide_from_docs
-    // Deprecated.
-    // Set if JWT is used. This option was never available.
-    Jwt jwt = 2 [deprecated=true];
-  }
-}
-
-// $hide_from_docs
-// Deprecated. Please use security/v1beta1/RequestAuthentication instead.
-// OriginAuthenticationMethod defines authentication method/params for origin
-// authentication. Origin could be end-user, device, delegate service etc.
-// Currently, only JWT is supported for origin authentication.
-message OriginAuthenticationMethod {
-  // Jwt params for the method.
-  Jwt jwt = 1;
-}
-
-// $hide_from_docs
-// Deprecated. When using security/v1beta1/RequestAuthentication, the request principal always
-// comes from request authentication (i.e JWT).
-// Associates authentication with request principal.
-enum PrincipalBinding {
-  // Principal will be set to the identity from peer authentication.
-  USE_PEER = 0;
-
-  // Principal will be set to the identity from origin authentication.
-  USE_ORIGIN = 1;
-}
-
-// $hide_from_docs
-// Policy defines what authentication methods can be accepted on workload(s),
-// and if authenticated, which method/certificate will set the request principal
-// (i.e request.auth.principal attribute).
-//
-// Authentication policy is composed of 2-part authentication:
-// - peer: verify caller service credentials. This part will set source.user
-// (peer identity).
-// - origin: verify the origin credentials. This part will set request.auth.user
-// (origin identity), as well as other attributes like request.auth.presenter,
-// request.auth.audiences and raw claims. Note that the identity could be
-// end-user, service account, device etc.
-//
-// Last but not least, the principal binding rule defines which identity (peer
-// or origin) should be used as principal. By default, it uses peer.
-//
-// Examples:
-//
-// Policy to enable mTLS for all services in namespace frod. The policy name must be
-// `default`, and it contains no rule for `targets`.
-//
-// ```yaml
-// apiVersion: authentication.istio.io/v1alpha1
-// kind: Policy
-// metadata:
-//   name: default
-//   namespace: frod
-// spec:
-//   peers:
-//   - mtls:
-// ```
-// Policy to disable mTLS for "productpage" service
-//
-// ```yaml
-// apiVersion: authentication.istio.io/v1alpha1
-// kind: Policy
-// metadata:
-//   name: productpage-mTLS-disable
-//   namespace: frod
-// spec:
-//   targets:
-//   - name: productpage
-// ```
-// Policy to require mTLS for peer authentication, and JWT for origin authentication
-// for productpage:9000 except the path '/health_check' . Principal is set from origin identity.
-//
-// ```yaml
-// apiVersion: authentication.istio.io/v1alpha1
-// kind: Policy
-// metadata:
-//   name: productpage-mTLS-with-JWT
-//   namespace: frod
-// spec:
-//   targets:
-//   - name: productpage
-//     ports:
-//     - number: 9000
-//   peers:
-//   - mtls:
-//   origins:
-//   - jwt:
-//       issuer: "https://securetoken.google.com"
-//       audiences:
-//       - "productpage"
-//       jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
-//       jwtHeaders:
-//       - "x-goog-iap-jwt-assertion"
-//       triggerRules:
-//       - excludedPaths:
-//         - exact: /health_check
-//   principalBinding: USE_ORIGIN
-// ```
-message Policy {
-  // Deprecated. Only mesh-level and namespace-level policies are supported.
-  // List rules to select workloads that the policy should be applied on.
-  // If empty, policy will be used on all workloads in the same namespace.
-  repeated TargetSelector targets = 1 [deprecated=true];
-
-  // $hide_from_docs
-  // Deprecated. Please use security/v1beta1/PeerAuthentication instead.
-  // List of authentication methods that can be used for peer authentication.
-  // They will be evaluated in order; the first validate one will be used to
-  // set peer identity (source.user) and other peer attributes. If none of
-  // these methods pass, request will be rejected with authentication failed error (401).
-  // Leave the list empty if peer authentication is not required
-  repeated PeerAuthenticationMethod peers = 2;
-
-  // Deprecated. Should set mTLS to PERMISSIVE instead.
-  // Set this flag to true to accept request (for peer authentication perspective),
-  // even when none of the peer authentication methods defined above satisfied.
-  // Typically, this is used to delay the rejection decision to next layer (e.g
-  // authorization).
-  // This flag is ignored if no authentication defined for peer (peers field is empty).
-  bool peer_is_optional = 3 [deprecated=true];
-
-  // Deprecated. Please use security/v1beta1/RequestAuthentication instead.
-  // List of authentication methods that can be used for origin authentication.
-  // Similar to peers, these will be evaluated in order; the first validate one
-  // will be used to set origin identity and attributes (i.e request.auth.user,
-  // request.auth.issuer etc). If none of these methods pass, request will be
-  // rejected with authentication failed error (401).
-  // A method may be skipped, depends on its trigger rule. If all of these methods
-  // are skipped, origin authentication will be ignored, as if it is not defined.
-  // Leave the list empty if origin authentication is not required.
-  repeated OriginAuthenticationMethod origins = 4 [deprecated=true];
-
-  // Deprecated. Please use security/v1beta1/RequestAuthentication instead.
-  // Set this flag to true to accept request (for origin authentication perspective),
-  // even when none of the origin authentication methods defined above satisfied.
-  // Typically, this is used to delay the rejection decision to next layer (e.g
-  // authorization).
-  // This flag is ignored if no authentication defined for origin (origins field is empty).
-  bool origin_is_optional = 5 [deprecated=true];
-
-  // Deprecated. Source principal is always from peer, and request principal is always from
-  // RequestAuthentication.
-  // Define whether peer or origin identity should be use for principal. Default
-  // value is USE_PEER.
-  // If peer (or origin) identity is not available, either because of peer/origin
-  // authentication is not defined, or failed, principal will be left unset.
-  // In other words, binding rule does not affect the decision to accept or
-  // reject request.
-  PrincipalBinding principal_binding = 6 [deprecated=true];
-}
-
-// $hide_from_docs
-// Deprecated. Only support mesh and namespace level policy in the future.
-// TargetSelector defines a matching rule to a workload. A workload is selected
-// if it is associated with the service name and service port(s) specified in the selector rule.
-message TargetSelector {
-  // The name must be a short name from the service registry. The
-  // fully qualified domain name will be resolved in a platform specific manner.
-  string name = 1 [(google.api.field_behavior) = REQUIRED];
-
-  reserved 3;
-  reserved "labels";
-
-  // Specifies the ports. Note that this is the port(s) exposed by the service, not workload instance ports.
-  // For example, if a service is defined as below, then `8000` should be used, not `9000`.
-  // ```yaml
-  // kind: Service
-  // metadata:
-  //   ...
-  // spec:
-  //   ports:
-  //   - name: http
-  //     port: 8000
-  //     targetPort: 9000
-  //   selector:
-  //     app: backend
-  // ```
-  //Leave empty to match all ports that are exposed.
-  repeated PortSelector ports = 2;
-}
-
-// $hide_from_docs
-// Deprecated. Only support mesh and namespace level policy in the future.
-// PortSelector specifies the name or number of a port to be used for
-// matching targets for authentication policy. This is copied from
-// networking API to avoid dependency.
-message PortSelector {
-  oneof port {
-    // Valid port number
-    uint32 number = 1;
-    // Port name
-    string name = 2;
-  }
-}
--- a/authentication/v1alpha1/policy_deepcopy.gen.go
+++ b/authentication/v1alpha1/policy_deepcopy.gen.go
@ -1,195 +0,0 @@
-// Code generated by protoc-gen-deepcopy. DO NOT EDIT.
-package v1alpha1
-
-import (
-	proto "google.golang.org/protobuf/proto"
-)
-
-// DeepCopyInto supports using StringMatch within kubernetes types, where deepcopy-gen is used.
-func (in *StringMatch) DeepCopyInto(out *StringMatch) {
-	p := proto.Clone(in).(*StringMatch)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringMatch. Required by controller-gen.
-func (in *StringMatch) DeepCopy() *StringMatch {
-	if in == nil {
-		return nil
-	}
-	out := new(StringMatch)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new StringMatch. Required by controller-gen.
-func (in *StringMatch) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using MutualTls within kubernetes types, where deepcopy-gen is used.
-func (in *MutualTls) DeepCopyInto(out *MutualTls) {
-	p := proto.Clone(in).(*MutualTls)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MutualTls. Required by controller-gen.
-func (in *MutualTls) DeepCopy() *MutualTls {
-	if in == nil {
-		return nil
-	}
-	out := new(MutualTls)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new MutualTls. Required by controller-gen.
-func (in *MutualTls) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using Jwt within kubernetes types, where deepcopy-gen is used.
-func (in *Jwt) DeepCopyInto(out *Jwt) {
-	p := proto.Clone(in).(*Jwt)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Jwt. Required by controller-gen.
-func (in *Jwt) DeepCopy() *Jwt {
-	if in == nil {
-		return nil
-	}
-	out := new(Jwt)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Jwt. Required by controller-gen.
-func (in *Jwt) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using Jwt_TriggerRule within kubernetes types, where deepcopy-gen is used.
-func (in *Jwt_TriggerRule) DeepCopyInto(out *Jwt_TriggerRule) {
-	p := proto.Clone(in).(*Jwt_TriggerRule)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Jwt_TriggerRule. Required by controller-gen.
-func (in *Jwt_TriggerRule) DeepCopy() *Jwt_TriggerRule {
-	if in == nil {
-		return nil
-	}
-	out := new(Jwt_TriggerRule)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Jwt_TriggerRule. Required by controller-gen.
-func (in *Jwt_TriggerRule) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using PeerAuthenticationMethod within kubernetes types, where deepcopy-gen is used.
-func (in *PeerAuthenticationMethod) DeepCopyInto(out *PeerAuthenticationMethod) {
-	p := proto.Clone(in).(*PeerAuthenticationMethod)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationMethod. Required by controller-gen.
-func (in *PeerAuthenticationMethod) DeepCopy() *PeerAuthenticationMethod {
-	if in == nil {
-		return nil
-	}
-	out := new(PeerAuthenticationMethod)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationMethod. Required by controller-gen.
-func (in *PeerAuthenticationMethod) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using OriginAuthenticationMethod within kubernetes types, where deepcopy-gen is used.
-func (in *OriginAuthenticationMethod) DeepCopyInto(out *OriginAuthenticationMethod) {
-	p := proto.Clone(in).(*OriginAuthenticationMethod)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginAuthenticationMethod. Required by controller-gen.
-func (in *OriginAuthenticationMethod) DeepCopy() *OriginAuthenticationMethod {
-	if in == nil {
-		return nil
-	}
-	out := new(OriginAuthenticationMethod)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new OriginAuthenticationMethod. Required by controller-gen.
-func (in *OriginAuthenticationMethod) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using Policy within kubernetes types, where deepcopy-gen is used.
-func (in *Policy) DeepCopyInto(out *Policy) {
-	p := proto.Clone(in).(*Policy)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. Required by controller-gen.
-func (in *Policy) DeepCopy() *Policy {
-	if in == nil {
-		return nil
-	}
-	out := new(Policy)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Policy. Required by controller-gen.
-func (in *Policy) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using TargetSelector within kubernetes types, where deepcopy-gen is used.
-func (in *TargetSelector) DeepCopyInto(out *TargetSelector) {
-	p := proto.Clone(in).(*TargetSelector)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetSelector. Required by controller-gen.
-func (in *TargetSelector) DeepCopy() *TargetSelector {
-	if in == nil {
-		return nil
-	}
-	out := new(TargetSelector)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new TargetSelector. Required by controller-gen.
-func (in *TargetSelector) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using PortSelector within kubernetes types, where deepcopy-gen is used.
-func (in *PortSelector) DeepCopyInto(out *PortSelector) {
-	p := proto.Clone(in).(*PortSelector)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector. Required by controller-gen.
-func (in *PortSelector) DeepCopy() *PortSelector {
-	if in == nil {
-		return nil
-	}
-	out := new(PortSelector)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector. Required by controller-gen.
-func (in *PortSelector) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
--- a/authentication/v1alpha1/policy_json.gen.go
+++ b/authentication/v1alpha1/policy_json.gen.go
@ -1,111 +0,0 @@
-// Code generated by protoc-gen-jsonshim. DO NOT EDIT.
-package v1alpha1
-
-import (
-	bytes "bytes"
-	jsonpb "github.com/golang/protobuf/jsonpb"
-)
-
-// MarshalJSON is a custom marshaler for StringMatch
-func (this *StringMatch) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for StringMatch
-func (this *StringMatch) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for MutualTls
-func (this *MutualTls) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for MutualTls
-func (this *MutualTls) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for Jwt
-func (this *Jwt) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for Jwt
-func (this *Jwt) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for Jwt_TriggerRule
-func (this *Jwt_TriggerRule) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for Jwt_TriggerRule
-func (this *Jwt_TriggerRule) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for PeerAuthenticationMethod
-func (this *PeerAuthenticationMethod) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for PeerAuthenticationMethod
-func (this *PeerAuthenticationMethod) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for OriginAuthenticationMethod
-func (this *OriginAuthenticationMethod) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for OriginAuthenticationMethod
-func (this *OriginAuthenticationMethod) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for Policy
-func (this *Policy) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for Policy
-func (this *Policy) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for TargetSelector
-func (this *TargetSelector) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for TargetSelector
-func (this *TargetSelector) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for PortSelector
-func (this *PortSelector) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for PortSelector
-func (this *PortSelector) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-var (
-	PolicyMarshaler   = &jsonpb.Marshaler{}
-	PolicyUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
-)
--- a/buf.gen-noncrd.yaml
+++ b/buf.gen-noncrd.yaml
@ -9,3 +9,6 @@ plugins:
 - name: docs
  out: .
  opt: warnings=false,dictionary=./dictionaries/en-US,custom_word_list=./dictionaries/custom.txt,per_file=true,mode=html_fragment_with_front_matter
+- name: golang-jsonshim
+  out: .
+  opt: paths=source_relative
--- a/common-protos/k8s.io/api/admission/v1/generated.proto
+++ b/common-protos/k8s.io/api/admission/v1/generated.proto
@ -1,167 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.admission.v1;
-
-import "k8s.io/api/authentication/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/admission/v1";
-
-// AdmissionRequest describes the admission.Attributes for the admission request.
-message AdmissionRequest {
-  // UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
-  // otherwise identical (parallel requests, requests when earlier requests did not modify etc)
-  // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
-  // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
-  optional string uid = 1;
-
-  // Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind kind = 2;
-
-  // Resource is the fully-qualified resource being requested (for example, v1.pods)
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource resource = 3;
-
-  // SubResource is the subresource being requested, if any (for example, "status" or "scale")
-  // +optional
-  optional string subResource = 4;
-
-  // RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
-  // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
-  //
-  // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
-  // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
-  // an API request to apps/v1beta1 deployments would be converted and sent to the webhook
-  // with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
-  // and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
-  //
-  // See documentation for the "matchPolicy" field in the webhook configuration type for more details.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind requestKind = 13;
-
-  // RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
-  // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
-  //
-  // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
-  // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
-  // an API request to apps/v1beta1 deployments would be converted and sent to the webhook
-  // with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
-  // and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
-  //
-  // See documentation for the "matchPolicy" field in the webhook configuration type.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource requestResource = 14;
-
-  // RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
-  // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
-  // See documentation for the "matchPolicy" field in the webhook configuration type.
-  // +optional
-  optional string requestSubResource = 15;
-
-  // Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
-  // rely on the server to generate the name.  If that is the case, this field will contain an empty string.
-  // +optional
-  optional string name = 5;
-
-  // Namespace is the namespace associated with the request (if any).
-  // +optional
-  optional string namespace = 6;
-
-  // Operation is the operation being performed. This may be different than the operation
-  // requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
-  optional string operation = 7;
-
-  // UserInfo is information about the requesting user
-  optional k8s.io.api.authentication.v1.UserInfo userInfo = 8;
-
-  // Object is the object from the incoming request.
-  // +optional
-  optional k8s.io.apimachinery.pkg.runtime.RawExtension object = 9;
-
-  // OldObject is the existing object. Only populated for DELETE and UPDATE requests.
-  // +optional
-  optional k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 10;
-
-  // DryRun indicates that modifications will definitely not be persisted for this request.
-  // Defaults to false.
-  // +optional
-  optional bool dryRun = 11;
-
-  // Options is the operation option structure of the operation being performed.
-  // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
-  // different than the options the caller provided. e.g. for a patch request the performed
-  // Operation might be a CREATE, in which case the Options will a
-  // `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
-  // +optional
-  optional k8s.io.apimachinery.pkg.runtime.RawExtension options = 12;
-}
-
-// AdmissionResponse describes an admission response.
-message AdmissionResponse {
-  // UID is an identifier for the individual request/response.
-  // This must be copied over from the corresponding AdmissionRequest.
-  optional string uid = 1;
-
-  // Allowed indicates whether or not the admission request was permitted.
-  optional bool allowed = 2;
-
-  // Result contains extra details into why an admission request was denied.
-  // This field IS NOT consulted in any way if "Allowed" is "true".
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;
-
-  // The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
-  // +optional
-  optional bytes patch = 4;
-
-  // The type of Patch. Currently we only allow "JSONPatch".
-  // +optional
-  optional string patchType = 5;
-
-  // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
-  // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
-  // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
-  // the admission webhook to add additional context to the audit log for this request.
-  // +optional
-  map<string, string> auditAnnotations = 6;
-
-  // warnings is a list of warning messages to return to the requesting API client.
-  // Warning messages describe a problem the client making the API request should correct or be aware of.
-  // Limit warnings to 120 characters if possible.
-  // Warnings over 256 characters and large numbers of warnings may be truncated.
-  // +optional
-  repeated string warnings = 7;
-}
-
-// AdmissionReview describes an admission review request/response.
-message AdmissionReview {
-  // Request describes the attributes for the admission request.
-  // +optional
-  optional AdmissionRequest request = 1;
-
-  // Response describes the attributes for the admission response.
-  // +optional
-  optional AdmissionResponse response = 2;
-}
-
--- a/common-protos/k8s.io/api/admission/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/admission/v1beta1/generated.proto
@ -1,167 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.admission.v1beta1;
-
-import "k8s.io/api/authentication/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/admission/v1beta1";
-
-// AdmissionRequest describes the admission.Attributes for the admission request.
-message AdmissionRequest {
-  // UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
-  // otherwise identical (parallel requests, requests when earlier requests did not modify etc)
-  // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
-  // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
-  optional string uid = 1;
-
-  // Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind kind = 2;
-
-  // Resource is the fully-qualified resource being requested (for example, v1.pods)
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource resource = 3;
-
-  // SubResource is the subresource being requested, if any (for example, "status" or "scale")
-  // +optional
-  optional string subResource = 4;
-
-  // RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
-  // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
-  //
-  // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
-  // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
-  // an API request to apps/v1beta1 deployments would be converted and sent to the webhook
-  // with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
-  // and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
-  //
-  // See documentation for the "matchPolicy" field in the webhook configuration type for more details.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind requestKind = 13;
-
-  // RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
-  // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
-  //
-  // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
-  // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
-  // an API request to apps/v1beta1 deployments would be converted and sent to the webhook
-  // with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
-  // and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
-  //
-  // See documentation for the "matchPolicy" field in the webhook configuration type.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource requestResource = 14;
-
-  // RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
-  // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
-  // See documentation for the "matchPolicy" field in the webhook configuration type.
-  // +optional
-  optional string requestSubResource = 15;
-
-  // Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
-  // rely on the server to generate the name.  If that is the case, this field will contain an empty string.
-  // +optional
-  optional string name = 5;
-
-  // Namespace is the namespace associated with the request (if any).
-  // +optional
-  optional string namespace = 6;
-
-  // Operation is the operation being performed. This may be different than the operation
-  // requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
-  optional string operation = 7;
-
-  // UserInfo is information about the requesting user
-  optional k8s.io.api.authentication.v1.UserInfo userInfo = 8;
-
-  // Object is the object from the incoming request.
-  // +optional
-  optional k8s.io.apimachinery.pkg.runtime.RawExtension object = 9;
-
-  // OldObject is the existing object. Only populated for DELETE and UPDATE requests.
-  // +optional
-  optional k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 10;
-
-  // DryRun indicates that modifications will definitely not be persisted for this request.
-  // Defaults to false.
-  // +optional
-  optional bool dryRun = 11;
-
-  // Options is the operation option structure of the operation being performed.
-  // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
-  // different than the options the caller provided. e.g. for a patch request the performed
-  // Operation might be a CREATE, in which case the Options will a
-  // `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
-  // +optional
-  optional k8s.io.apimachinery.pkg.runtime.RawExtension options = 12;
-}
-
-// AdmissionResponse describes an admission response.
-message AdmissionResponse {
-  // UID is an identifier for the individual request/response.
-  // This should be copied over from the corresponding AdmissionRequest.
-  optional string uid = 1;
-
-  // Allowed indicates whether or not the admission request was permitted.
-  optional bool allowed = 2;
-
-  // Result contains extra details into why an admission request was denied.
-  // This field IS NOT consulted in any way if "Allowed" is "true".
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;
-
-  // The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
-  // +optional
-  optional bytes patch = 4;
-
-  // The type of Patch. Currently we only allow "JSONPatch".
-  // +optional
-  optional string patchType = 5;
-
-  // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
-  // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
-  // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
-  // the admission webhook to add additional context to the audit log for this request.
-  // +optional
-  map<string, string> auditAnnotations = 6;
-
-  // warnings is a list of warning messages to return to the requesting API client.
-  // Warning messages describe a problem the client making the API request should correct or be aware of.
-  // Limit warnings to 120 characters if possible.
-  // Warnings over 256 characters and large numbers of warnings may be truncated.
-  // +optional
-  repeated string warnings = 7;
-}
-
-// AdmissionReview describes an admission review request/response.
-message AdmissionReview {
-  // Request describes the attributes for the admission request.
-  // +optional
-  optional AdmissionRequest request = 1;
-
-  // Response describes the attributes for the admission response.
-  // +optional
-  optional AdmissionResponse response = 2;
-}
-
--- a/common-protos/k8s.io/api/admissionregistration/v1/generated.proto
+++ b/common-protos/k8s.io/api/admissionregistration/v1/generated.proto
@ -1,479 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.admissionregistration.v1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/admissionregistration/v1";
-
-// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
-message MutatingWebhook {
-  // The name of the admission webhook.
-  // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
-  // "imagepolicy" is the name of the webhook, and kubernetes.io is the name
-  // of the organization.
-  // Required.
-  optional string name = 1;
-
-  // ClientConfig defines how to communicate with the hook.
-  // Required
-  optional WebhookClientConfig clientConfig = 2;
-
-  // Rules describes what operations on what resources/subresources the webhook cares about.
-  // The webhook cares about an operation if it matches _any_ Rule.
-  // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
-  // from putting the cluster in a state which cannot be recovered from without completely
-  // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
-  // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
-  repeated RuleWithOperations rules = 3;
-
-  // FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
-  // allowed values are Ignore or Fail. Defaults to Fail.
-  // +optional
-  optional string failurePolicy = 4;
-
-  // matchPolicy defines how the "rules" list is used to match incoming requests.
-  // Allowed values are "Exact" or "Equivalent".
-  //
-  // - Exact: match a request only if it exactly matches a specified rule.
-  // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
-  // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
-  // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
-  //
-  // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
-  // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
-  // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
-  // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
-  //
-  // Defaults to "Equivalent"
-  // +optional
-  optional string matchPolicy = 9;
-
-  // NamespaceSelector decides whether to run the webhook on an object based
-  // on whether the namespace for that object matches the selector. If the
-  // object itself is a namespace, the matching is performed on
-  // object.metadata.labels. If the object is another cluster scoped resource,
-  // it never skips the webhook.
-  //
-  // For example, to run the webhook on any objects whose namespace is not
-  // associated with "runlevel" of "0" or "1";  you will set the selector as
-  // follows:
-  // "namespaceSelector": {
-  //   "matchExpressions": [
-  //     {
-  //       "key": "runlevel",
-  //       "operator": "NotIn",
-  //       "values": [
-  //         "0",
-  //         "1"
-  //       ]
-  //     }
-  //   ]
-  // }
-  //
-  // If instead you want to only run the webhook on any objects whose
-  // namespace is associated with the "environment" of "prod" or "staging";
-  // you will set the selector as follows:
-  // "namespaceSelector": {
-  //   "matchExpressions": [
-  //     {
-  //       "key": "environment",
-  //       "operator": "In",
-  //       "values": [
-  //         "prod",
-  //         "staging"
-  //       ]
-  //     }
-  //   ]
-  // }
-  //
-  // See
-  // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
-  // for more examples of label selectors.
-  //
-  // Default to the empty LabelSelector, which matches everything.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 5;
-
-  // ObjectSelector decides whether to run the webhook based on if the
-  // object has matching labels. objectSelector is evaluated against both
-  // the oldObject and newObject that would be sent to the webhook, and
-  // is considered to match if either object matches the selector. A null
-  // object (oldObject in the case of create, or newObject in the case of
-  // delete) or an object that cannot have labels (like a
-  // DeploymentRollback or a PodProxyOptions object) is not considered to
-  // match.
-  // Use the object selector only if the webhook is opt-in, because end
-  // users may skip the admission webhook by setting the labels.
-  // Default to the empty LabelSelector, which matches everything.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector objectSelector = 11;
-
-  // SideEffects states whether this webhook has side effects.
-  // Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
-  // Webhooks with side effects MUST implement a reconciliation system, since a request may be
-  // rejected by a future step in the admission chain and the side effects therefore need to be undone.
-  // Requests with the dryRun attribute will be auto-rejected if they match a webhook with
-  // sideEffects == Unknown or Some.
-  optional string sideEffects = 6;
-
-  // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
-  // the webhook call will be ignored or the API call will fail based on the
-  // failure policy.
-  // The timeout value must be between 1 and 30 seconds.
-  // Default to 10 seconds.
-  // +optional
-  optional int32 timeoutSeconds = 7;
-
-  // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
-  // versions the Webhook expects. API server will try to use first version in
-  // the list which it supports. If none of the versions specified in this list
-  // supported by API server, validation will fail for this object.
-  // If a persisted webhook configuration specifies allowed versions and does not
-  // include any versions known to the API Server, calls to the webhook will fail
-  // and be subject to the failure policy.
-  repeated string admissionReviewVersions = 8;
-
-  // reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
-  // Allowed values are "Never" and "IfNeeded".
-  //
-  // Never: the webhook will not be called more than once in a single admission evaluation.
-  //
-  // IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
-  // if the object being admitted is modified by other admission plugins after the initial webhook call.
-  // Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
-  // Note:
-  // * the number of additional invocations is not guaranteed to be exactly one.
-  // * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
-  // * webhooks that use this option may be reordered to minimize the number of additional invocations.
-  // * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
-  //
-  // Defaults to "Never".
-  // +optional
-  optional string reinvocationPolicy = 10;
-}
-
-// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
-message MutatingWebhookConfiguration {
-  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Webhooks is a list of webhooks and the affected resources and operations.
-  // +optional
-  // +patchMergeKey=name
-  // +patchStrategy=merge
-  repeated MutatingWebhook Webhooks = 2;
-}
-
-// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.
-message MutatingWebhookConfigurationList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // List of MutatingWebhookConfiguration.
-  repeated MutatingWebhookConfiguration items = 2;
-}
-
-// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
-// to make sure that all the tuple expansions are valid.
-message Rule {
-  // APIGroups is the API groups the resources belong to. '*' is all groups.
-  // If '*' is present, the length of the slice must be one.
-  // Required.
-  repeated string apiGroups = 1;
-
-  // APIVersions is the API versions the resources belong to. '*' is all versions.
-  // If '*' is present, the length of the slice must be one.
-  // Required.
-  repeated string apiVersions = 2;
-
-  // Resources is a list of resources this rule applies to.
-  //
-  // For example:
-  // 'pods' means pods.
-  // 'pods/log' means the log subresource of pods.
-  // '*' means all resources, but not subresources.
-  // 'pods/*' means all subresources of pods.
-  // '*/scale' means all scale subresources.
-  // '*/*' means all resources and their subresources.
-  //
-  // If wildcard is present, the validation rule will ensure resources do not
-  // overlap with each other.
-  //
-  // Depending on the enclosing object, subresources might not be allowed.
-  // Required.
-  repeated string resources = 3;
-
-  // scope specifies the scope of this rule.
-  // Valid values are "Cluster", "Namespaced", and "*"
-  // "Cluster" means that only cluster-scoped resources will match this rule.
-  // Namespace API objects are cluster-scoped.
-  // "Namespaced" means that only namespaced resources will match this rule.
-  // "*" means that there are no scope restrictions.
-  // Subresources match the scope of their parent resource.
-  // Default is "*".
-  //
-  // +optional
-  optional string scope = 4;
-}
-
-// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
-// sure that all the tuple expansions are valid.
-message RuleWithOperations {
-  // Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
-  // for all of those operations and any future admission operations that are added.
-  // If '*' is present, the length of the slice must be one.
-  // Required.
-  repeated string operations = 1;
-
-  // Rule is embedded, it describes other criteria of the rule, like
-  // APIGroups, APIVersions, Resources, etc.
-  optional Rule rule = 2;
-}
-
-// ServiceReference holds a reference to Service.legacy.k8s.io
-message ServiceReference {
-  // `namespace` is the namespace of the service.
-  // Required
-  optional string namespace = 1;
-
-  // `name` is the name of the service.
-  // Required
-  optional string name = 2;
-
-  // `path` is an optional URL path which will be sent in any request to
-  // this service.
-  // +optional
-  optional string path = 3;
-
-  // If specified, the port on the service that hosting webhook.
-  // Default to 443 for backward compatibility.
-  // `port` should be a valid port number (1-65535, inclusive).
-  // +optional
-  optional int32 port = 4;
-}
-
-// ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
-message ValidatingWebhook {
-  // The name of the admission webhook.
-  // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
-  // "imagepolicy" is the name of the webhook, and kubernetes.io is the name
-  // of the organization.
-  // Required.
-  optional string name = 1;
-
-  // ClientConfig defines how to communicate with the hook.
-  // Required
-  optional WebhookClientConfig clientConfig = 2;
-
-  // Rules describes what operations on what resources/subresources the webhook cares about.
-  // The webhook cares about an operation if it matches _any_ Rule.
-  // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
-  // from putting the cluster in a state which cannot be recovered from without completely
-  // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
-  // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
-  repeated RuleWithOperations rules = 3;
-
-  // FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
-  // allowed values are Ignore or Fail. Defaults to Fail.
-  // +optional
-  optional string failurePolicy = 4;
-
-  // matchPolicy defines how the "rules" list is used to match incoming requests.
-  // Allowed values are "Exact" or "Equivalent".
-  //
-  // - Exact: match a request only if it exactly matches a specified rule.
-  // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
-  // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
-  // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
-  //
-  // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
-  // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
-  // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
-  // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
-  //
-  // Defaults to "Equivalent"
-  // +optional
-  optional string matchPolicy = 9;
-
-  // NamespaceSelector decides whether to run the webhook on an object based
-  // on whether the namespace for that object matches the selector. If the
-  // object itself is a namespace, the matching is performed on
-  // object.metadata.labels. If the object is another cluster scoped resource,
-  // it never skips the webhook.
-  //
-  // For example, to run the webhook on any objects whose namespace is not
-  // associated with "runlevel" of "0" or "1";  you will set the selector as
-  // follows:
-  // "namespaceSelector": {
-  //   "matchExpressions": [
-  //     {
-  //       "key": "runlevel",
-  //       "operator": "NotIn",
-  //       "values": [
-  //         "0",
-  //         "1"
-  //       ]
-  //     }
-  //   ]
-  // }
-  //
-  // If instead you want to only run the webhook on any objects whose
-  // namespace is associated with the "environment" of "prod" or "staging";
-  // you will set the selector as follows:
-  // "namespaceSelector": {
-  //   "matchExpressions": [
-  //     {
-  //       "key": "environment",
-  //       "operator": "In",
-  //       "values": [
-  //         "prod",
-  //         "staging"
-  //       ]
-  //     }
-  //   ]
-  // }
-  //
-  // See
-  // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
-  // for more examples of label selectors.
-  //
-  // Default to the empty LabelSelector, which matches everything.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 5;
-
-  // ObjectSelector decides whether to run the webhook based on if the
-  // object has matching labels. objectSelector is evaluated against both
-  // the oldObject and newObject that would be sent to the webhook, and
-  // is considered to match if either object matches the selector. A null
-  // object (oldObject in the case of create, or newObject in the case of
-  // delete) or an object that cannot have labels (like a
-  // DeploymentRollback or a PodProxyOptions object) is not considered to
-  // match.
-  // Use the object selector only if the webhook is opt-in, because end
-  // users may skip the admission webhook by setting the labels.
-  // Default to the empty LabelSelector, which matches everything.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector objectSelector = 10;
-
-  // SideEffects states whether this webhook has side effects.
-  // Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
-  // Webhooks with side effects MUST implement a reconciliation system, since a request may be
-  // rejected by a future step in the admission chain and the side effects therefore need to be undone.
-  // Requests with the dryRun attribute will be auto-rejected if they match a webhook with
-  // sideEffects == Unknown or Some.
-  optional string sideEffects = 6;
-
-  // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
-  // the webhook call will be ignored or the API call will fail based on the
-  // failure policy.
-  // The timeout value must be between 1 and 30 seconds.
-  // Default to 10 seconds.
-  // +optional
-  optional int32 timeoutSeconds = 7;
-
-  // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
-  // versions the Webhook expects. API server will try to use first version in
-  // the list which it supports. If none of the versions specified in this list
-  // supported by API server, validation will fail for this object.
-  // If a persisted webhook configuration specifies allowed versions and does not
-  // include any versions known to the API Server, calls to the webhook will fail
-  // and be subject to the failure policy.
-  repeated string admissionReviewVersions = 8;
-}
-
-// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
-message ValidatingWebhookConfiguration {
-  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Webhooks is a list of webhooks and the affected resources and operations.
-  // +optional
-  // +patchMergeKey=name
-  // +patchStrategy=merge
-  repeated ValidatingWebhook Webhooks = 2;
-}
-
-// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.
-message ValidatingWebhookConfigurationList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // List of ValidatingWebhookConfiguration.
-  repeated ValidatingWebhookConfiguration items = 2;
-}
-
-// WebhookClientConfig contains the information to make a TLS
-// connection with the webhook
-message WebhookClientConfig {
-  // `url` gives the location of the webhook, in standard URL form
-  // (`scheme://host:port/path`). Exactly one of `url` or `service`
-  // must be specified.
-  //
-  // The `host` should not refer to a service running in the cluster; use
-  // the `service` field instead. The host might be resolved via external
-  // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
-  // in-cluster DNS as that would be a layering violation). `host` may
-  // also be an IP address.
-  //
-  // Please note that using `localhost` or `127.0.0.1` as a `host` is
-  // risky unless you take great care to run this webhook on all hosts
-  // which run an apiserver which might need to make calls to this
-  // webhook. Such installs are likely to be non-portable, i.e., not easy
-  // to turn up in a new cluster.
-  //
-  // The scheme must be "https"; the URL must begin with "https://".
-  //
-  // A path is optional, and if present may be any string permissible in
-  // a URL. You may use the path to pass an arbitrary string to the
-  // webhook, for example, a cluster identifier.
-  //
-  // Attempting to use a user or basic auth e.g. "user:password@" is not
-  // allowed. Fragments ("#...") and query parameters ("?...") are not
-  // allowed, either.
-  //
-  // +optional
-  optional string url = 3;
-
-  // `service` is a reference to the service for this webhook. Either
-  // `service` or `url` must be specified.
-  //
-  // If the webhook is running within the cluster, then you should use `service`.
-  //
-  // +optional
-  optional ServiceReference service = 1;
-
-  // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
-  // If unspecified, system trust roots on the apiserver are used.
-  // +optional
-  optional bytes caBundle = 2;
-}
-
--- a/common-protos/k8s.io/api/admissionregistration/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/admissionregistration/v1beta1/generated.proto
@ -1,487 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.admissionregistration.v1beta1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/admissionregistration/v1beta1";
-
-// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
-message MutatingWebhook {
-  // The name of the admission webhook.
-  // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
-  // "imagepolicy" is the name of the webhook, and kubernetes.io is the name
-  // of the organization.
-  // Required.
-  optional string name = 1;
-
-  // ClientConfig defines how to communicate with the hook.
-  // Required
-  optional WebhookClientConfig clientConfig = 2;
-
-  // Rules describes what operations on what resources/subresources the webhook cares about.
-  // The webhook cares about an operation if it matches _any_ Rule.
-  // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
-  // from putting the cluster in a state which cannot be recovered from without completely
-  // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
-  // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
-  repeated RuleWithOperations rules = 3;
-
-  // FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
-  // allowed values are Ignore or Fail. Defaults to Ignore.
-  // +optional
-  optional string failurePolicy = 4;
-
-  // matchPolicy defines how the "rules" list is used to match incoming requests.
-  // Allowed values are "Exact" or "Equivalent".
-  //
-  // - Exact: match a request only if it exactly matches a specified rule.
-  // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
-  // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
-  // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
-  //
-  // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
-  // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
-  // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
-  // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
-  //
-  // Defaults to "Exact"
-  // +optional
-  optional string matchPolicy = 9;
-
-  // NamespaceSelector decides whether to run the webhook on an object based
-  // on whether the namespace for that object matches the selector. If the
-  // object itself is a namespace, the matching is performed on
-  // object.metadata.labels. If the object is another cluster scoped resource,
-  // it never skips the webhook.
-  //
-  // For example, to run the webhook on any objects whose namespace is not
-  // associated with "runlevel" of "0" or "1";  you will set the selector as
-  // follows:
-  // "namespaceSelector": {
-  //   "matchExpressions": [
-  //     {
-  //       "key": "runlevel",
-  //       "operator": "NotIn",
-  //       "values": [
-  //         "0",
-  //         "1"
-  //       ]
-  //     }
-  //   ]
-  // }
-  //
-  // If instead you want to only run the webhook on any objects whose
-  // namespace is associated with the "environment" of "prod" or "staging";
-  // you will set the selector as follows:
-  // "namespaceSelector": {
-  //   "matchExpressions": [
-  //     {
-  //       "key": "environment",
-  //       "operator": "In",
-  //       "values": [
-  //         "prod",
-  //         "staging"
-  //       ]
-  //     }
-  //   ]
-  // }
-  //
-  // See
-  // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
-  // for more examples of label selectors.
-  //
-  // Default to the empty LabelSelector, which matches everything.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 5;
-
-  // ObjectSelector decides whether to run the webhook based on if the
-  // object has matching labels. objectSelector is evaluated against both
-  // the oldObject and newObject that would be sent to the webhook, and
-  // is considered to match if either object matches the selector. A null
-  // object (oldObject in the case of create, or newObject in the case of
-  // delete) or an object that cannot have labels (like a
-  // DeploymentRollback or a PodProxyOptions object) is not considered to
-  // match.
-  // Use the object selector only if the webhook is opt-in, because end
-  // users may skip the admission webhook by setting the labels.
-  // Default to the empty LabelSelector, which matches everything.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector objectSelector = 11;
-
-  // SideEffects states whether this webhook has side effects.
-  // Acceptable values are: Unknown, None, Some, NoneOnDryRun
-  // Webhooks with side effects MUST implement a reconciliation system, since a request may be
-  // rejected by a future step in the admission chain and the side effects therefore need to be undone.
-  // Requests with the dryRun attribute will be auto-rejected if they match a webhook with
-  // sideEffects == Unknown or Some. Defaults to Unknown.
-  // +optional
-  optional string sideEffects = 6;
-
-  // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
-  // the webhook call will be ignored or the API call will fail based on the
-  // failure policy.
-  // The timeout value must be between 1 and 30 seconds.
-  // Default to 30 seconds.
-  // +optional
-  optional int32 timeoutSeconds = 7;
-
-  // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
-  // versions the Webhook expects. API server will try to use first version in
-  // the list which it supports. If none of the versions specified in this list
-  // supported by API server, validation will fail for this object.
-  // If a persisted webhook configuration specifies allowed versions and does not
-  // include any versions known to the API Server, calls to the webhook will fail
-  // and be subject to the failure policy.
-  // Default to `['v1beta1']`.
-  // +optional
-  repeated string admissionReviewVersions = 8;
-
-  // reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
-  // Allowed values are "Never" and "IfNeeded".
-  //
-  // Never: the webhook will not be called more than once in a single admission evaluation.
-  //
-  // IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
-  // if the object being admitted is modified by other admission plugins after the initial webhook call.
-  // Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
-  // Note:
-  // * the number of additional invocations is not guaranteed to be exactly one.
-  // * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
-  // * webhooks that use this option may be reordered to minimize the number of additional invocations.
-  // * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
-  //
-  // Defaults to "Never".
-  // +optional
-  optional string reinvocationPolicy = 10;
-}
-
-// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
-// Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration instead.
-message MutatingWebhookConfiguration {
-  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Webhooks is a list of webhooks and the affected resources and operations.
-  // +optional
-  // +patchMergeKey=name
-  // +patchStrategy=merge
-  repeated MutatingWebhook Webhooks = 2;
-}
-
-// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.
-message MutatingWebhookConfigurationList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // List of MutatingWebhookConfiguration.
-  repeated MutatingWebhookConfiguration items = 2;
-}
-
-// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
-// to make sure that all the tuple expansions are valid.
-message Rule {
-  // APIGroups is the API groups the resources belong to. '*' is all groups.
-  // If '*' is present, the length of the slice must be one.
-  // Required.
-  repeated string apiGroups = 1;
-
-  // APIVersions is the API versions the resources belong to. '*' is all versions.
-  // If '*' is present, the length of the slice must be one.
-  // Required.
-  repeated string apiVersions = 2;
-
-  // Resources is a list of resources this rule applies to.
-  //
-  // For example:
-  // 'pods' means pods.
-  // 'pods/log' means the log subresource of pods.
-  // '*' means all resources, but not subresources.
-  // 'pods/*' means all subresources of pods.
-  // '*/scale' means all scale subresources.
-  // '*/*' means all resources and their subresources.
-  //
-  // If wildcard is present, the validation rule will ensure resources do not
-  // overlap with each other.
-  //
-  // Depending on the enclosing object, subresources might not be allowed.
-  // Required.
-  repeated string resources = 3;
-
-  // scope specifies the scope of this rule.
-  // Valid values are "Cluster", "Namespaced", and "*"
-  // "Cluster" means that only cluster-scoped resources will match this rule.
-  // Namespace API objects are cluster-scoped.
-  // "Namespaced" means that only namespaced resources will match this rule.
-  // "*" means that there are no scope restrictions.
-  // Subresources match the scope of their parent resource.
-  // Default is "*".
-  //
-  // +optional
-  optional string scope = 4;
-}
-
-// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
-// sure that all the tuple expansions are valid.
-message RuleWithOperations {
-  // Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
-  // for all of those operations and any future admission operations that are added.
-  // If '*' is present, the length of the slice must be one.
-  // Required.
-  repeated string operations = 1;
-
-  // Rule is embedded, it describes other criteria of the rule, like
-  // APIGroups, APIVersions, Resources, etc.
-  optional Rule rule = 2;
-}
-
-// ServiceReference holds a reference to Service.legacy.k8s.io
-message ServiceReference {
-  // `namespace` is the namespace of the service.
-  // Required
-  optional string namespace = 1;
-
-  // `name` is the name of the service.
-  // Required
-  optional string name = 2;
-
-  // `path` is an optional URL path which will be sent in any request to
-  // this service.
-  // +optional
-  optional string path = 3;
-
-  // If specified, the port on the service that hosting webhook.
-  // Default to 443 for backward compatibility.
-  // `port` should be a valid port number (1-65535, inclusive).
-  // +optional
-  optional int32 port = 4;
-}
-
-// ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
-message ValidatingWebhook {
-  // The name of the admission webhook.
-  // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
-  // "imagepolicy" is the name of the webhook, and kubernetes.io is the name
-  // of the organization.
-  // Required.
-  optional string name = 1;
-
-  // ClientConfig defines how to communicate with the hook.
-  // Required
-  optional WebhookClientConfig clientConfig = 2;
-
-  // Rules describes what operations on what resources/subresources the webhook cares about.
-  // The webhook cares about an operation if it matches _any_ Rule.
-  // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
-  // from putting the cluster in a state which cannot be recovered from without completely
-  // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
-  // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
-  repeated RuleWithOperations rules = 3;
-
-  // FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
-  // allowed values are Ignore or Fail. Defaults to Ignore.
-  // +optional
-  optional string failurePolicy = 4;
-
-  // matchPolicy defines how the "rules" list is used to match incoming requests.
-  // Allowed values are "Exact" or "Equivalent".
-  //
-  // - Exact: match a request only if it exactly matches a specified rule.
-  // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
-  // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
-  // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
-  //
-  // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
-  // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
-  // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
-  // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
-  //
-  // Defaults to "Exact"
-  // +optional
-  optional string matchPolicy = 9;
-
-  // NamespaceSelector decides whether to run the webhook on an object based
-  // on whether the namespace for that object matches the selector. If the
-  // object itself is a namespace, the matching is performed on
-  // object.metadata.labels. If the object is another cluster scoped resource,
-  // it never skips the webhook.
-  //
-  // For example, to run the webhook on any objects whose namespace is not
-  // associated with "runlevel" of "0" or "1";  you will set the selector as
-  // follows:
-  // "namespaceSelector": {
-  //   "matchExpressions": [
-  //     {
-  //       "key": "runlevel",
-  //       "operator": "NotIn",
-  //       "values": [
-  //         "0",
-  //         "1"
-  //       ]
-  //     }
-  //   ]
-  // }
-  //
-  // If instead you want to only run the webhook on any objects whose
-  // namespace is associated with the "environment" of "prod" or "staging";
-  // you will set the selector as follows:
-  // "namespaceSelector": {
-  //   "matchExpressions": [
-  //     {
-  //       "key": "environment",
-  //       "operator": "In",
-  //       "values": [
-  //         "prod",
-  //         "staging"
-  //       ]
-  //     }
-  //   ]
-  // }
-  //
-  // See
-  // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
-  // for more examples of label selectors.
-  //
-  // Default to the empty LabelSelector, which matches everything.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 5;
-
-  // ObjectSelector decides whether to run the webhook based on if the
-  // object has matching labels. objectSelector is evaluated against both
-  // the oldObject and newObject that would be sent to the webhook, and
-  // is considered to match if either object matches the selector. A null
-  // object (oldObject in the case of create, or newObject in the case of
-  // delete) or an object that cannot have labels (like a
-  // DeploymentRollback or a PodProxyOptions object) is not considered to
-  // match.
-  // Use the object selector only if the webhook is opt-in, because end
-  // users may skip the admission webhook by setting the labels.
-  // Default to the empty LabelSelector, which matches everything.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector objectSelector = 10;
-
-  // SideEffects states whether this webhook has side effects.
-  // Acceptable values are: Unknown, None, Some, NoneOnDryRun
-  // Webhooks with side effects MUST implement a reconciliation system, since a request may be
-  // rejected by a future step in the admission chain and the side effects therefore need to be undone.
-  // Requests with the dryRun attribute will be auto-rejected if they match a webhook with
-  // sideEffects == Unknown or Some. Defaults to Unknown.
-  // +optional
-  optional string sideEffects = 6;
-
-  // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
-  // the webhook call will be ignored or the API call will fail based on the
-  // failure policy.
-  // The timeout value must be between 1 and 30 seconds.
-  // Default to 30 seconds.
-  // +optional
-  optional int32 timeoutSeconds = 7;
-
-  // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
-  // versions the Webhook expects. API server will try to use first version in
-  // the list which it supports. If none of the versions specified in this list
-  // supported by API server, validation will fail for this object.
-  // If a persisted webhook configuration specifies allowed versions and does not
-  // include any versions known to the API Server, calls to the webhook will fail
-  // and be subject to the failure policy.
-  // Default to `['v1beta1']`.
-  // +optional
-  repeated string admissionReviewVersions = 8;
-}
-
-// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
-// Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration instead.
-message ValidatingWebhookConfiguration {
-  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Webhooks is a list of webhooks and the affected resources and operations.
-  // +optional
-  // +patchMergeKey=name
-  // +patchStrategy=merge
-  repeated ValidatingWebhook Webhooks = 2;
-}
-
-// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.
-message ValidatingWebhookConfigurationList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // List of ValidatingWebhookConfiguration.
-  repeated ValidatingWebhookConfiguration items = 2;
-}
-
-// WebhookClientConfig contains the information to make a TLS
-// connection with the webhook
-message WebhookClientConfig {
-  // `url` gives the location of the webhook, in standard URL form
-  // (`scheme://host:port/path`). Exactly one of `url` or `service`
-  // must be specified.
-  //
-  // The `host` should not refer to a service running in the cluster; use
-  // the `service` field instead. The host might be resolved via external
-  // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
-  // in-cluster DNS as that would be a layering violation). `host` may
-  // also be an IP address.
-  //
-  // Please note that using `localhost` or `127.0.0.1` as a `host` is
-  // risky unless you take great care to run this webhook on all hosts
-  // which run an apiserver which might need to make calls to this
-  // webhook. Such installs are likely to be non-portable, i.e., not easy
-  // to turn up in a new cluster.
-  //
-  // The scheme must be "https"; the URL must begin with "https://".
-  //
-  // A path is optional, and if present may be any string permissible in
-  // a URL. You may use the path to pass an arbitrary string to the
-  // webhook, for example, a cluster identifier.
-  //
-  // Attempting to use a user or basic auth e.g. "user:password@" is not
-  // allowed. Fragments ("#...") and query parameters ("?...") are not
-  // allowed, either.
-  //
-  // +optional
-  optional string url = 3;
-
-  // `service` is a reference to the service for this webhook. Either
-  // `service` or `url` must be specified.
-  //
-  // If the webhook is running within the cluster, then you should use `service`.
-  //
-  // +optional
-  optional ServiceReference service = 1;
-
-  // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
-  // If unspecified, system trust roots on the apiserver are used.
-  // +optional
-  optional bytes caBundle = 2;
-}
-
--- a/common-protos/k8s.io/api/apiserverinternal/v1alpha1/generated.proto
+++ b/common-protos/k8s.io/api/apiserverinternal/v1alpha1/generated.proto
@ -1,124 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.apiserverinternal.v1alpha1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/apiserverinternal/v1alpha1";
-
-// An API server instance reports the version it can decode and the version it
-// encodes objects to when persisting objects in the backend.
-message ServerStorageVersion {
-  // The ID of the reporting API server.
-  optional string apiServerID = 1;
-
-  // The API server encodes the object to this version when persisting it in
-  // the backend (e.g., etcd).
-  optional string encodingVersion = 2;
-
-  // The API server can decode objects encoded in these versions.
-  // The encodingVersion must be included in the decodableVersions.
-  // +listType=set
-  repeated string decodableVersions = 3;
-}
-
-//  Storage version of a specific resource.
-message StorageVersion {
-  // The name is <group>.<resource>.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec is an empty spec. It is here to comply with Kubernetes API style.
-  optional StorageVersionSpec spec = 2;
-
-  // API server instances report the version they can decode and the version they
-  // encode objects to when persisting objects in the backend.
-  optional StorageVersionStatus status = 3;
-}
-
-// Describes the state of the storageVersion at a certain point.
-message StorageVersionCondition {
-  // Type of the condition.
-  // +required
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  // +required
-  optional string status = 2;
-
-  // If set, this represents the .metadata.generation that the condition was set based upon.
-  // +optional
-  optional int64 observedGeneration = 3;
-
-  // Last time the condition transitioned from one status to another.
-  // +required
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 4;
-
-  // The reason for the condition's last transition.
-  // +required
-  optional string reason = 5;
-
-  // A human readable message indicating details about the transition.
-  // +required
-  optional string message = 6;
-}
-
-// A list of StorageVersions.
-message StorageVersionList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items holds a list of StorageVersion
-  repeated StorageVersion items = 2;
-}
-
-// StorageVersionSpec is an empty spec.
-message StorageVersionSpec {
-}
-
-// API server instances report the versions they can decode and the version they
-// encode objects to when persisting objects in the backend.
-message StorageVersionStatus {
-  // The reported versions per API server instance.
-  // +optional
-  // +listType=map
-  // +listMapKey=apiServerID
-  repeated ServerStorageVersion storageVersions = 1;
-
-  // If all API server instances agree on the same encoding storage version,
-  // then this field is set to that version. Otherwise this field is left empty.
-  // API servers should finish updating its storageVersionStatus entry before
-  // serving write operations, so that this field will be in sync with the reality.
-  // +optional
-  optional string commonEncodingVersion = 2;
-
-  // The latest available observations of the storageVersion's state.
-  // +optional
-  // +listType=map
-  // +listMapKey=type
-  repeated StorageVersionCondition conditions = 3;
-}
-
--- a/common-protos/k8s.io/api/apps/v1/generated.proto
+++ b/common-protos/k8s.io/api/apps/v1/generated.proto
@ -1,767 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.apps.v1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/apps/v1";
-
-// ControllerRevision implements an immutable snapshot of state data. Clients
-// are responsible for serializing and deserializing the objects that contain
-// their internal state.
-// Once a ControllerRevision has been successfully created, it can not be updated.
-// The API Server will fail validation of all requests that attempt to mutate
-// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
-// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
-// it may be subject to name and representation changes in future releases, and clients should not
-// depend on its stability. It is primarily for internal use by controllers.
-message ControllerRevision {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Data is the serialized representation of the state.
-  optional k8s.io.apimachinery.pkg.runtime.RawExtension data = 2;
-
-  // Revision indicates the revision of the state represented by Data.
-  optional int64 revision = 3;
-}
-
-// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
-message ControllerRevisionList {
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of ControllerRevisions
-  repeated ControllerRevision items = 2;
-}
-
-// DaemonSet represents the configuration of a daemon set.
-message DaemonSet {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // The desired behavior of this daemon set.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional DaemonSetSpec spec = 2;
-
-  // The current status of this daemon set. This data may be
-  // out of date by some window of time.
-  // Populated by the system.
-  // Read-only.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional DaemonSetStatus status = 3;
-}
-
-// DaemonSetCondition describes the state of a DaemonSet at a certain point.
-message DaemonSetCondition {
-  // Type of DaemonSet condition.
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  optional string status = 2;
-
-  // Last time the condition transitioned from one status to another.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // The reason for the condition's last transition.
-  // +optional
-  optional string reason = 4;
-
-  // A human readable message indicating details about the transition.
-  // +optional
-  optional string message = 5;
-}
-
-// DaemonSetList is a collection of daemon sets.
-message DaemonSetList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // A list of daemon sets.
-  repeated DaemonSet items = 2;
-}
-
-// DaemonSetSpec is the specification of a daemon set.
-message DaemonSetSpec {
-  // A label query over pods that are managed by the daemon set.
-  // Must match in order to be controlled.
-  // It must match the pod template's labels.
-  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 1;
-
-  // An object that describes the pod that will be created.
-  // The DaemonSet will create exactly one copy of this pod on every node
-  // that matches the template's node selector (or on every node if no node
-  // selector is specified).
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
-  optional k8s.io.api.core.v1.PodTemplateSpec template = 2;
-
-  // An update strategy to replace existing DaemonSet pods with new pods.
-  // +optional
-  optional DaemonSetUpdateStrategy updateStrategy = 3;
-
-  // The minimum number of seconds for which a newly created DaemonSet pod should
-  // be ready without any of its container crashing, for it to be considered
-  // available. Defaults to 0 (pod will be considered available as soon as it
-  // is ready).
-  // +optional
-  optional int32 minReadySeconds = 4;
-
-  // The number of old history to retain to allow rollback.
-  // This is a pointer to distinguish between explicit zero and not specified.
-  // Defaults to 10.
-  // +optional
-  optional int32 revisionHistoryLimit = 6;
-}
-
-// DaemonSetStatus represents the current status of a daemon set.
-message DaemonSetStatus {
-  // The number of nodes that are running at least 1
-  // daemon pod and are supposed to run the daemon pod.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
-  optional int32 currentNumberScheduled = 1;
-
-  // The number of nodes that are running the daemon pod, but are
-  // not supposed to run the daemon pod.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
-  optional int32 numberMisscheduled = 2;
-
-  // The total number of nodes that should be running the daemon
-  // pod (including nodes correctly running the daemon pod).
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
-  optional int32 desiredNumberScheduled = 3;
-
-  // numberReady is the number of nodes that should be running the daemon pod and have one
-  // or more of the daemon pod running with a Ready Condition.
-  optional int32 numberReady = 4;
-
-  // The most recent generation observed by the daemon set controller.
-  // +optional
-  optional int64 observedGeneration = 5;
-
-  // The total number of nodes that are running updated daemon pod
-  // +optional
-  optional int32 updatedNumberScheduled = 6;
-
-  // The number of nodes that should be running the
-  // daemon pod and have one or more of the daemon pod running and
-  // available (ready for at least spec.minReadySeconds)
-  // +optional
-  optional int32 numberAvailable = 7;
-
-  // The number of nodes that should be running the
-  // daemon pod and have none of the daemon pod running and available
-  // (ready for at least spec.minReadySeconds)
-  // +optional
-  optional int32 numberUnavailable = 8;
-
-  // Count of hash collisions for the DaemonSet. The DaemonSet controller
-  // uses this field as a collision avoidance mechanism when it needs to
-  // create the name for the newest ControllerRevision.
-  // +optional
-  optional int32 collisionCount = 9;
-
-  // Represents the latest available observations of a DaemonSet's current state.
-  // +optional
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  repeated DaemonSetCondition conditions = 10;
-}
-
-// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
-message DaemonSetUpdateStrategy {
-  // Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
-  // +optional
-  optional string type = 1;
-
-  // Rolling update config params. Present only if type = "RollingUpdate".
-  // ---
-  // TODO: Update this to follow our convention for oneOf, whatever we decide it
-  // to be. Same as Deployment `strategy.rollingUpdate`.
-  // See https://github.com/kubernetes/kubernetes/issues/35345
-  // +optional
-  optional RollingUpdateDaemonSet rollingUpdate = 2;
-}
-
-// Deployment enables declarative updates for Pods and ReplicaSets.
-message Deployment {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired behavior of the Deployment.
-  // +optional
-  optional DeploymentSpec spec = 2;
-
-  // Most recently observed status of the Deployment.
-  // +optional
-  optional DeploymentStatus status = 3;
-}
-
-// DeploymentCondition describes the state of a deployment at a certain point.
-message DeploymentCondition {
-  // Type of deployment condition.
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  optional string status = 2;
-
-  // The last time this condition was updated.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 6;
-
-  // Last time the condition transitioned from one status to another.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 7;
-
-  // The reason for the condition's last transition.
-  optional string reason = 4;
-
-  // A human readable message indicating details about the transition.
-  optional string message = 5;
-}
-
-// DeploymentList is a list of Deployments.
-message DeploymentList {
-  // Standard list metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of Deployments.
-  repeated Deployment items = 2;
-}
-
-// DeploymentSpec is the specification of the desired behavior of the Deployment.
-message DeploymentSpec {
-  // Number of desired pods. This is a pointer to distinguish between explicit
-  // zero and not specified. Defaults to 1.
-  // +optional
-  optional int32 replicas = 1;
-
-  // Label selector for pods. Existing ReplicaSets whose pods are
-  // selected by this will be the ones affected by this deployment.
-  // It must match the pod template's labels.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
-
-  // Template describes the pods that will be created.
-  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
-
-  // The deployment strategy to use to replace existing pods with new ones.
-  // +optional
-  // +patchStrategy=retainKeys
-  optional DeploymentStrategy strategy = 4;
-
-  // Minimum number of seconds for which a newly created pod should be ready
-  // without any of its container crashing, for it to be considered available.
-  // Defaults to 0 (pod will be considered available as soon as it is ready)
-  // +optional
-  optional int32 minReadySeconds = 5;
-
-  // The number of old ReplicaSets to retain to allow rollback.
-  // This is a pointer to distinguish between explicit zero and not specified.
-  // Defaults to 10.
-  // +optional
-  optional int32 revisionHistoryLimit = 6;
-
-  // Indicates that the deployment is paused.
-  // +optional
-  optional bool paused = 7;
-
-  // The maximum time in seconds for a deployment to make progress before it
-  // is considered to be failed. The deployment controller will continue to
-  // process failed deployments and a condition with a ProgressDeadlineExceeded
-  // reason will be surfaced in the deployment status. Note that progress will
-  // not be estimated during the time a deployment is paused. Defaults to 600s.
-  optional int32 progressDeadlineSeconds = 9;
-}
-
-// DeploymentStatus is the most recently observed status of the Deployment.
-message DeploymentStatus {
-  // The generation observed by the deployment controller.
-  // +optional
-  optional int64 observedGeneration = 1;
-
-  // Total number of non-terminated pods targeted by this deployment (their labels match the selector).
-  // +optional
-  optional int32 replicas = 2;
-
-  // Total number of non-terminated pods targeted by this deployment that have the desired template spec.
-  // +optional
-  optional int32 updatedReplicas = 3;
-
-  // readyReplicas is the number of pods targeted by this Deployment with a Ready Condition.
-  // +optional
-  optional int32 readyReplicas = 7;
-
-  // Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
-  // +optional
-  optional int32 availableReplicas = 4;
-
-  // Total number of unavailable pods targeted by this deployment. This is the total number of
-  // pods that are still required for the deployment to have 100% available capacity. They may
-  // either be pods that are running but not yet available or pods that still have not been created.
-  // +optional
-  optional int32 unavailableReplicas = 5;
-
-  // Represents the latest available observations of a deployment's current state.
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  repeated DeploymentCondition conditions = 6;
-
-  // Count of hash collisions for the Deployment. The Deployment controller uses this
-  // field as a collision avoidance mechanism when it needs to create the name for the
-  // newest ReplicaSet.
-  // +optional
-  optional int32 collisionCount = 8;
-}
-
-// DeploymentStrategy describes how to replace existing pods with new ones.
-message DeploymentStrategy {
-  // Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
-  // +optional
-  optional string type = 1;
-
-  // Rolling update config params. Present only if DeploymentStrategyType =
-  // RollingUpdate.
-  // ---
-  // TODO: Update this to follow our convention for oneOf, whatever we decide it
-  // to be.
-  // +optional
-  optional RollingUpdateDeployment rollingUpdate = 2;
-}
-
-// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
-message ReplicaSet {
-  // If the Labels of a ReplicaSet are empty, they are defaulted to
-  // be the same as the Pod(s) that the ReplicaSet manages.
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec defines the specification of the desired behavior of the ReplicaSet.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional ReplicaSetSpec spec = 2;
-
-  // Status is the most recently observed status of the ReplicaSet.
-  // This data may be out of date by some window of time.
-  // Populated by the system.
-  // Read-only.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional ReplicaSetStatus status = 3;
-}
-
-// ReplicaSetCondition describes the state of a replica set at a certain point.
-message ReplicaSetCondition {
-  // Type of replica set condition.
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  optional string status = 2;
-
-  // The last time the condition transitioned from one status to another.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // The reason for the condition's last transition.
-  // +optional
-  optional string reason = 4;
-
-  // A human readable message indicating details about the transition.
-  // +optional
-  optional string message = 5;
-}
-
-// ReplicaSetList is a collection of ReplicaSets.
-message ReplicaSetList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // List of ReplicaSets.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
-  repeated ReplicaSet items = 2;
-}
-
-// ReplicaSetSpec is the specification of a ReplicaSet.
-message ReplicaSetSpec {
-  // Replicas is the number of desired replicas.
-  // This is a pointer to distinguish between explicit zero and unspecified.
-  // Defaults to 1.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
-  // +optional
-  optional int32 replicas = 1;
-
-  // Minimum number of seconds for which a newly created pod should be ready
-  // without any of its container crashing, for it to be considered available.
-  // Defaults to 0 (pod will be considered available as soon as it is ready)
-  // +optional
-  optional int32 minReadySeconds = 4;
-
-  // Selector is a label query over pods that should match the replica count.
-  // Label keys and values that must match in order to be controlled by this replica set.
-  // It must match the pod template's labels.
-  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
-
-  // Template is the object that describes the pod that will be created if
-  // insufficient replicas are detected.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
-  // +optional
-  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
-}
-
-// ReplicaSetStatus represents the current status of a ReplicaSet.
-message ReplicaSetStatus {
-  // Replicas is the most recently oberved number of replicas.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
-  optional int32 replicas = 1;
-
-  // The number of pods that have labels matching the labels of the pod template of the replicaset.
-  // +optional
-  optional int32 fullyLabeledReplicas = 2;
-
-  // readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition.
-  // +optional
-  optional int32 readyReplicas = 4;
-
-  // The number of available replicas (ready for at least minReadySeconds) for this replica set.
-  // +optional
-  optional int32 availableReplicas = 5;
-
-  // ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
-  // +optional
-  optional int64 observedGeneration = 3;
-
-  // Represents the latest available observations of a replica set's current state.
-  // +optional
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  repeated ReplicaSetCondition conditions = 6;
-}
-
-// Spec to control the desired behavior of daemon set rolling update.
-message RollingUpdateDaemonSet {
-  // The maximum number of DaemonSet pods that can be unavailable during the
-  // update. Value can be an absolute number (ex: 5) or a percentage of total
-  // number of DaemonSet pods at the start of the update (ex: 10%). Absolute
-  // number is calculated from percentage by rounding up.
-  // This cannot be 0 if MaxSurge is 0
-  // Default value is 1.
-  // Example: when this is set to 30%, at most 30% of the total number of nodes
-  // that should be running the daemon pod (i.e. status.desiredNumberScheduled)
-  // can have their pods stopped for an update at any given time. The update
-  // starts by stopping at most 30% of those DaemonSet pods and then brings
-  // up new DaemonSet pods in their place. Once the new pods are available,
-  // it then proceeds onto other DaemonSet pods, thus ensuring that at least
-  // 70% of original number of DaemonSet pods are available at all times during
-  // the update.
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 1;
-
-  // The maximum number of nodes with an existing available DaemonSet pod that
-  // can have an updated DaemonSet pod during during an update.
-  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
-  // This can not be 0 if MaxUnavailable is 0.
-  // Absolute number is calculated from percentage by rounding up to a minimum of 1.
-  // Default value is 0.
-  // Example: when this is set to 30%, at most 30% of the total number of nodes
-  // that should be running the daemon pod (i.e. status.desiredNumberScheduled)
-  // can have their a new pod created before the old pod is marked as deleted.
-  // The update starts by launching new pods on 30% of nodes. Once an updated
-  // pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
-  // on that node is marked deleted. If the old pod becomes unavailable for any
-  // reason (Ready transitions to false, is evicted, or is drained) an updated
-  // pod is immediatedly created on that node without considering surge limits.
-  // Allowing surge implies the possibility that the resources consumed by the
-  // daemonset on any given node can double if the readiness check fails, and
-  // so resource intensive daemonsets should take into account that they may
-  // cause evictions during disruption.
-  // This is beta field and enabled/disabled by DaemonSetUpdateSurge feature gate.
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxSurge = 2;
-}
-
-// Spec to control the desired behavior of rolling update.
-message RollingUpdateDeployment {
-  // The maximum number of pods that can be unavailable during the update.
-  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
-  // Absolute number is calculated from percentage by rounding down.
-  // This can not be 0 if MaxSurge is 0.
-  // Defaults to 25%.
-  // Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
-  // immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
-  // can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
-  // that the total number of pods available at all times during the update is at
-  // least 70% of desired pods.
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 1;
-
-  // The maximum number of pods that can be scheduled above the desired number of
-  // pods.
-  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
-  // This can not be 0 if MaxUnavailable is 0.
-  // Absolute number is calculated from percentage by rounding up.
-  // Defaults to 25%.
-  // Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
-  // the rolling update starts, such that the total number of old and new pods do not exceed
-  // 130% of desired pods. Once old pods have been killed,
-  // new ReplicaSet can be scaled up further, ensuring that total number of pods running
-  // at any time during the update is at most 130% of desired pods.
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxSurge = 2;
-}
-
-// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
-message RollingUpdateStatefulSetStrategy {
-  // Partition indicates the ordinal at which the StatefulSet should be
-  // partitioned.
-  // Default value is 0.
-  // +optional
-  optional int32 partition = 1;
-}
-
-// StatefulSet represents a set of pods with consistent identities.
-// Identities are defined as:
-//  - Network: A single stable DNS and hostname.
-//  - Storage: As many VolumeClaims as requested.
-// The StatefulSet guarantees that a given network identity will always
-// map to the same storage identity.
-message StatefulSet {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec defines the desired identities of pods in this set.
-  // +optional
-  optional StatefulSetSpec spec = 2;
-
-  // Status is the current status of Pods in this StatefulSet. This data
-  // may be out of date by some window of time.
-  // +optional
-  optional StatefulSetStatus status = 3;
-}
-
-// StatefulSetCondition describes the state of a statefulset at a certain point.
-message StatefulSetCondition {
-  // Type of statefulset condition.
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  optional string status = 2;
-
-  // Last time the condition transitioned from one status to another.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // The reason for the condition's last transition.
-  // +optional
-  optional string reason = 4;
-
-  // A human readable message indicating details about the transition.
-  // +optional
-  optional string message = 5;
-}
-
-// StatefulSetList is a collection of StatefulSets.
-message StatefulSetList {
-  // Standard list's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of stateful sets.
-  repeated StatefulSet items = 2;
-}
-
-// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
-// created from the StatefulSet VolumeClaimTemplates.
-message StatefulSetPersistentVolumeClaimRetentionPolicy {
-  // WhenDeleted specifies what happens to PVCs created from StatefulSet
-  // VolumeClaimTemplates when the StatefulSet is deleted. The default policy
-  // of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
-  // `Delete` policy causes those PVCs to be deleted.
-  optional string whenDeleted = 1;
-
-  // WhenScaled specifies what happens to PVCs created from StatefulSet
-  // VolumeClaimTemplates when the StatefulSet is scaled down. The default
-  // policy of `Retain` causes PVCs to not be affected by a scaledown. The
-  // `Delete` policy causes the associated PVCs for any excess pods above
-  // the replica count to be deleted.
-  optional string whenScaled = 2;
-}
-
-// A StatefulSetSpec is the specification of a StatefulSet.
-message StatefulSetSpec {
-  // replicas is the desired number of replicas of the given Template.
-  // These are replicas in the sense that they are instantiations of the
-  // same Template, but individual replicas also have a consistent identity.
-  // If unspecified, defaults to 1.
-  // TODO: Consider a rename of this field.
-  // +optional
-  optional int32 replicas = 1;
-
-  // selector is a label query over pods that should match the replica count.
-  // It must match the pod template's labels.
-  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
-
-  // template is the object that describes the pod that will be created if
-  // insufficient replicas are detected. Each pod stamped out by the StatefulSet
-  // will fulfill this Template, but have a unique identity from the rest
-  // of the StatefulSet.
-  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
-
-  // volumeClaimTemplates is a list of claims that pods are allowed to reference.
-  // The StatefulSet controller is responsible for mapping network identities to
-  // claims in a way that maintains the identity of a pod. Every claim in
-  // this list must have at least one matching (by name) volumeMount in one
-  // container in the template. A claim in this list takes precedence over
-  // any volumes in the template, with the same name.
-  // TODO: Define the behavior if a claim already exists with the same name.
-  // +optional
-  repeated k8s.io.api.core.v1.PersistentVolumeClaim volumeClaimTemplates = 4;
-
-  // serviceName is the name of the service that governs this StatefulSet.
-  // This service must exist before the StatefulSet, and is responsible for
-  // the network identity of the set. Pods get DNS/hostnames that follow the
-  // pattern: pod-specific-string.serviceName.default.svc.cluster.local
-  // where "pod-specific-string" is managed by the StatefulSet controller.
-  optional string serviceName = 5;
-
-  // podManagementPolicy controls how pods are created during initial scale up,
-  // when replacing pods on nodes, or when scaling down. The default policy is
-  // `OrderedReady`, where pods are created in increasing order (pod-0, then
-  // pod-1, etc) and the controller will wait until each pod is ready before
-  // continuing. When scaling down, the pods are removed in the opposite order.
-  // The alternative policy is `Parallel` which will create pods in parallel
-  // to match the desired scale without waiting, and on scale down will delete
-  // all pods at once.
-  // +optional
-  optional string podManagementPolicy = 6;
-
-  // updateStrategy indicates the StatefulSetUpdateStrategy that will be
-  // employed to update Pods in the StatefulSet when a revision is made to
-  // Template.
-  optional StatefulSetUpdateStrategy updateStrategy = 7;
-
-  // revisionHistoryLimit is the maximum number of revisions that will
-  // be maintained in the StatefulSet's revision history. The revision history
-  // consists of all revisions not represented by a currently applied
-  // StatefulSetSpec version. The default value is 10.
-  optional int32 revisionHistoryLimit = 8;
-
-  // Minimum number of seconds for which a newly created pod should be ready
-  // without any of its container crashing for it to be considered available.
-  // Defaults to 0 (pod will be considered available as soon as it is ready)
-  // This is an alpha field and requires enabling StatefulSetMinReadySeconds feature gate.
-  // +optional
-  optional int32 minReadySeconds = 9;
-
-  // persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
-  // volume claims created from volumeClaimTemplates. By default, all persistent
-  // volume claims are created as needed and retained until manually deleted. This
-  // policy allows the lifecycle to be altered, for example by deleting persistent
-  // volume claims when their stateful set is deleted, or when their pod is scaled
-  // down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled,
-  // which is alpha.  +optional
-  optional StatefulSetPersistentVolumeClaimRetentionPolicy persistentVolumeClaimRetentionPolicy = 10;
-}
-
-// StatefulSetStatus represents the current state of a StatefulSet.
-message StatefulSetStatus {
-  // observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
-  // StatefulSet's generation, which is updated on mutation by the API Server.
-  // +optional
-  optional int64 observedGeneration = 1;
-
-  // replicas is the number of Pods created by the StatefulSet controller.
-  optional int32 replicas = 2;
-
-  // readyReplicas is the number of pods created for this StatefulSet with a Ready Condition.
-  optional int32 readyReplicas = 3;
-
-  // currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
-  // indicated by currentRevision.
-  optional int32 currentReplicas = 4;
-
-  // updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
-  // indicated by updateRevision.
-  optional int32 updatedReplicas = 5;
-
-  // currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
-  // sequence [0,currentReplicas).
-  optional string currentRevision = 6;
-
-  // updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
-  // [replicas-updatedReplicas,replicas)
-  optional string updateRevision = 7;
-
-  // collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
-  // uses this field as a collision avoidance mechanism when it needs to create the name for the
-  // newest ControllerRevision.
-  // +optional
-  optional int32 collisionCount = 9;
-
-  // Represents the latest available observations of a statefulset's current state.
-  // +optional
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  repeated StatefulSetCondition conditions = 10;
-
-  // Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.
-  // This is a beta field and enabled/disabled by StatefulSetMinReadySeconds feature gate.
-  optional int32 availableReplicas = 11;
-}
-
-// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
-// controller will use to perform updates. It includes any additional parameters
-// necessary to perform the update for the indicated strategy.
-message StatefulSetUpdateStrategy {
-  // Type indicates the type of the StatefulSetUpdateStrategy.
-  // Default is RollingUpdate.
-  // +optional
-  optional string type = 1;
-
-  // RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
-  // +optional
-  optional RollingUpdateStatefulSetStrategy rollingUpdate = 2;
-}
-
--- a/common-protos/k8s.io/api/apps/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/apps/v1beta1/generated.proto
@ -1,518 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.apps.v1beta1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/apps/v1beta1";
-
-// DEPRECATED - This group version of ControllerRevision is deprecated by apps/v1beta2/ControllerRevision. See the
-// release notes for more information.
-// ControllerRevision implements an immutable snapshot of state data. Clients
-// are responsible for serializing and deserializing the objects that contain
-// their internal state.
-// Once a ControllerRevision has been successfully created, it can not be updated.
-// The API Server will fail validation of all requests that attempt to mutate
-// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
-// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
-// it may be subject to name and representation changes in future releases, and clients should not
-// depend on its stability. It is primarily for internal use by controllers.
-message ControllerRevision {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Data is the serialized representation of the state.
-  optional k8s.io.apimachinery.pkg.runtime.RawExtension data = 2;
-
-  // Revision indicates the revision of the state represented by Data.
-  optional int64 revision = 3;
-}
-
-// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
-message ControllerRevisionList {
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of ControllerRevisions
-  repeated ControllerRevision items = 2;
-}
-
-// DEPRECATED - This group version of Deployment is deprecated by apps/v1beta2/Deployment. See the release notes for
-// more information.
-// Deployment enables declarative updates for Pods and ReplicaSets.
-message Deployment {
-  // Standard object metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired behavior of the Deployment.
-  // +optional
-  optional DeploymentSpec spec = 2;
-
-  // Most recently observed status of the Deployment.
-  // +optional
-  optional DeploymentStatus status = 3;
-}
-
-// DeploymentCondition describes the state of a deployment at a certain point.
-message DeploymentCondition {
-  // Type of deployment condition.
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  optional string status = 2;
-
-  // The last time this condition was updated.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 6;
-
-  // Last time the condition transitioned from one status to another.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 7;
-
-  // The reason for the condition's last transition.
-  optional string reason = 4;
-
-  // A human readable message indicating details about the transition.
-  optional string message = 5;
-}
-
-// DeploymentList is a list of Deployments.
-message DeploymentList {
-  // Standard list metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of Deployments.
-  repeated Deployment items = 2;
-}
-
-// DEPRECATED.
-// DeploymentRollback stores the information required to rollback a deployment.
-message DeploymentRollback {
-  // Required: This must match the Name of a deployment.
-  optional string name = 1;
-
-  // The annotations to be updated to a deployment
-  // +optional
-  map<string, string> updatedAnnotations = 2;
-
-  // The config of this deployment rollback.
-  optional RollbackConfig rollbackTo = 3;
-}
-
-// DeploymentSpec is the specification of the desired behavior of the Deployment.
-message DeploymentSpec {
-  // Number of desired pods. This is a pointer to distinguish between explicit
-  // zero and not specified. Defaults to 1.
-  // +optional
-  optional int32 replicas = 1;
-
-  // Label selector for pods. Existing ReplicaSets whose pods are
-  // selected by this will be the ones affected by this deployment.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
-
-  // Template describes the pods that will be created.
-  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
-
-  // The deployment strategy to use to replace existing pods with new ones.
-  // +optional
-  // +patchStrategy=retainKeys
-  optional DeploymentStrategy strategy = 4;
-
-  // Minimum number of seconds for which a newly created pod should be ready
-  // without any of its container crashing, for it to be considered available.
-  // Defaults to 0 (pod will be considered available as soon as it is ready)
-  // +optional
-  optional int32 minReadySeconds = 5;
-
-  // The number of old ReplicaSets to retain to allow rollback.
-  // This is a pointer to distinguish between explicit zero and not specified.
-  // Defaults to 2.
-  // +optional
-  optional int32 revisionHistoryLimit = 6;
-
-  // Indicates that the deployment is paused.
-  // +optional
-  optional bool paused = 7;
-
-  // DEPRECATED.
-  // The config this deployment is rolling back to. Will be cleared after rollback is done.
-  // +optional
-  optional RollbackConfig rollbackTo = 8;
-
-  // The maximum time in seconds for a deployment to make progress before it
-  // is considered to be failed. The deployment controller will continue to
-  // process failed deployments and a condition with a ProgressDeadlineExceeded
-  // reason will be surfaced in the deployment status. Note that progress will
-  // not be estimated during the time a deployment is paused. Defaults to 600s.
-  // +optional
-  optional int32 progressDeadlineSeconds = 9;
-}
-
-// DeploymentStatus is the most recently observed status of the Deployment.
-message DeploymentStatus {
-  // The generation observed by the deployment controller.
-  // +optional
-  optional int64 observedGeneration = 1;
-
-  // Total number of non-terminated pods targeted by this deployment (their labels match the selector).
-  // +optional
-  optional int32 replicas = 2;
-
-  // Total number of non-terminated pods targeted by this deployment that have the desired template spec.
-  // +optional
-  optional int32 updatedReplicas = 3;
-
-  // readyReplicas is the number of pods targeted by this Deployment controller with a Ready Condition.
-  // +optional
-  optional int32 readyReplicas = 7;
-
-  // Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
-  // +optional
-  optional int32 availableReplicas = 4;
-
-  // Total number of unavailable pods targeted by this deployment. This is the total number of
-  // pods that are still required for the deployment to have 100% available capacity. They may
-  // either be pods that are running but not yet available or pods that still have not been created.
-  // +optional
-  optional int32 unavailableReplicas = 5;
-
-  // Represents the latest available observations of a deployment's current state.
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  repeated DeploymentCondition conditions = 6;
-
-  // Count of hash collisions for the Deployment. The Deployment controller uses this
-  // field as a collision avoidance mechanism when it needs to create the name for the
-  // newest ReplicaSet.
-  // +optional
-  optional int32 collisionCount = 8;
-}
-
-// DeploymentStrategy describes how to replace existing pods with new ones.
-message DeploymentStrategy {
-  // Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
-  // +optional
-  optional string type = 1;
-
-  // Rolling update config params. Present only if DeploymentStrategyType =
-  // RollingUpdate.
-  // ---
-  // TODO: Update this to follow our convention for oneOf, whatever we decide it
-  // to be.
-  // +optional
-  optional RollingUpdateDeployment rollingUpdate = 2;
-}
-
-// DEPRECATED.
-message RollbackConfig {
-  // The revision to rollback to. If set to 0, rollback to the last revision.
-  // +optional
-  optional int64 revision = 1;
-}
-
-// Spec to control the desired behavior of rolling update.
-message RollingUpdateDeployment {
-  // The maximum number of pods that can be unavailable during the update.
-  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
-  // Absolute number is calculated from percentage by rounding down.
-  // This can not be 0 if MaxSurge is 0.
-  // Defaults to 25%.
-  // Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
-  // immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
-  // can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
-  // that the total number of pods available at all times during the update is at
-  // least 70% of desired pods.
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 1;
-
-  // The maximum number of pods that can be scheduled above the desired number of
-  // pods.
-  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
-  // This can not be 0 if MaxUnavailable is 0.
-  // Absolute number is calculated from percentage by rounding up.
-  // Defaults to 25%.
-  // Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
-  // the rolling update starts, such that the total number of old and new pods do not exceed
-  // 130% of desired pods. Once old pods have been killed,
-  // new ReplicaSet can be scaled up further, ensuring that total number of pods running
-  // at any time during the update is at most 130% of desired pods.
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxSurge = 2;
-}
-
-// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
-message RollingUpdateStatefulSetStrategy {
-  // Partition indicates the ordinal at which the StatefulSet should be
-  // partitioned.
-  optional int32 partition = 1;
-}
-
-// Scale represents a scaling request for a resource.
-message Scale {
-  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
-  // +optional
-  optional ScaleSpec spec = 2;
-
-  // current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.
-  // +optional
-  optional ScaleStatus status = 3;
-}
-
-// ScaleSpec describes the attributes of a scale subresource
-message ScaleSpec {
-  // desired number of instances for the scaled object.
-  // +optional
-  optional int32 replicas = 1;
-}
-
-// ScaleStatus represents the current status of a scale subresource.
-message ScaleStatus {
-  // actual number of observed instances of the scaled object.
-  optional int32 replicas = 1;
-
-  // label query over pods that should match the replicas count. More info: http://kubernetes.io/docs/user-guide/labels#label-selectors
-  // +optional
-  map<string, string> selector = 2;
-
-  // label selector for pods that should match the replicas count. This is a serializated
-  // version of both map-based and more expressive set-based selectors. This is done to
-  // avoid introspection in the clients. The string will be in the same format as the
-  // query-param syntax. If the target type only supports map-based selectors, both this
-  // field and map-based selector field are populated.
-  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
-  // +optional
-  optional string targetSelector = 3;
-}
-
-// DEPRECATED - This group version of StatefulSet is deprecated by apps/v1beta2/StatefulSet. See the release notes for
-// more information.
-// StatefulSet represents a set of pods with consistent identities.
-// Identities are defined as:
-//  - Network: A single stable DNS and hostname.
-//  - Storage: As many VolumeClaims as requested.
-// The StatefulSet guarantees that a given network identity will always
-// map to the same storage identity.
-message StatefulSet {
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec defines the desired identities of pods in this set.
-  // +optional
-  optional StatefulSetSpec spec = 2;
-
-  // Status is the current status of Pods in this StatefulSet. This data
-  // may be out of date by some window of time.
-  // +optional
-  optional StatefulSetStatus status = 3;
-}
-
-// StatefulSetCondition describes the state of a statefulset at a certain point.
-message StatefulSetCondition {
-  // Type of statefulset condition.
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  optional string status = 2;
-
-  // Last time the condition transitioned from one status to another.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // The reason for the condition's last transition.
-  // +optional
-  optional string reason = 4;
-
-  // A human readable message indicating details about the transition.
-  // +optional
-  optional string message = 5;
-}
-
-// StatefulSetList is a collection of StatefulSets.
-message StatefulSetList {
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  repeated StatefulSet items = 2;
-}
-
-// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
-// created from the StatefulSet VolumeClaimTemplates.
-message StatefulSetPersistentVolumeClaimRetentionPolicy {
-  // WhenDeleted specifies what happens to PVCs created from StatefulSet
-  // VolumeClaimTemplates when the StatefulSet is deleted. The default policy
-  // of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
-  // `Delete` policy causes those PVCs to be deleted.
-  optional string whenDeleted = 1;
-
-  // WhenScaled specifies what happens to PVCs created from StatefulSet
-  // VolumeClaimTemplates when the StatefulSet is scaled down. The default
-  // policy of `Retain` causes PVCs to not be affected by a scaledown. The
-  // `Delete` policy causes the associated PVCs for any excess pods above
-  // the replica count to be deleted.
-  optional string whenScaled = 2;
-}
-
-// A StatefulSetSpec is the specification of a StatefulSet.
-message StatefulSetSpec {
-  // replicas is the desired number of replicas of the given Template.
-  // These are replicas in the sense that they are instantiations of the
-  // same Template, but individual replicas also have a consistent identity.
-  // If unspecified, defaults to 1.
-  // TODO: Consider a rename of this field.
-  // +optional
-  optional int32 replicas = 1;
-
-  // selector is a label query over pods that should match the replica count.
-  // If empty, defaulted to labels on the pod template.
-  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
-
-  // template is the object that describes the pod that will be created if
-  // insufficient replicas are detected. Each pod stamped out by the StatefulSet
-  // will fulfill this Template, but have a unique identity from the rest
-  // of the StatefulSet.
-  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
-
-  // volumeClaimTemplates is a list of claims that pods are allowed to reference.
-  // The StatefulSet controller is responsible for mapping network identities to
-  // claims in a way that maintains the identity of a pod. Every claim in
-  // this list must have at least one matching (by name) volumeMount in one
-  // container in the template. A claim in this list takes precedence over
-  // any volumes in the template, with the same name.
-  // TODO: Define the behavior if a claim already exists with the same name.
-  // +optional
-  repeated k8s.io.api.core.v1.PersistentVolumeClaim volumeClaimTemplates = 4;
-
-  // serviceName is the name of the service that governs this StatefulSet.
-  // This service must exist before the StatefulSet, and is responsible for
-  // the network identity of the set. Pods get DNS/hostnames that follow the
-  // pattern: pod-specific-string.serviceName.default.svc.cluster.local
-  // where "pod-specific-string" is managed by the StatefulSet controller.
-  optional string serviceName = 5;
-
-  // podManagementPolicy controls how pods are created during initial scale up,
-  // when replacing pods on nodes, or when scaling down. The default policy is
-  // `OrderedReady`, where pods are created in increasing order (pod-0, then
-  // pod-1, etc) and the controller will wait until each pod is ready before
-  // continuing. When scaling down, the pods are removed in the opposite order.
-  // The alternative policy is `Parallel` which will create pods in parallel
-  // to match the desired scale without waiting, and on scale down will delete
-  // all pods at once.
-  // +optional
-  optional string podManagementPolicy = 6;
-
-  // updateStrategy indicates the StatefulSetUpdateStrategy that will be
-  // employed to update Pods in the StatefulSet when a revision is made to
-  // Template.
-  optional StatefulSetUpdateStrategy updateStrategy = 7;
-
-  // revisionHistoryLimit is the maximum number of revisions that will
-  // be maintained in the StatefulSet's revision history. The revision history
-  // consists of all revisions not represented by a currently applied
-  // StatefulSetSpec version. The default value is 10.
-  optional int32 revisionHistoryLimit = 8;
-
-  // Minimum number of seconds for which a newly created pod should be ready
-  // without any of its container crashing for it to be considered available.
-  // Defaults to 0 (pod will be considered available as soon as it is ready)
-  // This is an alpha field and requires enabling StatefulSetMinReadySeconds feature gate.
-  // +optional
-  optional int32 minReadySeconds = 9;
-
-  // PersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from
-  // the StatefulSet VolumeClaimTemplates. This requires the
-  // StatefulSetAutoDeletePVC feature gate to be enabled, which is alpha.
-  // +optional
-  optional StatefulSetPersistentVolumeClaimRetentionPolicy persistentVolumeClaimRetentionPolicy = 10;
-}
-
-// StatefulSetStatus represents the current state of a StatefulSet.
-message StatefulSetStatus {
-  // observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
-  // StatefulSet's generation, which is updated on mutation by the API Server.
-  // +optional
-  optional int64 observedGeneration = 1;
-
-  // replicas is the number of Pods created by the StatefulSet controller.
-  optional int32 replicas = 2;
-
-  // readyReplicas is the number of pods created by this StatefulSet controller with a Ready Condition.
-  optional int32 readyReplicas = 3;
-
-  // currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
-  // indicated by currentRevision.
-  optional int32 currentReplicas = 4;
-
-  // updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
-  // indicated by updateRevision.
-  optional int32 updatedReplicas = 5;
-
-  // currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
-  // sequence [0,currentReplicas).
-  optional string currentRevision = 6;
-
-  // updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
-  // [replicas-updatedReplicas,replicas)
-  optional string updateRevision = 7;
-
-  // collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
-  // uses this field as a collision avoidance mechanism when it needs to create the name for the
-  // newest ControllerRevision.
-  // +optional
-  optional int32 collisionCount = 9;
-
-  // Represents the latest available observations of a statefulset's current state.
-  // +optional
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  repeated StatefulSetCondition conditions = 10;
-
-  // Total number of available pods (ready for at least minReadySeconds) targeted by this StatefulSet.
-  // This is a beta field and enabled/disabled by StatefulSetMinReadySeconds feature gate.
-  optional int32 availableReplicas = 11;
-}
-
-// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
-// controller will use to perform updates. It includes any additional parameters
-// necessary to perform the update for the indicated strategy.
-message StatefulSetUpdateStrategy {
-  // Type indicates the type of the StatefulSetUpdateStrategy.
-  optional string type = 1;
-
-  // RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
-  optional RollingUpdateStatefulSetStrategy rollingUpdate = 2;
-}
-
--- a/common-protos/k8s.io/api/apps/v1beta2/generated.proto
+++ b/common-protos/k8s.io/api/apps/v1beta2/generated.proto
@ -1,809 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.apps.v1beta2;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/apps/v1beta2";
-
-// DEPRECATED - This group version of ControllerRevision is deprecated by apps/v1/ControllerRevision. See the
-// release notes for more information.
-// ControllerRevision implements an immutable snapshot of state data. Clients
-// are responsible for serializing and deserializing the objects that contain
-// their internal state.
-// Once a ControllerRevision has been successfully created, it can not be updated.
-// The API Server will fail validation of all requests that attempt to mutate
-// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
-// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
-// it may be subject to name and representation changes in future releases, and clients should not
-// depend on its stability. It is primarily for internal use by controllers.
-message ControllerRevision {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Data is the serialized representation of the state.
-  optional k8s.io.apimachinery.pkg.runtime.RawExtension data = 2;
-
-  // Revision indicates the revision of the state represented by Data.
-  optional int64 revision = 3;
-}
-
-// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
-message ControllerRevisionList {
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of ControllerRevisions
-  repeated ControllerRevision items = 2;
-}
-
-// DEPRECATED - This group version of DaemonSet is deprecated by apps/v1/DaemonSet. See the release notes for
-// more information.
-// DaemonSet represents the configuration of a daemon set.
-message DaemonSet {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // The desired behavior of this daemon set.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional DaemonSetSpec spec = 2;
-
-  // The current status of this daemon set. This data may be
-  // out of date by some window of time.
-  // Populated by the system.
-  // Read-only.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional DaemonSetStatus status = 3;
-}
-
-// DaemonSetCondition describes the state of a DaemonSet at a certain point.
-message DaemonSetCondition {
-  // Type of DaemonSet condition.
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  optional string status = 2;
-
-  // Last time the condition transitioned from one status to another.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // The reason for the condition's last transition.
-  // +optional
-  optional string reason = 4;
-
-  // A human readable message indicating details about the transition.
-  // +optional
-  optional string message = 5;
-}
-
-// DaemonSetList is a collection of daemon sets.
-message DaemonSetList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // A list of daemon sets.
-  repeated DaemonSet items = 2;
-}
-
-// DaemonSetSpec is the specification of a daemon set.
-message DaemonSetSpec {
-  // A label query over pods that are managed by the daemon set.
-  // Must match in order to be controlled.
-  // It must match the pod template's labels.
-  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 1;
-
-  // An object that describes the pod that will be created.
-  // The DaemonSet will create exactly one copy of this pod on every node
-  // that matches the template's node selector (or on every node if no node
-  // selector is specified).
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
-  optional k8s.io.api.core.v1.PodTemplateSpec template = 2;
-
-  // An update strategy to replace existing DaemonSet pods with new pods.
-  // +optional
-  optional DaemonSetUpdateStrategy updateStrategy = 3;
-
-  // The minimum number of seconds for which a newly created DaemonSet pod should
-  // be ready without any of its container crashing, for it to be considered
-  // available. Defaults to 0 (pod will be considered available as soon as it
-  // is ready).
-  // +optional
-  optional int32 minReadySeconds = 4;
-
-  // The number of old history to retain to allow rollback.
-  // This is a pointer to distinguish between explicit zero and not specified.
-  // Defaults to 10.
-  // +optional
-  optional int32 revisionHistoryLimit = 6;
-}
-
-// DaemonSetStatus represents the current status of a daemon set.
-message DaemonSetStatus {
-  // The number of nodes that are running at least 1
-  // daemon pod and are supposed to run the daemon pod.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
-  optional int32 currentNumberScheduled = 1;
-
-  // The number of nodes that are running the daemon pod, but are
-  // not supposed to run the daemon pod.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
-  optional int32 numberMisscheduled = 2;
-
-  // The total number of nodes that should be running the daemon
-  // pod (including nodes correctly running the daemon pod).
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
-  optional int32 desiredNumberScheduled = 3;
-
-  // Total number of nodes that should be running the daemon pod and have one
-  // or more of the daemon pod running with a Ready Condition by passing the readinessProbe.
-  optional int32 numberReady = 4;
-
-  // The most recent generation observed by the daemon set controller.
-  // +optional
-  optional int64 observedGeneration = 5;
-
-  // The total number of nodes that are running updated daemon pod
-  // +optional
-  optional int32 updatedNumberScheduled = 6;
-
-  // The number of nodes that should be running the
-  // daemon pod and have one or more of the daemon pod running and
-  // available (ready for at least spec.minReadySeconds)
-  // +optional
-  optional int32 numberAvailable = 7;
-
-  // The number of nodes that should be running the
-  // daemon pod and have none of the daemon pod running and available
-  // (ready for at least spec.minReadySeconds)
-  // +optional
-  optional int32 numberUnavailable = 8;
-
-  // Count of hash collisions for the DaemonSet. The DaemonSet controller
-  // uses this field as a collision avoidance mechanism when it needs to
-  // create the name for the newest ControllerRevision.
-  // +optional
-  optional int32 collisionCount = 9;
-
-  // Represents the latest available observations of a DaemonSet's current state.
-  // +optional
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  repeated DaemonSetCondition conditions = 10;
-}
-
-// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
-message DaemonSetUpdateStrategy {
-  // Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
-  // +optional
-  optional string type = 1;
-
-  // Rolling update config params. Present only if type = "RollingUpdate".
-  // ---
-  // TODO: Update this to follow our convention for oneOf, whatever we decide it
-  // to be. Same as Deployment `strategy.rollingUpdate`.
-  // See https://github.com/kubernetes/kubernetes/issues/35345
-  // +optional
-  optional RollingUpdateDaemonSet rollingUpdate = 2;
-}
-
-// DEPRECATED - This group version of Deployment is deprecated by apps/v1/Deployment. See the release notes for
-// more information.
-// Deployment enables declarative updates for Pods and ReplicaSets.
-message Deployment {
-  // Standard object metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired behavior of the Deployment.
-  // +optional
-  optional DeploymentSpec spec = 2;
-
-  // Most recently observed status of the Deployment.
-  // +optional
-  optional DeploymentStatus status = 3;
-}
-
-// DeploymentCondition describes the state of a deployment at a certain point.
-message DeploymentCondition {
-  // Type of deployment condition.
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  optional string status = 2;
-
-  // The last time this condition was updated.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 6;
-
-  // Last time the condition transitioned from one status to another.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 7;
-
-  // The reason for the condition's last transition.
-  optional string reason = 4;
-
-  // A human readable message indicating details about the transition.
-  optional string message = 5;
-}
-
-// DeploymentList is a list of Deployments.
-message DeploymentList {
-  // Standard list metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of Deployments.
-  repeated Deployment items = 2;
-}
-
-// DeploymentSpec is the specification of the desired behavior of the Deployment.
-message DeploymentSpec {
-  // Number of desired pods. This is a pointer to distinguish between explicit
-  // zero and not specified. Defaults to 1.
-  // +optional
-  optional int32 replicas = 1;
-
-  // Label selector for pods. Existing ReplicaSets whose pods are
-  // selected by this will be the ones affected by this deployment.
-  // It must match the pod template's labels.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
-
-  // Template describes the pods that will be created.
-  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
-
-  // The deployment strategy to use to replace existing pods with new ones.
-  // +optional
-  // +patchStrategy=retainKeys
-  optional DeploymentStrategy strategy = 4;
-
-  // Minimum number of seconds for which a newly created pod should be ready
-  // without any of its container crashing, for it to be considered available.
-  // Defaults to 0 (pod will be considered available as soon as it is ready)
-  // +optional
-  optional int32 minReadySeconds = 5;
-
-  // The number of old ReplicaSets to retain to allow rollback.
-  // This is a pointer to distinguish between explicit zero and not specified.
-  // Defaults to 10.
-  // +optional
-  optional int32 revisionHistoryLimit = 6;
-
-  // Indicates that the deployment is paused.
-  // +optional
-  optional bool paused = 7;
-
-  // The maximum time in seconds for a deployment to make progress before it
-  // is considered to be failed. The deployment controller will continue to
-  // process failed deployments and a condition with a ProgressDeadlineExceeded
-  // reason will be surfaced in the deployment status. Note that progress will
-  // not be estimated during the time a deployment is paused. Defaults to 600s.
-  optional int32 progressDeadlineSeconds = 9;
-}
-
-// DeploymentStatus is the most recently observed status of the Deployment.
-message DeploymentStatus {
-  // The generation observed by the deployment controller.
-  // +optional
-  optional int64 observedGeneration = 1;
-
-  // Total number of non-terminated pods targeted by this deployment (their labels match the selector).
-  // +optional
-  optional int32 replicas = 2;
-
-  // Total number of non-terminated pods targeted by this deployment that have the desired template spec.
-  // +optional
-  optional int32 updatedReplicas = 3;
-
-  // readyReplicas is the number of pods targeted by this Deployment controller with a Ready Condition.
-  // +optional
-  optional int32 readyReplicas = 7;
-
-  // Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
-  // +optional
-  optional int32 availableReplicas = 4;
-
-  // Total number of unavailable pods targeted by this deployment. This is the total number of
-  // pods that are still required for the deployment to have 100% available capacity. They may
-  // either be pods that are running but not yet available or pods that still have not been created.
-  // +optional
-  optional int32 unavailableReplicas = 5;
-
-  // Represents the latest available observations of a deployment's current state.
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  repeated DeploymentCondition conditions = 6;
-
-  // Count of hash collisions for the Deployment. The Deployment controller uses this
-  // field as a collision avoidance mechanism when it needs to create the name for the
-  // newest ReplicaSet.
-  // +optional
-  optional int32 collisionCount = 8;
-}
-
-// DeploymentStrategy describes how to replace existing pods with new ones.
-message DeploymentStrategy {
-  // Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
-  // +optional
-  optional string type = 1;
-
-  // Rolling update config params. Present only if DeploymentStrategyType =
-  // RollingUpdate.
-  // ---
-  // TODO: Update this to follow our convention for oneOf, whatever we decide it
-  // to be.
-  // +optional
-  optional RollingUpdateDeployment rollingUpdate = 2;
-}
-
-// DEPRECATED - This group version of ReplicaSet is deprecated by apps/v1/ReplicaSet. See the release notes for
-// more information.
-// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
-message ReplicaSet {
-  // If the Labels of a ReplicaSet are empty, they are defaulted to
-  // be the same as the Pod(s) that the ReplicaSet manages.
-  // Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec defines the specification of the desired behavior of the ReplicaSet.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional ReplicaSetSpec spec = 2;
-
-  // Status is the most recently observed status of the ReplicaSet.
-  // This data may be out of date by some window of time.
-  // Populated by the system.
-  // Read-only.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional ReplicaSetStatus status = 3;
-}
-
-// ReplicaSetCondition describes the state of a replica set at a certain point.
-message ReplicaSetCondition {
-  // Type of replica set condition.
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  optional string status = 2;
-
-  // The last time the condition transitioned from one status to another.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // The reason for the condition's last transition.
-  // +optional
-  optional string reason = 4;
-
-  // A human readable message indicating details about the transition.
-  // +optional
-  optional string message = 5;
-}
-
-// ReplicaSetList is a collection of ReplicaSets.
-message ReplicaSetList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // List of ReplicaSets.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
-  repeated ReplicaSet items = 2;
-}
-
-// ReplicaSetSpec is the specification of a ReplicaSet.
-message ReplicaSetSpec {
-  // Replicas is the number of desired replicas.
-  // This is a pointer to distinguish between explicit zero and unspecified.
-  // Defaults to 1.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
-  // +optional
-  optional int32 replicas = 1;
-
-  // Minimum number of seconds for which a newly created pod should be ready
-  // without any of its container crashing, for it to be considered available.
-  // Defaults to 0 (pod will be considered available as soon as it is ready)
-  // +optional
-  optional int32 minReadySeconds = 4;
-
-  // Selector is a label query over pods that should match the replica count.
-  // Label keys and values that must match in order to be controlled by this replica set.
-  // It must match the pod template's labels.
-  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
-
-  // Template is the object that describes the pod that will be created if
-  // insufficient replicas are detected.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
-  // +optional
-  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
-}
-
-// ReplicaSetStatus represents the current status of a ReplicaSet.
-message ReplicaSetStatus {
-  // Replicas is the most recently oberved number of replicas.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
-  optional int32 replicas = 1;
-
-  // The number of pods that have labels matching the labels of the pod template of the replicaset.
-  // +optional
-  optional int32 fullyLabeledReplicas = 2;
-
-  // readyReplicas is the number of pods targeted by this ReplicaSet controller with a Ready Condition.
-  // +optional
-  optional int32 readyReplicas = 4;
-
-  // The number of available replicas (ready for at least minReadySeconds) for this replica set.
-  // +optional
-  optional int32 availableReplicas = 5;
-
-  // ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
-  // +optional
-  optional int64 observedGeneration = 3;
-
-  // Represents the latest available observations of a replica set's current state.
-  // +optional
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  repeated ReplicaSetCondition conditions = 6;
-}
-
-// Spec to control the desired behavior of daemon set rolling update.
-message RollingUpdateDaemonSet {
-  // The maximum number of DaemonSet pods that can be unavailable during the
-  // update. Value can be an absolute number (ex: 5) or a percentage of total
-  // number of DaemonSet pods at the start of the update (ex: 10%). Absolute
-  // number is calculated from percentage by rounding up.
-  // This cannot be 0 if MaxSurge is 0
-  // Default value is 1.
-  // Example: when this is set to 30%, at most 30% of the total number of nodes
-  // that should be running the daemon pod (i.e. status.desiredNumberScheduled)
-  // can have their pods stopped for an update at any given time. The update
-  // starts by stopping at most 30% of those DaemonSet pods and then brings
-  // up new DaemonSet pods in their place. Once the new pods are available,
-  // it then proceeds onto other DaemonSet pods, thus ensuring that at least
-  // 70% of original number of DaemonSet pods are available at all times during
-  // the update.
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 1;
-
-  // The maximum number of nodes with an existing available DaemonSet pod that
-  // can have an updated DaemonSet pod during during an update.
-  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
-  // This can not be 0 if MaxUnavailable is 0.
-  // Absolute number is calculated from percentage by rounding up to a minimum of 1.
-  // Default value is 0.
-  // Example: when this is set to 30%, at most 30% of the total number of nodes
-  // that should be running the daemon pod (i.e. status.desiredNumberScheduled)
-  // can have their a new pod created before the old pod is marked as deleted.
-  // The update starts by launching new pods on 30% of nodes. Once an updated
-  // pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
-  // on that node is marked deleted. If the old pod becomes unavailable for any
-  // reason (Ready transitions to false, is evicted, or is drained) an updated
-  // pod is immediatedly created on that node without considering surge limits.
-  // Allowing surge implies the possibility that the resources consumed by the
-  // daemonset on any given node can double if the readiness check fails, and
-  // so resource intensive daemonsets should take into account that they may
-  // cause evictions during disruption.
-  // This is beta field and enabled/disabled by DaemonSetUpdateSurge feature gate.
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxSurge = 2;
-}
-
-// Spec to control the desired behavior of rolling update.
-message RollingUpdateDeployment {
-  // The maximum number of pods that can be unavailable during the update.
-  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
-  // Absolute number is calculated from percentage by rounding down.
-  // This can not be 0 if MaxSurge is 0.
-  // Defaults to 25%.
-  // Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
-  // immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
-  // can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
-  // that the total number of pods available at all times during the update is at
-  // least 70% of desired pods.
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 1;
-
-  // The maximum number of pods that can be scheduled above the desired number of
-  // pods.
-  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
-  // This can not be 0 if MaxUnavailable is 0.
-  // Absolute number is calculated from percentage by rounding up.
-  // Defaults to 25%.
-  // Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
-  // the rolling update starts, such that the total number of old and new pods do not exceed
-  // 130% of desired pods. Once old pods have been killed,
-  // new ReplicaSet can be scaled up further, ensuring that total number of pods running
-  // at any time during the update is at most 130% of desired pods.
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxSurge = 2;
-}
-
-// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
-message RollingUpdateStatefulSetStrategy {
-  // Partition indicates the ordinal at which the StatefulSet should be
-  // partitioned.
-  // Default value is 0.
-  // +optional
-  optional int32 partition = 1;
-}
-
-// Scale represents a scaling request for a resource.
-message Scale {
-  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
-  // +optional
-  optional ScaleSpec spec = 2;
-
-  // current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.
-  // +optional
-  optional ScaleStatus status = 3;
-}
-
-// ScaleSpec describes the attributes of a scale subresource
-message ScaleSpec {
-  // desired number of instances for the scaled object.
-  // +optional
-  optional int32 replicas = 1;
-}
-
-// ScaleStatus represents the current status of a scale subresource.
-message ScaleStatus {
-  // actual number of observed instances of the scaled object.
-  optional int32 replicas = 1;
-
-  // label query over pods that should match the replicas count. More info: http://kubernetes.io/docs/user-guide/labels#label-selectors
-  // +optional
-  // +mapType=atomic
-  map<string, string> selector = 2;
-
-  // label selector for pods that should match the replicas count. This is a serializated
-  // version of both map-based and more expressive set-based selectors. This is done to
-  // avoid introspection in the clients. The string will be in the same format as the
-  // query-param syntax. If the target type only supports map-based selectors, both this
-  // field and map-based selector field are populated.
-  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
-  // +optional
-  optional string targetSelector = 3;
-}
-
-// DEPRECATED - This group version of StatefulSet is deprecated by apps/v1/StatefulSet. See the release notes for
-// more information.
-// StatefulSet represents a set of pods with consistent identities.
-// Identities are defined as:
-//  - Network: A single stable DNS and hostname.
-//  - Storage: As many VolumeClaims as requested.
-// The StatefulSet guarantees that a given network identity will always
-// map to the same storage identity.
-message StatefulSet {
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec defines the desired identities of pods in this set.
-  // +optional
-  optional StatefulSetSpec spec = 2;
-
-  // Status is the current status of Pods in this StatefulSet. This data
-  // may be out of date by some window of time.
-  // +optional
-  optional StatefulSetStatus status = 3;
-}
-
-// StatefulSetCondition describes the state of a statefulset at a certain point.
-message StatefulSetCondition {
-  // Type of statefulset condition.
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  optional string status = 2;
-
-  // Last time the condition transitioned from one status to another.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // The reason for the condition's last transition.
-  // +optional
-  optional string reason = 4;
-
-  // A human readable message indicating details about the transition.
-  // +optional
-  optional string message = 5;
-}
-
-// StatefulSetList is a collection of StatefulSets.
-message StatefulSetList {
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  repeated StatefulSet items = 2;
-}
-
-// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
-// created from the StatefulSet VolumeClaimTemplates.
-message StatefulSetPersistentVolumeClaimRetentionPolicy {
-  // WhenDeleted specifies what happens to PVCs created from StatefulSet
-  // VolumeClaimTemplates when the StatefulSet is deleted. The default policy
-  // of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
-  // `Delete` policy causes those PVCs to be deleted.
-  optional string whenDeleted = 1;
-
-  // WhenScaled specifies what happens to PVCs created from StatefulSet
-  // VolumeClaimTemplates when the StatefulSet is scaled down. The default
-  // policy of `Retain` causes PVCs to not be affected by a scaledown. The
-  // `Delete` policy causes the associated PVCs for any excess pods above
-  // the replica count to be deleted.
-  optional string whenScaled = 2;
-}
-
-// A StatefulSetSpec is the specification of a StatefulSet.
-message StatefulSetSpec {
-  // replicas is the desired number of replicas of the given Template.
-  // These are replicas in the sense that they are instantiations of the
-  // same Template, but individual replicas also have a consistent identity.
-  // If unspecified, defaults to 1.
-  // TODO: Consider a rename of this field.
-  // +optional
-  optional int32 replicas = 1;
-
-  // selector is a label query over pods that should match the replica count.
-  // It must match the pod template's labels.
-  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
-
-  // template is the object that describes the pod that will be created if
-  // insufficient replicas are detected. Each pod stamped out by the StatefulSet
-  // will fulfill this Template, but have a unique identity from the rest
-  // of the StatefulSet.
-  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
-
-  // volumeClaimTemplates is a list of claims that pods are allowed to reference.
-  // The StatefulSet controller is responsible for mapping network identities to
-  // claims in a way that maintains the identity of a pod. Every claim in
-  // this list must have at least one matching (by name) volumeMount in one
-  // container in the template. A claim in this list takes precedence over
-  // any volumes in the template, with the same name.
-  // TODO: Define the behavior if a claim already exists with the same name.
-  // +optional
-  repeated k8s.io.api.core.v1.PersistentVolumeClaim volumeClaimTemplates = 4;
-
-  // serviceName is the name of the service that governs this StatefulSet.
-  // This service must exist before the StatefulSet, and is responsible for
-  // the network identity of the set. Pods get DNS/hostnames that follow the
-  // pattern: pod-specific-string.serviceName.default.svc.cluster.local
-  // where "pod-specific-string" is managed by the StatefulSet controller.
-  optional string serviceName = 5;
-
-  // podManagementPolicy controls how pods are created during initial scale up,
-  // when replacing pods on nodes, or when scaling down. The default policy is
-  // `OrderedReady`, where pods are created in increasing order (pod-0, then
-  // pod-1, etc) and the controller will wait until each pod is ready before
-  // continuing. When scaling down, the pods are removed in the opposite order.
-  // The alternative policy is `Parallel` which will create pods in parallel
-  // to match the desired scale without waiting, and on scale down will delete
-  // all pods at once.
-  // +optional
-  optional string podManagementPolicy = 6;
-
-  // updateStrategy indicates the StatefulSetUpdateStrategy that will be
-  // employed to update Pods in the StatefulSet when a revision is made to
-  // Template.
-  optional StatefulSetUpdateStrategy updateStrategy = 7;
-
-  // revisionHistoryLimit is the maximum number of revisions that will
-  // be maintained in the StatefulSet's revision history. The revision history
-  // consists of all revisions not represented by a currently applied
-  // StatefulSetSpec version. The default value is 10.
-  optional int32 revisionHistoryLimit = 8;
-
-  // Minimum number of seconds for which a newly created pod should be ready
-  // without any of its container crashing for it to be considered available.
-  // Defaults to 0 (pod will be considered available as soon as it is ready)
-  // This is an alpha field and requires enabling StatefulSetMinReadySeconds feature gate.
-  // +optional
-  optional int32 minReadySeconds = 9;
-
-  // PersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from
-  // the StatefulSet VolumeClaimTemplates. This requires the
-  // StatefulSetAutoDeletePVC feature gate to be enabled, which is alpha.
-  // +optional
-  optional StatefulSetPersistentVolumeClaimRetentionPolicy persistentVolumeClaimRetentionPolicy = 10;
-}
-
-// StatefulSetStatus represents the current state of a StatefulSet.
-message StatefulSetStatus {
-  // observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
-  // StatefulSet's generation, which is updated on mutation by the API Server.
-  // +optional
-  optional int64 observedGeneration = 1;
-
-  // replicas is the number of Pods created by the StatefulSet controller.
-  optional int32 replicas = 2;
-
-  // readyReplicas is the number of pods created by this StatefulSet controller with a Ready Condition.
-  optional int32 readyReplicas = 3;
-
-  // currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
-  // indicated by currentRevision.
-  optional int32 currentReplicas = 4;
-
-  // updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
-  // indicated by updateRevision.
-  optional int32 updatedReplicas = 5;
-
-  // currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
-  // sequence [0,currentReplicas).
-  optional string currentRevision = 6;
-
-  // updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
-  // [replicas-updatedReplicas,replicas)
-  optional string updateRevision = 7;
-
-  // collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
-  // uses this field as a collision avoidance mechanism when it needs to create the name for the
-  // newest ControllerRevision.
-  // +optional
-  optional int32 collisionCount = 9;
-
-  // Represents the latest available observations of a statefulset's current state.
-  // +optional
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  repeated StatefulSetCondition conditions = 10;
-
-  // Total number of available pods (ready for at least minReadySeconds) targeted by this StatefulSet.
-  // This is a beta field and enabled/disabled by StatefulSetMinReadySeconds feature gate.
-  optional int32 availableReplicas = 11;
-}
-
-// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
-// controller will use to perform updates. It includes any additional parameters
-// necessary to perform the update for the indicated strategy.
-message StatefulSetUpdateStrategy {
-  // Type indicates the type of the StatefulSetUpdateStrategy.
-  // Default is RollingUpdate.
-  // +optional
-  optional string type = 1;
-
-  // RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
-  // +optional
-  optional RollingUpdateStatefulSetStrategy rollingUpdate = 2;
-}
-
--- a/common-protos/k8s.io/api/authentication/v1/generated.proto
+++ b/common-protos/k8s.io/api/authentication/v1/generated.proto
@ -1,188 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.authentication.v1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/authentication/v1";
-
-// BoundObjectReference is a reference to an object that a token is bound to.
-message BoundObjectReference {
-  // Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
-  // +optional
-  optional string kind = 1;
-
-  // API version of the referent.
-  // +optional
-  optional string apiVersion = 2;
-
-  // Name of the referent.
-  // +optional
-  optional string name = 3;
-
-  // UID of the referent.
-  // +optional
-  optional string uID = 4;
-}
-
-// ExtraValue masks the value so protobuf can generate
-// +protobuf.nullable=true
-// +protobuf.options.(gogoproto.goproto_stringer)=false
-message ExtraValue {
-  // items, if empty, will result in an empty slice
-
-  repeated string items = 1;
-}
-
-// TokenRequest requests a token for a given service account.
-message TokenRequest {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec holds information about the request being evaluated
-  optional TokenRequestSpec spec = 2;
-
-  // Status is filled in by the server and indicates whether the token can be authenticated.
-  // +optional
-  optional TokenRequestStatus status = 3;
-}
-
-// TokenRequestSpec contains client provided parameters of a token request.
-message TokenRequestSpec {
-  // Audiences are the intendend audiences of the token. A recipient of a
-  // token must identitfy themself with an identifier in the list of
-  // audiences of the token, and otherwise should reject the token. A
-  // token issued for multiple audiences may be used to authenticate
-  // against any of the audiences listed but implies a high degree of
-  // trust between the target audiences.
-  repeated string audiences = 1;
-
-  // ExpirationSeconds is the requested duration of validity of the request. The
-  // token issuer may return a token with a different validity duration so a
-  // client needs to check the 'expiration' field in a response.
-  // +optional
-  optional int64 expirationSeconds = 4;
-
-  // BoundObjectRef is a reference to an object that the token will be bound to.
-  // The token will only be valid for as long as the bound object exists.
-  // NOTE: The API server's TokenReview endpoint will validate the
-  // BoundObjectRef, but other audiences may not. Keep ExpirationSeconds
-  // small if you want prompt revocation.
-  // +optional
-  optional BoundObjectReference boundObjectRef = 3;
-}
-
-// TokenRequestStatus is the result of a token request.
-message TokenRequestStatus {
-  // Token is the opaque bearer token.
-  optional string token = 1;
-
-  // ExpirationTimestamp is the time of expiration of the returned token.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time expirationTimestamp = 2;
-}
-
-// TokenReview attempts to authenticate a token to a known user.
-// Note: TokenReview requests may be cached by the webhook token authenticator
-// plugin in the kube-apiserver.
-message TokenReview {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec holds information about the request being evaluated
-  optional TokenReviewSpec spec = 2;
-
-  // Status is filled in by the server and indicates whether the request can be authenticated.
-  // +optional
-  optional TokenReviewStatus status = 3;
-}
-
-// TokenReviewSpec is a description of the token authentication request.
-message TokenReviewSpec {
-  // Token is the opaque bearer token.
-  // +optional
-  optional string token = 1;
-
-  // Audiences is a list of the identifiers that the resource server presented
-  // with the token identifies as. Audience-aware token authenticators will
-  // verify that the token was intended for at least one of the audiences in
-  // this list. If no audiences are provided, the audience will default to the
-  // audience of the Kubernetes apiserver.
-  // +optional
-  repeated string audiences = 2;
-}
-
-// TokenReviewStatus is the result of the token authentication request.
-message TokenReviewStatus {
-  // Authenticated indicates that the token was associated with a known user.
-  // +optional
-  optional bool authenticated = 1;
-
-  // User is the UserInfo associated with the provided token.
-  // +optional
-  optional UserInfo user = 2;
-
-  // Audiences are audience identifiers chosen by the authenticator that are
-  // compatible with both the TokenReview and token. An identifier is any
-  // identifier in the intersection of the TokenReviewSpec audiences and the
-  // token's audiences. A client of the TokenReview API that sets the
-  // spec.audiences field should validate that a compatible audience identifier
-  // is returned in the status.audiences field to ensure that the TokenReview
-  // server is audience aware. If a TokenReview returns an empty
-  // status.audience field where status.authenticated is "true", the token is
-  // valid against the audience of the Kubernetes API server.
-  // +optional
-  repeated string audiences = 4;
-
-  // Error indicates that the token couldn't be checked
-  // +optional
-  optional string error = 3;
-}
-
-// UserInfo holds the information about the user needed to implement the
-// user.Info interface.
-message UserInfo {
-  // The name that uniquely identifies this user among all active users.
-  // +optional
-  optional string username = 1;
-
-  // A unique value that identifies this user across time. If this user is
-  // deleted and another user by the same name is added, they will have
-  // different UIDs.
-  // +optional
-  optional string uid = 2;
-
-  // The names of groups this user is a part of.
-  // +optional
-  repeated string groups = 3;
-
-  // Any additional information provided by the authenticator.
-  // +optional
-  map<string, ExtraValue> extra = 4;
-}
-
--- a/common-protos/k8s.io/api/authentication/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/authentication/v1beta1/generated.proto
@ -1,120 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.authentication.v1beta1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/authentication/v1beta1";
-
-// ExtraValue masks the value so protobuf can generate
-// +protobuf.nullable=true
-// +protobuf.options.(gogoproto.goproto_stringer)=false
-message ExtraValue {
-  // items, if empty, will result in an empty slice
-
-  repeated string items = 1;
-}
-
-// TokenReview attempts to authenticate a token to a known user.
-// Note: TokenReview requests may be cached by the webhook token authenticator
-// plugin in the kube-apiserver.
-message TokenReview {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec holds information about the request being evaluated
-  optional TokenReviewSpec spec = 2;
-
-  // Status is filled in by the server and indicates whether the token can be authenticated.
-  // +optional
-  optional TokenReviewStatus status = 3;
-}
-
-// TokenReviewSpec is a description of the token authentication request.
-message TokenReviewSpec {
-  // Token is the opaque bearer token.
-  // +optional
-  optional string token = 1;
-
-  // Audiences is a list of the identifiers that the resource server presented
-  // with the token identifies as. Audience-aware token authenticators will
-  // verify that the token was intended for at least one of the audiences in
-  // this list. If no audiences are provided, the audience will default to the
-  // audience of the Kubernetes apiserver.
-  // +optional
-  repeated string audiences = 2;
-}
-
-// TokenReviewStatus is the result of the token authentication request.
-message TokenReviewStatus {
-  // Authenticated indicates that the token was associated with a known user.
-  // +optional
-  optional bool authenticated = 1;
-
-  // User is the UserInfo associated with the provided token.
-  // +optional
-  optional UserInfo user = 2;
-
-  // Audiences are audience identifiers chosen by the authenticator that are
-  // compatible with both the TokenReview and token. An identifier is any
-  // identifier in the intersection of the TokenReviewSpec audiences and the
-  // token's audiences. A client of the TokenReview API that sets the
-  // spec.audiences field should validate that a compatible audience identifier
-  // is returned in the status.audiences field to ensure that the TokenReview
-  // server is audience aware. If a TokenReview returns an empty
-  // status.audience field where status.authenticated is "true", the token is
-  // valid against the audience of the Kubernetes API server.
-  // +optional
-  repeated string audiences = 4;
-
-  // Error indicates that the token couldn't be checked
-  // +optional
-  optional string error = 3;
-}
-
-// UserInfo holds the information about the user needed to implement the
-// user.Info interface.
-message UserInfo {
-  // The name that uniquely identifies this user among all active users.
-  // +optional
-  optional string username = 1;
-
-  // A unique value that identifies this user across time. If this user is
-  // deleted and another user by the same name is added, they will have
-  // different UIDs.
-  // +optional
-  optional string uid = 2;
-
-  // The names of groups this user is a part of.
-  // +optional
-  repeated string groups = 3;
-
-  // Any additional information provided by the authenticator.
-  // +optional
-  map<string, ExtraValue> extra = 4;
-}
-
--- a/common-protos/k8s.io/api/authorization/v1/generated.proto
+++ b/common-protos/k8s.io/api/authorization/v1/generated.proto
@ -1,281 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.authorization.v1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/authorization/v1";
-
-// ExtraValue masks the value so protobuf can generate
-// +protobuf.nullable=true
-// +protobuf.options.(gogoproto.goproto_stringer)=false
-message ExtraValue {
-  // items, if empty, will result in an empty slice
-
-  repeated string items = 1;
-}
-
-// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
-// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
-// checking.
-message LocalSubjectAccessReview {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace
-  // you made the request against.  If empty, it is defaulted.
-  optional SubjectAccessReviewSpec spec = 2;
-
-  // Status is filled in by the server and indicates whether the request is allowed or not
-  // +optional
-  optional SubjectAccessReviewStatus status = 3;
-}
-
-// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
-message NonResourceAttributes {
-  // Path is the URL path of the request
-  // +optional
-  optional string path = 1;
-
-  // Verb is the standard HTTP verb
-  // +optional
-  optional string verb = 2;
-}
-
-// NonResourceRule holds information that describes a rule for the non-resource
-message NonResourceRule {
-  // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  "*" means all.
-  repeated string verbs = 1;
-
-  // NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full,
-  // final step in the path.  "*" means all.
-  // +optional
-  repeated string nonResourceURLs = 2;
-}
-
-// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
-message ResourceAttributes {
-  // Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces
-  // "" (empty) is defaulted for LocalSubjectAccessReviews
-  // "" (empty) is empty for cluster-scoped resources
-  // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
-  // +optional
-  optional string namespace = 1;
-
-  // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.
-  // +optional
-  optional string verb = 2;
-
-  // Group is the API Group of the Resource.  "*" means all.
-  // +optional
-  optional string group = 3;
-
-  // Version is the API Version of the Resource.  "*" means all.
-  // +optional
-  optional string version = 4;
-
-  // Resource is one of the existing resource types.  "*" means all.
-  // +optional
-  optional string resource = 5;
-
-  // Subresource is one of the existing resource types.  "" means none.
-  // +optional
-  optional string subresource = 6;
-
-  // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
-  // +optional
-  optional string name = 7;
-}
-
-// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
-// may contain duplicates, and possibly be incomplete.
-message ResourceRule {
-  // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  "*" means all.
-  repeated string verbs = 1;
-
-  // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
-  // the enumerated resources in any API group will be allowed.  "*" means all.
-  // +optional
-  repeated string apiGroups = 2;
-
-  // Resources is a list of resources this rule applies to.  "*" means all in the specified apiGroups.
-  //  "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
-  // +optional
-  repeated string resources = 3;
-
-  // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  "*" means all.
-  // +optional
-  repeated string resourceNames = 4;
-}
-
-// SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a
-// spec.namespace means "in all namespaces".  Self is a special case, because users should always be able
-// to check whether they can perform an action
-message SelfSubjectAccessReview {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec holds information about the request being evaluated.  user and groups must be empty
-  optional SelfSubjectAccessReviewSpec spec = 2;
-
-  // Status is filled in by the server and indicates whether the request is allowed or not
-  // +optional
-  optional SubjectAccessReviewStatus status = 3;
-}
-
-// SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
-// and NonResourceAuthorizationAttributes must be set
-message SelfSubjectAccessReviewSpec {
-  // ResourceAuthorizationAttributes describes information for a resource access request
-  // +optional
-  optional ResourceAttributes resourceAttributes = 1;
-
-  // NonResourceAttributes describes information for a non-resource access request
-  // +optional
-  optional NonResourceAttributes nonResourceAttributes = 2;
-}
-
-// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
-// The returned list of actions may be incomplete depending on the server's authorization mode,
-// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
-// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
-// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
-// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
-message SelfSubjectRulesReview {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec holds information about the request being evaluated.
-  optional SelfSubjectRulesReviewSpec spec = 2;
-
-  // Status is filled in by the server and indicates the set of actions a user can perform.
-  // +optional
-  optional SubjectRulesReviewStatus status = 3;
-}
-
-// SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.
-message SelfSubjectRulesReviewSpec {
-  // Namespace to evaluate rules for. Required.
-  optional string namespace = 1;
-}
-
-// SubjectAccessReview checks whether or not a user or group can perform an action.
-message SubjectAccessReview {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec holds information about the request being evaluated
-  optional SubjectAccessReviewSpec spec = 2;
-
-  // Status is filled in by the server and indicates whether the request is allowed or not
-  // +optional
-  optional SubjectAccessReviewStatus status = 3;
-}
-
-// SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
-// and NonResourceAuthorizationAttributes must be set
-message SubjectAccessReviewSpec {
-  // ResourceAuthorizationAttributes describes information for a resource access request
-  // +optional
-  optional ResourceAttributes resourceAttributes = 1;
-
-  // NonResourceAttributes describes information for a non-resource access request
-  // +optional
-  optional NonResourceAttributes nonResourceAttributes = 2;
-
-  // User is the user you're testing for.
-  // If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups
-  // +optional
-  optional string user = 3;
-
-  // Groups is the groups you're testing for.
-  // +optional
-  repeated string groups = 4;
-
-  // Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer
-  // it needs a reflection here.
-  // +optional
-  map<string, ExtraValue> extra = 5;
-
-  // UID information about the requesting user.
-  // +optional
-  optional string uid = 6;
-}
-
-// SubjectAccessReviewStatus
-message SubjectAccessReviewStatus {
-  // Allowed is required. True if the action would be allowed, false otherwise.
-  optional bool allowed = 1;
-
-  // Denied is optional. True if the action would be denied, otherwise
-  // false. If both allowed is false and denied is false, then the
-  // authorizer has no opinion on whether to authorize the action. Denied
-  // may not be true if Allowed is true.
-  // +optional
-  optional bool denied = 4;
-
-  // Reason is optional.  It indicates why a request was allowed or denied.
-  // +optional
-  optional string reason = 2;
-
-  // EvaluationError is an indication that some error occurred during the authorization check.
-  // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
-  // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
-  // +optional
-  optional string evaluationError = 3;
-}
-
-// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
-// the set of authorizers the server is configured with and any errors experienced during evaluation.
-// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
-// even if that list is incomplete.
-message SubjectRulesReviewStatus {
-  // ResourceRules is the list of actions the subject is allowed to perform on resources.
-  // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
-  repeated ResourceRule resourceRules = 1;
-
-  // NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
-  // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
-  repeated NonResourceRule nonResourceRules = 2;
-
-  // Incomplete is true when the rules returned by this call are incomplete. This is most commonly
-  // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
-  optional bool incomplete = 3;
-
-  // EvaluationError can appear in combination with Rules. It indicates an error occurred during
-  // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
-  // ResourceRules and/or NonResourceRules may be incomplete.
-  // +optional
-  optional string evaluationError = 4;
-}
-
--- a/common-protos/k8s.io/api/authorization/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/authorization/v1beta1/generated.proto
@ -1,281 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.authorization.v1beta1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/authorization/v1beta1";
-
-// ExtraValue masks the value so protobuf can generate
-// +protobuf.nullable=true
-// +protobuf.options.(gogoproto.goproto_stringer)=false
-message ExtraValue {
-  // items, if empty, will result in an empty slice
-
-  repeated string items = 1;
-}
-
-// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
-// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
-// checking.
-message LocalSubjectAccessReview {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace
-  // you made the request against.  If empty, it is defaulted.
-  optional SubjectAccessReviewSpec spec = 2;
-
-  // Status is filled in by the server and indicates whether the request is allowed or not
-  // +optional
-  optional SubjectAccessReviewStatus status = 3;
-}
-
-// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
-message NonResourceAttributes {
-  // Path is the URL path of the request
-  // +optional
-  optional string path = 1;
-
-  // Verb is the standard HTTP verb
-  // +optional
-  optional string verb = 2;
-}
-
-// NonResourceRule holds information that describes a rule for the non-resource
-message NonResourceRule {
-  // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  "*" means all.
-  repeated string verbs = 1;
-
-  // NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full,
-  // final step in the path.  "*" means all.
-  // +optional
-  repeated string nonResourceURLs = 2;
-}
-
-// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
-message ResourceAttributes {
-  // Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces
-  // "" (empty) is defaulted for LocalSubjectAccessReviews
-  // "" (empty) is empty for cluster-scoped resources
-  // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
-  // +optional
-  optional string namespace = 1;
-
-  // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.
-  // +optional
-  optional string verb = 2;
-
-  // Group is the API Group of the Resource.  "*" means all.
-  // +optional
-  optional string group = 3;
-
-  // Version is the API Version of the Resource.  "*" means all.
-  // +optional
-  optional string version = 4;
-
-  // Resource is one of the existing resource types.  "*" means all.
-  // +optional
-  optional string resource = 5;
-
-  // Subresource is one of the existing resource types.  "" means none.
-  // +optional
-  optional string subresource = 6;
-
-  // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
-  // +optional
-  optional string name = 7;
-}
-
-// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
-// may contain duplicates, and possibly be incomplete.
-message ResourceRule {
-  // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  "*" means all.
-  repeated string verbs = 1;
-
-  // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
-  // the enumerated resources in any API group will be allowed.  "*" means all.
-  // +optional
-  repeated string apiGroups = 2;
-
-  // Resources is a list of resources this rule applies to.  "*" means all in the specified apiGroups.
-  //  "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
-  // +optional
-  repeated string resources = 3;
-
-  // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  "*" means all.
-  // +optional
-  repeated string resourceNames = 4;
-}
-
-// SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a
-// spec.namespace means "in all namespaces".  Self is a special case, because users should always be able
-// to check whether they can perform an action
-message SelfSubjectAccessReview {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec holds information about the request being evaluated.  user and groups must be empty
-  optional SelfSubjectAccessReviewSpec spec = 2;
-
-  // Status is filled in by the server and indicates whether the request is allowed or not
-  // +optional
-  optional SubjectAccessReviewStatus status = 3;
-}
-
-// SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
-// and NonResourceAuthorizationAttributes must be set
-message SelfSubjectAccessReviewSpec {
-  // ResourceAuthorizationAttributes describes information for a resource access request
-  // +optional
-  optional ResourceAttributes resourceAttributes = 1;
-
-  // NonResourceAttributes describes information for a non-resource access request
-  // +optional
-  optional NonResourceAttributes nonResourceAttributes = 2;
-}
-
-// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
-// The returned list of actions may be incomplete depending on the server's authorization mode,
-// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
-// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
-// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
-// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
-message SelfSubjectRulesReview {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec holds information about the request being evaluated.
-  optional SelfSubjectRulesReviewSpec spec = 2;
-
-  // Status is filled in by the server and indicates the set of actions a user can perform.
-  // +optional
-  optional SubjectRulesReviewStatus status = 3;
-}
-
-// SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.
-message SelfSubjectRulesReviewSpec {
-  // Namespace to evaluate rules for. Required.
-  optional string namespace = 1;
-}
-
-// SubjectAccessReview checks whether or not a user or group can perform an action.
-message SubjectAccessReview {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec holds information about the request being evaluated
-  optional SubjectAccessReviewSpec spec = 2;
-
-  // Status is filled in by the server and indicates whether the request is allowed or not
-  // +optional
-  optional SubjectAccessReviewStatus status = 3;
-}
-
-// SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
-// and NonResourceAuthorizationAttributes must be set
-message SubjectAccessReviewSpec {
-  // ResourceAuthorizationAttributes describes information for a resource access request
-  // +optional
-  optional ResourceAttributes resourceAttributes = 1;
-
-  // NonResourceAttributes describes information for a non-resource access request
-  // +optional
-  optional NonResourceAttributes nonResourceAttributes = 2;
-
-  // User is the user you're testing for.
-  // If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups
-  // +optional
-  optional string user = 3;
-
-  // Groups is the groups you're testing for.
-  // +optional
-  repeated string group = 4;
-
-  // Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer
-  // it needs a reflection here.
-  // +optional
-  map<string, ExtraValue> extra = 5;
-
-  // UID information about the requesting user.
-  // +optional
-  optional string uid = 6;
-}
-
-// SubjectAccessReviewStatus
-message SubjectAccessReviewStatus {
-  // Allowed is required. True if the action would be allowed, false otherwise.
-  optional bool allowed = 1;
-
-  // Denied is optional. True if the action would be denied, otherwise
-  // false. If both allowed is false and denied is false, then the
-  // authorizer has no opinion on whether to authorize the action. Denied
-  // may not be true if Allowed is true.
-  // +optional
-  optional bool denied = 4;
-
-  // Reason is optional.  It indicates why a request was allowed or denied.
-  // +optional
-  optional string reason = 2;
-
-  // EvaluationError is an indication that some error occurred during the authorization check.
-  // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
-  // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
-  // +optional
-  optional string evaluationError = 3;
-}
-
-// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
-// the set of authorizers the server is configured with and any errors experienced during evaluation.
-// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
-// even if that list is incomplete.
-message SubjectRulesReviewStatus {
-  // ResourceRules is the list of actions the subject is allowed to perform on resources.
-  // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
-  repeated ResourceRule resourceRules = 1;
-
-  // NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
-  // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
-  repeated NonResourceRule nonResourceRules = 2;
-
-  // Incomplete is true when the rules returned by this call are incomplete. This is most commonly
-  // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
-  optional bool incomplete = 3;
-
-  // EvaluationError can appear in combination with Rules. It indicates an error occurred during
-  // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
-  // ResourceRules and/or NonResourceRules may be incomplete.
-  // +optional
-  optional string evaluationError = 4;
-}
-
--- a/common-protos/k8s.io/api/autoscaling/v1/generated.proto
+++ b/common-protos/k8s.io/api/autoscaling/v1/generated.proto
@ -1,495 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.autoscaling.v1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/autoscaling/v1";
-
-// ContainerResourceMetricSource indicates how to scale on a resource metric known to
-// Kubernetes, as specified in the requests and limits, describing a single container in
-// each of the pods of the current scale target(e.g. CPU or memory). The values will be
-// averaged together before being compared to the target. Such metrics are built into
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source. Only one "target" type
-// should be set.
-message ContainerResourceMetricSource {
-  // name is the name of the resource in question.
-  optional string name = 1;
-
-  // targetAverageUtilization is the target value of the average of the
-  // resource metric across all relevant pods, represented as a percentage of
-  // the requested value of the resource for the pods.
-  // +optional
-  optional int32 targetAverageUtilization = 2;
-
-  // targetAverageValue is the target value of the average of the
-  // resource metric across all relevant pods, as a raw value (instead of as
-  // a percentage of the request), similar to the "pods" metric source type.
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetAverageValue = 3;
-
-  // container is the name of the container in the pods of the scaling target.
-  optional string container = 5;
-}
-
-// ContainerResourceMetricStatus indicates the current value of a resource metric known to
-// Kubernetes, as specified in requests and limits, describing a single container in each pod in the
-// current scale target (e.g. CPU or memory).  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.
-message ContainerResourceMetricStatus {
-  // name is the name of the resource in question.
-  optional string name = 1;
-
-  // currentAverageUtilization is the current value of the average of the
-  // resource metric across all relevant pods, represented as a percentage of
-  // the requested value of the resource for the pods.  It will only be
-  // present if `targetAverageValue` was set in the corresponding metric
-  // specification.
-  // +optional
-  optional int32 currentAverageUtilization = 2;
-
-  // currentAverageValue is the current value of the average of the
-  // resource metric across all relevant pods, as a raw value (instead of as
-  // a percentage of the request), similar to the "pods" metric source type.
-  // It will always be set, regardless of the corresponding metric specification.
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentAverageValue = 3;
-
-  // container is the name of the container in the pods of the scaling taget
-  optional string container = 4;
-}
-
-// CrossVersionObjectReference contains enough information to let you identify the referred resource.
-// +structType=atomic
-message CrossVersionObjectReference {
-  // Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
-  optional string kind = 1;
-
-  // Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
-  optional string name = 2;
-
-  // API version of the referent
-  // +optional
-  optional string apiVersion = 3;
-}
-
-// ExternalMetricSource indicates how to scale on a metric not associated with
-// any Kubernetes object (for example length of queue in cloud
-// messaging service, or QPS from loadbalancer running outside of cluster).
-message ExternalMetricSource {
-  // metricName is the name of the metric in question.
-  optional string metricName = 1;
-
-  // metricSelector is used to identify a specific time series
-  // within a given metric.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector metricSelector = 2;
-
-  // targetValue is the target value of the metric (as a quantity).
-  // Mutually exclusive with TargetAverageValue.
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetValue = 3;
-
-  // targetAverageValue is the target per-pod value of global metric (as a quantity).
-  // Mutually exclusive with TargetValue.
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetAverageValue = 4;
-}
-
-// ExternalMetricStatus indicates the current value of a global metric
-// not associated with any Kubernetes object.
-message ExternalMetricStatus {
-  // metricName is the name of a metric used for autoscaling in
-  // metric system.
-  optional string metricName = 1;
-
-  // metricSelector is used to identify a specific time series
-  // within a given metric.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector metricSelector = 2;
-
-  // currentValue is the current value of the metric (as a quantity)
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentValue = 3;
-
-  // currentAverageValue is the current value of metric averaged over autoscaled pods.
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentAverageValue = 4;
-}
-
-// configuration of a horizontal pod autoscaler.
-message HorizontalPodAutoscaler {
-  // Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
-  // +optional
-  optional HorizontalPodAutoscalerSpec spec = 2;
-
-  // current information about the autoscaler.
-  // +optional
-  optional HorizontalPodAutoscalerStatus status = 3;
-}
-
-// HorizontalPodAutoscalerCondition describes the state of
-// a HorizontalPodAutoscaler at a certain point.
-message HorizontalPodAutoscalerCondition {
-  // type describes the current condition
-  optional string type = 1;
-
-  // status is the status of the condition (True, False, Unknown)
-  optional string status = 2;
-
-  // lastTransitionTime is the last time the condition transitioned from
-  // one status to another
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // reason is the reason for the condition's last transition.
-  // +optional
-  optional string reason = 4;
-
-  // message is a human-readable explanation containing details about
-  // the transition
-  // +optional
-  optional string message = 5;
-}
-
-// list of horizontal pod autoscaler objects.
-message HorizontalPodAutoscalerList {
-  // Standard list metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // list of horizontal pod autoscaler objects.
-  repeated HorizontalPodAutoscaler items = 2;
-}
-
-// specification of a horizontal pod autoscaler.
-message HorizontalPodAutoscalerSpec {
-  // reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption
-  // and will set the desired number of pods by using its Scale subresource.
-  optional CrossVersionObjectReference scaleTargetRef = 1;
-
-  // minReplicas is the lower limit for the number of replicas to which the autoscaler
-  // can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
-  // alpha feature gate HPAScaleToZero is enabled and at least one Object or External
-  // metric is configured.  Scaling is active as long as at least one metric value is
-  // available.
-  // +optional
-  optional int32 minReplicas = 2;
-
-  // upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
-  optional int32 maxReplicas = 3;
-
-  // target average CPU utilization (represented as a percentage of requested CPU) over all the pods;
-  // if not specified the default autoscaling policy will be used.
-  // +optional
-  optional int32 targetCPUUtilizationPercentage = 4;
-}
-
-// current status of a horizontal pod autoscaler
-message HorizontalPodAutoscalerStatus {
-  // most recent generation observed by this autoscaler.
-  // +optional
-  optional int64 observedGeneration = 1;
-
-  // last time the HorizontalPodAutoscaler scaled the number of pods;
-  // used by the autoscaler to control how often the number of pods is changed.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastScaleTime = 2;
-
-  // current number of replicas of pods managed by this autoscaler.
-  optional int32 currentReplicas = 3;
-
-  // desired number of replicas of pods managed by this autoscaler.
-  optional int32 desiredReplicas = 4;
-
-  // current average CPU utilization over all pods, represented as a percentage of requested CPU,
-  // e.g. 70 means that an average pod is using now 70% of its requested CPU.
-  // +optional
-  optional int32 currentCPUUtilizationPercentage = 5;
-}
-
-// MetricSpec specifies how to scale based on a single metric
-// (only `type` and one other matching field should be set at once).
-message MetricSpec {
-  // type is the type of metric source.  It should be one of "ContainerResource",
-  // "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object.
-  // Note: "ContainerResource" type is available on when the feature-gate
-  // HPAContainerMetrics is enabled
-  optional string type = 1;
-
-  // object refers to a metric describing a single kubernetes object
-  // (for example, hits-per-second on an Ingress object).
-  // +optional
-  optional ObjectMetricSource object = 2;
-
-  // pods refers to a metric describing each pod in the current scale target
-  // (for example, transactions-processed-per-second).  The values will be
-  // averaged together before being compared to the target value.
-  // +optional
-  optional PodsMetricSource pods = 3;
-
-  // resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing each pod in the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // +optional
-  optional ResourceMetricSource resource = 4;
-
-  // container resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing a single container in each pod of the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
-  // +optional
-  optional ContainerResourceMetricSource containerResource = 7;
-
-  // external refers to a global metric that is not associated
-  // with any Kubernetes object. It allows autoscaling based on information
-  // coming from components running outside of cluster
-  // (for example length of queue in cloud messaging service, or
-  // QPS from loadbalancer running outside of cluster).
-  // +optional
-  optional ExternalMetricSource external = 5;
-}
-
-// MetricStatus describes the last-read state of a single metric.
-message MetricStatus {
-  // type is the type of metric source.  It will be one of "ContainerResource",
-  // "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
-  // Note: "ContainerResource" type is available on when the feature-gate
-  // HPAContainerMetrics is enabled
-  optional string type = 1;
-
-  // object refers to a metric describing a single kubernetes object
-  // (for example, hits-per-second on an Ingress object).
-  // +optional
-  optional ObjectMetricStatus object = 2;
-
-  // pods refers to a metric describing each pod in the current scale target
-  // (for example, transactions-processed-per-second).  The values will be
-  // averaged together before being compared to the target value.
-  // +optional
-  optional PodsMetricStatus pods = 3;
-
-  // resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing each pod in the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // +optional
-  optional ResourceMetricStatus resource = 4;
-
-  // container resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing a single container in each pod in the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // +optional
-  optional ContainerResourceMetricStatus containerResource = 7;
-
-  // external refers to a global metric that is not associated
-  // with any Kubernetes object. It allows autoscaling based on information
-  // coming from components running outside of cluster
-  // (for example length of queue in cloud messaging service, or
-  // QPS from loadbalancer running outside of cluster).
-  // +optional
-  optional ExternalMetricStatus external = 5;
-}
-
-// ObjectMetricSource indicates how to scale on a metric describing a
-// kubernetes object (for example, hits-per-second on an Ingress object).
-message ObjectMetricSource {
-  // target is the described Kubernetes object.
-  optional CrossVersionObjectReference target = 1;
-
-  // metricName is the name of the metric in question.
-  optional string metricName = 2;
-
-  // targetValue is the target value of the metric (as a quantity).
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetValue = 3;
-
-  // selector is the string-encoded form of a standard kubernetes label selector for the given metric.
-  // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping
-  // When unset, just the metricName will be used to gather metrics.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 4;
-
-  // averageValue is the target value of the average of the
-  // metric across all relevant pods (as a quantity)
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity averageValue = 5;
-}
-
-// ObjectMetricStatus indicates the current value of a metric describing a
-// kubernetes object (for example, hits-per-second on an Ingress object).
-message ObjectMetricStatus {
-  // target is the described Kubernetes object.
-  optional CrossVersionObjectReference target = 1;
-
-  // metricName is the name of the metric in question.
-  optional string metricName = 2;
-
-  // currentValue is the current value of the metric (as a quantity).
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentValue = 3;
-
-  // selector is the string-encoded form of a standard kubernetes label selector for the given metric
-  // When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
-  // When unset, just the metricName will be used to gather metrics.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 4;
-
-  // averageValue is the current value of the average of the
-  // metric across all relevant pods (as a quantity)
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity averageValue = 5;
-}
-
-// PodsMetricSource indicates how to scale on a metric describing each pod in
-// the current scale target (for example, transactions-processed-per-second).
-// The values will be averaged together before being compared to the target
-// value.
-message PodsMetricSource {
-  // metricName is the name of the metric in question
-  optional string metricName = 1;
-
-  // targetAverageValue is the target value of the average of the
-  // metric across all relevant pods (as a quantity)
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetAverageValue = 2;
-
-  // selector is the string-encoded form of a standard kubernetes label selector for the given metric
-  // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping
-  // When unset, just the metricName will be used to gather metrics.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 3;
-}
-
-// PodsMetricStatus indicates the current value of a metric describing each pod in
-// the current scale target (for example, transactions-processed-per-second).
-message PodsMetricStatus {
-  // metricName is the name of the metric in question
-  optional string metricName = 1;
-
-  // currentAverageValue is the current value of the average of the
-  // metric across all relevant pods (as a quantity)
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentAverageValue = 2;
-
-  // selector is the string-encoded form of a standard kubernetes label selector for the given metric
-  // When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
-  // When unset, just the metricName will be used to gather metrics.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 3;
-}
-
-// ResourceMetricSource indicates how to scale on a resource metric known to
-// Kubernetes, as specified in requests and limits, describing each pod in the
-// current scale target (e.g. CPU or memory).  The values will be averaged
-// together before being compared to the target.  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.  Only one "target" type
-// should be set.
-message ResourceMetricSource {
-  // name is the name of the resource in question.
-  optional string name = 1;
-
-  // targetAverageUtilization is the target value of the average of the
-  // resource metric across all relevant pods, represented as a percentage of
-  // the requested value of the resource for the pods.
-  // +optional
-  optional int32 targetAverageUtilization = 2;
-
-  // targetAverageValue is the target value of the average of the
-  // resource metric across all relevant pods, as a raw value (instead of as
-  // a percentage of the request), similar to the "pods" metric source type.
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetAverageValue = 3;
-}
-
-// ResourceMetricStatus indicates the current value of a resource metric known to
-// Kubernetes, as specified in requests and limits, describing each pod in the
-// current scale target (e.g. CPU or memory).  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.
-message ResourceMetricStatus {
-  // name is the name of the resource in question.
-  optional string name = 1;
-
-  // currentAverageUtilization is the current value of the average of the
-  // resource metric across all relevant pods, represented as a percentage of
-  // the requested value of the resource for the pods.  It will only be
-  // present if `targetAverageValue` was set in the corresponding metric
-  // specification.
-  // +optional
-  optional int32 currentAverageUtilization = 2;
-
-  // currentAverageValue is the current value of the average of the
-  // resource metric across all relevant pods, as a raw value (instead of as
-  // a percentage of the request), similar to the "pods" metric source type.
-  // It will always be set, regardless of the corresponding metric specification.
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentAverageValue = 3;
-}
-
-// Scale represents a scaling request for a resource.
-message Scale {
-  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
-  // +optional
-  optional ScaleSpec spec = 2;
-
-  // current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.
-  // +optional
-  optional ScaleStatus status = 3;
-}
-
-// ScaleSpec describes the attributes of a scale subresource.
-message ScaleSpec {
-  // desired number of instances for the scaled object.
-  // +optional
-  optional int32 replicas = 1;
-}
-
-// ScaleStatus represents the current status of a scale subresource.
-message ScaleStatus {
-  // actual number of observed instances of the scaled object.
-  optional int32 replicas = 1;
-
-  // label query over pods that should match the replicas count. This is same
-  // as the label selector but in the string format to avoid introspection
-  // by clients. The string will be in the same format as the query-param syntax.
-  // More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors
-  // +optional
-  optional string selector = 2;
-}
-
--- a/common-protos/k8s.io/api/autoscaling/v2/generated.proto
+++ b/common-protos/k8s.io/api/autoscaling/v2/generated.proto
@ -1,504 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.autoscaling.v2;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/autoscaling/v2";
-
-// ContainerResourceMetricSource indicates how to scale on a resource metric known to
-// Kubernetes, as specified in requests and limits, describing each pod in the
-// current scale target (e.g. CPU or memory).  The values will be averaged
-// together before being compared to the target.  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.  Only one "target" type
-// should be set.
-message ContainerResourceMetricSource {
-  // name is the name of the resource in question.
-  optional string name = 1;
-
-  // target specifies the target value for the given metric
-  optional MetricTarget target = 2;
-
-  // container is the name of the container in the pods of the scaling target
-  optional string container = 3;
-}
-
-// ContainerResourceMetricStatus indicates the current value of a resource metric known to
-// Kubernetes, as specified in requests and limits, describing a single container in each pod in the
-// current scale target (e.g. CPU or memory).  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.
-message ContainerResourceMetricStatus {
-  // Name is the name of the resource in question.
-  optional string name = 1;
-
-  // current contains the current value for the given metric
-  optional MetricValueStatus current = 2;
-
-  // Container is the name of the container in the pods of the scaling target
-  optional string container = 3;
-}
-
-// CrossVersionObjectReference contains enough information to let you identify the referred resource.
-message CrossVersionObjectReference {
-  // Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
-  optional string kind = 1;
-
-  // Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
-  optional string name = 2;
-
-  // API version of the referent
-  // +optional
-  optional string apiVersion = 3;
-}
-
-// ExternalMetricSource indicates how to scale on a metric not associated with
-// any Kubernetes object (for example length of queue in cloud
-// messaging service, or QPS from loadbalancer running outside of cluster).
-message ExternalMetricSource {
-  // metric identifies the target metric by name and selector
-  optional MetricIdentifier metric = 1;
-
-  // target specifies the target value for the given metric
-  optional MetricTarget target = 2;
-}
-
-// ExternalMetricStatus indicates the current value of a global metric
-// not associated with any Kubernetes object.
-message ExternalMetricStatus {
-  // metric identifies the target metric by name and selector
-  optional MetricIdentifier metric = 1;
-
-  // current contains the current value for the given metric
-  optional MetricValueStatus current = 2;
-}
-
-// HPAScalingPolicy is a single policy which must hold true for a specified past interval.
-message HPAScalingPolicy {
-  // Type is used to specify the scaling policy.
-  optional string type = 1;
-
-  // Value contains the amount of change which is permitted by the policy.
-  // It must be greater than zero
-  optional int32 value = 2;
-
-  // PeriodSeconds specifies the window of time for which the policy should hold true.
-  // PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
-  optional int32 periodSeconds = 3;
-}
-
-// HPAScalingRules configures the scaling behavior for one direction.
-// These Rules are applied after calculating DesiredReplicas from metrics for the HPA.
-// They can limit the scaling velocity by specifying scaling policies.
-// They can prevent flapping by specifying the stabilization window, so that the
-// number of replicas is not set instantly, instead, the safest value from the stabilization
-// window is chosen.
-message HPAScalingRules {
-  // StabilizationWindowSeconds is the number of seconds for which past recommendations should be
-  // considered while scaling up or scaling down.
-  // StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
-  // If not set, use the default values:
-  // - For scale up: 0 (i.e. no stabilization is done).
-  // - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
-  // +optional
-  optional int32 stabilizationWindowSeconds = 3;
-
-  // selectPolicy is used to specify which policy should be used.
-  // If not set, the default value Max is used.
-  // +optional
-  optional string selectPolicy = 1;
-
-  // policies is a list of potential scaling polices which can be used during scaling.
-  // At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
-  // +listType=atomic
-  // +optional
-  repeated HPAScalingPolicy policies = 2;
-}
-
-// HorizontalPodAutoscaler is the configuration for a horizontal pod
-// autoscaler, which automatically manages the replica count of any resource
-// implementing the scale subresource based on the metrics specified.
-message HorizontalPodAutoscaler {
-  // metadata is the standard object metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // spec is the specification for the behaviour of the autoscaler.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
-  // +optional
-  optional HorizontalPodAutoscalerSpec spec = 2;
-
-  // status is the current information about the autoscaler.
-  // +optional
-  optional HorizontalPodAutoscalerStatus status = 3;
-}
-
-// HorizontalPodAutoscalerBehavior configures the scaling behavior of the target
-// in both Up and Down directions (scaleUp and scaleDown fields respectively).
-message HorizontalPodAutoscalerBehavior {
-  // scaleUp is scaling policy for scaling Up.
-  // If not set, the default value is the higher of:
-  //   * increase no more than 4 pods per 60 seconds
-  //   * double the number of pods per 60 seconds
-  // No stabilization is used.
-  // +optional
-  optional HPAScalingRules scaleUp = 1;
-
-  // scaleDown is scaling policy for scaling Down.
-  // If not set, the default value is to allow to scale down to minReplicas pods, with a
-  // 300 second stabilization window (i.e., the highest recommendation for
-  // the last 300sec is used).
-  // +optional
-  optional HPAScalingRules scaleDown = 2;
-}
-
-// HorizontalPodAutoscalerCondition describes the state of
-// a HorizontalPodAutoscaler at a certain point.
-message HorizontalPodAutoscalerCondition {
-  // type describes the current condition
-  optional string type = 1;
-
-  // status is the status of the condition (True, False, Unknown)
-  optional string status = 2;
-
-  // lastTransitionTime is the last time the condition transitioned from
-  // one status to another
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // reason is the reason for the condition's last transition.
-  // +optional
-  optional string reason = 4;
-
-  // message is a human-readable explanation containing details about
-  // the transition
-  // +optional
-  optional string message = 5;
-}
-
-// HorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects.
-message HorizontalPodAutoscalerList {
-  // metadata is the standard list metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of horizontal pod autoscaler objects.
-  repeated HorizontalPodAutoscaler items = 2;
-}
-
-// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
-message HorizontalPodAutoscalerSpec {
-  // scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
-  // should be collected, as well as to actually change the replica count.
-  optional CrossVersionObjectReference scaleTargetRef = 1;
-
-  // minReplicas is the lower limit for the number of replicas to which the autoscaler
-  // can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
-  // alpha feature gate HPAScaleToZero is enabled and at least one Object or External
-  // metric is configured.  Scaling is active as long as at least one metric value is
-  // available.
-  // +optional
-  optional int32 minReplicas = 2;
-
-  // maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
-  // It cannot be less that minReplicas.
-  optional int32 maxReplicas = 3;
-
-  // metrics contains the specifications for which to use to calculate the
-  // desired replica count (the maximum replica count across all metrics will
-  // be used).  The desired replica count is calculated multiplying the
-  // ratio between the target value and the current value by the current
-  // number of pods.  Ergo, metrics used must decrease as the pod count is
-  // increased, and vice-versa.  See the individual metric source types for
-  // more information about how each type of metric must respond.
-  // If not set, the default metric will be set to 80% average CPU utilization.
-  // +listType=atomic
-  // +optional
-  repeated MetricSpec metrics = 4;
-
-  // behavior configures the scaling behavior of the target
-  // in both Up and Down directions (scaleUp and scaleDown fields respectively).
-  // If not set, the default HPAScalingRules for scale up and scale down are used.
-  // +optional
-  optional HorizontalPodAutoscalerBehavior behavior = 5;
-}
-
-// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.
-message HorizontalPodAutoscalerStatus {
-  // observedGeneration is the most recent generation observed by this autoscaler.
-  // +optional
-  optional int64 observedGeneration = 1;
-
-  // lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods,
-  // used by the autoscaler to control how often the number of pods is changed.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastScaleTime = 2;
-
-  // currentReplicas is current number of replicas of pods managed by this autoscaler,
-  // as last seen by the autoscaler.
-  // +optional
-  optional int32 currentReplicas = 3;
-
-  // desiredReplicas is the desired number of replicas of pods managed by this autoscaler,
-  // as last calculated by the autoscaler.
-  optional int32 desiredReplicas = 4;
-
-  // currentMetrics is the last read state of the metrics used by this autoscaler.
-  // +listType=atomic
-  // +optional
-  repeated MetricStatus currentMetrics = 5;
-
-  // conditions is the set of conditions required for this autoscaler to scale its target,
-  // and indicates whether or not those conditions are met.
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  // +listType=map
-  // +listMapKey=type
-  // +optional
-  repeated HorizontalPodAutoscalerCondition conditions = 6;
-}
-
-// MetricIdentifier defines the name and optionally selector for a metric
-message MetricIdentifier {
-  // name is the name of the given metric
-  optional string name = 1;
-
-  // selector is the string-encoded form of a standard kubernetes label selector for the given metric
-  // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
-  // When unset, just the metricName will be used to gather metrics.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
-}
-
-// MetricSpec specifies how to scale based on a single metric
-// (only `type` and one other matching field should be set at once).
-message MetricSpec {
-  // type is the type of metric source.  It should be one of "ContainerResource", "External",
-  // "Object", "Pods" or "Resource", each mapping to a matching field in the object.
-  // Note: "ContainerResource" type is available on when the feature-gate
-  // HPAContainerMetrics is enabled
-  optional string type = 1;
-
-  // object refers to a metric describing a single kubernetes object
-  // (for example, hits-per-second on an Ingress object).
-  // +optional
-  optional ObjectMetricSource object = 2;
-
-  // pods refers to a metric describing each pod in the current scale target
-  // (for example, transactions-processed-per-second).  The values will be
-  // averaged together before being compared to the target value.
-  // +optional
-  optional PodsMetricSource pods = 3;
-
-  // resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing each pod in the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // +optional
-  optional ResourceMetricSource resource = 4;
-
-  // containerResource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing a single container in
-  // each pod of the current scale target (e.g. CPU or memory). Such metrics are
-  // built in to Kubernetes, and have special scaling options on top of those
-  // available to normal per-pod metrics using the "pods" source.
-  // This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
-  // +optional
-  optional ContainerResourceMetricSource containerResource = 7;
-
-  // external refers to a global metric that is not associated
-  // with any Kubernetes object. It allows autoscaling based on information
-  // coming from components running outside of cluster
-  // (for example length of queue in cloud messaging service, or
-  // QPS from loadbalancer running outside of cluster).
-  // +optional
-  optional ExternalMetricSource external = 5;
-}
-
-// MetricStatus describes the last-read state of a single metric.
-message MetricStatus {
-  // type is the type of metric source.  It will be one of "ContainerResource", "External",
-  // "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
-  // Note: "ContainerResource" type is available on when the feature-gate
-  // HPAContainerMetrics is enabled
-  optional string type = 1;
-
-  // object refers to a metric describing a single kubernetes object
-  // (for example, hits-per-second on an Ingress object).
-  // +optional
-  optional ObjectMetricStatus object = 2;
-
-  // pods refers to a metric describing each pod in the current scale target
-  // (for example, transactions-processed-per-second).  The values will be
-  // averaged together before being compared to the target value.
-  // +optional
-  optional PodsMetricStatus pods = 3;
-
-  // resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing each pod in the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // +optional
-  optional ResourceMetricStatus resource = 4;
-
-  // container resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing a single container in each pod in the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // +optional
-  optional ContainerResourceMetricStatus containerResource = 7;
-
-  // external refers to a global metric that is not associated
-  // with any Kubernetes object. It allows autoscaling based on information
-  // coming from components running outside of cluster
-  // (for example length of queue in cloud messaging service, or
-  // QPS from loadbalancer running outside of cluster).
-  // +optional
-  optional ExternalMetricStatus external = 5;
-}
-
-// MetricTarget defines the target value, average value, or average utilization of a specific metric
-message MetricTarget {
-  // type represents whether the metric type is Utilization, Value, or AverageValue
-  optional string type = 1;
-
-  // value is the target value of the metric (as a quantity).
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity value = 2;
-
-  // averageValue is the target value of the average of the
-  // metric across all relevant pods (as a quantity)
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity averageValue = 3;
-
-  // averageUtilization is the target value of the average of the
-  // resource metric across all relevant pods, represented as a percentage of
-  // the requested value of the resource for the pods.
-  // Currently only valid for Resource metric source type
-  // +optional
-  optional int32 averageUtilization = 4;
-}
-
-// MetricValueStatus holds the current value for a metric
-message MetricValueStatus {
-  // value is the current value of the metric (as a quantity).
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity value = 1;
-
-  // averageValue is the current value of the average of the
-  // metric across all relevant pods (as a quantity)
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity averageValue = 2;
-
-  // currentAverageUtilization is the current value of the average of the
-  // resource metric across all relevant pods, represented as a percentage of
-  // the requested value of the resource for the pods.
-  // +optional
-  optional int32 averageUtilization = 3;
-}
-
-// ObjectMetricSource indicates how to scale on a metric describing a
-// kubernetes object (for example, hits-per-second on an Ingress object).
-message ObjectMetricSource {
-  // describedObject specifies the descriptions of a object,such as kind,name apiVersion
-  optional CrossVersionObjectReference describedObject = 1;
-
-  // target specifies the target value for the given metric
-  optional MetricTarget target = 2;
-
-  // metric identifies the target metric by name and selector
-  optional MetricIdentifier metric = 3;
-}
-
-// ObjectMetricStatus indicates the current value of a metric describing a
-// kubernetes object (for example, hits-per-second on an Ingress object).
-message ObjectMetricStatus {
-  // metric identifies the target metric by name and selector
-  optional MetricIdentifier metric = 1;
-
-  // current contains the current value for the given metric
-  optional MetricValueStatus current = 2;
-
-  // DescribedObject specifies the descriptions of a object,such as kind,name apiVersion
-  optional CrossVersionObjectReference describedObject = 3;
-}
-
-// PodsMetricSource indicates how to scale on a metric describing each pod in
-// the current scale target (for example, transactions-processed-per-second).
-// The values will be averaged together before being compared to the target
-// value.
-message PodsMetricSource {
-  // metric identifies the target metric by name and selector
-  optional MetricIdentifier metric = 1;
-
-  // target specifies the target value for the given metric
-  optional MetricTarget target = 2;
-}
-
-// PodsMetricStatus indicates the current value of a metric describing each pod in
-// the current scale target (for example, transactions-processed-per-second).
-message PodsMetricStatus {
-  // metric identifies the target metric by name and selector
-  optional MetricIdentifier metric = 1;
-
-  // current contains the current value for the given metric
-  optional MetricValueStatus current = 2;
-}
-
-// ResourceMetricSource indicates how to scale on a resource metric known to
-// Kubernetes, as specified in requests and limits, describing each pod in the
-// current scale target (e.g. CPU or memory).  The values will be averaged
-// together before being compared to the target.  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.  Only one "target" type
-// should be set.
-message ResourceMetricSource {
-  // name is the name of the resource in question.
-  optional string name = 1;
-
-  // target specifies the target value for the given metric
-  optional MetricTarget target = 2;
-}
-
-// ResourceMetricStatus indicates the current value of a resource metric known to
-// Kubernetes, as specified in requests and limits, describing each pod in the
-// current scale target (e.g. CPU or memory).  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.
-message ResourceMetricStatus {
-  // Name is the name of the resource in question.
-  optional string name = 1;
-
-  // current contains the current value for the given metric
-  optional MetricValueStatus current = 2;
-}
-
--- a/common-protos/k8s.io/api/autoscaling/v2beta1/generated.proto
+++ b/common-protos/k8s.io/api/autoscaling/v2beta1/generated.proto
@ -1,476 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.autoscaling.v2beta1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/autoscaling/v2beta1";
-
-// ContainerResourceMetricSource indicates how to scale on a resource metric known to
-// Kubernetes, as specified in requests and limits, describing each pod in the
-// current scale target (e.g. CPU or memory).  The values will be averaged
-// together before being compared to the target.  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.  Only one "target" type
-// should be set.
-message ContainerResourceMetricSource {
-  // name is the name of the resource in question.
-  optional string name = 1;
-
-  // targetAverageUtilization is the target value of the average of the
-  // resource metric across all relevant pods, represented as a percentage of
-  // the requested value of the resource for the pods.
-  // +optional
-  optional int32 targetAverageUtilization = 2;
-
-  // targetAverageValue is the target value of the average of the
-  // resource metric across all relevant pods, as a raw value (instead of as
-  // a percentage of the request), similar to the "pods" metric source type.
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetAverageValue = 3;
-
-  // container is the name of the container in the pods of the scaling target
-  optional string container = 4;
-}
-
-// ContainerResourceMetricStatus indicates the current value of a resource metric known to
-// Kubernetes, as specified in requests and limits, describing a single container in each pod in the
-// current scale target (e.g. CPU or memory).  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.
-message ContainerResourceMetricStatus {
-  // name is the name of the resource in question.
-  optional string name = 1;
-
-  // currentAverageUtilization is the current value of the average of the
-  // resource metric across all relevant pods, represented as a percentage of
-  // the requested value of the resource for the pods.  It will only be
-  // present if `targetAverageValue` was set in the corresponding metric
-  // specification.
-  // +optional
-  optional int32 currentAverageUtilization = 2;
-
-  // currentAverageValue is the current value of the average of the
-  // resource metric across all relevant pods, as a raw value (instead of as
-  // a percentage of the request), similar to the "pods" metric source type.
-  // It will always be set, regardless of the corresponding metric specification.
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentAverageValue = 3;
-
-  // container is the name of the container in the pods of the scaling target
-  optional string container = 4;
-}
-
-// CrossVersionObjectReference contains enough information to let you identify the referred resource.
-message CrossVersionObjectReference {
-  // Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
-  optional string kind = 1;
-
-  // Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
-  optional string name = 2;
-
-  // API version of the referent
-  // +optional
-  optional string apiVersion = 3;
-}
-
-// ExternalMetricSource indicates how to scale on a metric not associated with
-// any Kubernetes object (for example length of queue in cloud
-// messaging service, or QPS from loadbalancer running outside of cluster).
-// Exactly one "target" type should be set.
-message ExternalMetricSource {
-  // metricName is the name of the metric in question.
-  optional string metricName = 1;
-
-  // metricSelector is used to identify a specific time series
-  // within a given metric.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector metricSelector = 2;
-
-  // targetValue is the target value of the metric (as a quantity).
-  // Mutually exclusive with TargetAverageValue.
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetValue = 3;
-
-  // targetAverageValue is the target per-pod value of global metric (as a quantity).
-  // Mutually exclusive with TargetValue.
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetAverageValue = 4;
-}
-
-// ExternalMetricStatus indicates the current value of a global metric
-// not associated with any Kubernetes object.
-message ExternalMetricStatus {
-  // metricName is the name of a metric used for autoscaling in
-  // metric system.
-  optional string metricName = 1;
-
-  // metricSelector is used to identify a specific time series
-  // within a given metric.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector metricSelector = 2;
-
-  // currentValue is the current value of the metric (as a quantity)
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentValue = 3;
-
-  // currentAverageValue is the current value of metric averaged over autoscaled pods.
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentAverageValue = 4;
-}
-
-// HorizontalPodAutoscaler is the configuration for a horizontal pod
-// autoscaler, which automatically manages the replica count of any resource
-// implementing the scale subresource based on the metrics specified.
-message HorizontalPodAutoscaler {
-  // metadata is the standard object metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // spec is the specification for the behaviour of the autoscaler.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
-  // +optional
-  optional HorizontalPodAutoscalerSpec spec = 2;
-
-  // status is the current information about the autoscaler.
-  // +optional
-  optional HorizontalPodAutoscalerStatus status = 3;
-}
-
-// HorizontalPodAutoscalerCondition describes the state of
-// a HorizontalPodAutoscaler at a certain point.
-message HorizontalPodAutoscalerCondition {
-  // type describes the current condition
-  optional string type = 1;
-
-  // status is the status of the condition (True, False, Unknown)
-  optional string status = 2;
-
-  // lastTransitionTime is the last time the condition transitioned from
-  // one status to another
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // reason is the reason for the condition's last transition.
-  // +optional
-  optional string reason = 4;
-
-  // message is a human-readable explanation containing details about
-  // the transition
-  // +optional
-  optional string message = 5;
-}
-
-// HorizontalPodAutoscaler is a list of horizontal pod autoscaler objects.
-message HorizontalPodAutoscalerList {
-  // metadata is the standard list metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of horizontal pod autoscaler objects.
-  repeated HorizontalPodAutoscaler items = 2;
-}
-
-// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
-message HorizontalPodAutoscalerSpec {
-  // scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
-  // should be collected, as well as to actually change the replica count.
-  optional CrossVersionObjectReference scaleTargetRef = 1;
-
-  // minReplicas is the lower limit for the number of replicas to which the autoscaler
-  // can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
-  // alpha feature gate HPAScaleToZero is enabled and at least one Object or External
-  // metric is configured.  Scaling is active as long as at least one metric value is
-  // available.
-  // +optional
-  optional int32 minReplicas = 2;
-
-  // maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
-  // It cannot be less that minReplicas.
-  optional int32 maxReplicas = 3;
-
-  // metrics contains the specifications for which to use to calculate the
-  // desired replica count (the maximum replica count across all metrics will
-  // be used).  The desired replica count is calculated multiplying the
-  // ratio between the target value and the current value by the current
-  // number of pods.  Ergo, metrics used must decrease as the pod count is
-  // increased, and vice-versa.  See the individual metric source types for
-  // more information about how each type of metric must respond.
-  // +optional
-  repeated MetricSpec metrics = 4;
-}
-
-// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.
-message HorizontalPodAutoscalerStatus {
-  // observedGeneration is the most recent generation observed by this autoscaler.
-  // +optional
-  optional int64 observedGeneration = 1;
-
-  // lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods,
-  // used by the autoscaler to control how often the number of pods is changed.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastScaleTime = 2;
-
-  // currentReplicas is current number of replicas of pods managed by this autoscaler,
-  // as last seen by the autoscaler.
-  optional int32 currentReplicas = 3;
-
-  // desiredReplicas is the desired number of replicas of pods managed by this autoscaler,
-  // as last calculated by the autoscaler.
-  optional int32 desiredReplicas = 4;
-
-  // currentMetrics is the last read state of the metrics used by this autoscaler.
-  // +optional
-  repeated MetricStatus currentMetrics = 5;
-
-  // conditions is the set of conditions required for this autoscaler to scale its target,
-  // and indicates whether or not those conditions are met.
-  // +optional
-  repeated HorizontalPodAutoscalerCondition conditions = 6;
-}
-
-// MetricSpec specifies how to scale based on a single metric
-// (only `type` and one other matching field should be set at once).
-message MetricSpec {
-  // type is the type of metric source.  It should be one of "ContainerResource",
-  // "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object.
-  // Note: "ContainerResource" type is available on when the feature-gate
-  // HPAContainerMetrics is enabled
-  optional string type = 1;
-
-  // object refers to a metric describing a single kubernetes object
-  // (for example, hits-per-second on an Ingress object).
-  // +optional
-  optional ObjectMetricSource object = 2;
-
-  // pods refers to a metric describing each pod in the current scale target
-  // (for example, transactions-processed-per-second).  The values will be
-  // averaged together before being compared to the target value.
-  // +optional
-  optional PodsMetricSource pods = 3;
-
-  // resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing each pod in the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // +optional
-  optional ResourceMetricSource resource = 4;
-
-  // container resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing a single container in
-  // each pod of the current scale target (e.g. CPU or memory). Such metrics are
-  // built in to Kubernetes, and have special scaling options on top of those
-  // available to normal per-pod metrics using the "pods" source.
-  // This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
-  // +optional
-  optional ContainerResourceMetricSource containerResource = 7;
-
-  // external refers to a global metric that is not associated
-  // with any Kubernetes object. It allows autoscaling based on information
-  // coming from components running outside of cluster
-  // (for example length of queue in cloud messaging service, or
-  // QPS from loadbalancer running outside of cluster).
-  // +optional
-  optional ExternalMetricSource external = 5;
-}
-
-// MetricStatus describes the last-read state of a single metric.
-message MetricStatus {
-  // type is the type of metric source.  It will be one of "ContainerResource",
-  // "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
-  // Note: "ContainerResource" type is available on when the feature-gate
-  // HPAContainerMetrics is enabled
-  optional string type = 1;
-
-  // object refers to a metric describing a single kubernetes object
-  // (for example, hits-per-second on an Ingress object).
-  // +optional
-  optional ObjectMetricStatus object = 2;
-
-  // pods refers to a metric describing each pod in the current scale target
-  // (for example, transactions-processed-per-second).  The values will be
-  // averaged together before being compared to the target value.
-  // +optional
-  optional PodsMetricStatus pods = 3;
-
-  // resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing each pod in the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // +optional
-  optional ResourceMetricStatus resource = 4;
-
-  // container resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing a single container in each pod in the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // +optional
-  optional ContainerResourceMetricStatus containerResource = 7;
-
-  // external refers to a global metric that is not associated
-  // with any Kubernetes object. It allows autoscaling based on information
-  // coming from components running outside of cluster
-  // (for example length of queue in cloud messaging service, or
-  // QPS from loadbalancer running outside of cluster).
-  // +optional
-  optional ExternalMetricStatus external = 5;
-}
-
-// ObjectMetricSource indicates how to scale on a metric describing a
-// kubernetes object (for example, hits-per-second on an Ingress object).
-message ObjectMetricSource {
-  // target is the described Kubernetes object.
-  optional CrossVersionObjectReference target = 1;
-
-  // metricName is the name of the metric in question.
-  optional string metricName = 2;
-
-  // targetValue is the target value of the metric (as a quantity).
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetValue = 3;
-
-  // selector is the string-encoded form of a standard kubernetes label selector for the given metric
-  // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping
-  // When unset, just the metricName will be used to gather metrics.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 4;
-
-  // averageValue is the target value of the average of the
-  // metric across all relevant pods (as a quantity)
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity averageValue = 5;
-}
-
-// ObjectMetricStatus indicates the current value of a metric describing a
-// kubernetes object (for example, hits-per-second on an Ingress object).
-message ObjectMetricStatus {
-  // target is the described Kubernetes object.
-  optional CrossVersionObjectReference target = 1;
-
-  // metricName is the name of the metric in question.
-  optional string metricName = 2;
-
-  // currentValue is the current value of the metric (as a quantity).
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentValue = 3;
-
-  // selector is the string-encoded form of a standard kubernetes label selector for the given metric
-  // When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
-  // When unset, just the metricName will be used to gather metrics.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 4;
-
-  // averageValue is the current value of the average of the
-  // metric across all relevant pods (as a quantity)
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity averageValue = 5;
-}
-
-// PodsMetricSource indicates how to scale on a metric describing each pod in
-// the current scale target (for example, transactions-processed-per-second).
-// The values will be averaged together before being compared to the target
-// value.
-message PodsMetricSource {
-  // metricName is the name of the metric in question
-  optional string metricName = 1;
-
-  // targetAverageValue is the target value of the average of the
-  // metric across all relevant pods (as a quantity)
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetAverageValue = 2;
-
-  // selector is the string-encoded form of a standard kubernetes label selector for the given metric
-  // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping
-  // When unset, just the metricName will be used to gather metrics.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 3;
-}
-
-// PodsMetricStatus indicates the current value of a metric describing each pod in
-// the current scale target (for example, transactions-processed-per-second).
-message PodsMetricStatus {
-  // metricName is the name of the metric in question
-  optional string metricName = 1;
-
-  // currentAverageValue is the current value of the average of the
-  // metric across all relevant pods (as a quantity)
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentAverageValue = 2;
-
-  // selector is the string-encoded form of a standard kubernetes label selector for the given metric
-  // When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
-  // When unset, just the metricName will be used to gather metrics.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 3;
-}
-
-// ResourceMetricSource indicates how to scale on a resource metric known to
-// Kubernetes, as specified in requests and limits, describing each pod in the
-// current scale target (e.g. CPU or memory).  The values will be averaged
-// together before being compared to the target.  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.  Only one "target" type
-// should be set.
-message ResourceMetricSource {
-  // name is the name of the resource in question.
-  optional string name = 1;
-
-  // targetAverageUtilization is the target value of the average of the
-  // resource metric across all relevant pods, represented as a percentage of
-  // the requested value of the resource for the pods.
-  // +optional
-  optional int32 targetAverageUtilization = 2;
-
-  // targetAverageValue is the target value of the average of the
-  // resource metric across all relevant pods, as a raw value (instead of as
-  // a percentage of the request), similar to the "pods" metric source type.
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetAverageValue = 3;
-}
-
-// ResourceMetricStatus indicates the current value of a resource metric known to
-// Kubernetes, as specified in requests and limits, describing each pod in the
-// current scale target (e.g. CPU or memory).  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.
-message ResourceMetricStatus {
-  // name is the name of the resource in question.
-  optional string name = 1;
-
-  // currentAverageUtilization is the current value of the average of the
-  // resource metric across all relevant pods, represented as a percentage of
-  // the requested value of the resource for the pods.  It will only be
-  // present if `targetAverageValue` was set in the corresponding metric
-  // specification.
-  // +optional
-  optional int32 currentAverageUtilization = 2;
-
-  // currentAverageValue is the current value of the average of the
-  // resource metric across all relevant pods, as a raw value (instead of as
-  // a percentage of the request), similar to the "pods" metric source type.
-  // It will always be set, regardless of the corresponding metric specification.
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentAverageValue = 3;
-}
-
--- a/common-protos/k8s.io/api/autoscaling/v2beta2/generated.proto
+++ b/common-protos/k8s.io/api/autoscaling/v2beta2/generated.proto
@ -1,494 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.autoscaling.v2beta2;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/autoscaling/v2beta2";
-
-// ContainerResourceMetricSource indicates how to scale on a resource metric known to
-// Kubernetes, as specified in requests and limits, describing each pod in the
-// current scale target (e.g. CPU or memory).  The values will be averaged
-// together before being compared to the target.  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.  Only one "target" type
-// should be set.
-message ContainerResourceMetricSource {
-  // name is the name of the resource in question.
-  optional string name = 1;
-
-  // target specifies the target value for the given metric
-  optional MetricTarget target = 2;
-
-  // container is the name of the container in the pods of the scaling target
-  optional string container = 3;
-}
-
-// ContainerResourceMetricStatus indicates the current value of a resource metric known to
-// Kubernetes, as specified in requests and limits, describing a single container in each pod in the
-// current scale target (e.g. CPU or memory).  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.
-message ContainerResourceMetricStatus {
-  // Name is the name of the resource in question.
-  optional string name = 1;
-
-  // current contains the current value for the given metric
-  optional MetricValueStatus current = 2;
-
-  // Container is the name of the container in the pods of the scaling target
-  optional string container = 3;
-}
-
-// CrossVersionObjectReference contains enough information to let you identify the referred resource.
-message CrossVersionObjectReference {
-  // Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
-  optional string kind = 1;
-
-  // Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
-  optional string name = 2;
-
-  // API version of the referent
-  // +optional
-  optional string apiVersion = 3;
-}
-
-// ExternalMetricSource indicates how to scale on a metric not associated with
-// any Kubernetes object (for example length of queue in cloud
-// messaging service, or QPS from loadbalancer running outside of cluster).
-message ExternalMetricSource {
-  // metric identifies the target metric by name and selector
-  optional MetricIdentifier metric = 1;
-
-  // target specifies the target value for the given metric
-  optional MetricTarget target = 2;
-}
-
-// ExternalMetricStatus indicates the current value of a global metric
-// not associated with any Kubernetes object.
-message ExternalMetricStatus {
-  // metric identifies the target metric by name and selector
-  optional MetricIdentifier metric = 1;
-
-  // current contains the current value for the given metric
-  optional MetricValueStatus current = 2;
-}
-
-// HPAScalingPolicy is a single policy which must hold true for a specified past interval.
-message HPAScalingPolicy {
-  // Type is used to specify the scaling policy.
-  optional string type = 1;
-
-  // Value contains the amount of change which is permitted by the policy.
-  // It must be greater than zero
-  optional int32 value = 2;
-
-  // PeriodSeconds specifies the window of time for which the policy should hold true.
-  // PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
-  optional int32 periodSeconds = 3;
-}
-
-// HPAScalingRules configures the scaling behavior for one direction.
-// These Rules are applied after calculating DesiredReplicas from metrics for the HPA.
-// They can limit the scaling velocity by specifying scaling policies.
-// They can prevent flapping by specifying the stabilization window, so that the
-// number of replicas is not set instantly, instead, the safest value from the stabilization
-// window is chosen.
-message HPAScalingRules {
-  // StabilizationWindowSeconds is the number of seconds for which past recommendations should be
-  // considered while scaling up or scaling down.
-  // StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
-  // If not set, use the default values:
-  // - For scale up: 0 (i.e. no stabilization is done).
-  // - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
-  // +optional
-  optional int32 stabilizationWindowSeconds = 3;
-
-  // selectPolicy is used to specify which policy should be used.
-  // If not set, the default value MaxPolicySelect is used.
-  // +optional
-  optional string selectPolicy = 1;
-
-  // policies is a list of potential scaling polices which can be used during scaling.
-  // At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
-  // +optional
-  repeated HPAScalingPolicy policies = 2;
-}
-
-// HorizontalPodAutoscaler is the configuration for a horizontal pod
-// autoscaler, which automatically manages the replica count of any resource
-// implementing the scale subresource based on the metrics specified.
-message HorizontalPodAutoscaler {
-  // metadata is the standard object metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // spec is the specification for the behaviour of the autoscaler.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
-  // +optional
-  optional HorizontalPodAutoscalerSpec spec = 2;
-
-  // status is the current information about the autoscaler.
-  // +optional
-  optional HorizontalPodAutoscalerStatus status = 3;
-}
-
-// HorizontalPodAutoscalerBehavior configures the scaling behavior of the target
-// in both Up and Down directions (scaleUp and scaleDown fields respectively).
-message HorizontalPodAutoscalerBehavior {
-  // scaleUp is scaling policy for scaling Up.
-  // If not set, the default value is the higher of:
-  //   * increase no more than 4 pods per 60 seconds
-  //   * double the number of pods per 60 seconds
-  // No stabilization is used.
-  // +optional
-  optional HPAScalingRules scaleUp = 1;
-
-  // scaleDown is scaling policy for scaling Down.
-  // If not set, the default value is to allow to scale down to minReplicas pods, with a
-  // 300 second stabilization window (i.e., the highest recommendation for
-  // the last 300sec is used).
-  // +optional
-  optional HPAScalingRules scaleDown = 2;
-}
-
-// HorizontalPodAutoscalerCondition describes the state of
-// a HorizontalPodAutoscaler at a certain point.
-message HorizontalPodAutoscalerCondition {
-  // type describes the current condition
-  optional string type = 1;
-
-  // status is the status of the condition (True, False, Unknown)
-  optional string status = 2;
-
-  // lastTransitionTime is the last time the condition transitioned from
-  // one status to another
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // reason is the reason for the condition's last transition.
-  // +optional
-  optional string reason = 4;
-
-  // message is a human-readable explanation containing details about
-  // the transition
-  // +optional
-  optional string message = 5;
-}
-
-// HorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects.
-message HorizontalPodAutoscalerList {
-  // metadata is the standard list metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of horizontal pod autoscaler objects.
-  repeated HorizontalPodAutoscaler items = 2;
-}
-
-// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
-message HorizontalPodAutoscalerSpec {
-  // scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
-  // should be collected, as well as to actually change the replica count.
-  optional CrossVersionObjectReference scaleTargetRef = 1;
-
-  // minReplicas is the lower limit for the number of replicas to which the autoscaler
-  // can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
-  // alpha feature gate HPAScaleToZero is enabled and at least one Object or External
-  // metric is configured.  Scaling is active as long as at least one metric value is
-  // available.
-  // +optional
-  optional int32 minReplicas = 2;
-
-  // maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
-  // It cannot be less that minReplicas.
-  optional int32 maxReplicas = 3;
-
-  // metrics contains the specifications for which to use to calculate the
-  // desired replica count (the maximum replica count across all metrics will
-  // be used).  The desired replica count is calculated multiplying the
-  // ratio between the target value and the current value by the current
-  // number of pods.  Ergo, metrics used must decrease as the pod count is
-  // increased, and vice-versa.  See the individual metric source types for
-  // more information about how each type of metric must respond.
-  // If not set, the default metric will be set to 80% average CPU utilization.
-  // +optional
-  repeated MetricSpec metrics = 4;
-
-  // behavior configures the scaling behavior of the target
-  // in both Up and Down directions (scaleUp and scaleDown fields respectively).
-  // If not set, the default HPAScalingRules for scale up and scale down are used.
-  // +optional
-  optional HorizontalPodAutoscalerBehavior behavior = 5;
-}
-
-// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.
-message HorizontalPodAutoscalerStatus {
-  // observedGeneration is the most recent generation observed by this autoscaler.
-  // +optional
-  optional int64 observedGeneration = 1;
-
-  // lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods,
-  // used by the autoscaler to control how often the number of pods is changed.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastScaleTime = 2;
-
-  // currentReplicas is current number of replicas of pods managed by this autoscaler,
-  // as last seen by the autoscaler.
-  optional int32 currentReplicas = 3;
-
-  // desiredReplicas is the desired number of replicas of pods managed by this autoscaler,
-  // as last calculated by the autoscaler.
-  optional int32 desiredReplicas = 4;
-
-  // currentMetrics is the last read state of the metrics used by this autoscaler.
-  // +optional
-  repeated MetricStatus currentMetrics = 5;
-
-  // conditions is the set of conditions required for this autoscaler to scale its target,
-  // and indicates whether or not those conditions are met.
-  // +optional
-  repeated HorizontalPodAutoscalerCondition conditions = 6;
-}
-
-// MetricIdentifier defines the name and optionally selector for a metric
-message MetricIdentifier {
-  // name is the name of the given metric
-  optional string name = 1;
-
-  // selector is the string-encoded form of a standard kubernetes label selector for the given metric
-  // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
-  // When unset, just the metricName will be used to gather metrics.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
-}
-
-// MetricSpec specifies how to scale based on a single metric
-// (only `type` and one other matching field should be set at once).
-message MetricSpec {
-  // type is the type of metric source.  It should be one of "ContainerResource", "External",
-  // "Object", "Pods" or "Resource", each mapping to a matching field in the object.
-  // Note: "ContainerResource" type is available on when the feature-gate
-  // HPAContainerMetrics is enabled
-  optional string type = 1;
-
-  // object refers to a metric describing a single kubernetes object
-  // (for example, hits-per-second on an Ingress object).
-  // +optional
-  optional ObjectMetricSource object = 2;
-
-  // pods refers to a metric describing each pod in the current scale target
-  // (for example, transactions-processed-per-second).  The values will be
-  // averaged together before being compared to the target value.
-  // +optional
-  optional PodsMetricSource pods = 3;
-
-  // resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing each pod in the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // +optional
-  optional ResourceMetricSource resource = 4;
-
-  // container resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing a single container in
-  // each pod of the current scale target (e.g. CPU or memory). Such metrics are
-  // built in to Kubernetes, and have special scaling options on top of those
-  // available to normal per-pod metrics using the "pods" source.
-  // This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
-  // +optional
-  optional ContainerResourceMetricSource containerResource = 7;
-
-  // external refers to a global metric that is not associated
-  // with any Kubernetes object. It allows autoscaling based on information
-  // coming from components running outside of cluster
-  // (for example length of queue in cloud messaging service, or
-  // QPS from loadbalancer running outside of cluster).
-  // +optional
-  optional ExternalMetricSource external = 5;
-}
-
-// MetricStatus describes the last-read state of a single metric.
-message MetricStatus {
-  // type is the type of metric source.  It will be one of "ContainerResource", "External",
-  // "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
-  // Note: "ContainerResource" type is available on when the feature-gate
-  // HPAContainerMetrics is enabled
-  optional string type = 1;
-
-  // object refers to a metric describing a single kubernetes object
-  // (for example, hits-per-second on an Ingress object).
-  // +optional
-  optional ObjectMetricStatus object = 2;
-
-  // pods refers to a metric describing each pod in the current scale target
-  // (for example, transactions-processed-per-second).  The values will be
-  // averaged together before being compared to the target value.
-  // +optional
-  optional PodsMetricStatus pods = 3;
-
-  // resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing each pod in the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // +optional
-  optional ResourceMetricStatus resource = 4;
-
-  // container resource refers to a resource metric (such as those specified in
-  // requests and limits) known to Kubernetes describing a single container in each pod in the
-  // current scale target (e.g. CPU or memory). Such metrics are built in to
-  // Kubernetes, and have special scaling options on top of those available
-  // to normal per-pod metrics using the "pods" source.
-  // +optional
-  optional ContainerResourceMetricStatus containerResource = 7;
-
-  // external refers to a global metric that is not associated
-  // with any Kubernetes object. It allows autoscaling based on information
-  // coming from components running outside of cluster
-  // (for example length of queue in cloud messaging service, or
-  // QPS from loadbalancer running outside of cluster).
-  // +optional
-  optional ExternalMetricStatus external = 5;
-}
-
-// MetricTarget defines the target value, average value, or average utilization of a specific metric
-message MetricTarget {
-  // type represents whether the metric type is Utilization, Value, or AverageValue
-  optional string type = 1;
-
-  // value is the target value of the metric (as a quantity).
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity value = 2;
-
-  // averageValue is the target value of the average of the
-  // metric across all relevant pods (as a quantity)
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity averageValue = 3;
-
-  // averageUtilization is the target value of the average of the
-  // resource metric across all relevant pods, represented as a percentage of
-  // the requested value of the resource for the pods.
-  // Currently only valid for Resource metric source type
-  // +optional
-  optional int32 averageUtilization = 4;
-}
-
-// MetricValueStatus holds the current value for a metric
-message MetricValueStatus {
-  // value is the current value of the metric (as a quantity).
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity value = 1;
-
-  // averageValue is the current value of the average of the
-  // metric across all relevant pods (as a quantity)
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity averageValue = 2;
-
-  // currentAverageUtilization is the current value of the average of the
-  // resource metric across all relevant pods, represented as a percentage of
-  // the requested value of the resource for the pods.
-  // +optional
-  optional int32 averageUtilization = 3;
-}
-
-// ObjectMetricSource indicates how to scale on a metric describing a
-// kubernetes object (for example, hits-per-second on an Ingress object).
-message ObjectMetricSource {
-  optional CrossVersionObjectReference describedObject = 1;
-
-  // target specifies the target value for the given metric
-  optional MetricTarget target = 2;
-
-  // metric identifies the target metric by name and selector
-  optional MetricIdentifier metric = 3;
-}
-
-// ObjectMetricStatus indicates the current value of a metric describing a
-// kubernetes object (for example, hits-per-second on an Ingress object).
-message ObjectMetricStatus {
-  // metric identifies the target metric by name and selector
-  optional MetricIdentifier metric = 1;
-
-  // current contains the current value for the given metric
-  optional MetricValueStatus current = 2;
-
-  optional CrossVersionObjectReference describedObject = 3;
-}
-
-// PodsMetricSource indicates how to scale on a metric describing each pod in
-// the current scale target (for example, transactions-processed-per-second).
-// The values will be averaged together before being compared to the target
-// value.
-message PodsMetricSource {
-  // metric identifies the target metric by name and selector
-  optional MetricIdentifier metric = 1;
-
-  // target specifies the target value for the given metric
-  optional MetricTarget target = 2;
-}
-
-// PodsMetricStatus indicates the current value of a metric describing each pod in
-// the current scale target (for example, transactions-processed-per-second).
-message PodsMetricStatus {
-  // metric identifies the target metric by name and selector
-  optional MetricIdentifier metric = 1;
-
-  // current contains the current value for the given metric
-  optional MetricValueStatus current = 2;
-}
-
-// ResourceMetricSource indicates how to scale on a resource metric known to
-// Kubernetes, as specified in requests and limits, describing each pod in the
-// current scale target (e.g. CPU or memory).  The values will be averaged
-// together before being compared to the target.  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.  Only one "target" type
-// should be set.
-message ResourceMetricSource {
-  // name is the name of the resource in question.
-  optional string name = 1;
-
-  // target specifies the target value for the given metric
-  optional MetricTarget target = 2;
-}
-
-// ResourceMetricStatus indicates the current value of a resource metric known to
-// Kubernetes, as specified in requests and limits, describing each pod in the
-// current scale target (e.g. CPU or memory).  Such metrics are built in to
-// Kubernetes, and have special scaling options on top of those available to
-// normal per-pod metrics using the "pods" source.
-message ResourceMetricStatus {
-  // Name is the name of the resource in question.
-  optional string name = 1;
-
-  // current contains the current value for the given metric
-  optional MetricValueStatus current = 2;
-}
-
--- a/common-protos/k8s.io/api/batch/v1/generated.proto
+++ b/common-protos/k8s.io/api/batch/v1/generated.proto
@ -1,373 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.batch.v1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/batch/v1";
-
-// CronJob represents the configuration of a single cron job.
-message CronJob {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired behavior of a cron job, including the schedule.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional CronJobSpec spec = 2;
-
-  // Current status of a cron job.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional CronJobStatus status = 3;
-}
-
-// CronJobList is a collection of cron jobs.
-message CronJobList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of CronJobs.
-  repeated CronJob items = 2;
-}
-
-// CronJobSpec describes how the job execution will look like and when it will actually run.
-message CronJobSpec {
-  // The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
-  optional string schedule = 1;
-
-  // Optional deadline in seconds for starting the job if it misses scheduled
-  // time for any reason.  Missed jobs executions will be counted as failed ones.
-  // +optional
-  optional int64 startingDeadlineSeconds = 2;
-
-  // Specifies how to treat concurrent executions of a Job.
-  // Valid values are:
-  // - "Allow" (default): allows CronJobs to run concurrently;
-  // - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet;
-  // - "Replace": cancels currently running job and replaces it with a new one
-  // +optional
-  optional string concurrencyPolicy = 3;
-
-  // This flag tells the controller to suspend subsequent executions, it does
-  // not apply to already started executions.  Defaults to false.
-  // +optional
-  optional bool suspend = 4;
-
-  // Specifies the job that will be created when executing a CronJob.
-  optional JobTemplateSpec jobTemplate = 5;
-
-  // The number of successful finished jobs to retain. Value must be non-negative integer.
-  // Defaults to 3.
-  // +optional
-  optional int32 successfulJobsHistoryLimit = 6;
-
-  // The number of failed finished jobs to retain. Value must be non-negative integer.
-  // Defaults to 1.
-  // +optional
-  optional int32 failedJobsHistoryLimit = 7;
-}
-
-// CronJobStatus represents the current state of a cron job.
-message CronJobStatus {
-  // A list of pointers to currently running jobs.
-  // +optional
-  // +listType=atomic
-  repeated k8s.io.api.core.v1.ObjectReference active = 1;
-
-  // Information when was the last time the job was successfully scheduled.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastScheduleTime = 4;
-
-  // Information when was the last time the job successfully completed.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastSuccessfulTime = 5;
-}
-
-// Job represents the configuration of a single job.
-message Job {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired behavior of a job.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional JobSpec spec = 2;
-
-  // Current status of a job.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional JobStatus status = 3;
-}
-
-// JobCondition describes current state of a job.
-message JobCondition {
-  // Type of job condition, Complete or Failed.
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  optional string status = 2;
-
-  // Last time the condition was checked.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastProbeTime = 3;
-
-  // Last time the condition transit from one status to another.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 4;
-
-  // (brief) reason for the condition's last transition.
-  // +optional
-  optional string reason = 5;
-
-  // Human readable message indicating details about last transition.
-  // +optional
-  optional string message = 6;
-}
-
-// JobList is a collection of jobs.
-message JobList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of Jobs.
-  repeated Job items = 2;
-}
-
-// JobSpec describes how the job execution will look like.
-message JobSpec {
-  // Specifies the maximum desired number of pods the job should
-  // run at any given time. The actual number of pods running in steady state will
-  // be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism),
-  // i.e. when the work left to do is less than max parallelism.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
-  // +optional
-  optional int32 parallelism = 1;
-
-  // Specifies the desired number of successfully finished pods the
-  // job should be run with.  Setting to nil means that the success of any
-  // pod signals the success of all pods, and allows parallelism to have any positive
-  // value.  Setting to 1 means that parallelism is limited to 1 and the success of that
-  // pod signals the success of the job.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
-  // +optional
-  optional int32 completions = 2;
-
-  // Specifies the duration in seconds relative to the startTime that the job
-  // may be continuously active before the system tries to terminate it; value
-  // must be positive integer. If a Job is suspended (at creation or through an
-  // update), this timer will effectively be stopped and reset when the Job is
-  // resumed again.
-  // +optional
-  optional int64 activeDeadlineSeconds = 3;
-
-  // Specifies the number of retries before marking this job failed.
-  // Defaults to 6
-  // +optional
-  optional int32 backoffLimit = 7;
-
-  // A label query over pods that should match the pod count.
-  // Normally, the system sets this field for you.
-  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 4;
-
-  // manualSelector controls generation of pod labels and pod selectors.
-  // Leave `manualSelector` unset unless you are certain what you are doing.
-  // When false or unset, the system pick labels unique to this job
-  // and appends those labels to the pod template.  When true,
-  // the user is responsible for picking unique labels and specifying
-  // the selector.  Failure to pick a unique label may cause this
-  // and other jobs to not function correctly.  However, You may see
-  // `manualSelector=true` in jobs that were created with the old `extensions/v1beta1`
-  // API.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector
-  // +optional
-  optional bool manualSelector = 5;
-
-  // Describes the pod that will be created when executing a job.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
-  optional k8s.io.api.core.v1.PodTemplateSpec template = 6;
-
-  // ttlSecondsAfterFinished limits the lifetime of a Job that has finished
-  // execution (either Complete or Failed). If this field is set,
-  // ttlSecondsAfterFinished after the Job finishes, it is eligible to be
-  // automatically deleted. When the Job is being deleted, its lifecycle
-  // guarantees (e.g. finalizers) will be honored. If this field is unset,
-  // the Job won't be automatically deleted. If this field is set to zero,
-  // the Job becomes eligible to be deleted immediately after it finishes.
-  // +optional
-  optional int32 ttlSecondsAfterFinished = 8;
-
-  // CompletionMode specifies how Pod completions are tracked. It can be
-  // `NonIndexed` (default) or `Indexed`.
-  //
-  // `NonIndexed` means that the Job is considered complete when there have
-  // been .spec.completions successfully completed Pods. Each Pod completion is
-  // homologous to each other.
-  //
-  // `Indexed` means that the Pods of a
-  // Job get an associated completion index from 0 to (.spec.completions - 1),
-  // available in the annotation batch.kubernetes.io/job-completion-index.
-  // The Job is considered complete when there is one successfully completed Pod
-  // for each index.
-  // When value is `Indexed`, .spec.completions must be specified and
-  // `.spec.parallelism` must be less than or equal to 10^5.
-  // In addition, The Pod name takes the form
-  // `$(job-name)-$(index)-$(random-string)`,
-  // the Pod hostname takes the form `$(job-name)-$(index)`.
-  //
-  // This field is beta-level. More completion modes can be added in the future.
-  // If the Job controller observes a mode that it doesn't recognize, the
-  // controller skips updates for the Job.
-  // +optional
-  optional string completionMode = 9;
-
-  // Suspend specifies whether the Job controller should create Pods or not. If
-  // a Job is created with suspend set to true, no Pods are created by the Job
-  // controller. If a Job is suspended after creation (i.e. the flag goes from
-  // false to true), the Job controller will delete all active Pods associated
-  // with this Job. Users must design their workload to gracefully handle this.
-  // Suspending a Job will reset the StartTime field of the Job, effectively
-  // resetting the ActiveDeadlineSeconds timer too. Defaults to false.
-  //
-  // +optional
-  optional bool suspend = 10;
-}
-
-// JobStatus represents the current state of a Job.
-message JobStatus {
-  // The latest available observations of an object's current state. When a Job
-  // fails, one of the conditions will have type "Failed" and status true. When
-  // a Job is suspended, one of the conditions will have type "Suspended" and
-  // status true; when the Job is resumed, the status of this condition will
-  // become false. When a Job is completed, one of the conditions will have
-  // type "Complete" and status true.
-  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
-  // +optional
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  // +listType=atomic
-  repeated JobCondition conditions = 1;
-
-  // Represents time when the job controller started processing a job. When a
-  // Job is created in the suspended state, this field is not set until the
-  // first time it is resumed. This field is reset every time a Job is resumed
-  // from suspension. It is represented in RFC3339 form and is in UTC.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time startTime = 2;
-
-  // Represents time when the job was completed. It is not guaranteed to
-  // be set in happens-before order across separate operations.
-  // It is represented in RFC3339 form and is in UTC.
-  // The completion time is only set when the job finishes successfully.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time completionTime = 3;
-
-  // The number of pending and running pods.
-  // +optional
-  optional int32 active = 4;
-
-  // The number of pods which reached phase Succeeded.
-  // +optional
-  optional int32 succeeded = 5;
-
-  // The number of pods which reached phase Failed.
-  // +optional
-  optional int32 failed = 6;
-
-  // CompletedIndexes holds the completed indexes when .spec.completionMode =
-  // "Indexed" in a text format. The indexes are represented as decimal integers
-  // separated by commas. The numbers are listed in increasing order. Three or
-  // more consecutive numbers are compressed and represented by the first and
-  // last element of the series, separated by a hyphen.
-  // For example, if the completed indexes are 1, 3, 4, 5 and 7, they are
-  // represented as "1,3-5,7".
-  // +optional
-  optional string completedIndexes = 7;
-
-  // UncountedTerminatedPods holds the UIDs of Pods that have terminated but
-  // the job controller hasn't yet accounted for in the status counters.
-  //
-  // The job controller creates pods with a finalizer. When a pod terminates
-  // (succeeded or failed), the controller does three steps to account for it
-  // in the job status:
-  // (1) Add the pod UID to the arrays in this field.
-  // (2) Remove the pod finalizer.
-  // (3) Remove the pod UID from the arrays while increasing the corresponding
-  //     counter.
-  //
-  // This field is beta-level. The job controller only makes use of this field
-  // when the feature gate JobTrackingWithFinalizers is enabled (enabled
-  // by default).
-  // Old jobs might not be tracked using this field, in which case the field
-  // remains null.
-  // +optional
-  optional UncountedTerminatedPods uncountedTerminatedPods = 8;
-
-  // The number of pods which have a Ready condition.
-  //
-  // This field is alpha-level. The job controller populates the field when
-  // the feature gate JobReadyPods is enabled (disabled by default).
-  // +optional
-  optional int32 ready = 9;
-}
-
-// JobTemplateSpec describes the data a Job should have when created from a template
-message JobTemplateSpec {
-  // Standard object's metadata of the jobs created from this template.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired behavior of the job.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional JobSpec spec = 2;
-}
-
-// UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't
-// been accounted in Job status counters.
-message UncountedTerminatedPods {
-  // Succeeded holds UIDs of succeeded Pods.
-  // +listType=set
-  // +optional
-  repeated string succeeded = 1;
-
-  // Failed holds UIDs of failed Pods.
-  // +listType=set
-  // +optional
-  repeated string failed = 2;
-}
-
--- a/common-protos/k8s.io/api/batch/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/batch/v1beta1/generated.proto
@ -1,142 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.batch.v1beta1;
-
-import "k8s.io/api/batch/v1/generated.proto";
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/batch/v1beta1";
-
-// CronJob represents the configuration of a single cron job.
-message CronJob {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired behavior of a cron job, including the schedule.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional CronJobSpec spec = 2;
-
-  // Current status of a cron job.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional CronJobStatus status = 3;
-}
-
-// CronJobList is a collection of cron jobs.
-message CronJobList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of CronJobs.
-  repeated CronJob items = 2;
-}
-
-// CronJobSpec describes how the job execution will look like and when it will actually run.
-message CronJobSpec {
-  // The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
-  optional string schedule = 1;
-
-  // Optional deadline in seconds for starting the job if it misses scheduled
-  // time for any reason.  Missed jobs executions will be counted as failed ones.
-  // +optional
-  optional int64 startingDeadlineSeconds = 2;
-
-  // Specifies how to treat concurrent executions of a Job.
-  // Valid values are:
-  // - "Allow" (default): allows CronJobs to run concurrently;
-  // - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet;
-  // - "Replace": cancels currently running job and replaces it with a new one
-  // +optional
-  optional string concurrencyPolicy = 3;
-
-  // This flag tells the controller to suspend subsequent executions, it does
-  // not apply to already started executions.  Defaults to false.
-  // +optional
-  optional bool suspend = 4;
-
-  // Specifies the job that will be created when executing a CronJob.
-  optional JobTemplateSpec jobTemplate = 5;
-
-  // The number of successful finished jobs to retain.
-  // This is a pointer to distinguish between explicit zero and not specified.
-  // Defaults to 3.
-  // +optional
-  optional int32 successfulJobsHistoryLimit = 6;
-
-  // The number of failed finished jobs to retain.
-  // This is a pointer to distinguish between explicit zero and not specified.
-  // Defaults to 1.
-  // +optional
-  optional int32 failedJobsHistoryLimit = 7;
-}
-
-// CronJobStatus represents the current state of a cron job.
-message CronJobStatus {
-  // A list of pointers to currently running jobs.
-  // +optional
-  // +listType=atomic
-  repeated k8s.io.api.core.v1.ObjectReference active = 1;
-
-  // Information when was the last time the job was successfully scheduled.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastScheduleTime = 4;
-
-  // Information when was the last time the job successfully completed.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastSuccessfulTime = 5;
-}
-
-// JobTemplate describes a template for creating copies of a predefined pod.
-message JobTemplate {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Defines jobs that will be created from this template.
-  // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional JobTemplateSpec template = 2;
-}
-
-// JobTemplateSpec describes the data a Job should have when created from a template
-message JobTemplateSpec {
-  // Standard object's metadata of the jobs created from this template.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired behavior of the job.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional k8s.io.api.batch.v1.JobSpec spec = 2;
-}
-
--- a/common-protos/k8s.io/api/certificates/v1/generated.proto
+++ b/common-protos/k8s.io/api/certificates/v1/generated.proto
@ -1,250 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.certificates.v1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/certificates/v1";
-
-// CertificateSigningRequest objects provide a mechanism to obtain x509 certificates
-// by submitting a certificate signing request, and having it asynchronously approved and issued.
-//
-// Kubelets use this API to obtain:
-//  1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
-//  2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
-//
-// This API can be used to request client certificates to authenticate to kube-apiserver
-// (with the "kubernetes.io/kube-apiserver-client" signerName),
-// or to obtain certificates from custom non-Kubernetes signers.
-message CertificateSigningRequest {
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // spec contains the certificate request, and is immutable after creation.
-  // Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
-  // Other fields are derived by Kubernetes and cannot be modified by users.
-  optional CertificateSigningRequestSpec spec = 2;
-
-  // status contains information about whether the request is approved or denied,
-  // and the certificate issued by the signer, or the failure condition indicating signer failure.
-  // +optional
-  optional CertificateSigningRequestStatus status = 3;
-}
-
-// CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object
-message CertificateSigningRequestCondition {
-  // type of the condition. Known conditions are "Approved", "Denied", and "Failed".
-  //
-  // An "Approved" condition is added via the /approval subresource,
-  // indicating the request was approved and should be issued by the signer.
-  //
-  // A "Denied" condition is added via the /approval subresource,
-  // indicating the request was denied and should not be issued by the signer.
-  //
-  // A "Failed" condition is added via the /status subresource,
-  // indicating the signer failed to issue the certificate.
-  //
-  // Approved and Denied conditions are mutually exclusive.
-  // Approved, Denied, and Failed conditions cannot be removed once added.
-  //
-  // Only one condition of a given type is allowed.
-  optional string type = 1;
-
-  // status of the condition, one of True, False, Unknown.
-  // Approved, Denied, and Failed conditions may not be "False" or "Unknown".
-  optional string status = 6;
-
-  // reason indicates a brief reason for the request state
-  // +optional
-  optional string reason = 2;
-
-  // message contains a human readable message with details about the request state
-  // +optional
-  optional string message = 3;
-
-  // lastUpdateTime is the time of the last update to this condition
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 4;
-
-  // lastTransitionTime is the time the condition last transitioned from one status to another.
-  // If unset, when a new condition type is added or an existing condition's status is changed,
-  // the server defaults this to the current time.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 5;
-}
-
-// CertificateSigningRequestList is a collection of CertificateSigningRequest objects
-message CertificateSigningRequestList {
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is a collection of CertificateSigningRequest objects
-  repeated CertificateSigningRequest items = 2;
-}
-
-// CertificateSigningRequestSpec contains the certificate request.
-message CertificateSigningRequestSpec {
-  // request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block.
-  // When serialized as JSON or YAML, the data is additionally base64-encoded.
-  // +listType=atomic
-  optional bytes request = 1;
-
-  // signerName indicates the requested signer, and is a qualified name.
-  //
-  // List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector.
-  //
-  // Well-known Kubernetes signers are:
-  //  1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver.
-  //   Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager.
-  //  2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver.
-  //   Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
-  //  3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.
-  //   Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
-  //
-  // More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
-  //
-  // Custom signerNames can also be specified. The signer defines:
-  //  1. Trust distribution: how trust (CA bundles) are distributed.
-  //  2. Permitted subjects: and behavior when a disallowed subject is requested.
-  //  3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.
-  //  4. Required, permitted, or forbidden key usages / extended key usages.
-  //  5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
-  //  6. Whether or not requests for CA certificates are allowed.
-  optional string signerName = 7;
-
-  // expirationSeconds is the requested duration of validity of the issued
-  // certificate. The certificate signer may issue a certificate with a different
-  // validity duration so a client must check the delta between the notBefore and
-  // and notAfter fields in the issued certificate to determine the actual duration.
-  //
-  // The v1.22+ in-tree implementations of the well-known Kubernetes signers will
-  // honor this field as long as the requested duration is not greater than the
-  // maximum duration they will honor per the --cluster-signing-duration CLI
-  // flag to the Kubernetes controller manager.
-  //
-  // Certificate signers may not honor this field for various reasons:
-  //
-  //   1. Old signer that is unaware of the field (such as the in-tree
-  //      implementations prior to v1.22)
-  //   2. Signer whose configured maximum is shorter than the requested duration
-  //   3. Signer whose configured minimum is longer than the requested duration
-  //
-  // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
-  //
-  // As of v1.22, this field is beta and is controlled via the CSRDuration feature gate.
-  //
-  // +optional
-  optional int32 expirationSeconds = 8;
-
-  // usages specifies a set of key usages requested in the issued certificate.
-  //
-  // Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".
-  //
-  // Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth".
-  //
-  // Valid values are:
-  //  "signing", "digital signature", "content commitment",
-  //  "key encipherment", "key agreement", "data encipherment",
-  //  "cert sign", "crl sign", "encipher only", "decipher only", "any",
-  //  "server auth", "client auth",
-  //  "code signing", "email protection", "s/mime",
-  //  "ipsec end system", "ipsec tunnel", "ipsec user",
-  //  "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
-  // +listType=atomic
-  repeated string usages = 5;
-
-  // username contains the name of the user that created the CertificateSigningRequest.
-  // Populated by the API server on creation and immutable.
-  // +optional
-  optional string username = 2;
-
-  // uid contains the uid of the user that created the CertificateSigningRequest.
-  // Populated by the API server on creation and immutable.
-  // +optional
-  optional string uid = 3;
-
-  // groups contains group membership of the user that created the CertificateSigningRequest.
-  // Populated by the API server on creation and immutable.
-  // +listType=atomic
-  // +optional
-  repeated string groups = 4;
-
-  // extra contains extra attributes of the user that created the CertificateSigningRequest.
-  // Populated by the API server on creation and immutable.
-  // +optional
-  map<string, ExtraValue> extra = 6;
-}
-
-// CertificateSigningRequestStatus contains conditions used to indicate
-// approved/denied/failed status of the request, and the issued certificate.
-message CertificateSigningRequestStatus {
-  // conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed".
-  // +listType=map
-  // +listMapKey=type
-  // +optional
-  repeated CertificateSigningRequestCondition conditions = 1;
-
-  // certificate is populated with an issued certificate by the signer after an Approved condition is present.
-  // This field is set via the /status subresource. Once populated, this field is immutable.
-  //
-  // If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty.
-  // If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty.
-  //
-  // Validation requirements:
-  //  1. certificate must contain one or more PEM blocks.
-  //  2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data
-  //   must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
-  //  3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated,
-  //   to allow for explanatory text as described in section 5.2 of RFC7468.
-  //
-  // If more than one PEM block is present, and the definition of the requested spec.signerName
-  // does not indicate otherwise, the first block is the issued certificate,
-  // and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.
-  //
-  // The certificate is encoded in PEM format.
-  //
-  // When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:
-  //
-  //     base64(
-  //     -----BEGIN CERTIFICATE-----
-  //     ...
-  //     -----END CERTIFICATE-----
-  //     )
-  //
-  // +listType=atomic
-  // +optional
-  optional bytes certificate = 2;
-}
-
-// ExtraValue masks the value so protobuf can generate
-// +protobuf.nullable=true
-// +protobuf.options.(gogoproto.goproto_stringer)=false
-message ExtraValue {
-  // items, if empty, will result in an empty slice
-
-  repeated string items = 1;
-}
-
--- a/common-protos/k8s.io/api/certificates/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/certificates/v1beta1/generated.proto
@ -1,201 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.certificates.v1beta1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/certificates/v1beta1";
-
-// Describes a certificate signing request
-message CertificateSigningRequest {
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // spec contains the certificate request, and is immutable after creation.
-  // Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
-  // Other fields are derived by Kubernetes and cannot be modified by users.
-  optional CertificateSigningRequestSpec spec = 2;
-
-  // Derived information about the request.
-  // +optional
-  optional CertificateSigningRequestStatus status = 3;
-}
-
-message CertificateSigningRequestCondition {
-  // type of the condition. Known conditions include "Approved", "Denied", and "Failed".
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  // Approved, Denied, and Failed conditions may not be "False" or "Unknown".
-  // Defaults to "True".
-  // If unset, should be treated as "True".
-  // +optional
-  optional string status = 6;
-
-  // brief reason for the request state
-  // +optional
-  optional string reason = 2;
-
-  // human readable message with details about the request state
-  // +optional
-  optional string message = 3;
-
-  // timestamp for the last update to this condition
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 4;
-
-  // lastTransitionTime is the time the condition last transitioned from one status to another.
-  // If unset, when a new condition type is added or an existing condition's status is changed,
-  // the server defaults this to the current time.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 5;
-}
-
-message CertificateSigningRequestList {
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  repeated CertificateSigningRequest items = 2;
-}
-
-// CertificateSigningRequestSpec contains the certificate request.
-message CertificateSigningRequestSpec {
-  // Base64-encoded PKCS#10 CSR data
-  // +listType=atomic
-  optional bytes request = 1;
-
-  // Requested signer for the request. It is a qualified name in the form:
-  // `scope-hostname.io/name`.
-  // If empty, it will be defaulted:
-  //  1. If it's a kubelet client certificate, it is assigned
-  //     "kubernetes.io/kube-apiserver-client-kubelet".
-  //  2. If it's a kubelet serving certificate, it is assigned
-  //     "kubernetes.io/kubelet-serving".
-  //  3. Otherwise, it is assigned "kubernetes.io/legacy-unknown".
-  // Distribution of trust for signers happens out of band.
-  // You can select on this field using `spec.signerName`.
-  // +optional
-  optional string signerName = 7;
-
-  // expirationSeconds is the requested duration of validity of the issued
-  // certificate. The certificate signer may issue a certificate with a different
-  // validity duration so a client must check the delta between the notBefore and
-  // and notAfter fields in the issued certificate to determine the actual duration.
-  //
-  // The v1.22+ in-tree implementations of the well-known Kubernetes signers will
-  // honor this field as long as the requested duration is not greater than the
-  // maximum duration they will honor per the --cluster-signing-duration CLI
-  // flag to the Kubernetes controller manager.
-  //
-  // Certificate signers may not honor this field for various reasons:
-  //
-  //   1. Old signer that is unaware of the field (such as the in-tree
-  //      implementations prior to v1.22)
-  //   2. Signer whose configured maximum is shorter than the requested duration
-  //   3. Signer whose configured minimum is longer than the requested duration
-  //
-  // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
-  //
-  // As of v1.22, this field is beta and is controlled via the CSRDuration feature gate.
-  //
-  // +optional
-  optional int32 expirationSeconds = 8;
-
-  // allowedUsages specifies a set of usage contexts the key will be
-  // valid for.
-  // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
-  //      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
-  // Valid values are:
-  //  "signing",
-  //  "digital signature",
-  //  "content commitment",
-  //  "key encipherment",
-  //  "key agreement",
-  //  "data encipherment",
-  //  "cert sign",
-  //  "crl sign",
-  //  "encipher only",
-  //  "decipher only",
-  //  "any",
-  //  "server auth",
-  //  "client auth",
-  //  "code signing",
-  //  "email protection",
-  //  "s/mime",
-  //  "ipsec end system",
-  //  "ipsec tunnel",
-  //  "ipsec user",
-  //  "timestamping",
-  //  "ocsp signing",
-  //  "microsoft sgc",
-  //  "netscape sgc"
-  // +listType=atomic
-  repeated string usages = 5;
-
-  // Information about the requesting user.
-  // See user.Info interface for details.
-  // +optional
-  optional string username = 2;
-
-  // UID information about the requesting user.
-  // See user.Info interface for details.
-  // +optional
-  optional string uid = 3;
-
-  // Group information about the requesting user.
-  // See user.Info interface for details.
-  // +listType=atomic
-  // +optional
-  repeated string groups = 4;
-
-  // Extra information about the requesting user.
-  // See user.Info interface for details.
-  // +optional
-  map<string, ExtraValue> extra = 6;
-}
-
-message CertificateSigningRequestStatus {
-  // Conditions applied to the request, such as approval or denial.
-  // +listType=map
-  // +listMapKey=type
-  // +optional
-  repeated CertificateSigningRequestCondition conditions = 1;
-
-  // If request was approved, the controller will place the issued certificate here.
-  // +listType=atomic
-  // +optional
-  optional bytes certificate = 2;
-}
-
-// ExtraValue masks the value so protobuf can generate
-// +protobuf.nullable=true
-// +protobuf.options.(gogoproto.goproto_stringer)=false
-message ExtraValue {
-  // items, if empty, will result in an empty slice
-
-  repeated string items = 1;
-}
-
--- a/common-protos/k8s.io/api/coordination/v1/generated.proto
+++ b/common-protos/k8s.io/api/coordination/v1/generated.proto
@ -1,80 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.coordination.v1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/coordination/v1";
-
-// Lease defines a lease concept.
-message Lease {
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the Lease.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional LeaseSpec spec = 2;
-}
-
-// LeaseList is a list of Lease objects.
-message LeaseList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of schema objects.
-  repeated Lease items = 2;
-}
-
-// LeaseSpec is a specification of a Lease.
-message LeaseSpec {
-  // holderIdentity contains the identity of the holder of a current lease.
-  // +optional
-  optional string holderIdentity = 1;
-
-  // leaseDurationSeconds is a duration that candidates for a lease need
-  // to wait to force acquire it. This is measure against time of last
-  // observed RenewTime.
-  // +optional
-  optional int32 leaseDurationSeconds = 2;
-
-  // acquireTime is a time when the current lease was acquired.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime acquireTime = 3;
-
-  // renewTime is a time when the current holder of a lease has last
-  // updated the lease.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime renewTime = 4;
-
-  // leaseTransitions is the number of transitions of a lease between
-  // holders.
-  // +optional
-  optional int32 leaseTransitions = 5;
-}
-
--- a/common-protos/k8s.io/api/coordination/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/coordination/v1beta1/generated.proto
@ -1,80 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.coordination.v1beta1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/coordination/v1beta1";
-
-// Lease defines a lease concept.
-message Lease {
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the Lease.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional LeaseSpec spec = 2;
-}
-
-// LeaseList is a list of Lease objects.
-message LeaseList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of schema objects.
-  repeated Lease items = 2;
-}
-
-// LeaseSpec is a specification of a Lease.
-message LeaseSpec {
-  // holderIdentity contains the identity of the holder of a current lease.
-  // +optional
-  optional string holderIdentity = 1;
-
-  // leaseDurationSeconds is a duration that candidates for a lease need
-  // to wait to force acquire it. This is measure against time of last
-  // observed RenewTime.
-  // +optional
-  optional int32 leaseDurationSeconds = 2;
-
-  // acquireTime is a time when the current lease was acquired.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime acquireTime = 3;
-
-  // renewTime is a time when the current holder of a lease has last
-  // updated the lease.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime renewTime = 4;
-
-  // leaseTransitions is the number of transitions of a lease between
-  // holders.
-  // +optional
-  optional int32 leaseTransitions = 5;
-}
-
--- a/common-protos/k8s.io/api/core/v1/generated.proto
+++ b/common-protos/k8s.io/api/core/v1/generated.proto
--- a/common-protos/k8s.io/api/discovery/v1/generated.proto
+++ b/common-protos/k8s.io/api/discovery/v1/generated.proto
@ -1,198 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.discovery.v1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/discovery/v1";
-
-// Endpoint represents a single logical "backend" implementing a service.
-message Endpoint {
-  // addresses of this endpoint. The contents of this field are interpreted
-  // according to the corresponding EndpointSlice addressType field. Consumers
-  // must handle different types of addresses in the context of their own
-  // capabilities. This must contain at least one address but no more than
-  // 100. These are all assumed to be fungible and clients may choose to only
-  // use the first element. Refer to: https://issue.k8s.io/106267
-  // +listType=set
-  repeated string addresses = 1;
-
-  // conditions contains information about the current status of the endpoint.
-  optional EndpointConditions conditions = 2;
-
-  // hostname of this endpoint. This field may be used by consumers of
-  // endpoints to distinguish endpoints from each other (e.g. in DNS names).
-  // Multiple endpoints which use the same hostname should be considered
-  // fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS
-  // Label (RFC 1123) validation.
-  // +optional
-  optional string hostname = 3;
-
-  // targetRef is a reference to a Kubernetes object that represents this
-  // endpoint.
-  // +optional
-  optional k8s.io.api.core.v1.ObjectReference targetRef = 4;
-
-  // deprecatedTopology contains topology information part of the v1beta1
-  // API. This field is deprecated, and will be removed when the v1beta1
-  // API is removed (no sooner than kubernetes v1.24).  While this field can
-  // hold values, it is not writable through the v1 API, and any attempts to
-  // write to it will be silently ignored. Topology information can be found
-  // in the zone and nodeName fields instead.
-  // +optional
-  map<string, string> deprecatedTopology = 5;
-
-  // nodeName represents the name of the Node hosting this endpoint. This can
-  // be used to determine endpoints local to a Node. This field can be enabled
-  // with the EndpointSliceNodeName feature gate.
-  // +optional
-  optional string nodeName = 6;
-
-  // zone is the name of the Zone this endpoint exists in.
-  // +optional
-  optional string zone = 7;
-
-  // hints contains information associated with how an endpoint should be
-  // consumed.
-  // +optional
-  optional EndpointHints hints = 8;
-}
-
-// EndpointConditions represents the current condition of an endpoint.
-message EndpointConditions {
-  // ready indicates that this endpoint is prepared to receive traffic,
-  // according to whatever system is managing the endpoint. A nil value
-  // indicates an unknown state. In most cases consumers should interpret this
-  // unknown state as ready. For compatibility reasons, ready should never be
-  // "true" for terminating endpoints.
-  // +optional
-  optional bool ready = 1;
-
-  // serving is identical to ready except that it is set regardless of the
-  // terminating state of endpoints. This condition should be set to true for
-  // a ready endpoint that is terminating. If nil, consumers should defer to
-  // the ready condition. This field can be enabled with the
-  // EndpointSliceTerminatingCondition feature gate.
-  // +optional
-  optional bool serving = 2;
-
-  // terminating indicates that this endpoint is terminating. A nil value
-  // indicates an unknown state. Consumers should interpret this unknown state
-  // to mean that the endpoint is not terminating. This field can be enabled
-  // with the EndpointSliceTerminatingCondition feature gate.
-  // +optional
-  optional bool terminating = 3;
-}
-
-// EndpointHints provides hints describing how an endpoint should be consumed.
-message EndpointHints {
-  // forZones indicates the zone(s) this endpoint should be consumed by to
-  // enable topology aware routing.
-  // +listType=atomic
-  repeated ForZone forZones = 1;
-}
-
-// EndpointPort represents a Port used by an EndpointSlice
-// +structType=atomic
-message EndpointPort {
-  // The name of this port. All ports in an EndpointSlice must have a unique
-  // name. If the EndpointSlice is dervied from a Kubernetes service, this
-  // corresponds to the Service.ports[].name.
-  // Name must either be an empty string or pass DNS_LABEL validation:
-  // * must be no more than 63 characters long.
-  // * must consist of lower case alphanumeric characters or '-'.
-  // * must start and end with an alphanumeric character.
-  // Default is empty string.
-  optional string name = 1;
-
-  // The IP protocol for this port.
-  // Must be UDP, TCP, or SCTP.
-  // Default is TCP.
-  optional string protocol = 2;
-
-  // The port number of the endpoint.
-  // If this is not specified, ports are not restricted and must be
-  // interpreted in the context of the specific consumer.
-  optional int32 port = 3;
-
-  // The application protocol for this port.
-  // This field follows standard Kubernetes label syntax.
-  // Un-prefixed names are reserved for IANA standard service names (as per
-  // RFC-6335 and https://www.iana.org/assignments/service-names).
-  // Non-standard protocols should use prefixed names such as
-  // mycompany.com/my-custom-protocol.
-  // +optional
-  optional string appProtocol = 4;
-}
-
-// EndpointSlice represents a subset of the endpoints that implement a service.
-// For a given service there may be multiple EndpointSlice objects, selected by
-// labels, which must be joined to produce the full set of endpoints.
-message EndpointSlice {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // addressType specifies the type of address carried by this EndpointSlice.
-  // All addresses in this slice must be the same type. This field is
-  // immutable after creation. The following address types are currently
-  // supported:
-  // * IPv4: Represents an IPv4 Address.
-  // * IPv6: Represents an IPv6 Address.
-  // * FQDN: Represents a Fully Qualified Domain Name.
-  optional string addressType = 4;
-
-  // endpoints is a list of unique endpoints in this slice. Each slice may
-  // include a maximum of 1000 endpoints.
-  // +listType=atomic
-  repeated Endpoint endpoints = 2;
-
-  // ports specifies the list of network ports exposed by each endpoint in
-  // this slice. Each port must have a unique name. When ports is empty, it
-  // indicates that there are no defined ports. When a port is defined with a
-  // nil port value, it indicates "all ports". Each slice may include a
-  // maximum of 100 ports.
-  // +optional
-  // +listType=atomic
-  repeated EndpointPort ports = 3;
-}
-
-// EndpointSliceList represents a list of endpoint slices
-message EndpointSliceList {
-  // Standard list metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // List of endpoint slices
-  repeated EndpointSlice items = 2;
-}
-
-// ForZone provides information about which zones should consume this endpoint.
-message ForZone {
-  // name represents the name of the zone.
-  optional string name = 1;
-}
-
--- a/common-protos/k8s.io/api/discovery/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/discovery/v1beta1/generated.proto
@ -1,201 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.discovery.v1beta1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/discovery/v1beta1";
-
-// Endpoint represents a single logical "backend" implementing a service.
-message Endpoint {
-  // addresses of this endpoint. The contents of this field are interpreted
-  // according to the corresponding EndpointSlice addressType field. Consumers
-  // must handle different types of addresses in the context of their own
-  // capabilities. This must contain at least one address but no more than
-  // 100. These are all assumed to be fungible and clients may choose to only
-  // use the first element. Refer to: https://issue.k8s.io/106267
-  // +listType=set
-  repeated string addresses = 1;
-
-  // conditions contains information about the current status of the endpoint.
-  optional EndpointConditions conditions = 2;
-
-  // hostname of this endpoint. This field may be used by consumers of
-  // endpoints to distinguish endpoints from each other (e.g. in DNS names).
-  // Multiple endpoints which use the same hostname should be considered
-  // fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS
-  // Label (RFC 1123) validation.
-  // +optional
-  optional string hostname = 3;
-
-  // targetRef is a reference to a Kubernetes object that represents this
-  // endpoint.
-  // +optional
-  optional k8s.io.api.core.v1.ObjectReference targetRef = 4;
-
-  // topology contains arbitrary topology information associated with the
-  // endpoint. These key/value pairs must conform with the label format.
-  // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
-  // Topology may include a maximum of 16 key/value pairs. This includes, but
-  // is not limited to the following well known keys:
-  // * kubernetes.io/hostname: the value indicates the hostname of the node
-  //   where the endpoint is located. This should match the corresponding
-  //   node label.
-  // * topology.kubernetes.io/zone: the value indicates the zone where the
-  //   endpoint is located. This should match the corresponding node label.
-  // * topology.kubernetes.io/region: the value indicates the region where the
-  //   endpoint is located. This should match the corresponding node label.
-  // This field is deprecated and will be removed in future api versions.
-  // +optional
-  map<string, string> topology = 5;
-
-  // nodeName represents the name of the Node hosting this endpoint. This can
-  // be used to determine endpoints local to a Node. This field can be enabled
-  // with the EndpointSliceNodeName feature gate.
-  // +optional
-  optional string nodeName = 6;
-
-  // hints contains information associated with how an endpoint should be
-  // consumed.
-  // +featureGate=TopologyAwareHints
-  // +optional
-  optional EndpointHints hints = 7;
-}
-
-// EndpointConditions represents the current condition of an endpoint.
-message EndpointConditions {
-  // ready indicates that this endpoint is prepared to receive traffic,
-  // according to whatever system is managing the endpoint. A nil value
-  // indicates an unknown state. In most cases consumers should interpret this
-  // unknown state as ready. For compatibility reasons, ready should never be
-  // "true" for terminating endpoints.
-  // +optional
-  optional bool ready = 1;
-
-  // serving is identical to ready except that it is set regardless of the
-  // terminating state of endpoints. This condition should be set to true for
-  // a ready endpoint that is terminating. If nil, consumers should defer to
-  // the ready condition. This field can be enabled with the
-  // EndpointSliceTerminatingCondition feature gate.
-  // +optional
-  optional bool serving = 2;
-
-  // terminating indicates that this endpoint is terminating. A nil value
-  // indicates an unknown state. Consumers should interpret this unknown state
-  // to mean that the endpoint is not terminating. This field can be enabled
-  // with the EndpointSliceTerminatingCondition feature gate.
-  // +optional
-  optional bool terminating = 3;
-}
-
-// EndpointHints provides hints describing how an endpoint should be consumed.
-message EndpointHints {
-  // forZones indicates the zone(s) this endpoint should be consumed by to
-  // enable topology aware routing. May contain a maximum of 8 entries.
-  // +listType=atomic
-  repeated ForZone forZones = 1;
-}
-
-// EndpointPort represents a Port used by an EndpointSlice
-message EndpointPort {
-  // The name of this port. All ports in an EndpointSlice must have a unique
-  // name. If the EndpointSlice is dervied from a Kubernetes service, this
-  // corresponds to the Service.ports[].name.
-  // Name must either be an empty string or pass DNS_LABEL validation:
-  // * must be no more than 63 characters long.
-  // * must consist of lower case alphanumeric characters or '-'.
-  // * must start and end with an alphanumeric character.
-  // Default is empty string.
-  optional string name = 1;
-
-  // The IP protocol for this port.
-  // Must be UDP, TCP, or SCTP.
-  // Default is TCP.
-  optional string protocol = 2;
-
-  // The port number of the endpoint.
-  // If this is not specified, ports are not restricted and must be
-  // interpreted in the context of the specific consumer.
-  optional int32 port = 3;
-
-  // The application protocol for this port.
-  // This field follows standard Kubernetes label syntax.
-  // Un-prefixed names are reserved for IANA standard service names (as per
-  // RFC-6335 and https://www.iana.org/assignments/service-names).
-  // Non-standard protocols should use prefixed names such as
-  // mycompany.com/my-custom-protocol.
-  // +optional
-  optional string appProtocol = 4;
-}
-
-// EndpointSlice represents a subset of the endpoints that implement a service.
-// For a given service there may be multiple EndpointSlice objects, selected by
-// labels, which must be joined to produce the full set of endpoints.
-message EndpointSlice {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // addressType specifies the type of address carried by this EndpointSlice.
-  // All addresses in this slice must be the same type. This field is
-  // immutable after creation. The following address types are currently
-  // supported:
-  // * IPv4: Represents an IPv4 Address.
-  // * IPv6: Represents an IPv6 Address.
-  // * FQDN: Represents a Fully Qualified Domain Name.
-  optional string addressType = 4;
-
-  // endpoints is a list of unique endpoints in this slice. Each slice may
-  // include a maximum of 1000 endpoints.
-  // +listType=atomic
-  repeated Endpoint endpoints = 2;
-
-  // ports specifies the list of network ports exposed by each endpoint in
-  // this slice. Each port must have a unique name. When ports is empty, it
-  // indicates that there are no defined ports. When a port is defined with a
-  // nil port value, it indicates "all ports". Each slice may include a
-  // maximum of 100 ports.
-  // +optional
-  // +listType=atomic
-  repeated EndpointPort ports = 3;
-}
-
-// EndpointSliceList represents a list of endpoint slices
-message EndpointSliceList {
-  // Standard list metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // List of endpoint slices
-  repeated EndpointSlice items = 2;
-}
-
-// ForZone provides information about which zones should consume this endpoint.
-message ForZone {
-  // name represents the name of the zone.
-  optional string name = 1;
-}
-
--- a/common-protos/k8s.io/api/events/v1/generated.proto
+++ b/common-protos/k8s.io/api/events/v1/generated.proto
@ -1,128 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.events.v1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/events/v1";
-
-// Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system.
-// Events have a limited retention time and triggers and messages may evolve
-// with time.  Event consumers should not rely on the timing of an event
-// with a given Reason reflecting a consistent underlying trigger, or the
-// continued existence of events with that Reason.  Events should be
-// treated as informative, best-effort, supplemental data.
-message Event {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // eventTime is the time when this Event was first observed. It is required.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime eventTime = 2;
-
-  // series is data about the Event series this event represents or nil if it's a singleton Event.
-  // +optional
-  optional EventSeries series = 3;
-
-  // reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`.
-  // This field cannot be empty for new Events.
-  optional string reportingController = 4;
-
-  // reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`.
-  // This field cannot be empty for new Events and it can have at most 128 characters.
-  optional string reportingInstance = 5;
-
-  // action is what action was taken/failed regarding to the regarding object. It is machine-readable.
-  // This field cannot be empty for new Events and it can have at most 128 characters.
-  optional string action = 6;
-
-  // reason is why the action was taken. It is human-readable.
-  // This field cannot be empty for new Events and it can have at most 128 characters.
-  optional string reason = 7;
-
-  // regarding contains the object this Event is about. In most cases it's an Object reporting controller
-  // implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because
-  // it acts on some changes in a ReplicaSet object.
-  // +optional
-  optional k8s.io.api.core.v1.ObjectReference regarding = 8;
-
-  // related is the optional secondary object for more complex actions. E.g. when regarding object triggers
-  // a creation or deletion of related object.
-  // +optional
-  optional k8s.io.api.core.v1.ObjectReference related = 9;
-
-  // note is a human-readable description of the status of this operation.
-  // Maximal length of the note is 1kB, but libraries should be prepared to
-  // handle values up to 64kB.
-  // +optional
-  optional string note = 10;
-
-  // type is the type of this event (Normal, Warning), new types could be added in the future.
-  // It is machine-readable.
-  // This field cannot be empty for new Events.
-  optional string type = 11;
-
-  // deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type.
-  // +optional
-  optional k8s.io.api.core.v1.EventSource deprecatedSource = 12;
-
-  // deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time deprecatedFirstTimestamp = 13;
-
-  // deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time deprecatedLastTimestamp = 14;
-
-  // deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type.
-  // +optional
-  optional int32 deprecatedCount = 15;
-}
-
-// EventList is a list of Event objects.
-message EventList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is a list of schema objects.
-  repeated Event items = 2;
-}
-
-// EventSeries contain information on series of events, i.e. thing that was/is happening
-// continuously for some time. How often to update the EventSeries is up to the event reporters.
-// The default event reporter in "k8s.io/client-go/tools/events/event_broadcaster.go" shows
-// how this struct is updated on heartbeats and can guide customized reporter implementations.
-message EventSeries {
-  // count is the number of occurrences in this series up to the last heartbeat time.
-  optional int32 count = 1;
-
-  // lastObservedTime is the time when last Event from the series was seen before last heartbeat.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime lastObservedTime = 2;
-}
-
--- a/common-protos/k8s.io/api/events/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/events/v1beta1/generated.proto
@ -1,130 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.events.v1beta1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/events/v1beta1";
-
-// Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system.
-// Events have a limited retention time and triggers and messages may evolve
-// with time.  Event consumers should not rely on the timing of an event
-// with a given Reason reflecting a consistent underlying trigger, or the
-// continued existence of events with that Reason.  Events should be
-// treated as informative, best-effort, supplemental data.
-message Event {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // eventTime is the time when this Event was first observed. It is required.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime eventTime = 2;
-
-  // series is data about the Event series this event represents or nil if it's a singleton Event.
-  // +optional
-  optional EventSeries series = 3;
-
-  // reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`.
-  // This field cannot be empty for new Events.
-  // +optional
-  optional string reportingController = 4;
-
-  // reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`.
-  // This field cannot be empty for new Events and it can have at most 128 characters.
-  // +optional
-  optional string reportingInstance = 5;
-
-  // action is what action was taken/failed regarding to the regarding object. It is machine-readable.
-  // This field can have at most 128 characters.
-  // +optional
-  optional string action = 6;
-
-  // reason is why the action was taken. It is human-readable.
-  // This field can have at most 128 characters.
-  // +optional
-  optional string reason = 7;
-
-  // regarding contains the object this Event is about. In most cases it's an Object reporting controller
-  // implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because
-  // it acts on some changes in a ReplicaSet object.
-  // +optional
-  optional k8s.io.api.core.v1.ObjectReference regarding = 8;
-
-  // related is the optional secondary object for more complex actions. E.g. when regarding object triggers
-  // a creation or deletion of related object.
-  // +optional
-  optional k8s.io.api.core.v1.ObjectReference related = 9;
-
-  // note is a human-readable description of the status of this operation.
-  // Maximal length of the note is 1kB, but libraries should be prepared to
-  // handle values up to 64kB.
-  // +optional
-  optional string note = 10;
-
-  // type is the type of this event (Normal, Warning), new types could be added in the future.
-  // It is machine-readable.
-  // +optional
-  optional string type = 11;
-
-  // deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type.
-  // +optional
-  optional k8s.io.api.core.v1.EventSource deprecatedSource = 12;
-
-  // deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time deprecatedFirstTimestamp = 13;
-
-  // deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time deprecatedLastTimestamp = 14;
-
-  // deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type.
-  // +optional
-  optional int32 deprecatedCount = 15;
-}
-
-// EventList is a list of Event objects.
-message EventList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is a list of schema objects.
-  repeated Event items = 2;
-}
-
-// EventSeries contain information on series of events, i.e. thing that was/is happening
-// continuously for some time.
-message EventSeries {
-  // count is the number of occurrences in this series up to the last heartbeat time.
-  optional int32 count = 1;
-
-  // lastObservedTime is the time when last Event from the series was seen before last heartbeat.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime lastObservedTime = 2;
-}
-
--- a/common-protos/k8s.io/api/extensions/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/extensions/v1beta1/generated.proto
--- a/common-protos/k8s.io/api/flowcontrol/v1alpha1/generated.proto
+++ b/common-protos/k8s.io/api/flowcontrol/v1alpha1/generated.proto
@ -1,440 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.flowcontrol.v1alpha1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/flowcontrol/v1alpha1";
-
-// FlowDistinguisherMethod specifies the method of a flow distinguisher.
-message FlowDistinguisherMethod {
-  // `type` is the type of flow distinguisher method
-  // The supported types are "ByUser" and "ByNamespace".
-  // Required.
-  optional string type = 1;
-}
-
-// FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with
-// similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".
-message FlowSchema {
-  // `metadata` is the standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // `spec` is the specification of the desired behavior of a FlowSchema.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional FlowSchemaSpec spec = 2;
-
-  // `status` is the current status of a FlowSchema.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional FlowSchemaStatus status = 3;
-}
-
-// FlowSchemaCondition describes conditions for a FlowSchema.
-message FlowSchemaCondition {
-  // `type` is the type of the condition.
-  // Required.
-  optional string type = 1;
-
-  // `status` is the status of the condition.
-  // Can be True, False, Unknown.
-  // Required.
-  optional string status = 2;
-
-  // `lastTransitionTime` is the last time the condition transitioned from one status to another.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
-  optional string reason = 4;
-
-  // `message` is a human-readable message indicating details about last transition.
-  optional string message = 5;
-}
-
-// FlowSchemaList is a list of FlowSchema objects.
-message FlowSchemaList {
-  // `metadata` is the standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // `items` is a list of FlowSchemas.
-  repeated FlowSchema items = 2;
-}
-
-// FlowSchemaSpec describes how the FlowSchema's specification looks like.
-message FlowSchemaSpec {
-  // `priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot
-  // be resolved, the FlowSchema will be ignored and marked as invalid in its status.
-  // Required.
-  optional PriorityLevelConfigurationReference priorityLevelConfiguration = 1;
-
-  // `matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen
-  // FlowSchema is among those with the numerically lowest (which we take to be logically highest)
-  // MatchingPrecedence.  Each MatchingPrecedence value must be ranged in [1,10000].
-  // Note that if the precedence is not specified, it will be set to 1000 as default.
-  // +optional
-  optional int32 matchingPrecedence = 2;
-
-  // `distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema.
-  // `nil` specifies that the distinguisher is disabled and thus will always be the empty string.
-  // +optional
-  optional FlowDistinguisherMethod distinguisherMethod = 3;
-
-  // `rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if
-  // at least one member of rules matches the request.
-  // if it is an empty slice, there will be no requests matching the FlowSchema.
-  // +listType=atomic
-  // +optional
-  repeated PolicyRulesWithSubjects rules = 4;
-}
-
-// FlowSchemaStatus represents the current state of a FlowSchema.
-message FlowSchemaStatus {
-  // `conditions` is a list of the current states of FlowSchema.
-  // +listType=map
-  // +listMapKey=type
-  // +optional
-  repeated FlowSchemaCondition conditions = 1;
-}
-
-// GroupSubject holds detailed information for group-kind subject.
-message GroupSubject {
-  // name is the user group that matches, or "*" to match all user groups.
-  // See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some
-  // well-known group names.
-  // Required.
-  optional string name = 1;
-}
-
-// LimitResponse defines how to handle requests that can not be executed right now.
-// +union
-message LimitResponse {
-  // `type` is "Queue" or "Reject".
-  // "Queue" means that requests that can not be executed upon arrival
-  // are held in a queue until they can be executed or a queuing limit
-  // is reached.
-  // "Reject" means that requests that can not be executed upon arrival
-  // are rejected.
-  // Required.
-  // +unionDiscriminator
-  optional string type = 1;
-
-  // `queuing` holds the configuration parameters for queuing.
-  // This field may be non-empty only if `type` is `"Queue"`.
-  // +optional
-  optional QueuingConfiguration queuing = 2;
-}
-
-// LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits.
-// It addresses two issues:
-//  * How are requests for this priority level limited?
-//  * What should be done with requests that exceed the limit?
-message LimitedPriorityLevelConfiguration {
-  // `assuredConcurrencyShares` (ACS) configures the execution
-  // limit, which is a limit on the number of requests of this
-  // priority level that may be exeucting at a given time.  ACS must
-  // be a positive number. The server's concurrency limit (SCL) is
-  // divided among the concurrency-controlled priority levels in
-  // proportion to their assured concurrency shares. This produces
-  // the assured concurrency value (ACV) --- the number of requests
-  // that may be executing at a time --- for each such priority
-  // level:
-  //
-  //             ACV(l) = ceil( SCL * ACS(l) / ( sum[priority levels k] ACS(k) ) )
-  //
-  // bigger numbers of ACS mean more reserved concurrent requests (at the
-  // expense of every other PL).
-  // This field has a default value of 30.
-  // +optional
-  optional int32 assuredConcurrencyShares = 1;
-
-  // `limitResponse` indicates what to do with requests that can not be executed right now
-  optional LimitResponse limitResponse = 2;
-}
-
-// NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the
-// target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member
-// of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.
-message NonResourcePolicyRule {
-  // `verbs` is a list of matching verbs and may not be empty.
-  // "*" matches all verbs. If it is present, it must be the only entry.
-  // +listType=set
-  // Required.
-  repeated string verbs = 1;
-
-  // `nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty.
-  // For example:
-  //   - "/healthz" is legal
-  //   - "/hea*" is illegal
-  //   - "/hea" is legal but matches nothing
-  //   - "/hea/*" also matches nothing
-  //   - "/healthz/*" matches all per-component health checks.
-  // "*" matches all non-resource urls. if it is present, it must be the only entry.
-  // +listType=set
-  // Required.
-  repeated string nonResourceURLs = 6;
-}
-
-// PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject
-// making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches
-// a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member
-// of resourceRules or nonResourceRules matches the request.
-message PolicyRulesWithSubjects {
-  // subjects is the list of normal user, serviceaccount, or group that this rule cares about.
-  // There must be at least one member in this slice.
-  // A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
-  // +listType=atomic
-  // Required.
-  repeated Subject subjects = 1;
-
-  // `resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the
-  // target resource.
-  // At least one of `resourceRules` and `nonResourceRules` has to be non-empty.
-  // +listType=atomic
-  // +optional
-  repeated ResourcePolicyRule resourceRules = 2;
-
-  // `nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb
-  // and the target non-resource URL.
-  // +listType=atomic
-  // +optional
-  repeated NonResourcePolicyRule nonResourceRules = 3;
-}
-
-// PriorityLevelConfiguration represents the configuration of a priority level.
-message PriorityLevelConfiguration {
-  // `metadata` is the standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // `spec` is the specification of the desired behavior of a "request-priority".
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional PriorityLevelConfigurationSpec spec = 2;
-
-  // `status` is the current status of a "request-priority".
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional PriorityLevelConfigurationStatus status = 3;
-}
-
-// PriorityLevelConfigurationCondition defines the condition of priority level.
-message PriorityLevelConfigurationCondition {
-  // `type` is the type of the condition.
-  // Required.
-  optional string type = 1;
-
-  // `status` is the status of the condition.
-  // Can be True, False, Unknown.
-  // Required.
-  optional string status = 2;
-
-  // `lastTransitionTime` is the last time the condition transitioned from one status to another.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
-  optional string reason = 4;
-
-  // `message` is a human-readable message indicating details about last transition.
-  optional string message = 5;
-}
-
-// PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.
-message PriorityLevelConfigurationList {
-  // `metadata` is the standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // `items` is a list of request-priorities.
-  repeated PriorityLevelConfiguration items = 2;
-}
-
-// PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.
-message PriorityLevelConfigurationReference {
-  // `name` is the name of the priority level configuration being referenced
-  // Required.
-  optional string name = 1;
-}
-
-// PriorityLevelConfigurationSpec specifies the configuration of a priority level.
-// +union
-message PriorityLevelConfigurationSpec {
-  // `type` indicates whether this priority level is subject to
-  // limitation on request execution.  A value of `"Exempt"` means
-  // that requests of this priority level are not subject to a limit
-  // (and thus are never queued) and do not detract from the
-  // capacity made available to other priority levels.  A value of
-  // `"Limited"` means that (a) requests of this priority level
-  // _are_ subject to limits and (b) some of the server's limited
-  // capacity is made available exclusively to this priority level.
-  // Required.
-  // +unionDiscriminator
-  optional string type = 1;
-
-  // `limited` specifies how requests are handled for a Limited priority level.
-  // This field must be non-empty if and only if `type` is `"Limited"`.
-  // +optional
-  optional LimitedPriorityLevelConfiguration limited = 2;
-}
-
-// PriorityLevelConfigurationStatus represents the current state of a "request-priority".
-message PriorityLevelConfigurationStatus {
-  // `conditions` is the current state of "request-priority".
-  // +listType=map
-  // +listMapKey=type
-  // +optional
-  repeated PriorityLevelConfigurationCondition conditions = 1;
-}
-
-// QueuingConfiguration holds the configuration parameters for queuing
-message QueuingConfiguration {
-  // `queues` is the number of queues for this priority level. The
-  // queues exist independently at each apiserver. The value must be
-  // positive.  Setting it to 1 effectively precludes
-  // shufflesharding and thus makes the distinguisher method of
-  // associated flow schemas irrelevant.  This field has a default
-  // value of 64.
-  // +optional
-  optional int32 queues = 1;
-
-  // `handSize` is a small positive number that configures the
-  // shuffle sharding of requests into queues.  When enqueuing a request
-  // at this priority level the request's flow identifier (a string
-  // pair) is hashed and the hash value is used to shuffle the list
-  // of queues and deal a hand of the size specified here.  The
-  // request is put into one of the shortest queues in that hand.
-  // `handSize` must be no larger than `queues`, and should be
-  // significantly smaller (so that a few heavy flows do not
-  // saturate most of the queues).  See the user-facing
-  // documentation for more extensive guidance on setting this
-  // field.  This field has a default value of 8.
-  // +optional
-  optional int32 handSize = 2;
-
-  // `queueLengthLimit` is the maximum number of requests allowed to
-  // be waiting in a given queue of this priority level at a time;
-  // excess requests are rejected.  This value must be positive.  If
-  // not specified, it will be defaulted to 50.
-  // +optional
-  optional int32 queueLengthLimit = 3;
-}
-
-// ResourcePolicyRule is a predicate that matches some resource
-// requests, testing the request's verb and the target resource. A
-// ResourcePolicyRule matches a resource request if and only if: (a)
-// at least one member of verbs matches the request, (b) at least one
-// member of apiGroups matches the request, (c) at least one member of
-// resources matches the request, and (d) either (d1) the request does
-// not specify a namespace (i.e., `Namespace==""`) and clusterScope is
-// true or (d2) the request specifies a namespace and least one member
-// of namespaces matches the request's namespace.
-message ResourcePolicyRule {
-  // `verbs` is a list of matching verbs and may not be empty.
-  // "*" matches all verbs and, if present, must be the only entry.
-  // +listType=set
-  // Required.
-  repeated string verbs = 1;
-
-  // `apiGroups` is a list of matching API groups and may not be empty.
-  // "*" matches all API groups and, if present, must be the only entry.
-  // +listType=set
-  // Required.
-  repeated string apiGroups = 2;
-
-  // `resources` is a list of matching resources (i.e., lowercase
-  // and plural) with, if desired, subresource.  For example, [
-  // "services", "nodes/status" ].  This list may not be empty.
-  // "*" matches all resources and, if present, must be the only entry.
-  // Required.
-  // +listType=set
-  repeated string resources = 3;
-
-  // `clusterScope` indicates whether to match requests that do not
-  // specify a namespace (which happens either because the resource
-  // is not namespaced or the request targets all namespaces).
-  // If this field is omitted or false then the `namespaces` field
-  // must contain a non-empty list.
-  // +optional
-  optional bool clusterScope = 4;
-
-  // `namespaces` is a list of target namespaces that restricts
-  // matches.  A request that specifies a target namespace matches
-  // only if either (a) this list contains that target namespace or
-  // (b) this list contains "*".  Note that "*" matches any
-  // specified namespace but does not match a request that _does
-  // not specify_ a namespace (see the `clusterScope` field for
-  // that).
-  // This list may be empty, but only if `clusterScope` is true.
-  // +optional
-  // +listType=set
-  repeated string namespaces = 5;
-}
-
-// ServiceAccountSubject holds detailed information for service-account-kind subject.
-message ServiceAccountSubject {
-  // `namespace` is the namespace of matching ServiceAccount objects.
-  // Required.
-  optional string namespace = 1;
-
-  // `name` is the name of matching ServiceAccount objects, or "*" to match regardless of name.
-  // Required.
-  optional string name = 2;
-}
-
-// Subject matches the originator of a request, as identified by the request authentication system. There are three
-// ways of matching an originator; by user, group, or service account.
-// +union
-message Subject {
-  // `kind` indicates which one of the other fields is non-empty.
-  // Required
-  // +unionDiscriminator
-  optional string kind = 1;
-
-  // `user` matches based on username.
-  // +optional
-  optional UserSubject user = 2;
-
-  // `group` matches based on user group name.
-  // +optional
-  optional GroupSubject group = 3;
-
-  // `serviceAccount` matches ServiceAccounts.
-  // +optional
-  optional ServiceAccountSubject serviceAccount = 4;
-}
-
-// UserSubject holds detailed information for user-kind subject.
-message UserSubject {
-  // `name` is the username that matches, or "*" to match all usernames.
-  // Required.
-  optional string name = 1;
-}
-
--- a/common-protos/k8s.io/api/flowcontrol/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/flowcontrol/v1beta1/generated.proto
@ -1,440 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.flowcontrol.v1beta1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/flowcontrol/v1beta1";
-
-// FlowDistinguisherMethod specifies the method of a flow distinguisher.
-message FlowDistinguisherMethod {
-  // `type` is the type of flow distinguisher method
-  // The supported types are "ByUser" and "ByNamespace".
-  // Required.
-  optional string type = 1;
-}
-
-// FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with
-// similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".
-message FlowSchema {
-  // `metadata` is the standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // `spec` is the specification of the desired behavior of a FlowSchema.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional FlowSchemaSpec spec = 2;
-
-  // `status` is the current status of a FlowSchema.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional FlowSchemaStatus status = 3;
-}
-
-// FlowSchemaCondition describes conditions for a FlowSchema.
-message FlowSchemaCondition {
-  // `type` is the type of the condition.
-  // Required.
-  optional string type = 1;
-
-  // `status` is the status of the condition.
-  // Can be True, False, Unknown.
-  // Required.
-  optional string status = 2;
-
-  // `lastTransitionTime` is the last time the condition transitioned from one status to another.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
-  optional string reason = 4;
-
-  // `message` is a human-readable message indicating details about last transition.
-  optional string message = 5;
-}
-
-// FlowSchemaList is a list of FlowSchema objects.
-message FlowSchemaList {
-  // `metadata` is the standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // `items` is a list of FlowSchemas.
-  repeated FlowSchema items = 2;
-}
-
-// FlowSchemaSpec describes how the FlowSchema's specification looks like.
-message FlowSchemaSpec {
-  // `priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot
-  // be resolved, the FlowSchema will be ignored and marked as invalid in its status.
-  // Required.
-  optional PriorityLevelConfigurationReference priorityLevelConfiguration = 1;
-
-  // `matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen
-  // FlowSchema is among those with the numerically lowest (which we take to be logically highest)
-  // MatchingPrecedence.  Each MatchingPrecedence value must be ranged in [1,10000].
-  // Note that if the precedence is not specified, it will be set to 1000 as default.
-  // +optional
-  optional int32 matchingPrecedence = 2;
-
-  // `distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema.
-  // `nil` specifies that the distinguisher is disabled and thus will always be the empty string.
-  // +optional
-  optional FlowDistinguisherMethod distinguisherMethod = 3;
-
-  // `rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if
-  // at least one member of rules matches the request.
-  // if it is an empty slice, there will be no requests matching the FlowSchema.
-  // +listType=atomic
-  // +optional
-  repeated PolicyRulesWithSubjects rules = 4;
-}
-
-// FlowSchemaStatus represents the current state of a FlowSchema.
-message FlowSchemaStatus {
-  // `conditions` is a list of the current states of FlowSchema.
-  // +listType=map
-  // +listMapKey=type
-  // +optional
-  repeated FlowSchemaCondition conditions = 1;
-}
-
-// GroupSubject holds detailed information for group-kind subject.
-message GroupSubject {
-  // name is the user group that matches, or "*" to match all user groups.
-  // See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some
-  // well-known group names.
-  // Required.
-  optional string name = 1;
-}
-
-// LimitResponse defines how to handle requests that can not be executed right now.
-// +union
-message LimitResponse {
-  // `type` is "Queue" or "Reject".
-  // "Queue" means that requests that can not be executed upon arrival
-  // are held in a queue until they can be executed or a queuing limit
-  // is reached.
-  // "Reject" means that requests that can not be executed upon arrival
-  // are rejected.
-  // Required.
-  // +unionDiscriminator
-  optional string type = 1;
-
-  // `queuing` holds the configuration parameters for queuing.
-  // This field may be non-empty only if `type` is `"Queue"`.
-  // +optional
-  optional QueuingConfiguration queuing = 2;
-}
-
-// LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits.
-// It addresses two issues:
-//  * How are requests for this priority level limited?
-//  * What should be done with requests that exceed the limit?
-message LimitedPriorityLevelConfiguration {
-  // `assuredConcurrencyShares` (ACS) configures the execution
-  // limit, which is a limit on the number of requests of this
-  // priority level that may be exeucting at a given time.  ACS must
-  // be a positive number. The server's concurrency limit (SCL) is
-  // divided among the concurrency-controlled priority levels in
-  // proportion to their assured concurrency shares. This produces
-  // the assured concurrency value (ACV) --- the number of requests
-  // that may be executing at a time --- for each such priority
-  // level:
-  //
-  //             ACV(l) = ceil( SCL * ACS(l) / ( sum[priority levels k] ACS(k) ) )
-  //
-  // bigger numbers of ACS mean more reserved concurrent requests (at the
-  // expense of every other PL).
-  // This field has a default value of 30.
-  // +optional
-  optional int32 assuredConcurrencyShares = 1;
-
-  // `limitResponse` indicates what to do with requests that can not be executed right now
-  optional LimitResponse limitResponse = 2;
-}
-
-// NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the
-// target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member
-// of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.
-message NonResourcePolicyRule {
-  // `verbs` is a list of matching verbs and may not be empty.
-  // "*" matches all verbs. If it is present, it must be the only entry.
-  // +listType=set
-  // Required.
-  repeated string verbs = 1;
-
-  // `nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty.
-  // For example:
-  //   - "/healthz" is legal
-  //   - "/hea*" is illegal
-  //   - "/hea" is legal but matches nothing
-  //   - "/hea/*" also matches nothing
-  //   - "/healthz/*" matches all per-component health checks.
-  // "*" matches all non-resource urls. if it is present, it must be the only entry.
-  // +listType=set
-  // Required.
-  repeated string nonResourceURLs = 6;
-}
-
-// PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject
-// making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches
-// a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member
-// of resourceRules or nonResourceRules matches the request.
-message PolicyRulesWithSubjects {
-  // subjects is the list of normal user, serviceaccount, or group that this rule cares about.
-  // There must be at least one member in this slice.
-  // A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
-  // +listType=atomic
-  // Required.
-  repeated Subject subjects = 1;
-
-  // `resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the
-  // target resource.
-  // At least one of `resourceRules` and `nonResourceRules` has to be non-empty.
-  // +listType=atomic
-  // +optional
-  repeated ResourcePolicyRule resourceRules = 2;
-
-  // `nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb
-  // and the target non-resource URL.
-  // +listType=atomic
-  // +optional
-  repeated NonResourcePolicyRule nonResourceRules = 3;
-}
-
-// PriorityLevelConfiguration represents the configuration of a priority level.
-message PriorityLevelConfiguration {
-  // `metadata` is the standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // `spec` is the specification of the desired behavior of a "request-priority".
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional PriorityLevelConfigurationSpec spec = 2;
-
-  // `status` is the current status of a "request-priority".
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional PriorityLevelConfigurationStatus status = 3;
-}
-
-// PriorityLevelConfigurationCondition defines the condition of priority level.
-message PriorityLevelConfigurationCondition {
-  // `type` is the type of the condition.
-  // Required.
-  optional string type = 1;
-
-  // `status` is the status of the condition.
-  // Can be True, False, Unknown.
-  // Required.
-  optional string status = 2;
-
-  // `lastTransitionTime` is the last time the condition transitioned from one status to another.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
-  optional string reason = 4;
-
-  // `message` is a human-readable message indicating details about last transition.
-  optional string message = 5;
-}
-
-// PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.
-message PriorityLevelConfigurationList {
-  // `metadata` is the standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // `items` is a list of request-priorities.
-  repeated PriorityLevelConfiguration items = 2;
-}
-
-// PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.
-message PriorityLevelConfigurationReference {
-  // `name` is the name of the priority level configuration being referenced
-  // Required.
-  optional string name = 1;
-}
-
-// PriorityLevelConfigurationSpec specifies the configuration of a priority level.
-// +union
-message PriorityLevelConfigurationSpec {
-  // `type` indicates whether this priority level is subject to
-  // limitation on request execution.  A value of `"Exempt"` means
-  // that requests of this priority level are not subject to a limit
-  // (and thus are never queued) and do not detract from the
-  // capacity made available to other priority levels.  A value of
-  // `"Limited"` means that (a) requests of this priority level
-  // _are_ subject to limits and (b) some of the server's limited
-  // capacity is made available exclusively to this priority level.
-  // Required.
-  // +unionDiscriminator
-  optional string type = 1;
-
-  // `limited` specifies how requests are handled for a Limited priority level.
-  // This field must be non-empty if and only if `type` is `"Limited"`.
-  // +optional
-  optional LimitedPriorityLevelConfiguration limited = 2;
-}
-
-// PriorityLevelConfigurationStatus represents the current state of a "request-priority".
-message PriorityLevelConfigurationStatus {
-  // `conditions` is the current state of "request-priority".
-  // +listType=map
-  // +listMapKey=type
-  // +optional
-  repeated PriorityLevelConfigurationCondition conditions = 1;
-}
-
-// QueuingConfiguration holds the configuration parameters for queuing
-message QueuingConfiguration {
-  // `queues` is the number of queues for this priority level. The
-  // queues exist independently at each apiserver. The value must be
-  // positive.  Setting it to 1 effectively precludes
-  // shufflesharding and thus makes the distinguisher method of
-  // associated flow schemas irrelevant.  This field has a default
-  // value of 64.
-  // +optional
-  optional int32 queues = 1;
-
-  // `handSize` is a small positive number that configures the
-  // shuffle sharding of requests into queues.  When enqueuing a request
-  // at this priority level the request's flow identifier (a string
-  // pair) is hashed and the hash value is used to shuffle the list
-  // of queues and deal a hand of the size specified here.  The
-  // request is put into one of the shortest queues in that hand.
-  // `handSize` must be no larger than `queues`, and should be
-  // significantly smaller (so that a few heavy flows do not
-  // saturate most of the queues).  See the user-facing
-  // documentation for more extensive guidance on setting this
-  // field.  This field has a default value of 8.
-  // +optional
-  optional int32 handSize = 2;
-
-  // `queueLengthLimit` is the maximum number of requests allowed to
-  // be waiting in a given queue of this priority level at a time;
-  // excess requests are rejected.  This value must be positive.  If
-  // not specified, it will be defaulted to 50.
-  // +optional
-  optional int32 queueLengthLimit = 3;
-}
-
-// ResourcePolicyRule is a predicate that matches some resource
-// requests, testing the request's verb and the target resource. A
-// ResourcePolicyRule matches a resource request if and only if: (a)
-// at least one member of verbs matches the request, (b) at least one
-// member of apiGroups matches the request, (c) at least one member of
-// resources matches the request, and (d) either (d1) the request does
-// not specify a namespace (i.e., `Namespace==""`) and clusterScope is
-// true or (d2) the request specifies a namespace and least one member
-// of namespaces matches the request's namespace.
-message ResourcePolicyRule {
-  // `verbs` is a list of matching verbs and may not be empty.
-  // "*" matches all verbs and, if present, must be the only entry.
-  // +listType=set
-  // Required.
-  repeated string verbs = 1;
-
-  // `apiGroups` is a list of matching API groups and may not be empty.
-  // "*" matches all API groups and, if present, must be the only entry.
-  // +listType=set
-  // Required.
-  repeated string apiGroups = 2;
-
-  // `resources` is a list of matching resources (i.e., lowercase
-  // and plural) with, if desired, subresource.  For example, [
-  // "services", "nodes/status" ].  This list may not be empty.
-  // "*" matches all resources and, if present, must be the only entry.
-  // Required.
-  // +listType=set
-  repeated string resources = 3;
-
-  // `clusterScope` indicates whether to match requests that do not
-  // specify a namespace (which happens either because the resource
-  // is not namespaced or the request targets all namespaces).
-  // If this field is omitted or false then the `namespaces` field
-  // must contain a non-empty list.
-  // +optional
-  optional bool clusterScope = 4;
-
-  // `namespaces` is a list of target namespaces that restricts
-  // matches.  A request that specifies a target namespace matches
-  // only if either (a) this list contains that target namespace or
-  // (b) this list contains "*".  Note that "*" matches any
-  // specified namespace but does not match a request that _does
-  // not specify_ a namespace (see the `clusterScope` field for
-  // that).
-  // This list may be empty, but only if `clusterScope` is true.
-  // +optional
-  // +listType=set
-  repeated string namespaces = 5;
-}
-
-// ServiceAccountSubject holds detailed information for service-account-kind subject.
-message ServiceAccountSubject {
-  // `namespace` is the namespace of matching ServiceAccount objects.
-  // Required.
-  optional string namespace = 1;
-
-  // `name` is the name of matching ServiceAccount objects, or "*" to match regardless of name.
-  // Required.
-  optional string name = 2;
-}
-
-// Subject matches the originator of a request, as identified by the request authentication system. There are three
-// ways of matching an originator; by user, group, or service account.
-// +union
-message Subject {
-  // `kind` indicates which one of the other fields is non-empty.
-  // Required
-  // +unionDiscriminator
-  optional string kind = 1;
-
-  // `user` matches based on username.
-  // +optional
-  optional UserSubject user = 2;
-
-  // `group` matches based on user group name.
-  // +optional
-  optional GroupSubject group = 3;
-
-  // `serviceAccount` matches ServiceAccounts.
-  // +optional
-  optional ServiceAccountSubject serviceAccount = 4;
-}
-
-// UserSubject holds detailed information for user-kind subject.
-message UserSubject {
-  // `name` is the username that matches, or "*" to match all usernames.
-  // Required.
-  optional string name = 1;
-}
-
--- a/common-protos/k8s.io/api/flowcontrol/v1beta2/generated.proto
+++ b/common-protos/k8s.io/api/flowcontrol/v1beta2/generated.proto
@ -1,440 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.flowcontrol.v1beta2;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/flowcontrol/v1beta2";
-
-// FlowDistinguisherMethod specifies the method of a flow distinguisher.
-message FlowDistinguisherMethod {
-  // `type` is the type of flow distinguisher method
-  // The supported types are "ByUser" and "ByNamespace".
-  // Required.
-  optional string type = 1;
-}
-
-// FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with
-// similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".
-message FlowSchema {
-  // `metadata` is the standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // `spec` is the specification of the desired behavior of a FlowSchema.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional FlowSchemaSpec spec = 2;
-
-  // `status` is the current status of a FlowSchema.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional FlowSchemaStatus status = 3;
-}
-
-// FlowSchemaCondition describes conditions for a FlowSchema.
-message FlowSchemaCondition {
-  // `type` is the type of the condition.
-  // Required.
-  optional string type = 1;
-
-  // `status` is the status of the condition.
-  // Can be True, False, Unknown.
-  // Required.
-  optional string status = 2;
-
-  // `lastTransitionTime` is the last time the condition transitioned from one status to another.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
-  optional string reason = 4;
-
-  // `message` is a human-readable message indicating details about last transition.
-  optional string message = 5;
-}
-
-// FlowSchemaList is a list of FlowSchema objects.
-message FlowSchemaList {
-  // `metadata` is the standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // `items` is a list of FlowSchemas.
-  repeated FlowSchema items = 2;
-}
-
-// FlowSchemaSpec describes how the FlowSchema's specification looks like.
-message FlowSchemaSpec {
-  // `priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot
-  // be resolved, the FlowSchema will be ignored and marked as invalid in its status.
-  // Required.
-  optional PriorityLevelConfigurationReference priorityLevelConfiguration = 1;
-
-  // `matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen
-  // FlowSchema is among those with the numerically lowest (which we take to be logically highest)
-  // MatchingPrecedence.  Each MatchingPrecedence value must be ranged in [1,10000].
-  // Note that if the precedence is not specified, it will be set to 1000 as default.
-  // +optional
-  optional int32 matchingPrecedence = 2;
-
-  // `distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema.
-  // `nil` specifies that the distinguisher is disabled and thus will always be the empty string.
-  // +optional
-  optional FlowDistinguisherMethod distinguisherMethod = 3;
-
-  // `rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if
-  // at least one member of rules matches the request.
-  // if it is an empty slice, there will be no requests matching the FlowSchema.
-  // +listType=atomic
-  // +optional
-  repeated PolicyRulesWithSubjects rules = 4;
-}
-
-// FlowSchemaStatus represents the current state of a FlowSchema.
-message FlowSchemaStatus {
-  // `conditions` is a list of the current states of FlowSchema.
-  // +listType=map
-  // +listMapKey=type
-  // +optional
-  repeated FlowSchemaCondition conditions = 1;
-}
-
-// GroupSubject holds detailed information for group-kind subject.
-message GroupSubject {
-  // name is the user group that matches, or "*" to match all user groups.
-  // See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some
-  // well-known group names.
-  // Required.
-  optional string name = 1;
-}
-
-// LimitResponse defines how to handle requests that can not be executed right now.
-// +union
-message LimitResponse {
-  // `type` is "Queue" or "Reject".
-  // "Queue" means that requests that can not be executed upon arrival
-  // are held in a queue until they can be executed or a queuing limit
-  // is reached.
-  // "Reject" means that requests that can not be executed upon arrival
-  // are rejected.
-  // Required.
-  // +unionDiscriminator
-  optional string type = 1;
-
-  // `queuing` holds the configuration parameters for queuing.
-  // This field may be non-empty only if `type` is `"Queue"`.
-  // +optional
-  optional QueuingConfiguration queuing = 2;
-}
-
-// LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits.
-// It addresses two issues:
-//  * How are requests for this priority level limited?
-//  * What should be done with requests that exceed the limit?
-message LimitedPriorityLevelConfiguration {
-  // `assuredConcurrencyShares` (ACS) configures the execution
-  // limit, which is a limit on the number of requests of this
-  // priority level that may be exeucting at a given time.  ACS must
-  // be a positive number. The server's concurrency limit (SCL) is
-  // divided among the concurrency-controlled priority levels in
-  // proportion to their assured concurrency shares. This produces
-  // the assured concurrency value (ACV) --- the number of requests
-  // that may be executing at a time --- for each such priority
-  // level:
-  //
-  //             ACV(l) = ceil( SCL * ACS(l) / ( sum[priority levels k] ACS(k) ) )
-  //
-  // bigger numbers of ACS mean more reserved concurrent requests (at the
-  // expense of every other PL).
-  // This field has a default value of 30.
-  // +optional
-  optional int32 assuredConcurrencyShares = 1;
-
-  // `limitResponse` indicates what to do with requests that can not be executed right now
-  optional LimitResponse limitResponse = 2;
-}
-
-// NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the
-// target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member
-// of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.
-message NonResourcePolicyRule {
-  // `verbs` is a list of matching verbs and may not be empty.
-  // "*" matches all verbs. If it is present, it must be the only entry.
-  // +listType=set
-  // Required.
-  repeated string verbs = 1;
-
-  // `nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty.
-  // For example:
-  //   - "/healthz" is legal
-  //   - "/hea*" is illegal
-  //   - "/hea" is legal but matches nothing
-  //   - "/hea/*" also matches nothing
-  //   - "/healthz/*" matches all per-component health checks.
-  // "*" matches all non-resource urls. if it is present, it must be the only entry.
-  // +listType=set
-  // Required.
-  repeated string nonResourceURLs = 6;
-}
-
-// PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject
-// making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches
-// a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member
-// of resourceRules or nonResourceRules matches the request.
-message PolicyRulesWithSubjects {
-  // subjects is the list of normal user, serviceaccount, or group that this rule cares about.
-  // There must be at least one member in this slice.
-  // A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
-  // +listType=atomic
-  // Required.
-  repeated Subject subjects = 1;
-
-  // `resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the
-  // target resource.
-  // At least one of `resourceRules` and `nonResourceRules` has to be non-empty.
-  // +listType=atomic
-  // +optional
-  repeated ResourcePolicyRule resourceRules = 2;
-
-  // `nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb
-  // and the target non-resource URL.
-  // +listType=atomic
-  // +optional
-  repeated NonResourcePolicyRule nonResourceRules = 3;
-}
-
-// PriorityLevelConfiguration represents the configuration of a priority level.
-message PriorityLevelConfiguration {
-  // `metadata` is the standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // `spec` is the specification of the desired behavior of a "request-priority".
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional PriorityLevelConfigurationSpec spec = 2;
-
-  // `status` is the current status of a "request-priority".
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional PriorityLevelConfigurationStatus status = 3;
-}
-
-// PriorityLevelConfigurationCondition defines the condition of priority level.
-message PriorityLevelConfigurationCondition {
-  // `type` is the type of the condition.
-  // Required.
-  optional string type = 1;
-
-  // `status` is the status of the condition.
-  // Can be True, False, Unknown.
-  // Required.
-  optional string status = 2;
-
-  // `lastTransitionTime` is the last time the condition transitioned from one status to another.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
-
-  // `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
-  optional string reason = 4;
-
-  // `message` is a human-readable message indicating details about last transition.
-  optional string message = 5;
-}
-
-// PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.
-message PriorityLevelConfigurationList {
-  // `metadata` is the standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // `items` is a list of request-priorities.
-  repeated PriorityLevelConfiguration items = 2;
-}
-
-// PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.
-message PriorityLevelConfigurationReference {
-  // `name` is the name of the priority level configuration being referenced
-  // Required.
-  optional string name = 1;
-}
-
-// PriorityLevelConfigurationSpec specifies the configuration of a priority level.
-// +union
-message PriorityLevelConfigurationSpec {
-  // `type` indicates whether this priority level is subject to
-  // limitation on request execution.  A value of `"Exempt"` means
-  // that requests of this priority level are not subject to a limit
-  // (and thus are never queued) and do not detract from the
-  // capacity made available to other priority levels.  A value of
-  // `"Limited"` means that (a) requests of this priority level
-  // _are_ subject to limits and (b) some of the server's limited
-  // capacity is made available exclusively to this priority level.
-  // Required.
-  // +unionDiscriminator
-  optional string type = 1;
-
-  // `limited` specifies how requests are handled for a Limited priority level.
-  // This field must be non-empty if and only if `type` is `"Limited"`.
-  // +optional
-  optional LimitedPriorityLevelConfiguration limited = 2;
-}
-
-// PriorityLevelConfigurationStatus represents the current state of a "request-priority".
-message PriorityLevelConfigurationStatus {
-  // `conditions` is the current state of "request-priority".
-  // +listType=map
-  // +listMapKey=type
-  // +optional
-  repeated PriorityLevelConfigurationCondition conditions = 1;
-}
-
-// QueuingConfiguration holds the configuration parameters for queuing
-message QueuingConfiguration {
-  // `queues` is the number of queues for this priority level. The
-  // queues exist independently at each apiserver. The value must be
-  // positive.  Setting it to 1 effectively precludes
-  // shufflesharding and thus makes the distinguisher method of
-  // associated flow schemas irrelevant.  This field has a default
-  // value of 64.
-  // +optional
-  optional int32 queues = 1;
-
-  // `handSize` is a small positive number that configures the
-  // shuffle sharding of requests into queues.  When enqueuing a request
-  // at this priority level the request's flow identifier (a string
-  // pair) is hashed and the hash value is used to shuffle the list
-  // of queues and deal a hand of the size specified here.  The
-  // request is put into one of the shortest queues in that hand.
-  // `handSize` must be no larger than `queues`, and should be
-  // significantly smaller (so that a few heavy flows do not
-  // saturate most of the queues).  See the user-facing
-  // documentation for more extensive guidance on setting this
-  // field.  This field has a default value of 8.
-  // +optional
-  optional int32 handSize = 2;
-
-  // `queueLengthLimit` is the maximum number of requests allowed to
-  // be waiting in a given queue of this priority level at a time;
-  // excess requests are rejected.  This value must be positive.  If
-  // not specified, it will be defaulted to 50.
-  // +optional
-  optional int32 queueLengthLimit = 3;
-}
-
-// ResourcePolicyRule is a predicate that matches some resource
-// requests, testing the request's verb and the target resource. A
-// ResourcePolicyRule matches a resource request if and only if: (a)
-// at least one member of verbs matches the request, (b) at least one
-// member of apiGroups matches the request, (c) at least one member of
-// resources matches the request, and (d) either (d1) the request does
-// not specify a namespace (i.e., `Namespace==""`) and clusterScope is
-// true or (d2) the request specifies a namespace and least one member
-// of namespaces matches the request's namespace.
-message ResourcePolicyRule {
-  // `verbs` is a list of matching verbs and may not be empty.
-  // "*" matches all verbs and, if present, must be the only entry.
-  // +listType=set
-  // Required.
-  repeated string verbs = 1;
-
-  // `apiGroups` is a list of matching API groups and may not be empty.
-  // "*" matches all API groups and, if present, must be the only entry.
-  // +listType=set
-  // Required.
-  repeated string apiGroups = 2;
-
-  // `resources` is a list of matching resources (i.e., lowercase
-  // and plural) with, if desired, subresource.  For example, [
-  // "services", "nodes/status" ].  This list may not be empty.
-  // "*" matches all resources and, if present, must be the only entry.
-  // Required.
-  // +listType=set
-  repeated string resources = 3;
-
-  // `clusterScope` indicates whether to match requests that do not
-  // specify a namespace (which happens either because the resource
-  // is not namespaced or the request targets all namespaces).
-  // If this field is omitted or false then the `namespaces` field
-  // must contain a non-empty list.
-  // +optional
-  optional bool clusterScope = 4;
-
-  // `namespaces` is a list of target namespaces that restricts
-  // matches.  A request that specifies a target namespace matches
-  // only if either (a) this list contains that target namespace or
-  // (b) this list contains "*".  Note that "*" matches any
-  // specified namespace but does not match a request that _does
-  // not specify_ a namespace (see the `clusterScope` field for
-  // that).
-  // This list may be empty, but only if `clusterScope` is true.
-  // +optional
-  // +listType=set
-  repeated string namespaces = 5;
-}
-
-// ServiceAccountSubject holds detailed information for service-account-kind subject.
-message ServiceAccountSubject {
-  // `namespace` is the namespace of matching ServiceAccount objects.
-  // Required.
-  optional string namespace = 1;
-
-  // `name` is the name of matching ServiceAccount objects, or "*" to match regardless of name.
-  // Required.
-  optional string name = 2;
-}
-
-// Subject matches the originator of a request, as identified by the request authentication system. There are three
-// ways of matching an originator; by user, group, or service account.
-// +union
-message Subject {
-  // `kind` indicates which one of the other fields is non-empty.
-  // Required
-  // +unionDiscriminator
-  optional string kind = 1;
-
-  // `user` matches based on username.
-  // +optional
-  optional UserSubject user = 2;
-
-  // `group` matches based on user group name.
-  // +optional
-  optional GroupSubject group = 3;
-
-  // `serviceAccount` matches ServiceAccounts.
-  // +optional
-  optional ServiceAccountSubject serviceAccount = 4;
-}
-
-// UserSubject holds detailed information for user-kind subject.
-message UserSubject {
-  // `name` is the username that matches, or "*" to match all usernames.
-  // Required.
-  optional string name = 1;
-}
-
--- a/common-protos/k8s.io/api/imagepolicy/v1alpha1/generated.proto
+++ b/common-protos/k8s.io/api/imagepolicy/v1alpha1/generated.proto
@ -1,88 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.imagepolicy.v1alpha1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/imagepolicy/v1alpha1";
-
-// ImageReview checks if the set of images in a pod are allowed.
-message ImageReview {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec holds information about the pod being evaluated
-  optional ImageReviewSpec spec = 2;
-
-  // Status is filled in by the backend and indicates whether the pod should be allowed.
-  // +optional
-  optional ImageReviewStatus status = 3;
-}
-
-// ImageReviewContainerSpec is a description of a container within the pod creation request.
-message ImageReviewContainerSpec {
-  // This can be in the form image:tag or image@SHA:012345679abcdef.
-  // +optional
-  optional string image = 1;
-}
-
-// ImageReviewSpec is a description of the pod creation request.
-message ImageReviewSpec {
-  // Containers is a list of a subset of the information in each container of the Pod being created.
-  // +optional
-  repeated ImageReviewContainerSpec containers = 1;
-
-  // Annotations is a list of key-value pairs extracted from the Pod's annotations.
-  // It only includes keys which match the pattern `*.image-policy.k8s.io/*`.
-  // It is up to each webhook backend to determine how to interpret these annotations, if at all.
-  // +optional
-  map<string, string> annotations = 2;
-
-  // Namespace is the namespace the pod is being created in.
-  // +optional
-  optional string namespace = 3;
-}
-
-// ImageReviewStatus is the result of the review for the pod creation request.
-message ImageReviewStatus {
-  // Allowed indicates that all images were allowed to be run.
-  optional bool allowed = 1;
-
-  // Reason should be empty unless Allowed is false in which case it
-  // may contain a short description of what is wrong.  Kubernetes
-  // may truncate excessively long errors when displaying to the user.
-  // +optional
-  optional string reason = 2;
-
-  // AuditAnnotations will be added to the attributes object of the
-  // admission controller request using 'AddAnnotation'.  The keys should
-  // be prefix-less (i.e., the admission controller will add an
-  // appropriate prefix).
-  // +optional
-  map<string, string> auditAnnotations = 3;
-}
-
--- a/common-protos/k8s.io/api/networking/v1/generated.proto
+++ b/common-protos/k8s.io/api/networking/v1/generated.proto
@ -1,501 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.networking.v1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/networking/v1";
-
-// HTTPIngressPath associates a path with a backend. Incoming urls matching the
-// path are forwarded to the backend.
-message HTTPIngressPath {
-  // Path is matched against the path of an incoming request. Currently it can
-  // contain characters disallowed from the conventional "path" part of a URL
-  // as defined by RFC 3986. Paths must begin with a '/' and must be present
-  // when using PathType with value "Exact" or "Prefix".
-  // +optional
-  optional string path = 1;
-
-  // PathType determines the interpretation of the Path matching. PathType can
-  // be one of the following values:
-  // * Exact: Matches the URL path exactly.
-  // * Prefix: Matches based on a URL path prefix split by '/'. Matching is
-  //   done on a path element by element basis. A path element refers is the
-  //   list of labels in the path split by the '/' separator. A request is a
-  //   match for path p if every p is an element-wise prefix of p of the
-  //   request path. Note that if the last element of the path is a substring
-  //   of the last element in request path, it is not a match (e.g. /foo/bar
-  //   matches /foo/bar/baz, but does not match /foo/barbaz).
-  // * ImplementationSpecific: Interpretation of the Path matching is up to
-  //   the IngressClass. Implementations can treat this as a separate PathType
-  //   or treat it identically to Prefix or Exact path types.
-  // Implementations are required to support all path types.
-  optional string pathType = 3;
-
-  // Backend defines the referenced service endpoint to which the traffic
-  // will be forwarded to.
-  optional IngressBackend backend = 2;
-}
-
-// HTTPIngressRuleValue is a list of http selectors pointing to backends.
-// In the example: http://<host>/<path>?<searchpart> -> backend where
-// where parts of the url correspond to RFC 3986, this resource will be used
-// to match against everything after the last '/' and before the first '?'
-// or '#'.
-message HTTPIngressRuleValue {
-  // A collection of paths that map requests to backends.
-  // +listType=atomic
-  repeated HTTPIngressPath paths = 1;
-}
-
-// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64") that is allowed
-// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
-// that should not be included within this rule.
-message IPBlock {
-  // CIDR is a string representing the IP Block
-  // Valid examples are "192.168.1.1/24" or "2001:db9::/64"
-  optional string cidr = 1;
-
-  // Except is a slice of CIDRs that should not be included within an IP Block
-  // Valid examples are "192.168.1.1/24" or "2001:db9::/64"
-  // Except values will be rejected if they are outside the CIDR range
-  // +optional
-  repeated string except = 2;
-}
-
-// Ingress is a collection of rules that allow inbound connections to reach the
-// endpoints defined by a backend. An Ingress can be configured to give services
-// externally-reachable urls, load balance traffic, terminate SSL, offer name
-// based virtual hosting etc.
-message Ingress {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec is the desired state of the Ingress.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional IngressSpec spec = 2;
-
-  // Status is the current state of the Ingress.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional IngressStatus status = 3;
-}
-
-// IngressBackend describes all endpoints for a given service and port.
-message IngressBackend {
-  // Service references a Service as a Backend.
-  // This is a mutually exclusive setting with "Resource".
-  // +optional
-  optional IngressServiceBackend service = 4;
-
-  // Resource is an ObjectRef to another Kubernetes resource in the namespace
-  // of the Ingress object. If resource is specified, a service.Name and
-  // service.Port must not be specified.
-  // This is a mutually exclusive setting with "Service".
-  // +optional
-  optional k8s.io.api.core.v1.TypedLocalObjectReference resource = 3;
-}
-
-// IngressClass represents the class of the Ingress, referenced by the Ingress
-// Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be
-// used to indicate that an IngressClass should be considered default. When a
-// single IngressClass resource has this annotation set to true, new Ingress
-// resources without a class specified will be assigned this default class.
-message IngressClass {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec is the desired state of the IngressClass.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional IngressClassSpec spec = 2;
-}
-
-// IngressClassList is a collection of IngressClasses.
-message IngressClassList {
-  // Standard list metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of IngressClasses.
-  repeated IngressClass items = 2;
-}
-
-// IngressClassParametersReference identifies an API object. This can be used
-// to specify a cluster or namespace-scoped resource.
-message IngressClassParametersReference {
-  // APIGroup is the group for the resource being referenced. If APIGroup is
-  // not specified, the specified Kind must be in the core API group. For any
-  // other third-party types, APIGroup is required.
-  // +optional
-  optional string aPIGroup = 1;
-
-  // Kind is the type of resource being referenced.
-  optional string kind = 2;
-
-  // Name is the name of resource being referenced.
-  optional string name = 3;
-
-  // Scope represents if this refers to a cluster or namespace scoped resource.
-  // This may be set to "Cluster" (default) or "Namespace".
-  // +optional
-  optional string scope = 4;
-
-  // Namespace is the namespace of the resource being referenced. This field is
-  // required when scope is set to "Namespace" and must be unset when scope is set to
-  // "Cluster".
-  // +optional
-  optional string namespace = 5;
-}
-
-// IngressClassSpec provides information about the class of an Ingress.
-message IngressClassSpec {
-  // Controller refers to the name of the controller that should handle this
-  // class. This allows for different "flavors" that are controlled by the
-  // same controller. For example, you may have different Parameters for the
-  // same implementing controller. This should be specified as a
-  // domain-prefixed path no more than 250 characters in length, e.g.
-  // "acme.io/ingress-controller". This field is immutable.
-  optional string controller = 1;
-
-  // Parameters is a link to a custom resource containing additional
-  // configuration for the controller. This is optional if the controller does
-  // not require extra parameters.
-  // +optional
-  optional IngressClassParametersReference parameters = 2;
-}
-
-// IngressList is a collection of Ingress.
-message IngressList {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of Ingress.
-  repeated Ingress items = 2;
-}
-
-// IngressRule represents the rules mapping the paths under a specified host to
-// the related backend services. Incoming requests are first evaluated for a host
-// match, then routed to the backend associated with the matching IngressRuleValue.
-message IngressRule {
-  // Host is the fully qualified domain name of a network host, as defined by RFC 3986.
-  // Note the following deviations from the "host" part of the
-  // URI as defined in RFC 3986:
-  // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
-  //    the IP in the Spec of the parent Ingress.
-  // 2. The `:` delimiter is not respected because ports are not allowed.
-  // 	  Currently the port of an Ingress is implicitly :80 for http and
-  // 	  :443 for https.
-  // Both these may change in the future.
-  // Incoming requests are matched against the host before the
-  // IngressRuleValue. If the host is unspecified, the Ingress routes all
-  // traffic based on the specified IngressRuleValue.
-  //
-  // Host can be "precise" which is a domain name without the terminating dot of
-  // a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
-  // prefixed with a single wildcard label (e.g. "*.foo.com").
-  // The wildcard character '*' must appear by itself as the first DNS label and
-  // matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
-  // Requests will be matched against the Host field in the following way:
-  // 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
-  // 2. If Host is a wildcard, then the request matches this rule if the http host header
-  // is to equal to the suffix (removing the first label) of the wildcard rule.
-  // +optional
-  optional string host = 1;
-
-  // IngressRuleValue represents a rule to route requests for this IngressRule.
-  // If unspecified, the rule defaults to a http catch-all. Whether that sends
-  // just traffic matching the host to the default backend or all traffic to the
-  // default backend, is left to the controller fulfilling the Ingress. Http is
-  // currently the only supported IngressRuleValue.
-  // +optional
-  optional IngressRuleValue ingressRuleValue = 2;
-}
-
-// IngressRuleValue represents a rule to apply against incoming requests. If the
-// rule is satisfied, the request is routed to the specified backend. Currently
-// mixing different types of rules in a single Ingress is disallowed, so exactly
-// one of the following must be set.
-message IngressRuleValue {
-  // +optional
-  optional HTTPIngressRuleValue http = 1;
-}
-
-// IngressServiceBackend references a Kubernetes Service as a Backend.
-message IngressServiceBackend {
-  // Name is the referenced service. The service must exist in
-  // the same namespace as the Ingress object.
-  optional string name = 1;
-
-  // Port of the referenced service. A port name or port number
-  // is required for a IngressServiceBackend.
-  optional ServiceBackendPort port = 2;
-}
-
-// IngressSpec describes the Ingress the user wishes to exist.
-message IngressSpec {
-  // IngressClassName is the name of the IngressClass cluster resource. The
-  // associated IngressClass defines which controller will implement the
-  // resource. This replaces the deprecated `kubernetes.io/ingress.class`
-  // annotation. For backwards compatibility, when that annotation is set, it
-  // must be given precedence over this field. The controller may emit a
-  // warning if the field and annotation have different values.
-  // Implementations of this API should ignore Ingresses without a class
-  // specified. An IngressClass resource may be marked as default, which can
-  // be used to set a default value for this field. For more information,
-  // refer to the IngressClass documentation.
-  // +optional
-  optional string ingressClassName = 4;
-
-  // DefaultBackend is the backend that should handle requests that don't
-  // match any rule. If Rules are not specified, DefaultBackend must be specified.
-  // If DefaultBackend is not set, the handling of requests that do not match any
-  // of the rules will be up to the Ingress controller.
-  // +optional
-  optional IngressBackend defaultBackend = 1;
-
-  // TLS configuration. Currently the Ingress only supports a single TLS
-  // port, 443. If multiple members of this list specify different hosts, they
-  // will be multiplexed on the same port according to the hostname specified
-  // through the SNI TLS extension, if the ingress controller fulfilling the
-  // ingress supports SNI.
-  // +listType=atomic
-  // +optional
-  repeated IngressTLS tls = 2;
-
-  // A list of host rules used to configure the Ingress. If unspecified, or
-  // no rule matches, all traffic is sent to the default backend.
-  // +listType=atomic
-  // +optional
-  repeated IngressRule rules = 3;
-}
-
-// IngressStatus describe the current state of the Ingress.
-message IngressStatus {
-  // LoadBalancer contains the current status of the load-balancer.
-  // +optional
-  optional k8s.io.api.core.v1.LoadBalancerStatus loadBalancer = 1;
-}
-
-// IngressTLS describes the transport layer security associated with an Ingress.
-message IngressTLS {
-  // Hosts are a list of hosts included in the TLS certificate. The values in
-  // this list must match the name/s used in the tlsSecret. Defaults to the
-  // wildcard host setting for the loadbalancer controller fulfilling this
-  // Ingress, if left unspecified.
-  // +listType=atomic
-  // +optional
-  repeated string hosts = 1;
-
-  // SecretName is the name of the secret used to terminate TLS traffic on
-  // port 443. Field is left optional to allow TLS routing based on SNI
-  // hostname alone. If the SNI host in a listener conflicts with the "Host"
-  // header field used by an IngressRule, the SNI host is used for termination
-  // and value of the Host header is used for routing.
-  // +optional
-  optional string secretName = 2;
-}
-
-// NetworkPolicy describes what network traffic is allowed for a set of Pods
-message NetworkPolicy {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired behavior for this NetworkPolicy.
-  // +optional
-  optional NetworkPolicySpec spec = 2;
-}
-
-// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
-// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
-// This type is beta-level in 1.8
-message NetworkPolicyEgressRule {
-  // List of destination ports for outgoing traffic.
-  // Each item in this list is combined using a logical OR. If this field is
-  // empty or missing, this rule matches all ports (traffic not restricted by port).
-  // If this field is present and contains at least one item, then this rule allows
-  // traffic only if the traffic matches at least one port in the list.
-  // +optional
-  repeated NetworkPolicyPort ports = 1;
-
-  // List of destinations for outgoing traffic of pods selected for this rule.
-  // Items in this list are combined using a logical OR operation. If this field is
-  // empty or missing, this rule matches all destinations (traffic not restricted by
-  // destination). If this field is present and contains at least one item, this rule
-  // allows traffic only if the traffic matches at least one item in the to list.
-  // +optional
-  repeated NetworkPolicyPeer to = 2;
-}
-
-// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
-// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
-message NetworkPolicyIngressRule {
-  // List of ports which should be made accessible on the pods selected for this
-  // rule. Each item in this list is combined using a logical OR. If this field is
-  // empty or missing, this rule matches all ports (traffic not restricted by port).
-  // If this field is present and contains at least one item, then this rule allows
-  // traffic only if the traffic matches at least one port in the list.
-  // +optional
-  repeated NetworkPolicyPort ports = 1;
-
-  // List of sources which should be able to access the pods selected for this rule.
-  // Items in this list are combined using a logical OR operation. If this field is
-  // empty or missing, this rule matches all sources (traffic not restricted by
-  // source). If this field is present and contains at least one item, this rule
-  // allows traffic only if the traffic matches at least one item in the from list.
-  // +optional
-  repeated NetworkPolicyPeer from = 2;
-}
-
-// NetworkPolicyList is a list of NetworkPolicy objects.
-message NetworkPolicyList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of schema objects.
-  repeated NetworkPolicy items = 2;
-}
-
-// NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
-// fields are allowed
-message NetworkPolicyPeer {
-  // This is a label selector which selects Pods. This field follows standard label
-  // selector semantics; if present but empty, it selects all pods.
-  //
-  // If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
-  // the Pods matching PodSelector in the Namespaces selected by NamespaceSelector.
-  // Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector podSelector = 1;
-
-  // Selects Namespaces using cluster-scoped labels. This field follows standard label
-  // selector semantics; if present but empty, it selects all namespaces.
-  //
-  // If PodSelector is also set, then the NetworkPolicyPeer as a whole selects
-  // the Pods matching PodSelector in the Namespaces selected by NamespaceSelector.
-  // Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 2;
-
-  // IPBlock defines policy on a particular IPBlock. If this field is set then
-  // neither of the other fields can be.
-  // +optional
-  optional IPBlock ipBlock = 3;
-}
-
-// NetworkPolicyPort describes a port to allow traffic on
-message NetworkPolicyPort {
-  // The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this
-  // field defaults to TCP.
-  // +optional
-  optional string protocol = 1;
-
-  // The port on the given protocol. This can either be a numerical or named
-  // port on a pod. If this field is not provided, this matches all port names and
-  // numbers.
-  // If present, only traffic on the specified protocol AND port will be matched.
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString port = 2;
-
-  // If set, indicates that the range of ports from port to endPort, inclusive,
-  // should be allowed by the policy. This field cannot be defined if the port field
-  // is not defined or if the port field is defined as a named (string) port.
-  // The endPort must be equal or greater than port.
-  // This feature is in Beta state and is enabled by default.
-  // It can be disabled using the Feature Gate "NetworkPolicyEndPort".
-  // +optional
-  optional int32 endPort = 3;
-}
-
-// NetworkPolicySpec provides the specification of a NetworkPolicy
-message NetworkPolicySpec {
-  // Selects the pods to which this NetworkPolicy object applies. The array of
-  // ingress rules is applied to any pods selected by this field. Multiple network
-  // policies can select the same set of pods. In this case, the ingress rules for
-  // each are combined additively. This field is NOT optional and follows standard
-  // label selector semantics. An empty podSelector matches all pods in this
-  // namespace.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector podSelector = 1;
-
-  // List of ingress rules to be applied to the selected pods. Traffic is allowed to
-  // a pod if there are no NetworkPolicies selecting the pod
-  // (and cluster policy otherwise allows the traffic), OR if the traffic source is
-  // the pod's local node, OR if the traffic matches at least one ingress rule
-  // across all of the NetworkPolicy objects whose podSelector matches the pod. If
-  // this field is empty then this NetworkPolicy does not allow any traffic (and serves
-  // solely to ensure that the pods it selects are isolated by default)
-  // +optional
-  repeated NetworkPolicyIngressRule ingress = 2;
-
-  // List of egress rules to be applied to the selected pods. Outgoing traffic is
-  // allowed if there are no NetworkPolicies selecting the pod (and cluster policy
-  // otherwise allows the traffic), OR if the traffic matches at least one egress rule
-  // across all of the NetworkPolicy objects whose podSelector matches the pod. If
-  // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
-  // solely to ensure that the pods it selects are isolated by default).
-  // This field is beta-level in 1.8
-  // +optional
-  repeated NetworkPolicyEgressRule egress = 3;
-
-  // List of rule types that the NetworkPolicy relates to.
-  // Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"].
-  // If this field is not specified, it will default based on the existence of Ingress or Egress rules;
-  // policies that contain an Egress section are assumed to affect Egress, and all policies
-  // (whether or not they contain an Ingress section) are assumed to affect Ingress.
-  // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
-  // Likewise, if you want to write a policy that specifies that no egress is allowed,
-  // you must specify a policyTypes value that include "Egress" (since such a policy would not include
-  // an Egress section and would otherwise default to just [ "Ingress" ]).
-  // This field is beta-level in 1.8
-  // +optional
-  repeated string policyTypes = 4;
-}
-
-// ServiceBackendPort is the service port being referenced.
-message ServiceBackendPort {
-  // Name is the name of the port on the Service.
-  // This is a mutually exclusive setting with "Number".
-  // +optional
-  optional string name = 1;
-
-  // Number is the numerical port number (e.g. 80) on the Service.
-  // This is a mutually exclusive setting with "Name".
-  // +optional
-  optional int32 number = 2;
-}
-
--- a/common-protos/k8s.io/api/networking/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/networking/v1beta1/generated.proto
@ -1,301 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.networking.v1beta1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/networking/v1beta1";
-
-// HTTPIngressPath associates a path with a backend. Incoming urls matching the
-// path are forwarded to the backend.
-message HTTPIngressPath {
-  // Path is matched against the path of an incoming request. Currently it can
-  // contain characters disallowed from the conventional "path" part of a URL
-  // as defined by RFC 3986. Paths must begin with a '/' and must be present
-  // when using PathType with value "Exact" or "Prefix".
-  // +optional
-  optional string path = 1;
-
-  // PathType determines the interpretation of the Path matching. PathType can
-  // be one of the following values:
-  // * Exact: Matches the URL path exactly.
-  // * Prefix: Matches based on a URL path prefix split by '/'. Matching is
-  //   done on a path element by element basis. A path element refers is the
-  //   list of labels in the path split by the '/' separator. A request is a
-  //   match for path p if every p is an element-wise prefix of p of the
-  //   request path. Note that if the last element of the path is a substring
-  //   of the last element in request path, it is not a match (e.g. /foo/bar
-  //   matches /foo/bar/baz, but does not match /foo/barbaz).
-  // * ImplementationSpecific: Interpretation of the Path matching is up to
-  //   the IngressClass. Implementations can treat this as a separate PathType
-  //   or treat it identically to Prefix or Exact path types.
-  // Implementations are required to support all path types.
-  // Defaults to ImplementationSpecific.
-  optional string pathType = 3;
-
-  // Backend defines the referenced service endpoint to which the traffic
-  // will be forwarded to.
-  optional IngressBackend backend = 2;
-}
-
-// HTTPIngressRuleValue is a list of http selectors pointing to backends.
-// In the example: http://<host>/<path>?<searchpart> -> backend where
-// where parts of the url correspond to RFC 3986, this resource will be used
-// to match against everything after the last '/' and before the first '?'
-// or '#'.
-message HTTPIngressRuleValue {
-  // A collection of paths that map requests to backends.
-  repeated HTTPIngressPath paths = 1;
-}
-
-// Ingress is a collection of rules that allow inbound connections to reach the
-// endpoints defined by a backend. An Ingress can be configured to give services
-// externally-reachable urls, load balance traffic, terminate SSL, offer name
-// based virtual hosting etc.
-message Ingress {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec is the desired state of the Ingress.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional IngressSpec spec = 2;
-
-  // Status is the current state of the Ingress.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional IngressStatus status = 3;
-}
-
-// IngressBackend describes all endpoints for a given service and port.
-message IngressBackend {
-  // Specifies the name of the referenced service.
-  // +optional
-  optional string serviceName = 1;
-
-  // Specifies the port of the referenced service.
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString servicePort = 2;
-
-  // Resource is an ObjectRef to another Kubernetes resource in the namespace
-  // of the Ingress object. If resource is specified, serviceName and servicePort
-  // must not be specified.
-  // +optional
-  optional k8s.io.api.core.v1.TypedLocalObjectReference resource = 3;
-}
-
-// IngressClass represents the class of the Ingress, referenced by the Ingress
-// Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be
-// used to indicate that an IngressClass should be considered default. When a
-// single IngressClass resource has this annotation set to true, new Ingress
-// resources without a class specified will be assigned this default class.
-message IngressClass {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Spec is the desired state of the IngressClass.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  // +optional
-  optional IngressClassSpec spec = 2;
-}
-
-// IngressClassList is a collection of IngressClasses.
-message IngressClassList {
-  // Standard list metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of IngressClasses.
-  repeated IngressClass items = 2;
-}
-
-// IngressClassParametersReference identifies an API object. This can be used
-// to specify a cluster or namespace-scoped resource.
-message IngressClassParametersReference {
-  // APIGroup is the group for the resource being referenced. If APIGroup is
-  // not specified, the specified Kind must be in the core API group. For any
-  // other third-party types, APIGroup is required.
-  // +optional
-  optional string aPIGroup = 1;
-
-  // Kind is the type of resource being referenced.
-  optional string kind = 2;
-
-  // Name is the name of resource being referenced.
-  optional string name = 3;
-
-  // Scope represents if this refers to a cluster or namespace scoped resource.
-  // This may be set to "Cluster" (default) or "Namespace".
-  optional string scope = 4;
-
-  // Namespace is the namespace of the resource being referenced. This field is
-  // required when scope is set to "Namespace" and must be unset when scope is set to
-  // "Cluster".
-  // +optional
-  optional string namespace = 5;
-}
-
-// IngressClassSpec provides information about the class of an Ingress.
-message IngressClassSpec {
-  // Controller refers to the name of the controller that should handle this
-  // class. This allows for different "flavors" that are controlled by the
-  // same controller. For example, you may have different Parameters for the
-  // same implementing controller. This should be specified as a
-  // domain-prefixed path no more than 250 characters in length, e.g.
-  // "acme.io/ingress-controller". This field is immutable.
-  optional string controller = 1;
-
-  // Parameters is a link to a custom resource containing additional
-  // configuration for the controller. This is optional if the controller does
-  // not require extra parameters.
-  // +optional
-  optional IngressClassParametersReference parameters = 2;
-}
-
-// IngressList is a collection of Ingress.
-message IngressList {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of Ingress.
-  repeated Ingress items = 2;
-}
-
-// IngressRule represents the rules mapping the paths under a specified host to
-// the related backend services. Incoming requests are first evaluated for a host
-// match, then routed to the backend associated with the matching IngressRuleValue.
-message IngressRule {
-  // Host is the fully qualified domain name of a network host, as defined by RFC 3986.
-  // Note the following deviations from the "host" part of the
-  // URI as defined in RFC 3986:
-  // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
-  //    the IP in the Spec of the parent Ingress.
-  // 2. The `:` delimiter is not respected because ports are not allowed.
-  // 	  Currently the port of an Ingress is implicitly :80 for http and
-  // 	  :443 for https.
-  // Both these may change in the future.
-  // Incoming requests are matched against the host before the
-  // IngressRuleValue. If the host is unspecified, the Ingress routes all
-  // traffic based on the specified IngressRuleValue.
-  //
-  // Host can be "precise" which is a domain name without the terminating dot of
-  // a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
-  // prefixed with a single wildcard label (e.g. "*.foo.com").
-  // The wildcard character '*' must appear by itself as the first DNS label and
-  // matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
-  // Requests will be matched against the Host field in the following way:
-  // 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
-  // 2. If Host is a wildcard, then the request matches this rule if the http host header
-  // is to equal to the suffix (removing the first label) of the wildcard rule.
-  // +optional
-  optional string host = 1;
-
-  // IngressRuleValue represents a rule to route requests for this IngressRule.
-  // If unspecified, the rule defaults to a http catch-all. Whether that sends
-  // just traffic matching the host to the default backend or all traffic to the
-  // default backend, is left to the controller fulfilling the Ingress. Http is
-  // currently the only supported IngressRuleValue.
-  // +optional
-  optional IngressRuleValue ingressRuleValue = 2;
-}
-
-// IngressRuleValue represents a rule to apply against incoming requests. If the
-// rule is satisfied, the request is routed to the specified backend. Currently
-// mixing different types of rules in a single Ingress is disallowed, so exactly
-// one of the following must be set.
-message IngressRuleValue {
-  // +optional
-  optional HTTPIngressRuleValue http = 1;
-}
-
-// IngressSpec describes the Ingress the user wishes to exist.
-message IngressSpec {
-  // IngressClassName is the name of the IngressClass cluster resource. The
-  // associated IngressClass defines which controller will implement the
-  // resource. This replaces the deprecated `kubernetes.io/ingress.class`
-  // annotation. For backwards compatibility, when that annotation is set, it
-  // must be given precedence over this field. The controller may emit a
-  // warning if the field and annotation have different values.
-  // Implementations of this API should ignore Ingresses without a class
-  // specified. An IngressClass resource may be marked as default, which can
-  // be used to set a default value for this field. For more information,
-  // refer to the IngressClass documentation.
-  // +optional
-  optional string ingressClassName = 4;
-
-  // A default backend capable of servicing requests that don't match any
-  // rule. At least one of 'backend' or 'rules' must be specified. This field
-  // is optional to allow the loadbalancer controller or defaulting logic to
-  // specify a global default.
-  // +optional
-  optional IngressBackend backend = 1;
-
-  // TLS configuration. Currently the Ingress only supports a single TLS
-  // port, 443. If multiple members of this list specify different hosts, they
-  // will be multiplexed on the same port according to the hostname specified
-  // through the SNI TLS extension, if the ingress controller fulfilling the
-  // ingress supports SNI.
-  // +optional
-  repeated IngressTLS tls = 2;
-
-  // A list of host rules used to configure the Ingress. If unspecified, or
-  // no rule matches, all traffic is sent to the default backend.
-  // +optional
-  repeated IngressRule rules = 3;
-}
-
-// IngressStatus describe the current state of the Ingress.
-message IngressStatus {
-  // LoadBalancer contains the current status of the load-balancer.
-  // +optional
-  optional k8s.io.api.core.v1.LoadBalancerStatus loadBalancer = 1;
-}
-
-// IngressTLS describes the transport layer security associated with an Ingress.
-message IngressTLS {
-  // Hosts are a list of hosts included in the TLS certificate. The values in
-  // this list must match the name/s used in the tlsSecret. Defaults to the
-  // wildcard host setting for the loadbalancer controller fulfilling this
-  // Ingress, if left unspecified.
-  // +optional
-  repeated string hosts = 1;
-
-  // SecretName is the name of the secret used to terminate TLS traffic on
-  // port 443. Field is left optional to allow TLS routing based on SNI
-  // hostname alone. If the SNI host in a listener conflicts with the "Host"
-  // header field used by an IngressRule, the SNI host is used for termination
-  // and value of the Host header is used for routing.
-  // +optional
-  optional string secretName = 2;
-}
-
--- a/common-protos/k8s.io/api/node/v1/generated.proto
+++ b/common-protos/k8s.io/api/node/v1/generated.proto
@ -1,110 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.node.v1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/node/v1";
-
-// Overhead structure represents the resource overhead associated with running a pod.
-message Overhead {
-  // PodFixed represents the fixed resource overhead associated with running a pod.
-  // +optional
-  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> podFixed = 1;
-}
-
-// RuntimeClass defines a class of container runtime supported in the cluster.
-// The RuntimeClass is used to determine which container runtime is used to run
-// all containers in a pod. RuntimeClasses are manually defined by a
-// user or cluster provisioner, and referenced in the PodSpec. The Kubelet is
-// responsible for resolving the RuntimeClassName reference before running the
-// pod.  For more details, see
-// https://kubernetes.io/docs/concepts/containers/runtime-class/
-message RuntimeClass {
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Handler specifies the underlying runtime and configuration that the CRI
-  // implementation will use to handle pods of this class. The possible values
-  // are specific to the node & CRI configuration.  It is assumed that all
-  // handlers are available on every node, and handlers of the same name are
-  // equivalent on every node.
-  // For example, a handler called "runc" might specify that the runc OCI
-  // runtime (using native Linux containers) will be used to run the containers
-  // in a pod.
-  // The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements,
-  // and is immutable.
-  optional string handler = 2;
-
-  // Overhead represents the resource overhead associated with running a pod for a
-  // given RuntimeClass. For more details, see
-  //  https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/
-  // This field is in beta starting v1.18
-  // and is only honored by servers that enable the PodOverhead feature.
-  // +optional
-  optional Overhead overhead = 3;
-
-  // Scheduling holds the scheduling constraints to ensure that pods running
-  // with this RuntimeClass are scheduled to nodes that support it.
-  // If scheduling is nil, this RuntimeClass is assumed to be supported by all
-  // nodes.
-  // +optional
-  optional Scheduling scheduling = 4;
-}
-
-// RuntimeClassList is a list of RuntimeClass objects.
-message RuntimeClassList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of schema objects.
-  repeated RuntimeClass items = 2;
-}
-
-// Scheduling specifies the scheduling constraints for nodes supporting a
-// RuntimeClass.
-message Scheduling {
-  // nodeSelector lists labels that must be present on nodes that support this
-  // RuntimeClass. Pods using this RuntimeClass can only be scheduled to a
-  // node matched by this selector. The RuntimeClass nodeSelector is merged
-  // with a pod's existing nodeSelector. Any conflicts will cause the pod to
-  // be rejected in admission.
-  // +optional
-  // +mapType=atomic
-  map<string, string> nodeSelector = 1;
-
-  // tolerations are appended (excluding duplicates) to pods running with this
-  // RuntimeClass during admission, effectively unioning the set of nodes
-  // tolerated by the pod and the RuntimeClass.
-  // +optional
-  // +listType=atomic
-  repeated k8s.io.api.core.v1.Toleration tolerations = 2;
-}
-
--- a/common-protos/k8s.io/api/node/v1alpha1/generated.proto
+++ b/common-protos/k8s.io/api/node/v1alpha1/generated.proto
@ -1,119 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.node.v1alpha1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/node/v1alpha1";
-
-// Overhead structure represents the resource overhead associated with running a pod.
-message Overhead {
-  // PodFixed represents the fixed resource overhead associated with running a pod.
-  // +optional
-  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> podFixed = 1;
-}
-
-// RuntimeClass defines a class of container runtime supported in the cluster.
-// The RuntimeClass is used to determine which container runtime is used to run
-// all containers in a pod. RuntimeClasses are (currently) manually defined by a
-// user or cluster provisioner, and referenced in the PodSpec. The Kubelet is
-// responsible for resolving the RuntimeClassName reference before running the
-// pod.  For more details, see
-// https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
-message RuntimeClass {
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the RuntimeClass
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-  optional RuntimeClassSpec spec = 2;
-}
-
-// RuntimeClassList is a list of RuntimeClass objects.
-message RuntimeClassList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of schema objects.
-  repeated RuntimeClass items = 2;
-}
-
-// RuntimeClassSpec is a specification of a RuntimeClass. It contains parameters
-// that are required to describe the RuntimeClass to the Container Runtime
-// Interface (CRI) implementation, as well as any other components that need to
-// understand how the pod will be run. The RuntimeClassSpec is immutable.
-message RuntimeClassSpec {
-  // RuntimeHandler specifies the underlying runtime and configuration that the
-  // CRI implementation will use to handle pods of this class. The possible
-  // values are specific to the node & CRI configuration.  It is assumed that
-  // all handlers are available on every node, and handlers of the same name are
-  // equivalent on every node.
-  // For example, a handler called "runc" might specify that the runc OCI
-  // runtime (using native Linux containers) will be used to run the containers
-  // in a pod.
-  // The RuntimeHandler must be lowercase, conform to the DNS Label (RFC 1123)
-  // requirements, and is immutable.
-  optional string runtimeHandler = 1;
-
-  // Overhead represents the resource overhead associated with running a pod for a
-  // given RuntimeClass. For more details, see
-  // https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md
-  // This field is beta-level as of Kubernetes v1.18, and is only honored by servers that enable the PodOverhead feature.
-  // +optional
-  optional Overhead overhead = 2;
-
-  // Scheduling holds the scheduling constraints to ensure that pods running
-  // with this RuntimeClass are scheduled to nodes that support it.
-  // If scheduling is nil, this RuntimeClass is assumed to be supported by all
-  // nodes.
-  // +optional
-  optional Scheduling scheduling = 3;
-}
-
-// Scheduling specifies the scheduling constraints for nodes supporting a
-// RuntimeClass.
-message Scheduling {
-  // nodeSelector lists labels that must be present on nodes that support this
-  // RuntimeClass. Pods using this RuntimeClass can only be scheduled to a
-  // node matched by this selector. The RuntimeClass nodeSelector is merged
-  // with a pod's existing nodeSelector. Any conflicts will cause the pod to
-  // be rejected in admission.
-  // +optional
-  // +mapType=atomic
-  map<string, string> nodeSelector = 1;
-
-  // tolerations are appended (excluding duplicates) to pods running with this
-  // RuntimeClass during admission, effectively unioning the set of nodes
-  // tolerated by the pod and the RuntimeClass.
-  // +optional
-  // +listType=atomic
-  repeated k8s.io.api.core.v1.Toleration tolerations = 2;
-}
-
--- a/common-protos/k8s.io/api/node/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/node/v1beta1/generated.proto
@ -1,109 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.node.v1beta1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/node/v1beta1";
-
-// Overhead structure represents the resource overhead associated with running a pod.
-message Overhead {
-  // PodFixed represents the fixed resource overhead associated with running a pod.
-  // +optional
-  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> podFixed = 1;
-}
-
-// RuntimeClass defines a class of container runtime supported in the cluster.
-// The RuntimeClass is used to determine which container runtime is used to run
-// all containers in a pod. RuntimeClasses are (currently) manually defined by a
-// user or cluster provisioner, and referenced in the PodSpec. The Kubelet is
-// responsible for resolving the RuntimeClassName reference before running the
-// pod.  For more details, see
-// https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
-message RuntimeClass {
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Handler specifies the underlying runtime and configuration that the CRI
-  // implementation will use to handle pods of this class. The possible values
-  // are specific to the node & CRI configuration.  It is assumed that all
-  // handlers are available on every node, and handlers of the same name are
-  // equivalent on every node.
-  // For example, a handler called "runc" might specify that the runc OCI
-  // runtime (using native Linux containers) will be used to run the containers
-  // in a pod.
-  // The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements,
-  // and is immutable.
-  optional string handler = 2;
-
-  // Overhead represents the resource overhead associated with running a pod for a
-  // given RuntimeClass. For more details, see
-  // https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md
-  // This field is beta-level as of Kubernetes v1.18, and is only honored by servers that enable the PodOverhead feature.
-  // +optional
-  optional Overhead overhead = 3;
-
-  // Scheduling holds the scheduling constraints to ensure that pods running
-  // with this RuntimeClass are scheduled to nodes that support it.
-  // If scheduling is nil, this RuntimeClass is assumed to be supported by all
-  // nodes.
-  // +optional
-  optional Scheduling scheduling = 4;
-}
-
-// RuntimeClassList is a list of RuntimeClass objects.
-message RuntimeClassList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of schema objects.
-  repeated RuntimeClass items = 2;
-}
-
-// Scheduling specifies the scheduling constraints for nodes supporting a
-// RuntimeClass.
-message Scheduling {
-  // nodeSelector lists labels that must be present on nodes that support this
-  // RuntimeClass. Pods using this RuntimeClass can only be scheduled to a
-  // node matched by this selector. The RuntimeClass nodeSelector is merged
-  // with a pod's existing nodeSelector. Any conflicts will cause the pod to
-  // be rejected in admission.
-  // +optional
-  // +mapType=atomic
-  map<string, string> nodeSelector = 1;
-
-  // tolerations are appended (excluding duplicates) to pods running with this
-  // RuntimeClass during admission, effectively unioning the set of nodes
-  // tolerated by the pod and the RuntimeClass.
-  // +optional
-  // +listType=atomic
-  repeated k8s.io.api.core.v1.Toleration tolerations = 2;
-}
-
--- a/common-protos/k8s.io/api/policy/v1/generated.proto
+++ b/common-protos/k8s.io/api/policy/v1/generated.proto
@ -1,151 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.policy.v1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/policy/v1";
-
-// Eviction evicts a pod from its node subject to certain policies and safety constraints.
-// This is a subresource of Pod.  A request to cause such an eviction is
-// created by POSTing to .../pods/<pod name>/evictions.
-message Eviction {
-  // ObjectMeta describes the pod that is being evicted.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // DeleteOptions may be provided
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.DeleteOptions deleteOptions = 2;
-}
-
-// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
-message PodDisruptionBudget {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired behavior of the PodDisruptionBudget.
-  // +optional
-  optional PodDisruptionBudgetSpec spec = 2;
-
-  // Most recently observed status of the PodDisruptionBudget.
-  // +optional
-  optional PodDisruptionBudgetStatus status = 3;
-}
-
-// PodDisruptionBudgetList is a collection of PodDisruptionBudgets.
-message PodDisruptionBudgetList {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of PodDisruptionBudgets
-  repeated PodDisruptionBudget items = 2;
-}
-
-// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
-message PodDisruptionBudgetSpec {
-  // An eviction is allowed if at least "minAvailable" pods selected by
-  // "selector" will still be available after the eviction, i.e. even in the
-  // absence of the evicted pod.  So for example you can prevent all voluntary
-  // evictions by specifying "100%".
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString minAvailable = 1;
-
-  // Label query over pods whose evictions are managed by the disruption
-  // budget.
-  // A null selector will match no pods, while an empty ({}) selector will select
-  // all pods within the namespace.
-  // +patchStrategy=replace
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
-
-  // An eviction is allowed if at most "maxUnavailable" pods selected by
-  // "selector" are unavailable after the eviction, i.e. even in absence of
-  // the evicted pod. For example, one can prevent all voluntary evictions
-  // by specifying 0. This is a mutually exclusive setting with "minAvailable".
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 3;
-}
-
-// PodDisruptionBudgetStatus represents information about the status of a
-// PodDisruptionBudget. Status may trail the actual state of a system.
-message PodDisruptionBudgetStatus {
-  // Most recent generation observed when updating this PDB status. DisruptionsAllowed and other
-  // status information is valid only if observedGeneration equals to PDB's object generation.
-  // +optional
-  optional int64 observedGeneration = 1;
-
-  // DisruptedPods contains information about pods whose eviction was
-  // processed by the API server eviction subresource handler but has not
-  // yet been observed by the PodDisruptionBudget controller.
-  // A pod will be in this map from the time when the API server processed the
-  // eviction request to the time when the pod is seen by PDB controller
-  // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
-  // and the value is the time when the API server processed the eviction request. If
-  // the deletion didn't occur and a pod is still there it will be removed from
-  // the list automatically by PodDisruptionBudget controller after some time.
-  // If everything goes smooth this map should be empty for the most of the time.
-  // Large number of entries in the map may indicate problems with pod deletions.
-  // +optional
-  map<string, k8s.io.apimachinery.pkg.apis.meta.v1.Time> disruptedPods = 2;
-
-  // Number of pod disruptions that are currently allowed.
-  optional int32 disruptionsAllowed = 3;
-
-  // current number of healthy pods
-  optional int32 currentHealthy = 4;
-
-  // minimum desired number of healthy pods
-  optional int32 desiredHealthy = 5;
-
-  // total number of pods counted by this disruption budget
-  optional int32 expectedPods = 6;
-
-  // Conditions contain conditions for PDB. The disruption controller sets the
-  // DisruptionAllowed condition. The following are known values for the reason field
-  // (additional reasons could be added in the future):
-  // - SyncFailed: The controller encountered an error and wasn't able to compute
-  //               the number of allowed disruptions. Therefore no disruptions are
-  //               allowed and the status of the condition will be False.
-  // - InsufficientPods: The number of pods are either at or below the number
-  //                     required by the PodDisruptionBudget. No disruptions are
-  //                     allowed and the status of the condition will be False.
-  // - SufficientPods: There are more pods than required by the PodDisruptionBudget.
-  //                   The condition will be True, and the number of allowed
-  //                   disruptions are provided by the disruptionsAllowed property.
-  //
-  // +optional
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  // +listType=map
-  // +listMapKey=type
-  repeated k8s.io.apimachinery.pkg.apis.meta.v1.Condition conditions = 7;
-}
-
--- a/common-protos/k8s.io/api/policy/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/policy/v1beta1/generated.proto
@ -1,429 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.policy.v1beta1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/policy/v1beta1";
-
-// AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used.
-message AllowedCSIDriver {
-  // Name is the registered name of the CSI driver
-  optional string name = 1;
-}
-
-// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
-message AllowedFlexVolume {
-  // driver is the name of the Flexvolume driver.
-  optional string driver = 1;
-}
-
-// AllowedHostPath defines the host volume conditions that will be enabled by a policy
-// for pods to use. It requires the path prefix to be defined.
-message AllowedHostPath {
-  // pathPrefix is the path prefix that the host volume must match.
-  // It does not support `*`.
-  // Trailing slashes are trimmed when validating the path prefix with a host path.
-  //
-  // Examples:
-  // `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
-  // `/foo` would not allow `/food` or `/etc/foo`
-  optional string pathPrefix = 1;
-
-  // when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
-  // +optional
-  optional bool readOnly = 2;
-}
-
-// Eviction evicts a pod from its node subject to certain policies and safety constraints.
-// This is a subresource of Pod.  A request to cause such an eviction is
-// created by POSTing to .../pods/<pod name>/evictions.
-message Eviction {
-  // ObjectMeta describes the pod that is being evicted.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // DeleteOptions may be provided
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.DeleteOptions deleteOptions = 2;
-}
-
-// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
-message FSGroupStrategyOptions {
-  // rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
-  // +optional
-  optional string rule = 1;
-
-  // ranges are the allowed ranges of fs groups.  If you would like to force a single
-  // fs group then supply a single range with the same start and end. Required for MustRunAs.
-  // +optional
-  repeated IDRange ranges = 2;
-}
-
-// HostPortRange defines a range of host ports that will be enabled by a policy
-// for pods to use.  It requires both the start and end to be defined.
-message HostPortRange {
-  // min is the start of the range, inclusive.
-  optional int32 min = 1;
-
-  // max is the end of the range, inclusive.
-  optional int32 max = 2;
-}
-
-// IDRange provides a min/max of an allowed range of IDs.
-message IDRange {
-  // min is the start of the range, inclusive.
-  optional int64 min = 1;
-
-  // max is the end of the range, inclusive.
-  optional int64 max = 2;
-}
-
-// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
-message PodDisruptionBudget {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired behavior of the PodDisruptionBudget.
-  // +optional
-  optional PodDisruptionBudgetSpec spec = 2;
-
-  // Most recently observed status of the PodDisruptionBudget.
-  // +optional
-  optional PodDisruptionBudgetStatus status = 3;
-}
-
-// PodDisruptionBudgetList is a collection of PodDisruptionBudgets.
-message PodDisruptionBudgetList {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items list individual PodDisruptionBudget objects
-  repeated PodDisruptionBudget items = 2;
-}
-
-// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
-message PodDisruptionBudgetSpec {
-  // An eviction is allowed if at least "minAvailable" pods selected by
-  // "selector" will still be available after the eviction, i.e. even in the
-  // absence of the evicted pod.  So for example you can prevent all voluntary
-  // evictions by specifying "100%".
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString minAvailable = 1;
-
-  // Label query over pods whose evictions are managed by the disruption
-  // budget.
-  // A null selector selects no pods.
-  // An empty selector ({}) also selects no pods, which differs from standard behavior of selecting all pods.
-  // In policy/v1, an empty selector will select all pods in the namespace.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
-
-  // An eviction is allowed if at most "maxUnavailable" pods selected by
-  // "selector" are unavailable after the eviction, i.e. even in absence of
-  // the evicted pod. For example, one can prevent all voluntary evictions
-  // by specifying 0. This is a mutually exclusive setting with "minAvailable".
-  // +optional
-  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 3;
-}
-
-// PodDisruptionBudgetStatus represents information about the status of a
-// PodDisruptionBudget. Status may trail the actual state of a system.
-message PodDisruptionBudgetStatus {
-  // Most recent generation observed when updating this PDB status. DisruptionsAllowed and other
-  // status information is valid only if observedGeneration equals to PDB's object generation.
-  // +optional
-  optional int64 observedGeneration = 1;
-
-  // DisruptedPods contains information about pods whose eviction was
-  // processed by the API server eviction subresource handler but has not
-  // yet been observed by the PodDisruptionBudget controller.
-  // A pod will be in this map from the time when the API server processed the
-  // eviction request to the time when the pod is seen by PDB controller
-  // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
-  // and the value is the time when the API server processed the eviction request. If
-  // the deletion didn't occur and a pod is still there it will be removed from
-  // the list automatically by PodDisruptionBudget controller after some time.
-  // If everything goes smooth this map should be empty for the most of the time.
-  // Large number of entries in the map may indicate problems with pod deletions.
-  // +optional
-  map<string, k8s.io.apimachinery.pkg.apis.meta.v1.Time> disruptedPods = 2;
-
-  // Number of pod disruptions that are currently allowed.
-  optional int32 disruptionsAllowed = 3;
-
-  // current number of healthy pods
-  optional int32 currentHealthy = 4;
-
-  // minimum desired number of healthy pods
-  optional int32 desiredHealthy = 5;
-
-  // total number of pods counted by this disruption budget
-  optional int32 expectedPods = 6;
-
-  // Conditions contain conditions for PDB. The disruption controller sets the
-  // DisruptionAllowed condition. The following are known values for the reason field
-  // (additional reasons could be added in the future):
-  // - SyncFailed: The controller encountered an error and wasn't able to compute
-  //               the number of allowed disruptions. Therefore no disruptions are
-  //               allowed and the status of the condition will be False.
-  // - InsufficientPods: The number of pods are either at or below the number
-  //                     required by the PodDisruptionBudget. No disruptions are
-  //                     allowed and the status of the condition will be False.
-  // - SufficientPods: There are more pods than required by the PodDisruptionBudget.
-  //                   The condition will be True, and the number of allowed
-  //                   disruptions are provided by the disruptionsAllowed property.
-  //
-  // +optional
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  // +listType=map
-  // +listMapKey=type
-  repeated k8s.io.apimachinery.pkg.apis.meta.v1.Condition conditions = 7;
-}
-
-// PodSecurityPolicy governs the ability to make requests that affect the Security Context
-// that will be applied to a pod and container.
-// Deprecated in 1.21.
-message PodSecurityPolicy {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // spec defines the policy enforced.
-  // +optional
-  optional PodSecurityPolicySpec spec = 2;
-}
-
-// PodSecurityPolicyList is a list of PodSecurityPolicy objects.
-message PodSecurityPolicyList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is a list of schema objects.
-  repeated PodSecurityPolicy items = 2;
-}
-
-// PodSecurityPolicySpec defines the policy enforced.
-message PodSecurityPolicySpec {
-  // privileged determines if a pod can request to be run as privileged.
-  // +optional
-  optional bool privileged = 1;
-
-  // defaultAddCapabilities is the default set of capabilities that will be added to the container
-  // unless the pod spec specifically drops the capability.  You may not list a capability in both
-  // defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly
-  // allowed, and need not be included in the allowedCapabilities list.
-  // +optional
-  repeated string defaultAddCapabilities = 2;
-
-  // requiredDropCapabilities are the capabilities that will be dropped from the container.  These
-  // are required to be dropped and cannot be added.
-  // +optional
-  repeated string requiredDropCapabilities = 3;
-
-  // allowedCapabilities is a list of capabilities that can be requested to add to the container.
-  // Capabilities in this field may be added at the pod author's discretion.
-  // You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
-  // +optional
-  repeated string allowedCapabilities = 4;
-
-  // volumes is an allowlist of volume plugins. Empty indicates that
-  // no volumes may be used. To allow all volumes you may use '*'.
-  // +optional
-  repeated string volumes = 5;
-
-  // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
-  // +optional
-  optional bool hostNetwork = 6;
-
-  // hostPorts determines which host port ranges are allowed to be exposed.
-  // +optional
-  repeated HostPortRange hostPorts = 7;
-
-  // hostPID determines if the policy allows the use of HostPID in the pod spec.
-  // +optional
-  optional bool hostPID = 8;
-
-  // hostIPC determines if the policy allows the use of HostIPC in the pod spec.
-  // +optional
-  optional bool hostIPC = 9;
-
-  // seLinux is the strategy that will dictate the allowable labels that may be set.
-  optional SELinuxStrategyOptions seLinux = 10;
-
-  // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
-  optional RunAsUserStrategyOptions runAsUser = 11;
-
-  // RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set.
-  // If this field is omitted, the pod's RunAsGroup can take any value. This field requires the
-  // RunAsGroup feature gate to be enabled.
-  // +optional
-  optional RunAsGroupStrategyOptions runAsGroup = 22;
-
-  // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
-  optional SupplementalGroupsStrategyOptions supplementalGroups = 12;
-
-  // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
-  optional FSGroupStrategyOptions fsGroup = 13;
-
-  // readOnlyRootFilesystem when set to true will force containers to run with a read only root file
-  // system.  If the container specifically requests to run with a non-read only root file system
-  // the PSP should deny the pod.
-  // If set to false the container may run with a read only root file system if it wishes but it
-  // will not be forced to.
-  // +optional
-  optional bool readOnlyRootFilesystem = 14;
-
-  // defaultAllowPrivilegeEscalation controls the default setting for whether a
-  // process can gain more privileges than its parent process.
-  // +optional
-  optional bool defaultAllowPrivilegeEscalation = 15;
-
-  // allowPrivilegeEscalation determines if a pod can request to allow
-  // privilege escalation. If unspecified, defaults to true.
-  // +optional
-  optional bool allowPrivilegeEscalation = 16;
-
-  // allowedHostPaths is an allowlist of host paths. Empty indicates
-  // that all host paths may be used.
-  // +optional
-  repeated AllowedHostPath allowedHostPaths = 17;
-
-  // allowedFlexVolumes is an allowlist of Flexvolumes.  Empty or nil indicates that all
-  // Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes
-  // is allowed in the "volumes" field.
-  // +optional
-  repeated AllowedFlexVolume allowedFlexVolumes = 18;
-
-  // AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
-  // An empty value indicates that any CSI driver can be used for inline ephemeral volumes.
-  // This is a beta field, and is only honored if the API server enables the CSIInlineVolume feature gate.
-  // +optional
-  repeated AllowedCSIDriver allowedCSIDrivers = 23;
-
-  // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
-  // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
-  // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
-  // Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
-  //
-  // Examples:
-  // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
-  // e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
-  // +optional
-  repeated string allowedUnsafeSysctls = 19;
-
-  // forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
-  // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
-  // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
-  //
-  // Examples:
-  // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
-  // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
-  // +optional
-  repeated string forbiddenSysctls = 20;
-
-  // AllowedProcMountTypes is an allowlist of allowed ProcMountTypes.
-  // Empty or nil indicates that only the DefaultProcMountType may be used.
-  // This requires the ProcMountType feature flag to be enabled.
-  // +optional
-  repeated string allowedProcMountTypes = 21;
-
-  // runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod.
-  // If this field is omitted, the pod's runtimeClassName field is unrestricted.
-  // Enforcement of this field depends on the RuntimeClass feature gate being enabled.
-  // +optional
-  optional RuntimeClassStrategyOptions runtimeClass = 24;
-}
-
-// RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy.
-message RunAsGroupStrategyOptions {
-  // rule is the strategy that will dictate the allowable RunAsGroup values that may be set.
-  optional string rule = 1;
-
-  // ranges are the allowed ranges of gids that may be used. If you would like to force a single gid
-  // then supply a single range with the same start and end. Required for MustRunAs.
-  // +optional
-  repeated IDRange ranges = 2;
-}
-
-// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
-message RunAsUserStrategyOptions {
-  // rule is the strategy that will dictate the allowable RunAsUser values that may be set.
-  optional string rule = 1;
-
-  // ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
-  // then supply a single range with the same start and end. Required for MustRunAs.
-  // +optional
-  repeated IDRange ranges = 2;
-}
-
-// RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses
-// for a pod.
-message RuntimeClassStrategyOptions {
-  // allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod.
-  // A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the
-  // list. An empty list requires the RuntimeClassName field to be unset.
-  repeated string allowedRuntimeClassNames = 1;
-
-  // defaultRuntimeClassName is the default RuntimeClassName to set on the pod.
-  // The default MUST be allowed by the allowedRuntimeClassNames list.
-  // A value of nil does not mutate the Pod.
-  // +optional
-  optional string defaultRuntimeClassName = 2;
-}
-
-// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
-message SELinuxStrategyOptions {
-  // rule is the strategy that will dictate the allowable labels that may be set.
-  optional string rule = 1;
-
-  // seLinuxOptions required to run as; required for MustRunAs
-  // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-  // +optional
-  optional k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2;
-}
-
-// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
-message SupplementalGroupsStrategyOptions {
-  // rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
-  // +optional
-  optional string rule = 1;
-
-  // ranges are the allowed ranges of supplemental groups.  If you would like to force a single
-  // supplemental group then supply a single range with the same start and end. Required for MustRunAs.
-  // +optional
-  repeated IDRange ranges = 2;
-}
-
--- a/common-protos/k8s.io/api/rbac/v1/generated.proto
+++ b/common-protos/k8s.io/api/rbac/v1/generated.proto
@ -1,201 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.rbac.v1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/rbac/v1";
-
-// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
-message AggregationRule {
-  // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
-  // If any of the selectors match, then the ClusterRole's permissions will be added
-  // +optional
-  repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector clusterRoleSelectors = 1;
-}
-
-// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
-message ClusterRole {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Rules holds all the PolicyRules for this ClusterRole
-  // +optional
-  repeated PolicyRule rules = 2;
-
-  // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
-  // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
-  // stomped by the controller.
-  // +optional
-  optional AggregationRule aggregationRule = 3;
-}
-
-// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
-// and adds who information via Subject.
-message ClusterRoleBinding {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Subjects holds references to the objects the role applies to.
-  // +optional
-  repeated Subject subjects = 2;
-
-  // RoleRef can only reference a ClusterRole in the global namespace.
-  // If the RoleRef cannot be resolved, the Authorizer must return an error.
-  optional RoleRef roleRef = 3;
-}
-
-// ClusterRoleBindingList is a collection of ClusterRoleBindings
-message ClusterRoleBindingList {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of ClusterRoleBindings
-  repeated ClusterRoleBinding items = 2;
-}
-
-// ClusterRoleList is a collection of ClusterRoles
-message ClusterRoleList {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of ClusterRoles
-  repeated ClusterRole items = 2;
-}
-
-// PolicyRule holds information that describes a policy rule, but does not contain information
-// about who the rule applies to or which namespace the rule applies to.
-message PolicyRule {
-  // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
-  repeated string verbs = 1;
-
-  // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
-  // the enumerated resources in any API group will be allowed.
-  // +optional
-  repeated string apiGroups = 2;
-
-  // Resources is a list of resources this rule applies to. '*' represents all resources.
-  // +optional
-  repeated string resources = 3;
-
-  // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
-  // +optional
-  repeated string resourceNames = 4;
-
-  // NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
-  // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
-  // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
-  // +optional
-  repeated string nonResourceURLs = 5;
-}
-
-// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
-message Role {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Rules holds all the PolicyRules for this Role
-  // +optional
-  repeated PolicyRule rules = 2;
-}
-
-// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
-// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
-// namespace only have effect in that namespace.
-message RoleBinding {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Subjects holds references to the objects the role applies to.
-  // +optional
-  repeated Subject subjects = 2;
-
-  // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
-  // If the RoleRef cannot be resolved, the Authorizer must return an error.
-  optional RoleRef roleRef = 3;
-}
-
-// RoleBindingList is a collection of RoleBindings
-message RoleBindingList {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of RoleBindings
-  repeated RoleBinding items = 2;
-}
-
-// RoleList is a collection of Roles
-message RoleList {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of Roles
-  repeated Role items = 2;
-}
-
-// RoleRef contains information that points to the role being used
-// +structType=atomic
-message RoleRef {
-  // APIGroup is the group for the resource being referenced
-  optional string apiGroup = 1;
-
-  // Kind is the type of resource being referenced
-  optional string kind = 2;
-
-  // Name is the name of resource being referenced
-  optional string name = 3;
-}
-
-// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
-// or a value for non-objects such as user and group names.
-// +structType=atomic
-message Subject {
-  // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
-  // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
-  optional string kind = 1;
-
-  // APIGroup holds the API group of the referenced subject.
-  // Defaults to "" for ServiceAccount subjects.
-  // Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
-  // +optional
-  optional string apiGroup = 2;
-
-  // Name of the object being referenced.
-  optional string name = 3;
-
-  // Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
-  // the Authorizer should report an error.
-  // +optional
-  optional string namespace = 4;
-}
-
--- a/common-protos/k8s.io/api/rbac/v1alpha1/generated.proto
+++ b/common-protos/k8s.io/api/rbac/v1alpha1/generated.proto
@ -1,208 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.rbac.v1alpha1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/rbac/v1alpha1";
-
-// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
-message AggregationRule {
-  // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
-  // If any of the selectors match, then the ClusterRole's permissions will be added
-  // +optional
-  repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector clusterRoleSelectors = 1;
-}
-
-// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRole, and will no longer be served in v1.22.
-message ClusterRole {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Rules holds all the PolicyRules for this ClusterRole
-  // +optional
-  repeated PolicyRule rules = 2;
-
-  // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
-  // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
-  // stomped by the controller.
-  // +optional
-  optional AggregationRule aggregationRule = 3;
-}
-
-// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
-// and adds who information via Subject.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBinding, and will no longer be served in v1.22.
-message ClusterRoleBinding {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Subjects holds references to the objects the role applies to.
-  // +optional
-  repeated Subject subjects = 2;
-
-  // RoleRef can only reference a ClusterRole in the global namespace.
-  // If the RoleRef cannot be resolved, the Authorizer must return an error.
-  optional RoleRef roleRef = 3;
-}
-
-// ClusterRoleBindingList is a collection of ClusterRoleBindings.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBindings, and will no longer be served in v1.22.
-message ClusterRoleBindingList {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of ClusterRoleBindings
-  repeated ClusterRoleBinding items = 2;
-}
-
-// ClusterRoleList is a collection of ClusterRoles.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoles, and will no longer be served in v1.22.
-message ClusterRoleList {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of ClusterRoles
-  repeated ClusterRole items = 2;
-}
-
-// PolicyRule holds information that describes a policy rule, but does not contain information
-// about who the rule applies to or which namespace the rule applies to.
-message PolicyRule {
-  // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
-  repeated string verbs = 1;
-
-  // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
-  // the enumerated resources in any API group will be allowed.
-  // +optional
-  repeated string apiGroups = 3;
-
-  // Resources is a list of resources this rule applies to. '*' represents all resources.
-  // +optional
-  repeated string resources = 4;
-
-  // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
-  // +optional
-  repeated string resourceNames = 5;
-
-  // NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
-  // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
-  // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
-  // +optional
-  repeated string nonResourceURLs = 6;
-}
-
-// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 Role, and will no longer be served in v1.22.
-message Role {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Rules holds all the PolicyRules for this Role
-  // +optional
-  repeated PolicyRule rules = 2;
-}
-
-// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
-// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
-// namespace only have effect in that namespace.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBinding, and will no longer be served in v1.22.
-message RoleBinding {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Subjects holds references to the objects the role applies to.
-  // +optional
-  repeated Subject subjects = 2;
-
-  // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
-  // If the RoleRef cannot be resolved, the Authorizer must return an error.
-  optional RoleRef roleRef = 3;
-}
-
-// RoleBindingList is a collection of RoleBindings
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBindingList, and will no longer be served in v1.22.
-message RoleBindingList {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of RoleBindings
-  repeated RoleBinding items = 2;
-}
-
-// RoleList is a collection of Roles.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleList, and will no longer be served in v1.22.
-message RoleList {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of Roles
-  repeated Role items = 2;
-}
-
-// RoleRef contains information that points to the role being used
-message RoleRef {
-  // APIGroup is the group for the resource being referenced
-  optional string apiGroup = 1;
-
-  // Kind is the type of resource being referenced
-  optional string kind = 2;
-
-  // Name is the name of resource being referenced
-  optional string name = 3;
-}
-
-// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
-// or a value for non-objects such as user and group names.
-message Subject {
-  // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
-  // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
-  optional string kind = 1;
-
-  // APIVersion holds the API group and version of the referenced subject.
-  // Defaults to "v1" for ServiceAccount subjects.
-  // Defaults to "rbac.authorization.k8s.io/v1alpha1" for User and Group subjects.
-  // +k8s:conversion-gen=false
-  // +optional
-  optional string apiVersion = 2;
-
-  // Name of the object being referenced.
-  optional string name = 3;
-
-  // Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
-  // the Authorizer should report an error.
-  // +optional
-  optional string namespace = 4;
-}
-
--- a/common-protos/k8s.io/api/rbac/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/rbac/v1beta1/generated.proto
@ -1,208 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.rbac.v1beta1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/rbac/v1beta1";
-
-// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
-message AggregationRule {
-  // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
-  // If any of the selectors match, then the ClusterRole's permissions will be added
-  // +optional
-  repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector clusterRoleSelectors = 1;
-}
-
-// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRole, and will no longer be served in v1.22.
-message ClusterRole {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Rules holds all the PolicyRules for this ClusterRole
-  // +optional
-  repeated PolicyRule rules = 2;
-
-  // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
-  // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
-  // stomped by the controller.
-  // +optional
-  optional AggregationRule aggregationRule = 3;
-}
-
-// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
-// and adds who information via Subject.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBinding, and will no longer be served in v1.22.
-message ClusterRoleBinding {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Subjects holds references to the objects the role applies to.
-  // +optional
-  repeated Subject subjects = 2;
-
-  // RoleRef can only reference a ClusterRole in the global namespace.
-  // If the RoleRef cannot be resolved, the Authorizer must return an error.
-  optional RoleRef roleRef = 3;
-}
-
-// ClusterRoleBindingList is a collection of ClusterRoleBindings.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBindingList, and will no longer be served in v1.22.
-message ClusterRoleBindingList {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of ClusterRoleBindings
-  repeated ClusterRoleBinding items = 2;
-}
-
-// ClusterRoleList is a collection of ClusterRoles.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoles, and will no longer be served in v1.22.
-message ClusterRoleList {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of ClusterRoles
-  repeated ClusterRole items = 2;
-}
-
-// PolicyRule holds information that describes a policy rule, but does not contain information
-// about who the rule applies to or which namespace the rule applies to.
-message PolicyRule {
-  // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
-  repeated string verbs = 1;
-
-  // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
-  // the enumerated resources in any API group will be allowed.
-  // +optional
-  repeated string apiGroups = 2;
-
-  // Resources is a list of resources this rule applies to.  '*' represents all resources in the specified apiGroups.
-  // '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.
-  // +optional
-  repeated string resources = 3;
-
-  // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
-  // +optional
-  repeated string resourceNames = 4;
-
-  // NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
-  // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
-  // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
-  // +optional
-  repeated string nonResourceURLs = 5;
-}
-
-// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 Role, and will no longer be served in v1.22.
-message Role {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Rules holds all the PolicyRules for this Role
-  // +optional
-  repeated PolicyRule rules = 2;
-}
-
-// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
-// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
-// namespace only have effect in that namespace.
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBinding, and will no longer be served in v1.22.
-message RoleBinding {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Subjects holds references to the objects the role applies to.
-  // +optional
-  repeated Subject subjects = 2;
-
-  // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
-  // If the RoleRef cannot be resolved, the Authorizer must return an error.
-  optional RoleRef roleRef = 3;
-}
-
-// RoleBindingList is a collection of RoleBindings
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBindingList, and will no longer be served in v1.22.
-message RoleBindingList {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of RoleBindings
-  repeated RoleBinding items = 2;
-}
-
-// RoleList is a collection of Roles
-// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleList, and will no longer be served in v1.22.
-message RoleList {
-  // Standard object's metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is a list of Roles
-  repeated Role items = 2;
-}
-
-// RoleRef contains information that points to the role being used
-message RoleRef {
-  // APIGroup is the group for the resource being referenced
-  optional string apiGroup = 1;
-
-  // Kind is the type of resource being referenced
-  optional string kind = 2;
-
-  // Name is the name of resource being referenced
-  optional string name = 3;
-}
-
-// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
-// or a value for non-objects such as user and group names.
-message Subject {
-  // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
-  // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
-  optional string kind = 1;
-
-  // APIGroup holds the API group of the referenced subject.
-  // Defaults to "" for ServiceAccount subjects.
-  // Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
-  // +optional
-  optional string apiGroup = 2;
-
-  // Name of the object being referenced.
-  optional string name = 3;
-
-  // Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
-  // the Authorizer should report an error.
-  // +optional
-  optional string namespace = 4;
-}
-
--- a/common-protos/k8s.io/api/scheduling/v1/generated.proto
+++ b/common-protos/k8s.io/api/scheduling/v1/generated.proto
@ -1,74 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.scheduling.v1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/scheduling/v1";
-
-// PriorityClass defines mapping from a priority class name to the priority
-// integer value. The value can be any valid integer.
-message PriorityClass {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // The value of this priority class. This is the actual priority that pods
-  // receive when they have the name of this class in their pod spec.
-  optional int32 value = 2;
-
-  // globalDefault specifies whether this PriorityClass should be considered as
-  // the default priority for pods that do not have any priority class.
-  // Only one PriorityClass can be marked as `globalDefault`. However, if more than
-  // one PriorityClasses exists with their `globalDefault` field set to true,
-  // the smallest value of such global default PriorityClasses will be used as the default priority.
-  // +optional
-  optional bool globalDefault = 3;
-
-  // description is an arbitrary string that usually provides guidelines on
-  // when this priority class should be used.
-  // +optional
-  optional string description = 4;
-
-  // PreemptionPolicy is the Policy for preempting pods with lower priority.
-  // One of Never, PreemptLowerPriority.
-  // Defaults to PreemptLowerPriority if unset.
-  // +optional
-  optional string preemptionPolicy = 5;
-}
-
-// PriorityClassList is a collection of priority classes.
-message PriorityClassList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of PriorityClasses
-  repeated PriorityClass items = 2;
-}
-
--- a/common-protos/k8s.io/api/scheduling/v1alpha1/generated.proto
+++ b/common-protos/k8s.io/api/scheduling/v1alpha1/generated.proto
@ -1,75 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.scheduling.v1alpha1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/scheduling/v1alpha1";
-
-// DEPRECATED - This group version of PriorityClass is deprecated by scheduling.k8s.io/v1/PriorityClass.
-// PriorityClass defines mapping from a priority class name to the priority
-// integer value. The value can be any valid integer.
-message PriorityClass {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // The value of this priority class. This is the actual priority that pods
-  // receive when they have the name of this class in their pod spec.
-  optional int32 value = 2;
-
-  // globalDefault specifies whether this PriorityClass should be considered as
-  // the default priority for pods that do not have any priority class.
-  // Only one PriorityClass can be marked as `globalDefault`. However, if more than
-  // one PriorityClasses exists with their `globalDefault` field set to true,
-  // the smallest value of such global default PriorityClasses will be used as the default priority.
-  // +optional
-  optional bool globalDefault = 3;
-
-  // description is an arbitrary string that usually provides guidelines on
-  // when this priority class should be used.
-  // +optional
-  optional string description = 4;
-
-  // PreemptionPolicy is the Policy for preempting pods with lower priority.
-  // One of Never, PreemptLowerPriority.
-  // Defaults to PreemptLowerPriority if unset.
-  // +optional
-  optional string preemptionPolicy = 5;
-}
-
-// PriorityClassList is a collection of priority classes.
-message PriorityClassList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of PriorityClasses
-  repeated PriorityClass items = 2;
-}
-
--- a/common-protos/k8s.io/api/scheduling/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/scheduling/v1beta1/generated.proto
@ -1,75 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.scheduling.v1beta1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/scheduling/v1beta1";
-
-// DEPRECATED - This group version of PriorityClass is deprecated by scheduling.k8s.io/v1/PriorityClass.
-// PriorityClass defines mapping from a priority class name to the priority
-// integer value. The value can be any valid integer.
-message PriorityClass {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // The value of this priority class. This is the actual priority that pods
-  // receive when they have the name of this class in their pod spec.
-  optional int32 value = 2;
-
-  // globalDefault specifies whether this PriorityClass should be considered as
-  // the default priority for pods that do not have any priority class.
-  // Only one PriorityClass can be marked as `globalDefault`. However, if more than
-  // one PriorityClasses exists with their `globalDefault` field set to true,
-  // the smallest value of such global default PriorityClasses will be used as the default priority.
-  // +optional
-  optional bool globalDefault = 3;
-
-  // description is an arbitrary string that usually provides guidelines on
-  // when this priority class should be used.
-  // +optional
-  optional string description = 4;
-
-  // PreemptionPolicy is the Policy for preempting pods with lower priority.
-  // One of Never, PreemptLowerPriority.
-  // Defaults to PreemptLowerPriority if unset.
-  // +optional
-  optional string preemptionPolicy = 5;
-}
-
-// PriorityClassList is a collection of priority classes.
-message PriorityClassList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of PriorityClasses
-  repeated PriorityClass items = 2;
-}
-
--- a/common-protos/k8s.io/api/storage/v1/generated.proto
+++ b/common-protos/k8s.io/api/storage/v1/generated.proto
@ -1,460 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.storage.v1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/storage/v1";
-
-// CSIDriver captures information about a Container Storage Interface (CSI)
-// volume driver deployed on the cluster.
-// Kubernetes attach detach controller uses this object to determine whether attach is required.
-// Kubelet uses this object to determine whether pod information needs to be passed on mount.
-// CSIDriver objects are non-namespaced.
-message CSIDriver {
-  // Standard object metadata.
-  // metadata.Name indicates the name of the CSI driver that this object
-  // refers to; it MUST be the same name returned by the CSI GetPluginName()
-  // call for that driver.
-  // The driver name must be 63 characters or less, beginning and ending with
-  // an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and
-  // alphanumerics between.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the CSI Driver.
-  optional CSIDriverSpec spec = 2;
-}
-
-// CSIDriverList is a collection of CSIDriver objects.
-message CSIDriverList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of CSIDriver
-  repeated CSIDriver items = 2;
-}
-
-// CSIDriverSpec is the specification of a CSIDriver.
-message CSIDriverSpec {
-  // attachRequired indicates this CSI volume driver requires an attach
-  // operation (because it implements the CSI ControllerPublishVolume()
-  // method), and that the Kubernetes attach detach controller should call
-  // the attach volume interface which checks the volumeattachment status
-  // and waits until the volume is attached before proceeding to mounting.
-  // The CSI external-attacher coordinates with CSI volume driver and updates
-  // the volumeattachment status when the attach operation is complete.
-  // If the CSIDriverRegistry feature gate is enabled and the value is
-  // specified to false, the attach operation will be skipped.
-  // Otherwise the attach operation will be called.
-  //
-  // This field is immutable.
-  //
-  // +optional
-  optional bool attachRequired = 1;
-
-  // If set to true, podInfoOnMount indicates this CSI volume driver
-  // requires additional pod information (like podName, podUID, etc.) during
-  // mount operations.
-  // If set to false, pod information will not be passed on mount.
-  // Default is false.
-  // The CSI driver specifies podInfoOnMount as part of driver deployment.
-  // If true, Kubelet will pass pod information as VolumeContext in the CSI
-  // NodePublishVolume() calls.
-  // The CSI driver is responsible for parsing and validating the information
-  // passed in as VolumeContext.
-  // The following VolumeConext will be passed if podInfoOnMount is set to true.
-  // This list might grow, but the prefix will be used.
-  // "csi.storage.k8s.io/pod.name": pod.Name
-  // "csi.storage.k8s.io/pod.namespace": pod.Namespace
-  // "csi.storage.k8s.io/pod.uid": string(pod.UID)
-  // "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume
-  //                                 defined by a CSIVolumeSource, otherwise "false"
-  //
-  // "csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only
-  // required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode.
-  // Other drivers can leave pod info disabled and/or ignore this field.
-  // As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when
-  // deployed on such a cluster and the deployment determines which mode that is, for example
-  // via a command line parameter of the driver.
-  //
-  // This field is immutable.
-  //
-  // +optional
-  optional bool podInfoOnMount = 2;
-
-  // volumeLifecycleModes defines what kind of volumes this CSI volume driver supports.
-  // The default if the list is empty is "Persistent", which is the usage
-  // defined by the CSI specification and implemented in Kubernetes via the usual
-  // PV/PVC mechanism.
-  // The other mode is "Ephemeral". In this mode, volumes are defined inline
-  // inside the pod spec with CSIVolumeSource and their lifecycle is tied to
-  // the lifecycle of that pod. A driver has to be aware of this
-  // because it is only going to get a NodePublishVolume call for such a volume.
-  // For more information about implementing this mode, see
-  // https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html
-  // A driver can support one or more of these modes and
-  // more modes may be added in the future.
-  // This field is beta.
-  //
-  // This field is immutable.
-  //
-  // +optional
-  // +listType=set
-  repeated string volumeLifecycleModes = 3;
-
-  // If set to true, storageCapacity indicates that the CSI
-  // volume driver wants pod scheduling to consider the storage
-  // capacity that the driver deployment will report by creating
-  // CSIStorageCapacity objects with capacity information.
-  //
-  // The check can be enabled immediately when deploying a driver.
-  // In that case, provisioning new volumes with late binding
-  // will pause until the driver deployment has published
-  // some suitable CSIStorageCapacity object.
-  //
-  // Alternatively, the driver can be deployed with the field
-  // unset or false and it can be flipped later when storage
-  // capacity information has been published.
-  //
-  // This field was immutable in Kubernetes <= 1.22 and now is mutable.
-  //
-  // This is a beta field and only available when the CSIStorageCapacity
-  // feature is enabled. The default is false.
-  //
-  // +optional
-  // +featureGate=CSIStorageCapacity
-  optional bool storageCapacity = 4;
-
-  // Defines if the underlying volume supports changing ownership and
-  // permission of the volume before being mounted.
-  // Refer to the specific FSGroupPolicy values for additional details.
-  //
-  // This field is immutable.
-  //
-  // Defaults to ReadWriteOnceWithFSType, which will examine each volume
-  // to determine if Kubernetes should modify ownership and permissions of the volume.
-  // With the default policy the defined fsGroup will only be applied
-  // if a fstype is defined and the volume's access mode contains ReadWriteOnce.
-  // +optional
-  optional string fsGroupPolicy = 5;
-
-  // TokenRequests indicates the CSI driver needs pods' service account
-  // tokens it is mounting volume for to do necessary authentication. Kubelet
-  // will pass the tokens in VolumeContext in the CSI NodePublishVolume calls.
-  // The CSI driver should parse and validate the following VolumeContext:
-  // "csi.storage.k8s.io/serviceAccount.tokens": {
-  //   "<audience>": {
-  //     "token": <token>,
-  //     "expirationTimestamp": <expiration timestamp in RFC3339>,
-  //   },
-  //   ...
-  // }
-  //
-  // Note: Audience in each TokenRequest should be different and at
-  // most one token is empty string. To receive a new token after expiry,
-  // RequiresRepublish can be used to trigger NodePublishVolume periodically.
-  //
-  // +optional
-  // +listType=atomic
-  repeated TokenRequest tokenRequests = 6;
-
-  // RequiresRepublish indicates the CSI driver wants `NodePublishVolume`
-  // being periodically called to reflect any possible change in the mounted
-  // volume. This field defaults to false.
-  //
-  // Note: After a successful initial NodePublishVolume call, subsequent calls
-  // to NodePublishVolume should only update the contents of the volume. New
-  // mount points will not be seen by a running container.
-  //
-  // +optional
-  optional bool requiresRepublish = 7;
-}
-
-// CSINode holds information about all CSI drivers installed on a node.
-// CSI drivers do not need to create the CSINode object directly. As long as
-// they use the node-driver-registrar sidecar container, the kubelet will
-// automatically populate the CSINode object for the CSI driver as part of
-// kubelet plugin registration.
-// CSINode has the same name as a node. If the object is missing, it means either
-// there are no CSI Drivers available on the node, or the Kubelet version is low
-// enough that it doesn't create this object.
-// CSINode has an OwnerReference that points to the corresponding node object.
-message CSINode {
-  // metadata.name must be the Kubernetes node name.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // spec is the specification of CSINode
-  optional CSINodeSpec spec = 2;
-}
-
-// CSINodeDriver holds information about the specification of one CSI driver installed on a node
-message CSINodeDriver {
-  // This is the name of the CSI driver that this object refers to.
-  // This MUST be the same name returned by the CSI GetPluginName() call for
-  // that driver.
-  optional string name = 1;
-
-  // nodeID of the node from the driver point of view.
-  // This field enables Kubernetes to communicate with storage systems that do
-  // not share the same nomenclature for nodes. For example, Kubernetes may
-  // refer to a given node as "node1", but the storage system may refer to
-  // the same node as "nodeA". When Kubernetes issues a command to the storage
-  // system to attach a volume to a specific node, it can use this field to
-  // refer to the node name using the ID that the storage system will
-  // understand, e.g. "nodeA" instead of "node1". This field is required.
-  optional string nodeID = 2;
-
-  // topologyKeys is the list of keys supported by the driver.
-  // When a driver is initialized on a cluster, it provides a set of topology
-  // keys that it understands (e.g. "company.com/zone", "company.com/region").
-  // When a driver is initialized on a node, it provides the same topology keys
-  // along with values. Kubelet will expose these topology keys as labels
-  // on its own node object.
-  // When Kubernetes does topology aware provisioning, it can use this list to
-  // determine which labels it should retrieve from the node object and pass
-  // back to the driver.
-  // It is possible for different nodes to use different topology keys.
-  // This can be empty if driver does not support topology.
-  // +optional
-  repeated string topologyKeys = 3;
-
-  // allocatable represents the volume resources of a node that are available for scheduling.
-  // This field is beta.
-  // +optional
-  optional VolumeNodeResources allocatable = 4;
-}
-
-// CSINodeList is a collection of CSINode objects.
-message CSINodeList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of CSINode
-  repeated CSINode items = 2;
-}
-
-// CSINodeSpec holds information about the specification of all CSI drivers installed on a node
-message CSINodeSpec {
-  // drivers is a list of information of all CSI Drivers existing on a node.
-  // If all drivers in the list are uninstalled, this can become empty.
-  // +patchMergeKey=name
-  // +patchStrategy=merge
-  repeated CSINodeDriver drivers = 1;
-}
-
-// StorageClass describes the parameters for a class of storage for
-// which PersistentVolumes can be dynamically provisioned.
-//
-// StorageClasses are non-namespaced; the name of the storage class
-// according to etcd is in ObjectMeta.Name.
-message StorageClass {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Provisioner indicates the type of the provisioner.
-  optional string provisioner = 2;
-
-  // Parameters holds the parameters for the provisioner that should
-  // create volumes of this storage class.
-  // +optional
-  map<string, string> parameters = 3;
-
-  // Dynamically provisioned PersistentVolumes of this storage class are
-  // created with this reclaimPolicy. Defaults to Delete.
-  // +optional
-  optional string reclaimPolicy = 4;
-
-  // Dynamically provisioned PersistentVolumes of this storage class are
-  // created with these mountOptions, e.g. ["ro", "soft"]. Not validated -
-  // mount of the PVs will simply fail if one is invalid.
-  // +optional
-  repeated string mountOptions = 5;
-
-  // AllowVolumeExpansion shows whether the storage class allow volume expand
-  // +optional
-  optional bool allowVolumeExpansion = 6;
-
-  // VolumeBindingMode indicates how PersistentVolumeClaims should be
-  // provisioned and bound.  When unset, VolumeBindingImmediate is used.
-  // This field is only honored by servers that enable the VolumeScheduling feature.
-  // +optional
-  optional string volumeBindingMode = 7;
-
-  // Restrict the node topologies where volumes can be dynamically provisioned.
-  // Each volume plugin defines its own supported topology specifications.
-  // An empty TopologySelectorTerm list means there is no topology restriction.
-  // This field is only honored by servers that enable the VolumeScheduling feature.
-  // +optional
-  // +listType=atomic
-  repeated k8s.io.api.core.v1.TopologySelectorTerm allowedTopologies = 8;
-}
-
-// StorageClassList is a collection of storage classes.
-message StorageClassList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of StorageClasses
-  repeated StorageClass items = 2;
-}
-
-// TokenRequest contains parameters of a service account token.
-message TokenRequest {
-  // Audience is the intended audience of the token in "TokenRequestSpec".
-  // It will default to the audiences of kube apiserver.
-  optional string audience = 1;
-
-  // ExpirationSeconds is the duration of validity of the token in "TokenRequestSpec".
-  // It has the same default value of "ExpirationSeconds" in "TokenRequestSpec".
-  //
-  // +optional
-  optional int64 expirationSeconds = 2;
-}
-
-// VolumeAttachment captures the intent to attach or detach the specified volume
-// to/from the specified node.
-//
-// VolumeAttachment objects are non-namespaced.
-message VolumeAttachment {
-  // Standard object metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired attach/detach volume behavior.
-  // Populated by the Kubernetes system.
-  optional VolumeAttachmentSpec spec = 2;
-
-  // Status of the VolumeAttachment request.
-  // Populated by the entity completing the attach or detach
-  // operation, i.e. the external-attacher.
-  // +optional
-  optional VolumeAttachmentStatus status = 3;
-}
-
-// VolumeAttachmentList is a collection of VolumeAttachment objects.
-message VolumeAttachmentList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of VolumeAttachments
-  repeated VolumeAttachment items = 2;
-}
-
-// VolumeAttachmentSource represents a volume that should be attached.
-// Right now only PersistenVolumes can be attached via external attacher,
-// in future we may allow also inline volumes in pods.
-// Exactly one member can be set.
-message VolumeAttachmentSource {
-  // Name of the persistent volume to attach.
-  // +optional
-  optional string persistentVolumeName = 1;
-
-  // inlineVolumeSpec contains all the information necessary to attach
-  // a persistent volume defined by a pod's inline VolumeSource. This field
-  // is populated only for the CSIMigration feature. It contains
-  // translated fields from a pod's inline VolumeSource to a
-  // PersistentVolumeSpec. This field is beta-level and is only
-  // honored by servers that enabled the CSIMigration feature.
-  // +optional
-  optional k8s.io.api.core.v1.PersistentVolumeSpec inlineVolumeSpec = 2;
-}
-
-// VolumeAttachmentSpec is the specification of a VolumeAttachment request.
-message VolumeAttachmentSpec {
-  // Attacher indicates the name of the volume driver that MUST handle this
-  // request. This is the name returned by GetPluginName().
-  optional string attacher = 1;
-
-  // Source represents the volume that should be attached.
-  optional VolumeAttachmentSource source = 2;
-
-  // The node that the volume should be attached to.
-  optional string nodeName = 3;
-}
-
-// VolumeAttachmentStatus is the status of a VolumeAttachment request.
-message VolumeAttachmentStatus {
-  // Indicates the volume is successfully attached.
-  // This field must only be set by the entity completing the attach
-  // operation, i.e. the external-attacher.
-  optional bool attached = 1;
-
-  // Upon successful attach, this field is populated with any
-  // information returned by the attach operation that must be passed
-  // into subsequent WaitForAttach or Mount calls.
-  // This field must only be set by the entity completing the attach
-  // operation, i.e. the external-attacher.
-  // +optional
-  map<string, string> attachmentMetadata = 2;
-
-  // The last error encountered during attach operation, if any.
-  // This field must only be set by the entity completing the attach
-  // operation, i.e. the external-attacher.
-  // +optional
-  optional VolumeError attachError = 3;
-
-  // The last error encountered during detach operation, if any.
-  // This field must only be set by the entity completing the detach
-  // operation, i.e. the external-attacher.
-  // +optional
-  optional VolumeError detachError = 4;
-}
-
-// VolumeError captures an error encountered during a volume operation.
-message VolumeError {
-  // Time the error was encountered.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time time = 1;
-
-  // String detailing the error encountered during Attach or Detach operation.
-  // This string may be logged, so it should not contain sensitive
-  // information.
-  // +optional
-  optional string message = 2;
-}
-
-// VolumeNodeResources is a set of resource limits for scheduling of volumes.
-message VolumeNodeResources {
-  // Maximum number of unique volumes managed by the CSI driver that can be used on a node.
-  // A volume that is both attached and mounted on a node is considered to be used once, not twice.
-  // The same rule applies for a unique volume that is shared among multiple pods on the same node.
-  // If this field is not specified, then the supported number of volumes on this node is unbounded.
-  // +optional
-  optional int32 count = 1;
-}
-
--- a/common-protos/k8s.io/api/storage/v1alpha1/generated.proto
+++ b/common-protos/k8s.io/api/storage/v1alpha1/generated.proto
@ -1,227 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.storage.v1alpha1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/storage/v1alpha1";
-
-// CSIStorageCapacity stores the result of one CSI GetCapacity call.
-// For a given StorageClass, this describes the available capacity in a
-// particular topology segment.  This can be used when considering where to
-// instantiate new PersistentVolumes.
-//
-// For example this can express things like:
-// - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1"
-// - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123"
-//
-// The following three cases all imply that no capacity is available for
-// a certain combination:
-// - no object exists with suitable topology and storage class name
-// - such an object exists, but the capacity is unset
-// - such an object exists, but the capacity is zero
-//
-// The producer of these objects can decide which approach is more suitable.
-//
-// They are consumed by the kube-scheduler if the CSIStorageCapacity beta feature gate
-// is enabled there and a CSI driver opts into capacity-aware scheduling with
-// CSIDriver.StorageCapacity.
-message CSIStorageCapacity {
-  // Standard object's metadata. The name has no particular meaning. It must be
-  // be a DNS subdomain (dots allowed, 253 characters). To ensure that
-  // there are no conflicts with other CSI drivers on the cluster, the recommendation
-  // is to use csisc-<uuid>, a generated name, or a reverse-domain name which ends
-  // with the unique CSI driver name.
-  //
-  // Objects are namespaced.
-  //
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // NodeTopology defines which nodes have access to the storage
-  // for which capacity was reported. If not set, the storage is
-  // not accessible from any node in the cluster. If empty, the
-  // storage is accessible from all nodes. This field is
-  // immutable.
-  //
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector nodeTopology = 2;
-
-  // The name of the StorageClass that the reported capacity applies to.
-  // It must meet the same requirements as the name of a StorageClass
-  // object (non-empty, DNS subdomain). If that object no longer exists,
-  // the CSIStorageCapacity object is obsolete and should be removed by its
-  // creator.
-  // This field is immutable.
-  optional string storageClassName = 3;
-
-  // Capacity is the value reported by the CSI driver in its GetCapacityResponse
-  // for a GetCapacityRequest with topology and parameters that match the
-  // previous fields.
-  //
-  // The semantic is currently (CSI spec 1.2) defined as:
-  // The available capacity, in bytes, of the storage that can be used
-  // to provision volumes. If not set, that information is currently
-  // unavailable and treated like zero capacity.
-  //
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity capacity = 4;
-
-  // MaximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse
-  // for a GetCapacityRequest with topology and parameters that match the
-  // previous fields.
-  //
-  // This is defined since CSI spec 1.4.0 as the largest size
-  // that may be used in a
-  // CreateVolumeRequest.capacity_range.required_bytes field to
-  // create a volume with the same parameters as those in
-  // GetCapacityRequest. The corresponding value in the Kubernetes
-  // API is ResourceRequirements.Requests in a volume claim.
-  //
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity maximumVolumeSize = 5;
-}
-
-// CSIStorageCapacityList is a collection of CSIStorageCapacity objects.
-message CSIStorageCapacityList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of CSIStorageCapacity objects.
-  // +listType=map
-  // +listMapKey=name
-  repeated CSIStorageCapacity items = 2;
-}
-
-// VolumeAttachment captures the intent to attach or detach the specified volume
-// to/from the specified node.
-//
-// VolumeAttachment objects are non-namespaced.
-message VolumeAttachment {
-  // Standard object metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired attach/detach volume behavior.
-  // Populated by the Kubernetes system.
-  optional VolumeAttachmentSpec spec = 2;
-
-  // Status of the VolumeAttachment request.
-  // Populated by the entity completing the attach or detach
-  // operation, i.e. the external-attacher.
-  // +optional
-  optional VolumeAttachmentStatus status = 3;
-}
-
-// VolumeAttachmentList is a collection of VolumeAttachment objects.
-message VolumeAttachmentList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of VolumeAttachments
-  repeated VolumeAttachment items = 2;
-}
-
-// VolumeAttachmentSource represents a volume that should be attached.
-// Right now only PersistenVolumes can be attached via external attacher,
-// in future we may allow also inline volumes in pods.
-// Exactly one member can be set.
-message VolumeAttachmentSource {
-  // Name of the persistent volume to attach.
-  // +optional
-  optional string persistentVolumeName = 1;
-
-  // inlineVolumeSpec contains all the information necessary to attach
-  // a persistent volume defined by a pod's inline VolumeSource. This field
-  // is populated only for the CSIMigration feature. It contains
-  // translated fields from a pod's inline VolumeSource to a
-  // PersistentVolumeSpec. This field is alpha-level and is only
-  // honored by servers that enabled the CSIMigration feature.
-  // +optional
-  optional k8s.io.api.core.v1.PersistentVolumeSpec inlineVolumeSpec = 2;
-}
-
-// VolumeAttachmentSpec is the specification of a VolumeAttachment request.
-message VolumeAttachmentSpec {
-  // Attacher indicates the name of the volume driver that MUST handle this
-  // request. This is the name returned by GetPluginName().
-  optional string attacher = 1;
-
-  // Source represents the volume that should be attached.
-  optional VolumeAttachmentSource source = 2;
-
-  // The node that the volume should be attached to.
-  optional string nodeName = 3;
-}
-
-// VolumeAttachmentStatus is the status of a VolumeAttachment request.
-message VolumeAttachmentStatus {
-  // Indicates the volume is successfully attached.
-  // This field must only be set by the entity completing the attach
-  // operation, i.e. the external-attacher.
-  optional bool attached = 1;
-
-  // Upon successful attach, this field is populated with any
-  // information returned by the attach operation that must be passed
-  // into subsequent WaitForAttach or Mount calls.
-  // This field must only be set by the entity completing the attach
-  // operation, i.e. the external-attacher.
-  // +optional
-  map<string, string> attachmentMetadata = 2;
-
-  // The last error encountered during attach operation, if any.
-  // This field must only be set by the entity completing the attach
-  // operation, i.e. the external-attacher.
-  // +optional
-  optional VolumeError attachError = 3;
-
-  // The last error encountered during detach operation, if any.
-  // This field must only be set by the entity completing the detach
-  // operation, i.e. the external-attacher.
-  // +optional
-  optional VolumeError detachError = 4;
-}
-
-// VolumeError captures an error encountered during a volume operation.
-message VolumeError {
-  // Time the error was encountered.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time time = 1;
-
-  // String detailing the error encountered during Attach or Detach operation.
-  // This string maybe logged, so it should not contain sensitive
-  // information.
-  // +optional
-  optional string message = 2;
-}
-
--- a/common-protos/k8s.io/api/storage/v1beta1/generated.proto
+++ b/common-protos/k8s.io/api/storage/v1beta1/generated.proto
@ -1,553 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.storage.v1beta1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/storage/v1beta1";
-
-// CSIDriver captures information about a Container Storage Interface (CSI)
-// volume driver deployed on the cluster.
-// CSI drivers do not need to create the CSIDriver object directly. Instead they may use the
-// cluster-driver-registrar sidecar container. When deployed with a CSI driver it automatically
-// creates a CSIDriver object representing the driver.
-// Kubernetes attach detach controller uses this object to determine whether attach is required.
-// Kubelet uses this object to determine whether pod information needs to be passed on mount.
-// CSIDriver objects are non-namespaced.
-message CSIDriver {
-  // Standard object metadata.
-  // metadata.Name indicates the name of the CSI driver that this object
-  // refers to; it MUST be the same name returned by the CSI GetPluginName()
-  // call for that driver.
-  // The driver name must be 63 characters or less, beginning and ending with
-  // an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and
-  // alphanumerics between.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the CSI Driver.
-  optional CSIDriverSpec spec = 2;
-}
-
-// CSIDriverList is a collection of CSIDriver objects.
-message CSIDriverList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of CSIDriver
-  repeated CSIDriver items = 2;
-}
-
-// CSIDriverSpec is the specification of a CSIDriver.
-message CSIDriverSpec {
-  // attachRequired indicates this CSI volume driver requires an attach
-  // operation (because it implements the CSI ControllerPublishVolume()
-  // method), and that the Kubernetes attach detach controller should call
-  // the attach volume interface which checks the volumeattachment status
-  // and waits until the volume is attached before proceeding to mounting.
-  // The CSI external-attacher coordinates with CSI volume driver and updates
-  // the volumeattachment status when the attach operation is complete.
-  // If the CSIDriverRegistry feature gate is enabled and the value is
-  // specified to false, the attach operation will be skipped.
-  // Otherwise the attach operation will be called.
-  //
-  // This field is immutable.
-  //
-  // +optional
-  optional bool attachRequired = 1;
-
-  // If set to true, podInfoOnMount indicates this CSI volume driver
-  // requires additional pod information (like podName, podUID, etc.) during
-  // mount operations.
-  // If set to false, pod information will not be passed on mount.
-  // Default is false.
-  // The CSI driver specifies podInfoOnMount as part of driver deployment.
-  // If true, Kubelet will pass pod information as VolumeContext in the CSI
-  // NodePublishVolume() calls.
-  // The CSI driver is responsible for parsing and validating the information
-  // passed in as VolumeContext.
-  // The following VolumeConext will be passed if podInfoOnMount is set to true.
-  // This list might grow, but the prefix will be used.
-  // "csi.storage.k8s.io/pod.name": pod.Name
-  // "csi.storage.k8s.io/pod.namespace": pod.Namespace
-  // "csi.storage.k8s.io/pod.uid": string(pod.UID)
-  // "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume
-  //                                 defined by a CSIVolumeSource, otherwise "false"
-  //
-  // "csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only
-  // required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode.
-  // Other drivers can leave pod info disabled and/or ignore this field.
-  // As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when
-  // deployed on such a cluster and the deployment determines which mode that is, for example
-  // via a command line parameter of the driver.
-  //
-  // This field is immutable.
-  //
-  // +optional
-  optional bool podInfoOnMount = 2;
-
-  // VolumeLifecycleModes defines what kind of volumes this CSI volume driver supports.
-  // The default if the list is empty is "Persistent", which is the usage
-  // defined by the CSI specification and implemented in Kubernetes via the usual
-  // PV/PVC mechanism.
-  // The other mode is "Ephemeral". In this mode, volumes are defined inline
-  // inside the pod spec with CSIVolumeSource and their lifecycle is tied to
-  // the lifecycle of that pod. A driver has to be aware of this
-  // because it is only going to get a NodePublishVolume call for such a volume.
-  // For more information about implementing this mode, see
-  // https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html
-  // A driver can support one or more of these modes and
-  // more modes may be added in the future.
-  //
-  // This field is immutable.
-  //
-  // +optional
-  repeated string volumeLifecycleModes = 3;
-
-  // If set to true, storageCapacity indicates that the CSI
-  // volume driver wants pod scheduling to consider the storage
-  // capacity that the driver deployment will report by creating
-  // CSIStorageCapacity objects with capacity information.
-  //
-  // The check can be enabled immediately when deploying a driver.
-  // In that case, provisioning new volumes with late binding
-  // will pause until the driver deployment has published
-  // some suitable CSIStorageCapacity object.
-  //
-  // Alternatively, the driver can be deployed with the field
-  // unset or false and it can be flipped later when storage
-  // capacity information has been published.
-  //
-  // This field was immutable in Kubernetes <= 1.22 and now is mutable.
-  //
-  // This is a beta field and only available when the CSIStorageCapacity
-  // feature is enabled. The default is false.
-  //
-  // +optional
-  // +featureGate=CSIStorageCapacity
-  optional bool storageCapacity = 4;
-
-  // Defines if the underlying volume supports changing ownership and
-  // permission of the volume before being mounted.
-  // Refer to the specific FSGroupPolicy values for additional details.
-  //
-  // This field is immutable.
-  //
-  // Defaults to ReadWriteOnceWithFSType, which will examine each volume
-  // to determine if Kubernetes should modify ownership and permissions of the volume.
-  // With the default policy the defined fsGroup will only be applied
-  // if a fstype is defined and the volume's access mode contains ReadWriteOnce.
-  // +optional
-  optional string fsGroupPolicy = 5;
-
-  // TokenRequests indicates the CSI driver needs pods' service account
-  // tokens it is mounting volume for to do necessary authentication. Kubelet
-  // will pass the tokens in VolumeContext in the CSI NodePublishVolume calls.
-  // The CSI driver should parse and validate the following VolumeContext:
-  // "csi.storage.k8s.io/serviceAccount.tokens": {
-  //   "<audience>": {
-  //     "token": <token>,
-  //     "expirationTimestamp": <expiration timestamp in RFC3339>,
-  //   },
-  //   ...
-  // }
-  //
-  // Note: Audience in each TokenRequest should be different and at
-  // most one token is empty string. To receive a new token after expiry,
-  // RequiresRepublish can be used to trigger NodePublishVolume periodically.
-  //
-  // +optional
-  // +listType=atomic
-  repeated TokenRequest tokenRequests = 6;
-
-  // RequiresRepublish indicates the CSI driver wants `NodePublishVolume`
-  // being periodically called to reflect any possible change in the mounted
-  // volume. This field defaults to false.
-  //
-  // Note: After a successful initial NodePublishVolume call, subsequent calls
-  // to NodePublishVolume should only update the contents of the volume. New
-  // mount points will not be seen by a running container.
-  //
-  // +optional
-  optional bool requiresRepublish = 7;
-}
-
-// DEPRECATED - This group version of CSINode is deprecated by storage/v1/CSINode.
-// See the release notes for more information.
-// CSINode holds information about all CSI drivers installed on a node.
-// CSI drivers do not need to create the CSINode object directly. As long as
-// they use the node-driver-registrar sidecar container, the kubelet will
-// automatically populate the CSINode object for the CSI driver as part of
-// kubelet plugin registration.
-// CSINode has the same name as a node. If the object is missing, it means either
-// there are no CSI Drivers available on the node, or the Kubelet version is low
-// enough that it doesn't create this object.
-// CSINode has an OwnerReference that points to the corresponding node object.
-message CSINode {
-  // metadata.name must be the Kubernetes node name.
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // spec is the specification of CSINode
-  optional CSINodeSpec spec = 2;
-}
-
-// CSINodeDriver holds information about the specification of one CSI driver installed on a node
-message CSINodeDriver {
-  // This is the name of the CSI driver that this object refers to.
-  // This MUST be the same name returned by the CSI GetPluginName() call for
-  // that driver.
-  optional string name = 1;
-
-  // nodeID of the node from the driver point of view.
-  // This field enables Kubernetes to communicate with storage systems that do
-  // not share the same nomenclature for nodes. For example, Kubernetes may
-  // refer to a given node as "node1", but the storage system may refer to
-  // the same node as "nodeA". When Kubernetes issues a command to the storage
-  // system to attach a volume to a specific node, it can use this field to
-  // refer to the node name using the ID that the storage system will
-  // understand, e.g. "nodeA" instead of "node1". This field is required.
-  optional string nodeID = 2;
-
-  // topologyKeys is the list of keys supported by the driver.
-  // When a driver is initialized on a cluster, it provides a set of topology
-  // keys that it understands (e.g. "company.com/zone", "company.com/region").
-  // When a driver is initialized on a node, it provides the same topology keys
-  // along with values. Kubelet will expose these topology keys as labels
-  // on its own node object.
-  // When Kubernetes does topology aware provisioning, it can use this list to
-  // determine which labels it should retrieve from the node object and pass
-  // back to the driver.
-  // It is possible for different nodes to use different topology keys.
-  // This can be empty if driver does not support topology.
-  // +optional
-  repeated string topologyKeys = 3;
-
-  // allocatable represents the volume resources of a node that are available for scheduling.
-  // +optional
-  optional VolumeNodeResources allocatable = 4;
-}
-
-// CSINodeList is a collection of CSINode objects.
-message CSINodeList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is the list of CSINode
-  repeated CSINode items = 2;
-}
-
-// CSINodeSpec holds information about the specification of all CSI drivers installed on a node
-message CSINodeSpec {
-  // drivers is a list of information of all CSI Drivers existing on a node.
-  // If all drivers in the list are uninstalled, this can become empty.
-  // +patchMergeKey=name
-  // +patchStrategy=merge
-  repeated CSINodeDriver drivers = 1;
-}
-
-// CSIStorageCapacity stores the result of one CSI GetCapacity call.
-// For a given StorageClass, this describes the available capacity in a
-// particular topology segment.  This can be used when considering where to
-// instantiate new PersistentVolumes.
-//
-// For example this can express things like:
-// - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1"
-// - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123"
-//
-// The following three cases all imply that no capacity is available for
-// a certain combination:
-// - no object exists with suitable topology and storage class name
-// - such an object exists, but the capacity is unset
-// - such an object exists, but the capacity is zero
-//
-// The producer of these objects can decide which approach is more suitable.
-//
-// They are consumed by the kube-scheduler if the CSIStorageCapacity beta feature gate
-// is enabled there and a CSI driver opts into capacity-aware scheduling with
-// CSIDriver.StorageCapacity.
-message CSIStorageCapacity {
-  // Standard object's metadata. The name has no particular meaning. It must be
-  // be a DNS subdomain (dots allowed, 253 characters). To ensure that
-  // there are no conflicts with other CSI drivers on the cluster, the recommendation
-  // is to use csisc-<uuid>, a generated name, or a reverse-domain name which ends
-  // with the unique CSI driver name.
-  //
-  // Objects are namespaced.
-  //
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // NodeTopology defines which nodes have access to the storage
-  // for which capacity was reported. If not set, the storage is
-  // not accessible from any node in the cluster. If empty, the
-  // storage is accessible from all nodes. This field is
-  // immutable.
-  //
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector nodeTopology = 2;
-
-  // The name of the StorageClass that the reported capacity applies to.
-  // It must meet the same requirements as the name of a StorageClass
-  // object (non-empty, DNS subdomain). If that object no longer exists,
-  // the CSIStorageCapacity object is obsolete and should be removed by its
-  // creator.
-  // This field is immutable.
-  optional string storageClassName = 3;
-
-  // Capacity is the value reported by the CSI driver in its GetCapacityResponse
-  // for a GetCapacityRequest with topology and parameters that match the
-  // previous fields.
-  //
-  // The semantic is currently (CSI spec 1.2) defined as:
-  // The available capacity, in bytes, of the storage that can be used
-  // to provision volumes. If not set, that information is currently
-  // unavailable and treated like zero capacity.
-  //
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity capacity = 4;
-
-  // MaximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse
-  // for a GetCapacityRequest with topology and parameters that match the
-  // previous fields.
-  //
-  // This is defined since CSI spec 1.4.0 as the largest size
-  // that may be used in a
-  // CreateVolumeRequest.capacity_range.required_bytes field to
-  // create a volume with the same parameters as those in
-  // GetCapacityRequest. The corresponding value in the Kubernetes
-  // API is ResourceRequirements.Requests in a volume claim.
-  //
-  // +optional
-  optional k8s.io.apimachinery.pkg.api.resource.Quantity maximumVolumeSize = 5;
-}
-
-// CSIStorageCapacityList is a collection of CSIStorageCapacity objects.
-message CSIStorageCapacityList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of CSIStorageCapacity objects.
-  // +listType=map
-  // +listMapKey=name
-  repeated CSIStorageCapacity items = 2;
-}
-
-// StorageClass describes the parameters for a class of storage for
-// which PersistentVolumes can be dynamically provisioned.
-//
-// StorageClasses are non-namespaced; the name of the storage class
-// according to etcd is in ObjectMeta.Name.
-message StorageClass {
-  // Standard object's metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Provisioner indicates the type of the provisioner.
-  optional string provisioner = 2;
-
-  // Parameters holds the parameters for the provisioner that should
-  // create volumes of this storage class.
-  // +optional
-  map<string, string> parameters = 3;
-
-  // Dynamically provisioned PersistentVolumes of this storage class are
-  // created with this reclaimPolicy. Defaults to Delete.
-  // +optional
-  optional string reclaimPolicy = 4;
-
-  // Dynamically provisioned PersistentVolumes of this storage class are
-  // created with these mountOptions, e.g. ["ro", "soft"]. Not validated -
-  // mount of the PVs will simply fail if one is invalid.
-  // +optional
-  repeated string mountOptions = 5;
-
-  // AllowVolumeExpansion shows whether the storage class allow volume expand
-  // +optional
-  optional bool allowVolumeExpansion = 6;
-
-  // VolumeBindingMode indicates how PersistentVolumeClaims should be
-  // provisioned and bound.  When unset, VolumeBindingImmediate is used.
-  // This field is only honored by servers that enable the VolumeScheduling feature.
-  // +optional
-  optional string volumeBindingMode = 7;
-
-  // Restrict the node topologies where volumes can be dynamically provisioned.
-  // Each volume plugin defines its own supported topology specifications.
-  // An empty TopologySelectorTerm list means there is no topology restriction.
-  // This field is only honored by servers that enable the VolumeScheduling feature.
-  // +optional
-  // +listType=atomic
-  repeated k8s.io.api.core.v1.TopologySelectorTerm allowedTopologies = 8;
-}
-
-// StorageClassList is a collection of storage classes.
-message StorageClassList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of StorageClasses
-  repeated StorageClass items = 2;
-}
-
-// TokenRequest contains parameters of a service account token.
-message TokenRequest {
-  // Audience is the intended audience of the token in "TokenRequestSpec".
-  // It will default to the audiences of kube apiserver.
-  optional string audience = 1;
-
-  // ExpirationSeconds is the duration of validity of the token in "TokenRequestSpec".
-  // It has the same default value of "ExpirationSeconds" in "TokenRequestSpec"
-  //
-  // +optional
-  optional int64 expirationSeconds = 2;
-}
-
-// VolumeAttachment captures the intent to attach or detach the specified volume
-// to/from the specified node.
-//
-// VolumeAttachment objects are non-namespaced.
-message VolumeAttachment {
-  // Standard object metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the desired attach/detach volume behavior.
-  // Populated by the Kubernetes system.
-  optional VolumeAttachmentSpec spec = 2;
-
-  // Status of the VolumeAttachment request.
-  // Populated by the entity completing the attach or detach
-  // operation, i.e. the external-attacher.
-  // +optional
-  optional VolumeAttachmentStatus status = 3;
-}
-
-// VolumeAttachmentList is a collection of VolumeAttachment objects.
-message VolumeAttachmentList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of VolumeAttachments
-  repeated VolumeAttachment items = 2;
-}
-
-// VolumeAttachmentSource represents a volume that should be attached.
-// Right now only PersistenVolumes can be attached via external attacher,
-// in future we may allow also inline volumes in pods.
-// Exactly one member can be set.
-message VolumeAttachmentSource {
-  // Name of the persistent volume to attach.
-  // +optional
-  optional string persistentVolumeName = 1;
-
-  // inlineVolumeSpec contains all the information necessary to attach
-  // a persistent volume defined by a pod's inline VolumeSource. This field
-  // is populated only for the CSIMigration feature. It contains
-  // translated fields from a pod's inline VolumeSource to a
-  // PersistentVolumeSpec. This field is beta-level and is only
-  // honored by servers that enabled the CSIMigration feature.
-  // +optional
-  optional k8s.io.api.core.v1.PersistentVolumeSpec inlineVolumeSpec = 2;
-}
-
-// VolumeAttachmentSpec is the specification of a VolumeAttachment request.
-message VolumeAttachmentSpec {
-  // Attacher indicates the name of the volume driver that MUST handle this
-  // request. This is the name returned by GetPluginName().
-  optional string attacher = 1;
-
-  // Source represents the volume that should be attached.
-  optional VolumeAttachmentSource source = 2;
-
-  // The node that the volume should be attached to.
-  optional string nodeName = 3;
-}
-
-// VolumeAttachmentStatus is the status of a VolumeAttachment request.
-message VolumeAttachmentStatus {
-  // Indicates the volume is successfully attached.
-  // This field must only be set by the entity completing the attach
-  // operation, i.e. the external-attacher.
-  optional bool attached = 1;
-
-  // Upon successful attach, this field is populated with any
-  // information returned by the attach operation that must be passed
-  // into subsequent WaitForAttach or Mount calls.
-  // This field must only be set by the entity completing the attach
-  // operation, i.e. the external-attacher.
-  // +optional
-  map<string, string> attachmentMetadata = 2;
-
-  // The last error encountered during attach operation, if any.
-  // This field must only be set by the entity completing the attach
-  // operation, i.e. the external-attacher.
-  // +optional
-  optional VolumeError attachError = 3;
-
-  // The last error encountered during detach operation, if any.
-  // This field must only be set by the entity completing the detach
-  // operation, i.e. the external-attacher.
-  // +optional
-  optional VolumeError detachError = 4;
-}
-
-// VolumeError captures an error encountered during a volume operation.
-message VolumeError {
-  // Time the error was encountered.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time time = 1;
-
-  // String detailing the error encountered during Attach or Detach operation.
-  // This string may be logged, so it should not contain sensitive
-  // information.
-  // +optional
-  optional string message = 2;
-}
-
-// VolumeNodeResources is a set of resource limits for scheduling of volumes.
-message VolumeNodeResources {
-  // Maximum number of unique volumes managed by the CSI driver that can be used on a node.
-  // A volume that is both attached and mounted on a node is considered to be used once, not twice.
-  // The same rule applies for a unique volume that is shared among multiple pods on the same node.
-  // If this field is nil, then the supported number of volumes on this node is unbounded.
-  // +optional
-  optional int32 count = 1;
-}
-
--- a/common-protos/k8s.io/apimachinery/pkg/api/resource/generated.proto
+++ b/common-protos/k8s.io/apimachinery/pkg/api/resource/generated.proto
@ -1,100 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.apimachinery.pkg.api.resource;
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/apimachinery/pkg/api/resource";
-
-// Quantity is a fixed-point representation of a number.
-// It provides convenient marshaling/unmarshaling in JSON and YAML,
-// in addition to String() and AsInt64() accessors.
-//
-// The serialization format is:
-//
-// <quantity>        ::= <signedNumber><suffix>
-//   (Note that <suffix> may be empty, from the "" case in <decimalSI>.)
-// <digit>           ::= 0 | 1 | ... | 9
-// <digits>          ::= <digit> | <digit><digits>
-// <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits>
-// <sign>            ::= "+" | "-"
-// <signedNumber>    ::= <number> | <sign><number>
-// <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI>
-// <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei
-//   (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
-// <decimalSI>       ::= m | "" | k | M | G | T | P | E
-//   (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
-// <decimalExponent> ::= "e" <signedNumber> | "E" <signedNumber>
-//
-// No matter which of the three exponent forms is used, no quantity may represent
-// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal
-// places. Numbers larger or more precise will be capped or rounded up.
-// (E.g.: 0.1m will rounded up to 1m.)
-// This may be extended in the future if we require larger or smaller quantities.
-//
-// When a Quantity is parsed from a string, it will remember the type of suffix
-// it had, and will use the same type again when it is serialized.
-//
-// Before serializing, Quantity will be put in "canonical form".
-// This means that Exponent/suffix will be adjusted up or down (with a
-// corresponding increase or decrease in Mantissa) such that:
-//   a. No precision is lost
-//   b. No fractional digits will be emitted
-//   c. The exponent (or suffix) is as large as possible.
-// The sign will be omitted unless the number is negative.
-//
-// Examples:
-//   1.5 will be serialized as "1500m"
-//   1.5Gi will be serialized as "1536Mi"
-//
-// Note that the quantity will NEVER be internally represented by a
-// floating point number. That is the whole point of this exercise.
-//
-// Non-canonical values will still parse as long as they are well formed,
-// but will be re-emitted in their canonical form. (So always use canonical
-// form, or don't diff.)
-//
-// This format is intended to make it difficult to use these numbers without
-// writing some sort of special handling code in the hopes that that will
-// cause implementors to also use a fixed point implementation.
-//
-// +protobuf=true
-// +protobuf.embed=string
-// +protobuf.options.marshal=false
-// +protobuf.options.(gogoproto.goproto_stringer)=false
-// +k8s:deepcopy-gen=true
-// +k8s:openapi-gen=true
-message Quantity {
-  optional string string = 1;
-}
-
-// QuantityValue makes it possible to use a Quantity as value for a command
-// line parameter.
-//
-// +protobuf=true
-// +protobuf.embed=string
-// +protobuf.options.marshal=false
-// +protobuf.options.(gogoproto.goproto_stringer)=false
-// +k8s:deepcopy-gen=true
-message QuantityValue {
-  optional string string = 1;
-}
-
--- a/common-protos/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto
+++ b/common-protos/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto
--- a/common-protos/k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.proto
+++ b/common-protos/k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.proto
@ -1,41 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.apimachinery.pkg.apis.meta.v1beta1;
-
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/apimachinery/pkg/apis/meta/v1beta1";
-
-// PartialObjectMetadataList contains a list of objects containing only their metadata.
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-message PartialObjectMetadataList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 2;
-
-  // items contains each of the included items.
-  repeated k8s.io.apimachinery.pkg.apis.meta.v1.PartialObjectMetadata items = 1;
-}
-
--- a/common-protos/k8s.io/apimachinery/pkg/runtime/generated.proto
+++ b/common-protos/k8s.io/apimachinery/pkg/runtime/generated.proto
@ -1,127 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.apimachinery.pkg.runtime;
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/apimachinery/pkg/runtime";
-
-// RawExtension is used to hold extensions in external versions.
-//
-// To use this, make a field which has RawExtension as its type in your external, versioned
-// struct, and Object in your internal struct. You also need to register your
-// various plugin types.
-//
-// // Internal package:
-// type MyAPIObject struct {
-// 	runtime.TypeMeta `json:",inline"`
-// 	MyPlugin runtime.Object `json:"myPlugin"`
-// }
-// type PluginA struct {
-// 	AOption string `json:"aOption"`
-// }
-//
-// // External package:
-// type MyAPIObject struct {
-// 	runtime.TypeMeta `json:",inline"`
-// 	MyPlugin runtime.RawExtension `json:"myPlugin"`
-// }
-// type PluginA struct {
-// 	AOption string `json:"aOption"`
-// }
-//
-// // On the wire, the JSON will look something like this:
-// {
-// 	"kind":"MyAPIObject",
-// 	"apiVersion":"v1",
-// 	"myPlugin": {
-// 		"kind":"PluginA",
-// 		"aOption":"foo",
-// 	},
-// }
-//
-// So what happens? Decode first uses json or yaml to unmarshal the serialized data into
-// your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked.
-// The next step is to copy (using pkg/conversion) into the internal struct. The runtime
-// package's DefaultScheme has conversion functions installed which will unpack the
-// JSON stored in RawExtension, turning it into the correct object type, and storing it
-// in the Object. (TODO: In the case where the object is of an unknown type, a
-// runtime.Unknown object will be created and stored.)
-//
-// +k8s:deepcopy-gen=true
-// +protobuf=true
-// +k8s:openapi-gen=true
-message RawExtension {
-  // Raw is the underlying serialization of this object.
-  //
-  // TODO: Determine how to detect ContentType and ContentEncoding of 'Raw' data.
-  optional bytes raw = 1;
-}
-
-// TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type,
-// like this:
-// type MyAwesomeAPIObject struct {
-//      runtime.TypeMeta    `json:",inline"`
-//      ... // other fields
-// }
-// func (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind
-//
-// TypeMeta is provided here for convenience. You may use it directly from this package or define
-// your own with the same fields.
-//
-// +k8s:deepcopy-gen=false
-// +protobuf=true
-// +k8s:openapi-gen=true
-message TypeMeta {
-  // +optional
-  optional string apiVersion = 1;
-
-  // +optional
-  optional string kind = 2;
-}
-
-// Unknown allows api objects with unknown types to be passed-through. This can be used
-// to deal with the API objects from a plug-in. Unknown objects still have functioning
-// TypeMeta features-- kind, version, etc.
-// TODO: Make this object have easy access to field based accessors and settors for
-// metadata and field mutatation.
-//
-// +k8s:deepcopy-gen=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +protobuf=true
-// +k8s:openapi-gen=true
-message Unknown {
-  optional TypeMeta typeMeta = 1;
-
-  // Raw will hold the complete serialized object which couldn't be matched
-  // with a registered type. Most likely, nothing should be done with this
-  // except for passing it through the system.
-  optional bytes raw = 2;
-
-  // ContentEncoding is encoding used to encode 'Raw' data.
-  // Unspecified means no encoding.
-  optional string contentEncoding = 3;
-
-  // ContentType  is serialization method used to serialize 'Raw'.
-  // Unspecified means ContentTypeJSON.
-  optional string contentType = 4;
-}
-
--- a/common-protos/k8s.io/apimachinery/pkg/runtime/schema/generated.proto
+++ b/common-protos/k8s.io/apimachinery/pkg/runtime/schema/generated.proto
@ -1,26 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.apimachinery.pkg.runtime.schema;
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/apimachinery/pkg/runtime/schema";
-
--- a/common-protos/k8s.io/apimachinery/pkg/util/intstr/generated.proto
+++ b/common-protos/k8s.io/apimachinery/pkg/util/intstr/generated.proto
@ -1,43 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.apimachinery.pkg.util.intstr;
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/apimachinery/pkg/util/intstr";
-
-// IntOrString is a type that can hold an int32 or a string.  When used in
-// JSON or YAML marshalling and unmarshalling, it produces or consumes the
-// inner type.  This allows you to have, for example, a JSON field that can
-// accept a name or number.
-// TODO: Rename to Int32OrString
-//
-// +protobuf=true
-// +protobuf.options.(gogoproto.goproto_stringer)=false
-// +k8s:openapi-gen=true
-message IntOrString {
-  optional int64 type = 1;
-
-  optional int32 intVal = 2;
-
-  optional string strVal = 3;
-}
-
--- a/common/.commonfiles.sha
+++ b/common/.commonfiles.sha
@ -1 +1 @@
-cbe0f69e442f6d1d19c702d931b39048abd833c2
+d46067e1a8ba3db4abe2635af5807f00ba1981e6
--- a/common/Makefile.common.mk
+++ b/common/Makefile.common.mk
@ -106,13 +106,11 @@ update-common:
 	@if [ "$(CONTRIB_OVERRIDE)" != "CONTRIBUTING.md" ]; then\
 		rm $(TMP)/common-files/files/CONTRIBUTING.md;\
 	fi
-# istio/istio.io uses the  Creative Commons Attribution 4.0 license. Don't update LICENSE with the common Apache license.
-	@LICENSE_OVERRIDE=$(shell grep -l "Creative Commons Attribution 4.0 International Public License" LICENSE)
-	@if [ "$(LICENSE_OVERRIDE)" != "LICENSE" ]; then\
-		rm $(TMP)/common-files/files/LICENSE;\
-	fi
 	@cp -a $(TMP)/common-files/files/* $(TMP)/common-files/files/.devcontainer $(TMP)/common-files/files/.gitattributes $(shell pwd)
 	@rm -fr $(TMP)/common-files
+	@if [ "$(AUTOMATOR_REPO)" == "proxy" ]; then\
+		sed -i -e 's/build-tools:/build-tools-proxy:/g' .devcontainer/devcontainer.json;\
+	fi
 	@$(or $(COMMONFILES_POSTPROCESS), true)

 check-clean-repo:
--- a/common/config/.golangci-format.yml
+++ b/common/config/.golangci-format.yml
@ -1,56 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY
-#
-# The original version of this file is located in the https://github.com/istio/common-files repo.
-# If you're looking at this file in a different repo and want to make a change, please go to the
-# common-files repo, make the change there and check it in. Then come back to this repo and run
-# "make update-common".
-
-run:
-  # Timeout for analysis, e.g. 30s, 5m.
-  # Default: 1m
-  timeout: 20m
-  build-tags:
-  - integ
-  - integfuzz
-linters:
-  disable-all: true
-  enable:
-  - goimports
-  - gofumpt
-  - gci
-  fast: false
-linters-settings:
-  gci:
-    sections:
-      - standard # Captures all standard packages if they do not match another section.
-      - default # Contains all imports that could not be matched to another section type.
-      - prefix(istio.io/) # Groups all imports with the specified Prefix.
-  goimports:
-    # put imports beginning with prefix after 3rd-party packages;
-    # it's a comma-separated list of prefixes
-    local-prefixes: istio.io/
-issues:
-  # Which dirs to exclude: issues from them won't be reported.
-  # Can use regexp here: `generated.*`, regexp is applied on full path,
-  # including the path prefix if one is set.
-  # Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).
-  # "/" will be replaced by current OS file path separator to properly work on Windows.
-  # Default: []
-  exclude-dirs:
-    - genfiles$
-    - vendor$
-  # Which files to exclude: they will be analyzed, but issues from them won't be reported.
-  # There is no need to include all autogenerated files,
-  # we confidently recognize autogenerated files.
-  # If it's not, please let us know.
-  # "/" will be replaced by current OS file path separator to properly work on Windows.
-  # Default: []
-  exclude-files:
-    - ".*\\.pb\\.go"
-    - ".*\\.gen\\.go"
-  # Maximum issues count per one linter.
-  # Set to 0 to disable.
-  # Default: 50
-  max-issues-per-linter: 0
-  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
-  max-same-issues: 0
--- a/common/config/.golangci.yml
+++ b/common/config/.golangci.yml
@ -1,262 +1,221 @@
-# WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY
-#
-# The original version of this file is located in the https://github.com/istio/common-files repo.
-# If you're looking at this file in a different repo and want to make a change, please go to the
-# common-files repo, make the change there and check it in. Then come back to this repo and run
-# "make update-common".
-
+version: "2"
 run:
-  # Timeout for analysis, e.g. 30s, 5m.
-  # Default: 1m
-  timeout: 20m
  build-tags:
    - integ
    - integfuzz
 linters:
-  disable-all: true
+  default: none
  enable:
-    - errcheck
-    - exportloopref
+    - copyloopvar
    - depguard
+    - errcheck
    - gocritic
-    - gofumpt
-    - goimports
-    - revive
-    - gosimple
+    - gosec
    - govet
    - ineffassign
    - lll
    - misspell
+    - revive
    - staticcheck
-    - stylecheck
-    - typecheck
    - unconvert
    - unparam
    - unused
-    - gci
-    - gosec
-  fast: false
-linters-settings:
-  errcheck:
-    # report about not checking of errors in type assertions: `a := b.(MyStruct)`;
-    # default is false: such cases aren't reported by default.
-    check-type-assertions: false
-    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
-    # default is false: such cases aren't reported by default.
-    check-blank: false
-  govet:
-    disable:
-      # report about shadowed variables
-      - shadow
-  goimports:
-    # put imports beginning with prefix after 3rd-party packages;
-    # it's a comma-separated list of prefixes
-    local-prefixes: istio.io/
-  misspell:
-    # Correct spellings using locale preferences for US or UK.
-    # Default is to use a neutral variety of English.
-    # Setting locale to US will correct the British spelling of 'colour' to 'color'.
-    locale: US
-    ignore-words:
-      - cancelled
-  lll:
-    # max line length, lines longer will be reported. Default is 120.
-    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
-    line-length: 160
-    # tab width in spaces. Default to 1.
-    tab-width: 1
-  revive:
-    ignore-generated-header: false
-    severity: "warning"
-    confidence: 0.0
+  settings:
+    depguard:
+      rules:
+        DenyGogoProtobuf:
+          files:
+            - $all
+          deny:
+            - pkg: github.com/gogo/protobuf
+              desc: gogo/protobuf is deprecated, use golang/protobuf
+    errcheck:
+      check-type-assertions: false
+      check-blank: false
+    gocritic:
+      disable-all: true
+      enabled-checks:
+        - appendCombine
+        - argOrder
+        - assignOp
+        - badCond
+        - boolExprSimplify
+        - builtinShadow
+        - captLocal
+        - caseOrder
+        - codegenComment
+        - commentedOutCode
+        - commentedOutImport
+        - defaultCaseOrder
+        - deprecatedComment
+        - docStub
+        - dupArg
+        - dupBranchBody
+        - dupCase
+        - dupSubExpr
+        - elseif
+        - emptyFallthrough
+        - equalFold
+        - flagDeref
+        - flagName
+        - hexLiteral
+        - indexAlloc
+        - initClause
+        - methodExprCall
+        - nilValReturn
+        - octalLiteral
+        - offBy1
+        - rangeExprCopy
+        - regexpMust
+        - sloppyLen
+        - stringXbytes
+        - switchTrue
+        - typeAssertChain
+        - typeSwitchVar
+        - typeUnparen
+        - underef
+        - unlambda
+        - unnecessaryBlock
+        - unslice
+        - valSwap
+        - weakCond
+    gosec:
+      includes:
+        - G401
+        - G402
+        - G404
+    govet:
+      disable:
+        - shadow
+    lll:
+      line-length: 160
+      tab-width: 1
+    misspell:
+      locale: US
+      ignore-rules:
+        - cancelled
+    revive:
+      confidence: 0
+      severity: warning
+      rules:
+        - name: blank-imports
+        - name: context-keys-type
+        - name: time-naming
+        - name: var-declaration
+        - name: unexported-return
+        - name: errorf
+        - name: context-as-argument
+        - name: dot-imports
+        - name: error-return
+        - name: error-strings
+        - name: error-naming
+        - name: increment-decrement
+        - name: var-naming
+        - name: package-comments
+        - name: range
+        - name: receiver-naming
+        - name: indent-error-flow
+        - name: superfluous-else
+        - name: modifies-parameter
+        - name: unreachable-code
+        - name: struct-tag
+        - name: constant-logical-expr
+        - name: bool-literal-in-expr
+        - name: redefines-builtin-id
+        - name: imports-blocklist
+        - name: range-val-in-closure
+        - name: range-val-address
+        - name: waitgroup-by-value
+        - name: atomic
+        - name: call-to-gc
+        - name: duplicated-imports
+        - name: string-of-int
+        - name: defer
+          arguments:
+            - - call-chain
+        - name: unconditional-recursion
+        - name: identical-branches
+    unparam:
+      check-exported: false
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
    rules:
-      - name: blank-imports
-      - name: context-keys-type
-      - name: time-naming
-      - name: var-declaration
-      - name: unexported-return
-      - name: errorf
-      - name: context-as-argument
-      - name: dot-imports
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: increment-decrement
-      - name: var-naming
-      - name: package-comments
-      - name: range
-      - name: receiver-naming
-      - name: indent-error-flow
-      - name: superfluous-else
-      - name: modifies-parameter
-      - name: unreachable-code
-      - name: struct-tag
-      - name: constant-logical-expr
-      - name: bool-literal-in-expr
-      - name: redefines-builtin-id
-      - name: imports-blacklist
-      - name: range-val-in-closure
-      - name: range-val-address
-      - name: waitgroup-by-value
-      - name: atomic
-      - name: call-to-gc
-      - name: duplicated-imports
-      - name: string-of-int
-      - name: defer
-        arguments:
-          - - "call-chain"
-      - name: unconditional-recursion
-      - name: identical-branches
-        # the following rules can be enabled in the future
-        # - name: empty-lines
-        # - name: confusing-results
-        # - name: empty-block
-        # - name: get-return
-        # - name: confusing-naming
-        # - name: unexported-naming
-        # - name: early-return
-        # - name: unused-parameter
-        # - name: unnecessary-stmt
-        # - name: deep-exit
-        # - name: import-shadowing
-        # - name: modifies-value-receiver
-        # - name: unused-receiver
-        # - name: bare-return
-        # - name: flag-parameter
-        # - name: unhandled-error
-        # - name: if-return
-  unparam:
-    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
-    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
-    # if it's called for subdir of a project it can't find external interfaces. All text editor integrations
-    # with golangci-lint call it on a directory with the changed file.
-    check-exported: false
-  gci:
-    sections:
-      - standard # Captures all standard packages if they do not match another section.
-      - default # Contains all imports that could not be matched to another section type.
-      - prefix(istio.io/) # Groups all imports with the specified Prefix.
-  gocritic:
-    # Disable all checks.
-    # Default: false
-    disable-all: true
-    # Which checks should be enabled in addition to default checks. Since we don't want
-    # all of the default checks, we do the disable-all first.
-    enabled-checks:
-      - appendCombine
-      - argOrder
-      - assignOp
-      - badCond
-      - boolExprSimplify
-      - builtinShadow
-      - captLocal
-      - caseOrder
-      - codegenComment
-      - commentedOutCode
-      - commentedOutImport
-      - defaultCaseOrder
-      - deprecatedComment
-      - docStub
-      - dupArg
-      - dupBranchBody
-      - dupCase
-      - dupSubExpr
-      - elseif
-      - emptyFallthrough
-      - equalFold
-      - flagDeref
-      - flagName
-      - hexLiteral
-      - indexAlloc
-      - initClause
-      - methodExprCall
-      - nilValReturn
-      - octalLiteral
-      - offBy1
-      - rangeExprCopy
-      - regexpMust
-      - sloppyLen
-      - stringXbytes
-      - switchTrue
-      - typeAssertChain
-      - typeSwitchVar
-      - typeUnparen
-      - underef
-      - unlambda
-      - unnecessaryBlock
-      - unslice
-      - valSwap
-      - weakCond
-  depguard:
-    rules:
-      DenyGogoProtobuf:
-        files:
-          - $all
-        deny:
-          - pkg: github.com/gogo/protobuf
-            desc: "gogo/protobuf is deprecated, use golang/protobuf"
-  gosec:
-    includes:
-      - G401
-      - G402
-      - G404
+      - linters:
+          - errcheck
+          - maligned
+        path: _test\.go$|tests/|samples/
+      - path: _test\.go$
+        text: 'dot-imports: should not use dot imports'
+      - linters:
+          - staticcheck
+        text: 'SA1019: package github.com/golang/protobuf/jsonpb'
+      - linters:
+          - staticcheck
+        text: 'SA1019: "github.com/golang/protobuf/jsonpb"'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.Dial is deprecated: use NewClient instead'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.DialContext is deprecated: use NewClient instead'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.WithBlock is deprecated'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.FailOnNonTempDialError'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.WithReturnConnectionError'
+      - path: (.+)\.go$
+        text: composite literal uses unkeyed fields
+      # TODO: remove following rule in the future
+      - linters:
+          - staticcheck
+        text: 'QF'
+      - linters:
+          - staticcheck
+        text: 'ST1005'
+      - linters:
+          - staticcheck
+        text: 'S1007'
+    paths:
+      - .*\.pb\.go
+      - .*\.gen\.go
+      - genfiles$
+      - vendor$
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  # List of regexps of issue texts to exclude, empty list by default.
-  # But independently from this option we use default exclude patterns,
-  # it can be disabled by `exclude-use-default: false`. To list all
-  # excluded by default patterns execute `golangci-lint run --help`
-  exclude:
-    - composite literal uses unkeyed fields
-  # Which dirs to exclude: issues from them won't be reported.
-  # Can use regexp here: `generated.*`, regexp is applied on full path,
-  # including the path prefix if one is set.
-  # Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).
-  # "/" will be replaced by current OS file path separator to properly work on Windows.
-  # Default: []
-  exclude-dirs:
-    - genfiles$
-    - vendor$
-  # Which files to exclude: they will be analyzed, but issues from them won't be reported.
-  # There is no need to include all autogenerated files,
-  # we confidently recognize autogenerated files.
-  # If it's not, please let us know.
-  # "/" will be replaced by current OS file path separator to properly work on Windows.
-  # Default: []
-  exclude-files:
-    - ".*\\.pb\\.go"
-    - ".*\\.gen\\.go"
-  exclude-rules:
-    # Exclude some linters from running on test files.
-    - path: _test\.go$|^tests/|^samples/
-      linters:
-        - errcheck
-        - maligned
-    - path: _test\.go$
-      text: "dot-imports: should not use dot imports"
-    # We need to use the deprecated module since the jsonpb replacement is not backwards compatible.
-    - linters: [staticcheck]
-      text: "SA1019: package github.com/golang/protobuf/jsonpb"
-    - linters: [staticcheck]
-      text: 'SA1019: "github.com/golang/protobuf/jsonpb"'
-    # This is not helpful. The new function is not very usable and the current function will not be removed
-    - linters: [staticcheck]
-      text: 'SA1019: grpc.Dial is deprecated: use NewClient instead'
-    - linters: [staticcheck]
-      text: 'SA1019: grpc.DialContext is deprecated: use NewClient instead'
-    - linters: [staticcheck]
-      text: "SA1019: grpc.WithBlock is deprecated"
-    - linters: [staticcheck]
-      text: "SA1019: grpc.FailOnNonTempDialError"
-    - linters: [staticcheck]
-      text: "SA1019: grpc.WithReturnConnectionError"
-  # Independently from option `exclude` we use default exclude patterns,
-  # it can be disabled by this option. To list all
-  # excluded by default patterns execute `golangci-lint run --help`.
-  # Default value for this option is true.
-  exclude-use-default: true
-  # Maximum issues count per one linter.
-  # Set to 0 to disable.
-  # Default: 50
  max-issues-per-linter: 0
-  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
  max-same-issues: 0
+formatters:
+  enable:
+    - gci
+    - gofumpt
+    - goimports
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(istio.io/)
+    goimports:
+      local-prefixes:
+        - istio.io/
+  exclusions:
+    generated: lax
+    paths:
+      - .*\.pb\.go
+      - .*\.gen\.go
+      - genfiles$
+      - vendor$
+      - third_party$
+      - builtin$
+      - examples$
--- a/common/config/license-lint.yml
+++ b/common/config/license-lint.yml
@ -125,4 +125,21 @@ allowlisted_modules:

 # Simplified BSD (BSD-2-Clause): https://github.com/russross/blackfriday/blob/master/LICENSE.txt
 - github.com/russross/blackfriday
- github.com/russross/blackfriday/v2
+- github.com/russross/blackfriday/v2
+
+# W3C Test Suite License, W3C 3-clause BSD License
+# gonum uses this for its some of its test files
+# gonum.org/v1/gonum/graph/formats/rdf/testdata/LICENSE.md
+- gonum.org/v1/gonum
+
+# BSD 3-clause: https://github.com/go-inf/inf/blob/v0.9.1/LICENSE
+- gopkg.in/inf.v0
+
+# BSD 3-clause: https://github.com/go-git/gcfg/blob/main/LICENSE
+- github.com/go-git/gcfg
+
+# Apache 2.0
+- github.com/aws/smithy-go
+
+# Simplified BSD License: https://github.com/gomarkdown/markdown/blob/master/LICENSE.txt
+- github.com/gomarkdown/markdown
--- a/common/scripts/format_go.sh
+++ b/common/scripts/format_go.sh
@ -21,4 +21,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-golangci-lint run --fix -c ./common/config/.golangci-format.yml
+golangci-lint run --fix -c ./common/config/.golangci.yml
--- a/common/scripts/kind_provisioner.sh
+++ b/common/scripts/kind_provisioner.sh
@ -32,7 +32,10 @@ set -x
 ####################################################################

 # DEFAULT_KIND_IMAGE is used to set the Kubernetes version for KinD unless overridden in params to setup_kind_cluster(s)
-DEFAULT_KIND_IMAGE="gcr.io/istio-testing/kind-node:v1.28.4"
+DEFAULT_KIND_IMAGE="gcr.io/istio-testing/kind-node:v1.33.1"
+
+# the default kind cluster should be ipv4 if not otherwise specified
+KIND_IP_FAMILY="${KIND_IP_FAMILY:-ipv4}"

 # COMMON_SCRIPTS contains the directory this file is in.
 COMMON_SCRIPTS=$(dirname "${BASH_SOURCE:-$0}")
@ -144,7 +147,7 @@ function setup_kind_cluster_retry() {
 # 1. NAME: Name of the Kind cluster (optional)
 # 2. IMAGE: Node image used by KinD (optional)
 # 3. CONFIG: KinD cluster configuration YAML file. If not specified then DEFAULT_CLUSTER_YAML is used
-# 4. NOMETALBINSTALL: Dont install matllb if set.
+# 4. NOMETALBINSTALL: Dont install metalb if set.
 # This function returns 0 when everything goes well, or 1 otherwise
 # If Kind cluster was already created then it would be cleaned up in case of errors
 function setup_kind_cluster() {
@ -174,11 +177,6 @@ function setup_kind_cluster() {
    CONFIG=${DEFAULT_CLUSTER_YAML}
  fi

-  # Configure the ipFamily of the cluster
-  if [ -n "${IP_FAMILY}" ]; then
-      yq eval ".networking.ipFamily = \"${IP_FAMILY}\"" -i "${CONFIG}"
-  fi
-
  KIND_WAIT_FLAG="--wait=180s"
  KIND_DISABLE_CNI="false"
  if [[ -n "${KUBERNETES_CNI:-}" ]]; then
@ -187,16 +185,26 @@ function setup_kind_cluster() {
  fi

  # Create KinD cluster
-  if ! (yq eval "${CONFIG}" --expression ".networking.disableDefaultCNI = ${KIND_DISABLE_CNI}" | \
+  if ! (yq eval "${CONFIG}" --expression ".networking.disableDefaultCNI = ${KIND_DISABLE_CNI}" \
+    --expression ".networking.ipFamily = \"${KIND_IP_FAMILY}\"" | \
    kind create cluster --name="${NAME}" -v4 --retain --image "${IMAGE}" ${KIND_WAIT_FLAG:+"$KIND_WAIT_FLAG"} --config -); then
    echo "Could not setup KinD environment. Something wrong with KinD setup. Exporting logs."
    return 9
+    # kubectl config set clusters.kind-istio-testing.server https://istio-testing-control-plane:6443
  fi
+
+  if [[ -n "${DEVCONTAINER:-}" ]]; then
+    # identify our docker container id using proc and regex
+    containerid=$(grep 'resolv.conf' /proc/self/mountinfo | sed 's/.*\/docker\/containers\/\([0-9a-f]*\).*/\1/')
+    docker network connect kind "$containerid"
+    kind export kubeconfig --name="${NAME}" --internal
+  fi
+
  # Workaround kind issue causing taints to not be removed in 1.24
  kubectl taint nodes "${NAME}"-control-plane node-role.kubernetes.io/control-plane- 2>/dev/null || true

  # Determine what CNI to install
-  case "${KUBERNETES_CNI:-}" in 
+  case "${KUBERNETES_CNI:-}" in

    "calico")
      echo "Installing Calico CNI"
@ -231,7 +239,7 @@ function setup_kind_cluster() {
  # https://github.com/coredns/coredns/issues/2494#issuecomment-457215452
  # CoreDNS should handle those domains and answer with NXDOMAIN instead of SERVFAIL
  # otherwise pods stops trying to resolve the domain.
-  if [ "${IP_FAMILY}" = "ipv6" ] || [ "${IP_FAMILY}" = "dual" ]; then
+  if [ "${KIND_IP_FAMILY}" = "ipv6" ] || [ "${KIND_IP_FAMILY}" = "dual" ]; then
    # Get the current config
    original_coredns=$(kubectl get -oyaml -n=kube-system configmap/coredns)
    echo "Original CoreDNS config:"
@ -268,14 +276,14 @@ function cleanup_kind_clusters() {
 # setup_kind_clusters sets up a given number of kind clusters with given topology
 # as specified in cluster topology configuration file.
 # 1. IMAGE = docker image used as node by KinD
-# 2. IP_FAMILY = either ipv4 or ipv6
+# 2. KIND_IP_FAMILY = either ipv4 or ipv6 or dual
 #
 # NOTE: Please call load_cluster_topology before calling this method as it expects
 # cluster topology information to be loaded in advance
 function setup_kind_clusters() {
  IMAGE="${1:-"${DEFAULT_KIND_IMAGE}"}"
  KUBECONFIG_DIR="${ARTIFACTS:-$(mktemp -d)}/kubeconfig"
-  IP_FAMILY="${2:-ipv4}"
+  KIND_IP_FAMILY="${2:-ipv4}"

  check_default_cluster_yaml

--- a/common/scripts/lint_go.sh
+++ b/common/scripts/lint_go.sh
@ -21,8 +21,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+GOLANGCILINT_RUN_ARGS=(--output.text.path stdout --output.junit-xml.path "${ARTIFACTS}"/junit-lint.xml)
+
 if [[ "${ARTIFACTS}" != "" ]]; then
-  golangci-lint run -v -c ./common/config/.golangci.yml --out-format colored-line-number,junit-xml:"${ARTIFACTS}"/junit-lint.xml
+  golangci-lint run -v -c ./common/config/.golangci.yml "${GOLANGCILINT_RUN_ARGS[@]}"
 else
  golangci-lint run -v -c ./common/config/.golangci.yml
 fi
--- a/common/scripts/run.sh
+++ b/common/scripts/run.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash

 # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY
 #
@ -36,7 +36,7 @@ MOUNT_DEST="${MOUNT_DEST:-/work}"

 read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"

-[[ -t 1 ]] && DOCKER_RUN_OPTIONS+=("-it")
+[[ -t 0 ]] && DOCKER_RUN_OPTIONS+=("-it")
 [[ ${UID} -ne 0 ]] && DOCKER_RUN_OPTIONS+=(-u "${UID}:${DOCKER_GID}")

 # $CONTAINER_OPTIONS becomes an empty arg when quoted, so SC2086 is disabled for the
@ -47,7 +47,9 @@ read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"
    "${DOCKER_RUN_OPTIONS[@]}" \
    --init \
    --sig-proxy=true \
+    --cap-add=SYS_ADMIN \
    ${DOCKER_SOCKET_MOUNT:--v /var/run/docker.sock:/var/run/docker.sock} \
+    -e DOCKER_HOST=${DOCKER_SOCKET_HOST:-unix:///var/run/docker.sock} \
    $CONTAINER_OPTIONS \
    --env-file <(env | grep -v ${ENV_BLOCKLIST}) \
    -e IN_BUILD_CONTAINER=1 \
--- a/common/scripts/setup_env.sh
+++ b/common/scripts/setup_env.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # shellcheck disable=SC2034

 # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY
@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=master-3a1982fd09c72f345f85d394d5cce906b5484b76
+  IMAGE_VERSION=master-8e6480403f5cf4c9a4cd9d65174d01850e632e1a
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
  IMAGE_NAME=build-tools
--- a/envoy/config/filter/http/alpn/v2alpha1/config.pb.go
+++ b/envoy/config/filter/http/alpn/v2alpha1/config.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: envoy/config/filter/http/alpn/v2alpha1/config.proto

@ -27,6 +27,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -88,21 +89,18 @@ func (FilterConfig_Protocol) EnumDescriptor() ([]byte, []int) {

 // FilterConfig is the config for Istio-specific filter.
 type FilterConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Map from upstream protocol to list of ALPN
-	AlpnOverride []*FilterConfig_AlpnOverride `protobuf:"bytes,1,rep,name=alpn_override,json=alpnOverride,proto3" json:"alpn_override,omitempty"`
+	AlpnOverride  []*FilterConfig_AlpnOverride `protobuf:"bytes,1,rep,name=alpn_override,json=alpnOverride,proto3" json:"alpn_override,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *FilterConfig) Reset() {
 	*x = FilterConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_config_filter_http_alpn_v2alpha1_config_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_config_filter_http_alpn_v2alpha1_config_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *FilterConfig) String() string {
@ -113,7 +111,7 @@ func (*FilterConfig) ProtoMessage() {}

 func (x *FilterConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_config_filter_http_alpn_v2alpha1_config_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -136,23 +134,20 @@ func (x *FilterConfig) GetAlpnOverride() []*FilterConfig_AlpnOverride {
 }

 type FilterConfig_AlpnOverride struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Upstream protocol
 	UpstreamProtocol FilterConfig_Protocol `protobuf:"varint,1,opt,name=upstream_protocol,json=upstreamProtocol,proto3,enum=istio.envoy.config.filter.http.alpn.v2alpha1.FilterConfig_Protocol" json:"upstream_protocol,omitempty"`
 	// A list of ALPN that will override the ALPN for upstream TLS connections.
-	AlpnOverride []string `protobuf:"bytes,2,rep,name=alpn_override,json=alpnOverride,proto3" json:"alpn_override,omitempty"`
+	AlpnOverride  []string `protobuf:"bytes,2,rep,name=alpn_override,json=alpnOverride,proto3" json:"alpn_override,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *FilterConfig_AlpnOverride) Reset() {
 	*x = FilterConfig_AlpnOverride{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_config_filter_http_alpn_v2alpha1_config_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_config_filter_http_alpn_v2alpha1_config_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *FilterConfig_AlpnOverride) String() string {
@ -163,7 +158,7 @@ func (*FilterConfig_AlpnOverride) ProtoMessage() {}

 func (x *FilterConfig_AlpnOverride) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_config_filter_http_alpn_v2alpha1_config_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -194,49 +189,29 @@ func (x *FilterConfig_AlpnOverride) GetAlpnOverride() []string {

 var File_envoy_config_filter_http_alpn_v2alpha1_config_proto protoreflect.FileDescriptor

-var file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc = []byte{
-	0x0a, 0x33, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66,
-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x61, 0x6c, 0x70, 0x6e, 0x2f,
-	0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x2c, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76,
-	0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72,
-	0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x61, 0x6c, 0x70, 0x6e, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x31, 0x22, 0xd3, 0x02, 0x0a, 0x0c, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x43, 0x6f,
-	0x6e, 0x66, 0x69, 0x67, 0x12, 0x6c, 0x0a, 0x0d, 0x61, 0x6c, 0x70, 0x6e, 0x5f, 0x6f, 0x76, 0x65,
-	0x72, 0x72, 0x69, 0x64, 0x65, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x47, 0x2e, 0x69, 0x73,
-	0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x61, 0x6c, 0x70,
-	0x6e, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x46, 0x69, 0x6c, 0x74, 0x65,
-	0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x41, 0x6c, 0x70, 0x6e, 0x4f, 0x76, 0x65, 0x72,
-	0x72, 0x69, 0x64, 0x65, 0x52, 0x0c, 0x61, 0x6c, 0x70, 0x6e, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69,
-	0x64, 0x65, 0x1a, 0xa5, 0x01, 0x0a, 0x0c, 0x41, 0x6c, 0x70, 0x6e, 0x4f, 0x76, 0x65, 0x72, 0x72,
-	0x69, 0x64, 0x65, 0x12, 0x70, 0x0a, 0x11, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x5f,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x43,
-	0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e,
-	0x61, 0x6c, 0x70, 0x6e, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x46, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f,
-	0x63, 0x6f, 0x6c, 0x52, 0x10, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x50, 0x72, 0x6f,
-	0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x23, 0x0a, 0x0d, 0x61, 0x6c, 0x70, 0x6e, 0x5f, 0x6f, 0x76,
-	0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x61, 0x6c,
-	0x70, 0x6e, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x22, 0x2d, 0x0a, 0x08, 0x50, 0x72,
-	0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0a, 0x0a, 0x06, 0x48, 0x54, 0x54, 0x50, 0x31, 0x30,
-	0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x48, 0x54, 0x54, 0x50, 0x31, 0x31, 0x10, 0x01, 0x12, 0x09,
-	0x0a, 0x05, 0x48, 0x54, 0x54, 0x50, 0x32, 0x10, 0x02, 0x42, 0x35, 0x5a, 0x33, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f,
-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x68, 0x74,
-	0x74, 0x70, 0x2f, 0x61, 0x6c, 0x70, 0x6e, 0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
-	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc = "" +
+	"\n" +
+	"3envoy/config/filter/http/alpn/v2alpha1/config.proto\x12,istio.envoy.config.filter.http.alpn.v2alpha1\"\xd3\x02\n" +
+	"\fFilterConfig\x12l\n" +
+	"\ralpn_override\x18\x01 \x03(\v2G.istio.envoy.config.filter.http.alpn.v2alpha1.FilterConfig.AlpnOverrideR\falpnOverride\x1a\xa5\x01\n" +
+	"\fAlpnOverride\x12p\n" +
+	"\x11upstream_protocol\x18\x01 \x01(\x0e2C.istio.envoy.config.filter.http.alpn.v2alpha1.FilterConfig.ProtocolR\x10upstreamProtocol\x12#\n" +
+	"\ralpn_override\x18\x02 \x03(\tR\falpnOverride\"-\n" +
+	"\bProtocol\x12\n" +
+	"\n" +
+	"\x06HTTP10\x10\x00\x12\n" +
+	"\n" +
+	"\x06HTTP11\x10\x01\x12\t\n" +
+	"\x05HTTP2\x10\x02B5Z3istio.io/api/envoy/config/filter/http/alpn/v2alpha1b\x06proto3"

 var (
 	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescOnce sync.Once
-	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescData = file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc
+	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescData []byte
 )

 func file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescGZIP() []byte {
 	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescOnce.Do(func() {
-		file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescData)
+		file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc), len(file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc)))
 	})
 	return file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescData
 }
@ -263,37 +238,11 @@ func file_envoy_config_filter_http_alpn_v2alpha1_config_proto_init() {
 	if File_envoy_config_filter_http_alpn_v2alpha1_config_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_envoy_config_filter_http_alpn_v2alpha1_config_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*FilterConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_envoy_config_filter_http_alpn_v2alpha1_config_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*FilterConfig_AlpnOverride); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc), len(file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   2,
 			NumExtensions: 0,
@ -305,7 +254,6 @@ func file_envoy_config_filter_http_alpn_v2alpha1_config_proto_init() {
 		MessageInfos:      file_envoy_config_filter_http_alpn_v2alpha1_config_proto_msgTypes,
 	}.Build()
 	File_envoy_config_filter_http_alpn_v2alpha1_config_proto = out.File
-	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc = nil
 	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_goTypes = nil
 	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_depIdxs = nil
 }
--- a/envoy/config/filter/http/authn/v2alpha1/config.pb.go
+++ b/envoy/config/filter/http/authn/v2alpha1/config.pb.go
@ -1,258 +0,0 @@
-// Copyright 2018 Istio Authors
-//
-//   Licensed under the Apache License, Version 2.0 (the "License");
-//   you may not use this file except in compliance with the License.
-//   You may obtain a copy of the License at
-//
-//       http://www.apache.org/licenses/LICENSE-2.0
-//
-//   Unless required by applicable law or agreed to in writing, software
-//   distributed under the License is distributed on an "AS IS" BASIS,
-//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//   See the License for the specific language governing permissions and
-//   limitations under the License.
-
-// Code generated by protoc-gen-go. DO NOT EDIT.
-// versions:
-// 	protoc-gen-go v1.34.2
-// 	protoc        (unknown)
-// source: envoy/config/filter/http/authn/v2alpha1/config.proto
-
-// $title: Internal API for authentication implementation on Envoy.
-
-package v2alpha1
-
-import (
-	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
-	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
-	v1alpha1 "istio.io/api/authentication/v1alpha1"
-	reflect "reflect"
-	sync "sync"
-)
-
-const (
-	// Verify that this generated code is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
-	// Verify that runtime/protoimpl is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
-)
-
-// FilterConfig is the config for Istio-specific filter that is used to enforce
-// authentication policy on Envoy.
-type FilterConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	// Policy is the original copy of the policy.
-	Policy *v1alpha1.Policy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"`
-	// Map from issuer to location of the payload that is emitted by Jwt filter.
-	// This information is added by pilot when construct and add Jwt and
-	// authN filters.
-	JwtOutputPayloadLocations map[string]string `protobuf:"bytes,2,rep,name=jwt_output_payload_locations,json=jwtOutputPayloadLocations,proto3" json:"jwt_output_payload_locations,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	// Skips validating the peer's trust domain.
-	// By default, the istio authn filter will reject the request if the peer and
-	// the local service is not in the same trust domain.
-	// Set this field to true to skip the validation and allows peers from any
-	// trust domains.
-	// Note, the istio authn filter only validates the trust domain when mTLS is
-	// used, In other words, this field has no effect for plaintext traffic.
-	// TODO(incfly): deprecate this after allowed_trust_domains is shipped.
-	SkipValidateTrustDomain bool `protobuf:"varint,3,opt,name=skip_validate_trust_domain,json=skipValidateTrustDomain,proto3" json:"skip_validate_trust_domain,omitempty"`
-	// allowed_trust_domains contains a list of trust domains the authn
-	// filter should validate against. When configured, only requests with a
-	// peer from one of the allowed trust domain will be admitted.
-	// An empty list means all trust domains are allowed.
-	// When this field is set, the skip_validate_trust_domain field is ignored.
-	// This field has no effect for plaintext traffic.
-	AllowedTrustDomains []string `protobuf:"bytes,4,rep,name=allowed_trust_domains,json=allowedTrustDomains,proto3" json:"allowed_trust_domains,omitempty"`
-	// By default the authn filter will clear the route cache so that the validated
-	// JWT token claims can be used in routing.
-	// Advanced users can set this to true to disable the behavior if they do not
-	// want the authn filter to clear the route cache for any reasons.
-	// Warning: setting this to true will break the JWT claim based routing.
-	DisableClearRouteCache bool `protobuf:"varint,5,opt,name=disable_clear_route_cache,json=disableClearRouteCache,proto3" json:"disable_clear_route_cache,omitempty"`
-}
-
-func (x *FilterConfig) Reset() {
-	*x = FilterConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *FilterConfig) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*FilterConfig) ProtoMessage() {}
-
-func (x *FilterConfig) ProtoReflect() protoreflect.Message {
-	mi := &file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use FilterConfig.ProtoReflect.Descriptor instead.
-func (*FilterConfig) Descriptor() ([]byte, []int) {
-	return file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescGZIP(), []int{0}
-}
-
-func (x *FilterConfig) GetPolicy() *v1alpha1.Policy {
-	if x != nil {
-		return x.Policy
-	}
-	return nil
-}
-
-func (x *FilterConfig) GetJwtOutputPayloadLocations() map[string]string {
-	if x != nil {
-		return x.JwtOutputPayloadLocations
-	}
-	return nil
-}
-
-func (x *FilterConfig) GetSkipValidateTrustDomain() bool {
-	if x != nil {
-		return x.SkipValidateTrustDomain
-	}
-	return false
-}
-
-func (x *FilterConfig) GetAllowedTrustDomains() []string {
-	if x != nil {
-		return x.AllowedTrustDomains
-	}
-	return nil
-}
-
-func (x *FilterConfig) GetDisableClearRouteCache() bool {
-	if x != nil {
-		return x.DisableClearRouteCache
-	}
-	return false
-}
-
-var File_envoy_config_filter_http_authn_v2alpha1_config_proto protoreflect.FileDescriptor
-
-var file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDesc = []byte{
-	0x0a, 0x34, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66,
-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6e,
-	0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x2d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e,
-	0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65,
-	0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x6e, 0x2e, 0x76, 0x32, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x24, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70,
-	0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xe5, 0x03, 0x0a, 0x0c,
-	0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3d, 0x0a, 0x06,
-	0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x6f, 0x6c,
-	0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x9b, 0x01, 0x0a, 0x1c,
-	0x6a, 0x77, 0x74, 0x5f, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x70, 0x61, 0x79, 0x6c, 0x6f,
-	0x61, 0x64, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x5a, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79,
-	0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68,
-	0x74, 0x74, 0x70, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x6e, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68,
-	0x61, 0x31, 0x2e, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e,
-	0x4a, 0x77, 0x74, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
-	0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x19,
-	0x6a, 0x77, 0x74, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
-	0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x3b, 0x0a, 0x1a, 0x73, 0x6b, 0x69,
-	0x70, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74,
-	0x5f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x17, 0x73,
-	0x6b, 0x69, 0x70, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x54, 0x72, 0x75, 0x73, 0x74,
-	0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x32, 0x0a, 0x15, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65,
-	0x64, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18,
-	0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x13, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x54, 0x72,
-	0x75, 0x73, 0x74, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x39, 0x0a, 0x19, 0x64, 0x69,
-	0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x63, 0x6c, 0x65, 0x61, 0x72, 0x5f, 0x72, 0x6f, 0x75, 0x74,
-	0x65, 0x5f, 0x63, 0x61, 0x63, 0x68, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x16, 0x64,
-	0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x52, 0x6f, 0x75, 0x74, 0x65,
-	0x43, 0x61, 0x63, 0x68, 0x65, 0x1a, 0x4c, 0x0a, 0x1e, 0x4a, 0x77, 0x74, 0x4f, 0x75, 0x74, 0x70,
-	0x75, 0x74, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a,
-	0x02, 0x38, 0x01, 0x42, 0x36, 0x5a, 0x34, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f,
-	0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x61, 0x75, 0x74,
-	0x68, 0x6e, 0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x33,
-}
-
-var (
-	file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescOnce sync.Once
-	file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescData = file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDesc
-)
-
-func file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescGZIP() []byte {
-	file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescOnce.Do(func() {
-		file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescData)
-	})
-	return file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescData
-}
-
-var file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
-var file_envoy_config_filter_http_authn_v2alpha1_config_proto_goTypes = []any{
-	(*FilterConfig)(nil),    // 0: istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig
-	nil,                     // 1: istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig.JwtOutputPayloadLocationsEntry
-	(*v1alpha1.Policy)(nil), // 2: istio.authentication.v1alpha1.Policy
-}
-var file_envoy_config_filter_http_authn_v2alpha1_config_proto_depIdxs = []int32{
-	2, // 0: istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig.policy:type_name -> istio.authentication.v1alpha1.Policy
-	1, // 1: istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig.jwt_output_payload_locations:type_name -> istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig.JwtOutputPayloadLocationsEntry
-	2, // [2:2] is the sub-list for method output_type
-	2, // [2:2] is the sub-list for method input_type
-	2, // [2:2] is the sub-list for extension type_name
-	2, // [2:2] is the sub-list for extension extendee
-	0, // [0:2] is the sub-list for field type_name
-}
-
-func init() { file_envoy_config_filter_http_authn_v2alpha1_config_proto_init() }
-func file_envoy_config_filter_http_authn_v2alpha1_config_proto_init() {
-	if File_envoy_config_filter_http_authn_v2alpha1_config_proto != nil {
-		return
-	}
-	if !protoimpl.UnsafeEnabled {
-		file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*FilterConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
-	type x struct{}
-	out := protoimpl.TypeBuilder{
-		File: protoimpl.DescBuilder{
-			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDesc,
-			NumEnums:      0,
-			NumMessages:   2,
-			NumExtensions: 0,
-			NumServices:   0,
-		},
-		GoTypes:           file_envoy_config_filter_http_authn_v2alpha1_config_proto_goTypes,
-		DependencyIndexes: file_envoy_config_filter_http_authn_v2alpha1_config_proto_depIdxs,
-		MessageInfos:      file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes,
-	}.Build()
-	File_envoy_config_filter_http_authn_v2alpha1_config_proto = out.File
-	file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDesc = nil
-	file_envoy_config_filter_http_authn_v2alpha1_config_proto_goTypes = nil
-	file_envoy_config_filter_http_authn_v2alpha1_config_proto_depIdxs = nil
-}
--- a/envoy/config/filter/http/authn/v2alpha1/config.proto
+++ b/envoy/config/filter/http/authn/v2alpha1/config.proto
@ -1,60 +0,0 @@
-// Copyright 2018 Istio Authors
-//
-//   Licensed under the Apache License, Version 2.0 (the "License");
-//   you may not use this file except in compliance with the License.
-//   You may obtain a copy of the License at
-//
-//       http://www.apache.org/licenses/LICENSE-2.0
-//
-//   Unless required by applicable law or agreed to in writing, software
-//   distributed under the License is distributed on an "AS IS" BASIS,
-//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//   See the License for the specific language governing permissions and
-//   limitations under the License.
-
-syntax = "proto3";
-
-import "authentication/v1alpha1/policy.proto";
-
-// $title: Internal API for authentication implementation on Envoy.
-
-package istio.envoy.config.filter.http.authn.v2alpha1;
-
-option go_package = "istio.io/api/envoy/config/filter/http/authn/v2alpha1";
-
-// FilterConfig is the config for Istio-specific filter that is used to enforce
-// authentication policy on Envoy.
-message FilterConfig {
-  // Policy is the original copy of the policy.
-  istio.authentication.v1alpha1.Policy policy = 1;
-
-  // Map from issuer to location of the payload that is emitted by Jwt filter.
-  // This information is added by pilot when construct and add Jwt and
-  // authN filters.
-  map<string, string> jwt_output_payload_locations = 2;
-
-  // Skips validating the peer's trust domain.
-  // By default, the istio authn filter will reject the request if the peer and
-  // the local service is not in the same trust domain.
-  // Set this field to true to skip the validation and allows peers from any
-  // trust domains.
-  // Note, the istio authn filter only validates the trust domain when mTLS is
-  // used, In other words, this field has no effect for plaintext traffic.
-  // TODO(incfly): deprecate this after allowed_trust_domains is shipped.
-  bool skip_validate_trust_domain = 3;
-
-  // allowed_trust_domains contains a list of trust domains the authn
-  // filter should validate against. When configured, only requests with a
-  // peer from one of the allowed trust domain will be admitted.
-  // An empty list means all trust domains are allowed.
-  // When this field is set, the skip_validate_trust_domain field is ignored.
-  // This field has no effect for plaintext traffic.
-  repeated string allowed_trust_domains = 4;
-
-  // By default the authn filter will clear the route cache so that the validated
-  // JWT token claims can be used in routing.
-  // Advanced users can set this to true to disable the behavior if they do not
-  // want the authn filter to clear the route cache for any reasons.
-  // Warning: setting this to true will break the JWT claim based routing.
-  bool disable_clear_route_cache = 5;
-}
--- a/envoy/config/filter/http/jwt_auth/v2alpha1/config.pb.go
+++ b/envoy/config/filter/http/jwt_auth/v2alpha1/config.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: envoy/config/filter/http/jwt_auth/v2alpha1/config.proto

@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -38,10 +39,7 @@ const (
 // Copied from @envoy/api/envoy/api/v2/core/http_uri.proto
 // Envoy external URI descriptor
 type HttpUri struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The HTTP server URI. It should be a full FQDN with protocol, host and path.
 	//
 	// Example:
@ -55,21 +53,21 @@ type HttpUri struct {
 	// inline DNS resolution. See `issue
 	// <https://github.com/envoyproxy/envoy/issues/1606>`_.
 	//
-	// Types that are assignable to HttpUpstreamType:
+	// Types that are valid to be assigned to HttpUpstreamType:
 	//
 	//	*HttpUri_Cluster
 	HttpUpstreamType isHttpUri_HttpUpstreamType `protobuf_oneof:"http_upstream_type"`
 	// Sets the maximum duration in milliseconds that a response can take to arrive upon request.
-	Timeout *duration.Duration `protobuf:"bytes,3,opt,name=timeout,proto3" json:"timeout,omitempty"`
+	Timeout       *duration.Duration `protobuf:"bytes,3,opt,name=timeout,proto3" json:"timeout,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *HttpUri) Reset() {
 	*x = HttpUri{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *HttpUri) String() string {
@ -80,7 +78,7 @@ func (*HttpUri) ProtoMessage() {}

 func (x *HttpUri) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -102,16 +100,18 @@ func (x *HttpUri) GetUri() string {
 	return ""
 }

-func (m *HttpUri) GetHttpUpstreamType() isHttpUri_HttpUpstreamType {
-	if m != nil {
-		return m.HttpUpstreamType
+func (x *HttpUri) GetHttpUpstreamType() isHttpUri_HttpUpstreamType {
+	if x != nil {
+		return x.HttpUpstreamType
 	}
 	return nil
 }

 func (x *HttpUri) GetCluster() string {
-	if x, ok := x.GetHttpUpstreamType().(*HttpUri_Cluster); ok {
-		return x.Cluster
+	if x != nil {
+		if x, ok := x.HttpUpstreamType.(*HttpUri_Cluster); ok {
+			return x.Cluster
+		}
 	}
 	return ""
 }
@ -144,25 +144,22 @@ func (*HttpUri_Cluster) isHttpUri_HttpUpstreamType() {}
 // Copied from @envoy/api/envoy/api/v2/core/base.proto
 // Data source consisting of either a file or an inline value.
 type DataSource struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	// Types that are assignable to Specifier:
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Types that are valid to be assigned to Specifier:
 	//
 	//	*DataSource_Filename
 	//	*DataSource_InlineBytes
 	//	*DataSource_InlineString
-	Specifier isDataSource_Specifier `protobuf_oneof:"specifier"`
+	Specifier     isDataSource_Specifier `protobuf_oneof:"specifier"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *DataSource) Reset() {
 	*x = DataSource{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DataSource) String() string {
@ -173,7 +170,7 @@ func (*DataSource) ProtoMessage() {}

 func (x *DataSource) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -188,30 +185,36 @@ func (*DataSource) Descriptor() ([]byte, []int) {
 	return file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescGZIP(), []int{1}
 }

-func (m *DataSource) GetSpecifier() isDataSource_Specifier {
-	if m != nil {
-		return m.Specifier
+func (x *DataSource) GetSpecifier() isDataSource_Specifier {
+	if x != nil {
+		return x.Specifier
 	}
 	return nil
 }

 func (x *DataSource) GetFilename() string {
-	if x, ok := x.GetSpecifier().(*DataSource_Filename); ok {
-		return x.Filename
+	if x != nil {
+		if x, ok := x.Specifier.(*DataSource_Filename); ok {
+			return x.Filename
+		}
 	}
 	return ""
 }

 func (x *DataSource) GetInlineBytes() []byte {
-	if x, ok := x.GetSpecifier().(*DataSource_InlineBytes); ok {
-		return x.InlineBytes
+	if x != nil {
+		if x, ok := x.Specifier.(*DataSource_InlineBytes); ok {
+			return x.InlineBytes
+		}
 	}
 	return nil
 }

 func (x *DataSource) GetInlineString() string {
-	if x, ok := x.GetSpecifier().(*DataSource_InlineString); ok {
-		return x.InlineString
+	if x != nil {
+		if x, ok := x.Specifier.(*DataSource_InlineString); ok {
+			return x.InlineString
+		}
 	}
 	return ""
 }
@ -263,10 +266,7 @@ func (*DataSource_InlineString) isDataSource_Specifier() {}
 //
 // ```
 type JwtRule struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Identifies the principal that issued the JWT. See `here
 	//
 	//	<https://tools.ietf.org/html/rfc7519#section-4.1.1>`_. Usually a URL or an email address.
@ -289,7 +289,7 @@ type JwtRule struct {
 	// `JSON Web Key Set <https://tools.ietf.org/html/rfc7517#appendix-A>`_ is needed. to validate
 	// signature of the JWT. This field specifies where to fetch JWKS.
 	//
-	// Types that are assignable to JwksSourceSpecifier:
+	// Types that are valid to be assigned to JwksSourceSpecifier:
 	//
 	//	*JwtRule_RemoteJwks
 	//	*JwtRule_LocalJwks
@ -332,15 +332,15 @@ type JwtRule struct {
 	// multiple JWTs from different issuers want to forward their payloads, their
 	// `forward_payload_header` should be different.
 	ForwardPayloadHeader string `protobuf:"bytes,8,opt,name=forward_payload_header,json=forwardPayloadHeader,proto3" json:"forward_payload_header,omitempty"`
+	unknownFields        protoimpl.UnknownFields
+	sizeCache            protoimpl.SizeCache
 }

 func (x *JwtRule) Reset() {
 	*x = JwtRule{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *JwtRule) String() string {
@ -351,7 +351,7 @@ func (*JwtRule) ProtoMessage() {}

 func (x *JwtRule) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -380,23 +380,27 @@ func (x *JwtRule) GetAudiences() []string {
 	return nil
 }

-func (m *JwtRule) GetJwksSourceSpecifier() isJwtRule_JwksSourceSpecifier {
-	if m != nil {
-		return m.JwksSourceSpecifier
+func (x *JwtRule) GetJwksSourceSpecifier() isJwtRule_JwksSourceSpecifier {
+	if x != nil {
+		return x.JwksSourceSpecifier
 	}
 	return nil
 }

 func (x *JwtRule) GetRemoteJwks() *RemoteJwks {
-	if x, ok := x.GetJwksSourceSpecifier().(*JwtRule_RemoteJwks); ok {
-		return x.RemoteJwks
+	if x != nil {
+		if x, ok := x.JwksSourceSpecifier.(*JwtRule_RemoteJwks); ok {
+			return x.RemoteJwks
+		}
 	}
 	return nil
 }

 func (x *JwtRule) GetLocalJwks() *DataSource {
-	if x, ok := x.GetJwksSourceSpecifier().(*JwtRule_LocalJwks); ok {
-		return x.LocalJwks
+	if x != nil {
+		if x, ok := x.JwksSourceSpecifier.(*JwtRule_LocalJwks); ok {
+			return x.LocalJwks
+		}
 	}
 	return nil
 }
@ -476,10 +480,7 @@ func (*JwtRule_LocalJwks) isJwtRule_JwksSourceSpecifier() {}

 // This message specifies how to fetch JWKS from remote and how to cache it.
 type RemoteJwks struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The HTTP URI to fetch the JWKS. For example:
 	//
 	// .. code-block:: yaml
@ -491,15 +492,15 @@ type RemoteJwks struct {
 	// Duration after which the cached JWKS should be expired. If not specified, default cache
 	// duration is 5 minutes.
 	CacheDuration *duration.Duration `protobuf:"bytes,2,opt,name=cache_duration,json=cacheDuration,proto3" json:"cache_duration,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *RemoteJwks) Reset() {
 	*x = RemoteJwks{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *RemoteJwks) String() string {
@ -510,7 +511,7 @@ func (*RemoteJwks) ProtoMessage() {}

 func (x *RemoteJwks) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -541,25 +542,22 @@ func (x *RemoteJwks) GetCacheDuration() *duration.Duration {

 // This message specifies a header location to extract JWT token.
 type JwtHeader struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The HTTP header name.
 	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
 	// The value prefix. The value format is "value_prefix<token>"
 	// For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
 	// end.
-	ValuePrefix string `protobuf:"bytes,2,opt,name=value_prefix,json=valuePrefix,proto3" json:"value_prefix,omitempty"`
+	ValuePrefix   string `protobuf:"bytes,2,opt,name=value_prefix,json=valuePrefix,proto3" json:"value_prefix,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *JwtHeader) Reset() {
 	*x = JwtHeader{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *JwtHeader) String() string {
@ -570,7 +568,7 @@ func (*JwtHeader) ProtoMessage() {}

 func (x *JwtHeader) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -602,24 +600,21 @@ func (x *JwtHeader) GetValuePrefix() string {
 // This is the Envoy HTTP filter config for JWT authentication.
 // [#not-implemented-hide:]
 type JwtAuthentication struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// List of JWT rules to valide.
 	Rules []*JwtRule `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
 	// If true, the request is allowed if JWT is missing or JWT verification fails.
 	// Default is false, a request without JWT or failed JWT verification is not allowed.
 	AllowMissingOrFailed bool `protobuf:"varint,2,opt,name=allow_missing_or_failed,json=allowMissingOrFailed,proto3" json:"allow_missing_or_failed,omitempty"`
+	unknownFields        protoimpl.UnknownFields
+	sizeCache            protoimpl.SizeCache
 }

 func (x *JwtAuthentication) Reset() {
 	*x = JwtAuthentication{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *JwtAuthentication) String() string {
@ -630,7 +625,7 @@ func (*JwtAuthentication) ProtoMessage() {}

 func (x *JwtAuthentication) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -661,102 +656,52 @@ func (x *JwtAuthentication) GetAllowMissingOrFailed() bool {

 var File_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto protoreflect.FileDescriptor

-var file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc = []byte{
-	0x0a, 0x37, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66,
-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x6a, 0x77, 0x74, 0x5f, 0x61,
-	0x75, 0x74, 0x68, 0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x30, 0x69, 0x73, 0x74, 0x69, 0x6f,
-	0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x6a, 0x77, 0x74, 0x5f, 0x61, 0x75,
-	0x74, 0x68, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x82, 0x01, 0x0a, 0x07,
-	0x48, 0x74, 0x74, 0x70, 0x55, 0x72, 0x69, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x1a, 0x0a, 0x07, 0x63, 0x6c, 0x75,
-	0x73, 0x74, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x07, 0x63, 0x6c,
-	0x75, 0x73, 0x74, 0x65, 0x72, 0x12, 0x33, 0x0a, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x42, 0x14, 0x0a, 0x12, 0x68, 0x74,
-	0x74, 0x70, 0x5f, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x5f, 0x74, 0x79, 0x70, 0x65,
-	0x22, 0x83, 0x01, 0x0a, 0x0a, 0x44, 0x61, 0x74, 0x61, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12,
-	0x1c, 0x0a, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x48, 0x00, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x23, 0x0a,
-	0x0c, 0x69, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x0b, 0x69, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x42, 0x79, 0x74,
-	0x65, 0x73, 0x12, 0x25, 0x0a, 0x0d, 0x69, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x5f, 0x73, 0x74, 0x72,
-	0x69, 0x6e, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0c, 0x69, 0x6e, 0x6c,
-	0x69, 0x6e, 0x65, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x42, 0x0b, 0x0a, 0x09, 0x73, 0x70, 0x65,
-	0x63, 0x69, 0x66, 0x69, 0x65, 0x72, 0x22, 0xe9, 0x03, 0x0a, 0x07, 0x4a, 0x77, 0x74, 0x52, 0x75,
-	0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75,
-	0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x09, 0x61,
-	0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x12, 0x5f, 0x0a, 0x0b, 0x72, 0x65, 0x6d, 0x6f,
-	0x74, 0x65, 0x5f, 0x6a, 0x77, 0x6b, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3c, 0x2e,
-	0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x6a,
-	0x77, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
-	0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x4a, 0x77, 0x6b, 0x73, 0x48, 0x00, 0x52, 0x0a, 0x72,
-	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x4a, 0x77, 0x6b, 0x73, 0x12, 0x5d, 0x0a, 0x0a, 0x6c, 0x6f, 0x63,
-	0x61, 0x6c, 0x5f, 0x6a, 0x77, 0x6b, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3c, 0x2e,
-	0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x6a,
-	0x77, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
-	0x2e, 0x44, 0x61, 0x74, 0x61, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x00, 0x52, 0x09, 0x6c,
-	0x6f, 0x63, 0x61, 0x6c, 0x4a, 0x77, 0x6b, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x66, 0x6f, 0x72, 0x77,
-	0x61, 0x72, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x66, 0x6f, 0x72, 0x77, 0x61,
-	0x72, 0x64, 0x12, 0x5e, 0x0a, 0x0c, 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65,
-	0x72, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f,
-	0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x6a, 0x77, 0x74, 0x5f, 0x61, 0x75,
-	0x74, 0x68, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4a, 0x77, 0x74, 0x48,
-	0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65,
-	0x72, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d,
-	0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x66, 0x72, 0x6f, 0x6d, 0x50, 0x61, 0x72,
-	0x61, 0x6d, 0x73, 0x12, 0x34, 0x0a, 0x16, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x5f, 0x70,
-	0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x08, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x14, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x50, 0x61, 0x79, 0x6c,
-	0x6f, 0x61, 0x64, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x42, 0x17, 0x0a, 0x15, 0x6a, 0x77, 0x6b,
-	0x73, 0x5f, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x69,
-	0x65, 0x72, 0x22, 0xa4, 0x01, 0x0a, 0x0a, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x4a, 0x77, 0x6b,
-	0x73, 0x12, 0x54, 0x0a, 0x08, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f,
-	0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e,
-	0x68, 0x74, 0x74, 0x70, 0x2e, 0x6a, 0x77, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x55, 0x72, 0x69, 0x52, 0x07,
-	0x68, 0x74, 0x74, 0x70, 0x55, 0x72, 0x69, 0x12, 0x40, 0x0a, 0x0e, 0x63, 0x61, 0x63, 0x68, 0x65,
-	0x5f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x63, 0x61, 0x63, 0x68,
-	0x65, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x42, 0x0a, 0x09, 0x4a, 0x77, 0x74,
-	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x76, 0x61,
-	0x6c, 0x75, 0x65, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x0b, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x9b, 0x01,
-	0x0a, 0x11, 0x4a, 0x77, 0x74, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x12, 0x4f, 0x0a, 0x05, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x39, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79,
-	0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68,
-	0x74, 0x74, 0x70, 0x2e, 0x6a, 0x77, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4a, 0x77, 0x74, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x05, 0x72,
-	0x75, 0x6c, 0x65, 0x73, 0x12, 0x35, 0x0a, 0x17, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x6d, 0x69,
-	0x73, 0x73, 0x69, 0x6e, 0x67, 0x5f, 0x6f, 0x72, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x65, 0x64, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x4d, 0x69, 0x73, 0x73,
-	0x69, 0x6e, 0x67, 0x4f, 0x72, 0x46, 0x61, 0x69, 0x6c, 0x65, 0x64, 0x42, 0x39, 0x5a, 0x37, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f,
-	0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f,
-	0x68, 0x74, 0x74, 0x70, 0x2f, 0x6a, 0x77, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x76, 0x32,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc = "" +
+	"\n" +
+	"7envoy/config/filter/http/jwt_auth/v2alpha1/config.proto\x120istio.envoy.config.filter.http.jwt_auth.v2alpha1\x1a\x1egoogle/protobuf/duration.proto\"\x82\x01\n" +
+	"\aHttpUri\x12\x10\n" +
+	"\x03uri\x18\x01 \x01(\tR\x03uri\x12\x1a\n" +
+	"\acluster\x18\x02 \x01(\tH\x00R\acluster\x123\n" +
+	"\atimeout\x18\x03 \x01(\v2\x19.google.protobuf.DurationR\atimeoutB\x14\n" +
+	"\x12http_upstream_type\"\x83\x01\n" +
+	"\n" +
+	"DataSource\x12\x1c\n" +
+	"\bfilename\x18\x01 \x01(\tH\x00R\bfilename\x12#\n" +
+	"\finline_bytes\x18\x02 \x01(\fH\x00R\vinlineBytes\x12%\n" +
+	"\rinline_string\x18\x03 \x01(\tH\x00R\finlineStringB\v\n" +
+	"\tspecifier\"\xe9\x03\n" +
+	"\aJwtRule\x12\x16\n" +
+	"\x06issuer\x18\x01 \x01(\tR\x06issuer\x12\x1c\n" +
+	"\taudiences\x18\x02 \x03(\tR\taudiences\x12_\n" +
+	"\vremote_jwks\x18\x03 \x01(\v2<.istio.envoy.config.filter.http.jwt_auth.v2alpha1.RemoteJwksH\x00R\n" +
+	"remoteJwks\x12]\n" +
+	"\n" +
+	"local_jwks\x18\x04 \x01(\v2<.istio.envoy.config.filter.http.jwt_auth.v2alpha1.DataSourceH\x00R\tlocalJwks\x12\x18\n" +
+	"\aforward\x18\x05 \x01(\bR\aforward\x12^\n" +
+	"\ffrom_headers\x18\x06 \x03(\v2;.istio.envoy.config.filter.http.jwt_auth.v2alpha1.JwtHeaderR\vfromHeaders\x12\x1f\n" +
+	"\vfrom_params\x18\a \x03(\tR\n" +
+	"fromParams\x124\n" +
+	"\x16forward_payload_header\x18\b \x01(\tR\x14forwardPayloadHeaderB\x17\n" +
+	"\x15jwks_source_specifier\"\xa4\x01\n" +
+	"\n" +
+	"RemoteJwks\x12T\n" +
+	"\bhttp_uri\x18\x01 \x01(\v29.istio.envoy.config.filter.http.jwt_auth.v2alpha1.HttpUriR\ahttpUri\x12@\n" +
+	"\x0ecache_duration\x18\x02 \x01(\v2\x19.google.protobuf.DurationR\rcacheDuration\"B\n" +
+	"\tJwtHeader\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12!\n" +
+	"\fvalue_prefix\x18\x02 \x01(\tR\vvaluePrefix\"\x9b\x01\n" +
+	"\x11JwtAuthentication\x12O\n" +
+	"\x05rules\x18\x01 \x03(\v29.istio.envoy.config.filter.http.jwt_auth.v2alpha1.JwtRuleR\x05rules\x125\n" +
+	"\x17allow_missing_or_failed\x18\x02 \x01(\bR\x14allowMissingOrFailedB9Z7istio.io/api/envoy/config/filter/http/jwt_auth/v2alpha1b\x06proto3"

 var (
 	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescOnce sync.Once
-	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescData = file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc
+	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescData []byte
 )

 func file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescGZIP() []byte {
 	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescOnce.Do(func() {
-		file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescData)
+		file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc), len(file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc)))
 	})
 	return file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescData
 }
@ -791,80 +736,6 @@ func file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_init() {
 	if File_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*HttpUri); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*DataSource); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*JwtRule); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*RemoteJwks); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*JwtHeader); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*JwtAuthentication); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes[0].OneofWrappers = []any{
 		(*HttpUri_Cluster)(nil),
 	}
@ -881,7 +752,7 @@ func file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc), len(file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   6,
 			NumExtensions: 0,
@ -892,7 +763,6 @@ func file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_init() {
 		MessageInfos:      file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes,
 	}.Build()
 	File_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto = out.File
-	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc = nil
 	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_goTypes = nil
 	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_depIdxs = nil
 }
--- a/envoy/config/filter/http/jwt_auth/v2alpha1/config.proto
+++ b/envoy/config/filter/http/jwt_auth/v2alpha1/config.proto
@ -14,10 +14,10 @@

 syntax = "proto3";

-import "google/protobuf/duration.proto";
-
 package istio.envoy.config.filter.http.jwt_auth.v2alpha1;

+import "google/protobuf/duration.proto";
+
 option go_package = "istio.io/api/envoy/config/filter/http/jwt_auth/v2alpha1";

 // Copied from @envoy/api/envoy/api/v2/core/http_uri.proto
--- a/envoy/config/filter/network/metadata_exchange/metadata_exchange.pb.go
+++ b/envoy/config/filter/network/metadata_exchange/metadata_exchange.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: envoy/config/filter/network/metadata_exchange/metadata_exchange.proto

@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -37,24 +38,21 @@ const (
 // [#protodoc-title: MetadataExchange protocol match and data transfer]
 // MetadataExchange protocol match and data transfer
 type MetadataExchange struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Protocol that Alpn should support on the server.
 	// [#comment:TODO(GargNupur): Make it a list.]
 	Protocol string `protobuf:"bytes,1,opt,name=protocol,proto3" json:"protocol,omitempty"`
 	// If true, will attempt to use WDS in case the prefix peer metadata is not available.
 	EnableDiscovery bool `protobuf:"varint,2,opt,name=enable_discovery,json=enableDiscovery,proto3" json:"enable_discovery,omitempty"`
+	unknownFields   protoimpl.UnknownFields
+	sizeCache       protoimpl.SizeCache
 }

 func (x *MetadataExchange) Reset() {
 	*x = MetadataExchange{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *MetadataExchange) String() string {
@ -65,7 +63,7 @@ func (*MetadataExchange) ProtoMessage() {}

 func (x *MetadataExchange) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -96,39 +94,22 @@ func (x *MetadataExchange) GetEnableDiscovery() bool {

 var File_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto protoreflect.FileDescriptor

-var file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc = []byte{
-	0x0a, 0x45, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66,
-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2f, 0x6d, 0x65,
-	0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2f,
-	0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x21, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x74,
-	0x63, 0x70, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x65, 0x78, 0x63, 0x68, 0x61,
-	0x6e, 0x67, 0x65, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x59, 0x0a, 0x10, 0x4d, 0x65,
-	0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x1a,
-	0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x29, 0x0a, 0x10, 0x65, 0x6e,
-	0x61, 0x62, 0x6c, 0x65, 0x5f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x44, 0x69, 0x73, 0x63,
-	0x6f, 0x76, 0x65, 0x72, 0x79, 0x42, 0x86, 0x01, 0x0a, 0x2f, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76,
-	0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x74, 0x63,
-	0x70, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e,
-	0x67, 0x65, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x15, 0x4d, 0x65, 0x74, 0x61, 0x64,
-	0x61, 0x74, 0x61, 0x45, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f,
-	0x50, 0x01, 0x5a, 0x3a, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69,
-	0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2f, 0x6d, 0x65, 0x74,
-	0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x62, 0x06,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc = "" +
+	"\n" +
+	"Eenvoy/config/filter/network/metadata_exchange/metadata_exchange.proto\x12!envoy.tcp.metadataexchange.config\"Y\n" +
+	"\x10MetadataExchange\x12\x1a\n" +
+	"\bprotocol\x18\x01 \x01(\tR\bprotocol\x12)\n" +
+	"\x10enable_discovery\x18\x02 \x01(\bR\x0fenableDiscoveryB\x86\x01\n" +
+	"/io.envoyproxy.envoy.tcp.metadataexchange.configB\x15MetadataExchangeProtoP\x01Z:istio.io/api/envoy/config/filter/network/metadata_exchangeb\x06proto3"

 var (
 	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescOnce sync.Once
-	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescData = file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc
+	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescData []byte
 )

 func file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescGZIP() []byte {
 	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescOnce.Do(func() {
-		file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescData)
+		file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc), len(file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc)))
 	})
 	return file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescData
 }
@ -150,25 +131,11 @@ func file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_
 	if File_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*MetadataExchange); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc), len(file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@ -179,7 +146,6 @@ func file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_
 		MessageInfos:      file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_msgTypes,
 	}.Build()
 	File_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto = out.File
-	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc = nil
 	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_goTypes = nil
 	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_depIdxs = nil
 }
--- a/envoy/config/filter/network/metadata_exchange/metadata_exchange.proto
+++ b/envoy/config/filter/network/metadata_exchange/metadata_exchange.proto
@ -17,10 +17,10 @@ syntax = "proto3";

 package envoy.tcp.metadataexchange.config;

-option java_outer_classname = "MetadataExchangeProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.tcp.metadataexchange.config";
 option go_package = "istio.io/api/envoy/config/filter/network/metadata_exchange";
+option java_multiple_files = true;
+option java_outer_classname = "MetadataExchangeProto";
+option java_package = "io.envoyproxy.envoy.tcp.metadataexchange.config";

 // [#protodoc-title: MetadataExchange protocol match and data transfer]
 // MetadataExchange protocol match and data transfer
--- a/envoy/config/filter/network/tcp_cluster_rewrite/v2alpha1/config.pb.go
+++ b/envoy/config/filter/network/tcp_cluster_rewrite/v2alpha1/config.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: envoy/config/filter/network/tcp_cluster_rewrite/v2alpha1/config.proto

@ -27,6 +27,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -38,23 +39,20 @@ const (

 // TcpClusterRewrite is the config for the TCP cluster rewrite filter.
 type TcpClusterRewrite struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Specifies the regex pattern to be matched in the cluster name.
 	ClusterPattern string `protobuf:"bytes,1,opt,name=cluster_pattern,json=clusterPattern,proto3" json:"cluster_pattern,omitempty"`
 	// Specifies the replacement for the matched cluster pattern.
 	ClusterReplacement string `protobuf:"bytes,2,opt,name=cluster_replacement,json=clusterReplacement,proto3" json:"cluster_replacement,omitempty"`
+	unknownFields      protoimpl.UnknownFields
+	sizeCache          protoimpl.SizeCache
 }

 func (x *TcpClusterRewrite) Reset() {
 	*x = TcpClusterRewrite{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *TcpClusterRewrite) String() string {
@ -65,7 +63,7 @@ func (*TcpClusterRewrite) ProtoMessage() {}

 func (x *TcpClusterRewrite) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -96,38 +94,21 @@ func (x *TcpClusterRewrite) GetClusterReplacement() string {

 var File_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto protoreflect.FileDescriptor

-var file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc = []byte{
-	0x0a, 0x45, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66,
-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2f, 0x74, 0x63,
-	0x70, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x72, 0x65, 0x77, 0x72, 0x69, 0x74,
-	0x65, 0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69,
-	0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x3e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65,
-	0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74,
-	0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x74, 0x63, 0x70, 0x5f, 0x63,
-	0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x72, 0x65, 0x77, 0x72, 0x69, 0x74, 0x65, 0x2e, 0x76,
-	0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x22, 0x6d, 0x0a, 0x11, 0x54, 0x63, 0x70, 0x43, 0x6c,
-	0x75, 0x73, 0x74, 0x65, 0x72, 0x52, 0x65, 0x77, 0x72, 0x69, 0x74, 0x65, 0x12, 0x27, 0x0a, 0x0f,
-	0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x70, 0x61, 0x74, 0x74, 0x65, 0x72, 0x6e, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x50, 0x61,
-	0x74, 0x74, 0x65, 0x72, 0x6e, 0x12, 0x2f, 0x0a, 0x13, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72,
-	0x5f, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x12, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x52, 0x65, 0x70, 0x6c, 0x61,
-	0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x47, 0x5a, 0x45, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f,
-	0x72, 0x6b, 0x2f, 0x74, 0x63, 0x70, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x72,
-	0x65, 0x77, 0x72, 0x69, 0x74, 0x65, 0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62,
-	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc = "" +
+	"\n" +
+	"Eenvoy/config/filter/network/tcp_cluster_rewrite/v2alpha1/config.proto\x12>istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1\"m\n" +
+	"\x11TcpClusterRewrite\x12'\n" +
+	"\x0fcluster_pattern\x18\x01 \x01(\tR\x0eclusterPattern\x12/\n" +
+	"\x13cluster_replacement\x18\x02 \x01(\tR\x12clusterReplacementBGZEistio.io/api/envoy/config/filter/network/tcp_cluster_rewrite/v2alpha1b\x06proto3"

 var (
 	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescOnce sync.Once
-	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescData = file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc
+	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescData []byte
 )

 func file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescGZIP() []byte {
 	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescOnce.Do(func() {
-		file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescData)
+		file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc), len(file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc)))
 	})
 	return file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescData
 }
@ -149,25 +130,11 @@ func file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_
 	if File_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*TcpClusterRewrite); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc), len(file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@ -178,7 +145,6 @@ func file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_
 		MessageInfos:      file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_msgTypes,
 	}.Build()
 	File_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto = out.File
-	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc = nil
 	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_goTypes = nil
 	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_depIdxs = nil
 }
--- a/envoy/extensions/stackdriver/config/v1alpha1/config.pb.go
+++ b/envoy/extensions/stackdriver/config/v1alpha1/config.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: envoy/extensions/stackdriver/config/v1alpha1/config.proto

@ -34,6 +34,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -101,27 +102,24 @@ func (PluginConfig_AccessLogging) EnumDescriptor() ([]byte, []int) {
 // Custom instance configuration overrides.
 // Provides a way to customize logs.
 type CustomConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// (Optional) Collection of tag names and tag expressions to include in the
 	// instance. Conflicts are resolved by the tag name by overriding previously
 	// supplied values.
-	Dimensions map[string]string `protobuf:"bytes,1,rep,name=dimensions,proto3" json:"dimensions,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Dimensions map[string]string `protobuf:"bytes,1,rep,name=dimensions,proto3" json:"dimensions,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	// (Optional) A list of tags to remove.
 	// Not implemented yet.
 	// $hide_from_docs
-	TagsToRemove []string `protobuf:"bytes,2,rep,name=tags_to_remove,json=tagsToRemove,proto3" json:"tags_to_remove,omitempty"`
+	TagsToRemove  []string `protobuf:"bytes,2,rep,name=tags_to_remove,json=tagsToRemove,proto3" json:"tags_to_remove,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *CustomConfig) Reset() {
 	*x = CustomConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *CustomConfig) String() string {
@ -132,7 +130,7 @@ func (*CustomConfig) ProtoMessage() {}

 func (x *CustomConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -163,10 +161,7 @@ func (x *CustomConfig) GetTagsToRemove() []string {

 // next id: 17
 type PluginConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Optional. Controls whether to export server access log.
 	// This is deprecated in favor of AccessLogging enum.
 	//
@ -263,16 +258,16 @@ type PluginConfig struct {
 	// Optional. Allows altering metrics behavior.
 	// Metric names for specifying overloads drop the `istio.io/service` prefix.
 	// Examples: `server/request_count`, `client/roundtrip_latencies`
-	MetricsOverrides map[string]*MetricsOverride `protobuf:"bytes,16,rep,name=metrics_overrides,json=metricsOverrides,proto3" json:"metrics_overrides,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	MetricsOverrides map[string]*MetricsOverride `protobuf:"bytes,16,rep,name=metrics_overrides,json=metricsOverrides,proto3" json:"metrics_overrides,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields    protoimpl.UnknownFields
+	sizeCache        protoimpl.SizeCache
 }

 func (x *PluginConfig) Reset() {
 	*x = PluginConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *PluginConfig) String() string {
@ -283,7 +278,7 @@ func (*PluginConfig) ProtoMessage() {}

 func (x *PluginConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -423,26 +418,23 @@ func (x *PluginConfig) GetMetricsOverrides() map[string]*MetricsOverride {

 // Provides behavior modifications for Cloud Monitoring metrics.
 type MetricsOverride struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Optional. If true, no data for the associated metric will be collected or
 	// exported.
 	Drop bool `protobuf:"varint,1,opt,name=drop,proto3" json:"drop,omitempty"`
 	// Optional. Maps tag names to value expressions that will be used at
 	// reporting time. If the tag name does not match a well-known tag for the
 	// istio Cloud Monitoring metrics, the configuration will have no effect.
-	TagOverrides map[string]string `protobuf:"bytes,2,rep,name=tag_overrides,json=tagOverrides,proto3" json:"tag_overrides,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	TagOverrides  map[string]string `protobuf:"bytes,2,rep,name=tag_overrides,json=tagOverrides,proto3" json:"tag_overrides,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *MetricsOverride) Reset() {
 	*x = MetricsOverride{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *MetricsOverride) String() string {
@ -453,7 +445,7 @@ func (*MetricsOverride) ProtoMessage() {}

 func (x *MetricsOverride) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -484,145 +476,58 @@ func (x *MetricsOverride) GetTagOverrides() map[string]string {

 var File_envoy_extensions_stackdriver_config_v1alpha1_config_proto protoreflect.FileDescriptor

-var file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc = []byte{
-	0x0a, 0x39, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
-	0x6e, 0x73, 0x2f, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2f, 0x63,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1b, 0x73, 0x74, 0x61,
-	0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65,
-	0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xce, 0x01, 0x0a, 0x0c, 0x43, 0x75, 0x73,
-	0x74, 0x6f, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x59, 0x0a, 0x0a, 0x64, 0x69, 0x6d,
-	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x39, 0x2e,
-	0x73, 0x74, 0x61, 0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x75, 0x73, 0x74,
-	0x6f, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x44, 0x69, 0x6d, 0x65, 0x6e, 0x73, 0x69,
-	0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x64, 0x69, 0x6d, 0x65, 0x6e, 0x73,
-	0x69, 0x6f, 0x6e, 0x73, 0x12, 0x24, 0x0a, 0x0e, 0x74, 0x61, 0x67, 0x73, 0x5f, 0x74, 0x6f, 0x5f,
-	0x72, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x74, 0x61,
-	0x67, 0x73, 0x54, 0x6f, 0x52, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x1a, 0x3d, 0x0a, 0x0f, 0x44, 0x69,
-	0x6d, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a,
-	0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
-	0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x80, 0x0b, 0x0a, 0x0c, 0x50, 0x6c,
-	0x75, 0x67, 0x69, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x45, 0x0a, 0x1d, 0x64, 0x69,
-	0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x61, 0x63, 0x63,
-	0x65, 0x73, 0x73, 0x5f, 0x6c, 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x08, 0x42, 0x02, 0x18, 0x01, 0x52, 0x1a, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65,
-	0x72, 0x76, 0x65, 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x67, 0x69, 0x6e,
-	0x67, 0x12, 0x3b, 0x0a, 0x1b, 0x6d, 0x61, 0x78, 0x5f, 0x6c, 0x6f, 0x67, 0x5f, 0x62, 0x61, 0x74,
-	0x63, 0x68, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x5f, 0x69, 0x6e, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73,
-	0x18, 0x0c, 0x20, 0x01, 0x28, 0x05, 0x52, 0x16, 0x6d, 0x61, 0x78, 0x4c, 0x6f, 0x67, 0x42, 0x61,
-	0x74, 0x63, 0x68, 0x53, 0x69, 0x7a, 0x65, 0x49, 0x6e, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x49,
-	0x0a, 0x13, 0x6c, 0x6f, 0x67, 0x5f, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x64, 0x75, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75,
-	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x11, 0x6c, 0x6f, 0x67, 0x52, 0x65, 0x70, 0x6f, 0x72,
-	0x74, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x28, 0x0a, 0x10, 0x65, 0x6e, 0x61,
-	0x62, 0x6c, 0x65, 0x5f, 0x61, 0x75, 0x64, 0x69, 0x74, 0x5f, 0x6c, 0x6f, 0x67, 0x18, 0x0b, 0x20,
-	0x01, 0x28, 0x08, 0x52, 0x0e, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x41, 0x75, 0x64, 0x69, 0x74,
-	0x4c, 0x6f, 0x67, 0x12, 0x38, 0x0a, 0x18, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x16, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x41, 0x0a,
-	0x1b, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x6d, 0x65, 0x73, 0x68, 0x5f, 0x65, 0x64, 0x67,
-	0x65, 0x73, 0x5f, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x08, 0x42, 0x02, 0x18, 0x01, 0x52, 0x18, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x65,
-	0x73, 0x68, 0x45, 0x64, 0x67, 0x65, 0x73, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67,
-	0x12, 0x60, 0x0a, 0x1d, 0x6d, 0x65, 0x73, 0x68, 0x5f, 0x65, 0x64, 0x67, 0x65, 0x73, 0x5f, 0x72,
-	0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x42, 0x02, 0x18, 0x01, 0x52, 0x1a, 0x6d, 0x65, 0x73, 0x68, 0x45, 0x64, 0x67, 0x65,
-	0x73, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x12, 0x2d, 0x0a, 0x13, 0x6d, 0x61, 0x78, 0x5f, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x63,
-	0x61, 0x63, 0x68, 0x65, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x05, 0x52,
-	0x10, 0x6d, 0x61, 0x78, 0x50, 0x65, 0x65, 0x72, 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x69, 0x7a,
-	0x65, 0x12, 0x3f, 0x0a, 0x1c, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x68, 0x6f, 0x73,
-	0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x66, 0x61, 0x6c, 0x6c, 0x62, 0x61, 0x63,
-	0x6b, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x19, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65,
-	0x48, 0x6f, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x46, 0x61, 0x6c, 0x6c, 0x62, 0x61,
-	0x63, 0x6b, 0x12, 0x2f, 0x0a, 0x14, 0x6d, 0x61, 0x78, 0x5f, 0x65, 0x64, 0x67, 0x65, 0x73, 0x5f,
-	0x62, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x05,
-	0x52, 0x11, 0x6d, 0x61, 0x78, 0x45, 0x64, 0x67, 0x65, 0x73, 0x42, 0x61, 0x74, 0x63, 0x68, 0x53,
-	0x69, 0x7a, 0x65, 0x12, 0x3d, 0x0a, 0x19, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x68,
-	0x74, 0x74, 0x70, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73,
-	0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x42, 0x02, 0x18, 0x01, 0x52, 0x16, 0x64, 0x69, 0x73, 0x61,
-	0x62, 0x6c, 0x65, 0x48, 0x74, 0x74, 0x70, 0x53, 0x69, 0x7a, 0x65, 0x4d, 0x65, 0x74, 0x72, 0x69,
-	0x63, 0x73, 0x12, 0x50, 0x0a, 0x16, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x6c, 0x6f, 0x67,
-	0x5f, 0x63, 0x6f, 0x6d, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x09, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x14,
-	0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4c, 0x6f, 0x67, 0x43, 0x6f, 0x6d, 0x70, 0x72, 0x65, 0x73,
-	0x73, 0x69, 0x6f, 0x6e, 0x12, 0x5e, 0x0a, 0x0e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6c,
-	0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x37, 0x2e, 0x73,
-	0x74, 0x61, 0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
-	0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x6c, 0x75, 0x67, 0x69,
-	0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f,
-	0x67, 0x67, 0x69, 0x6e, 0x67, 0x52, 0x0d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67,
-	0x67, 0x69, 0x6e, 0x67, 0x12, 0x47, 0x0a, 0x20, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6c,
-	0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x5f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x5f, 0x65, 0x78,
-	0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x11, 0x20, 0x01, 0x28, 0x09, 0x52, 0x1d,
-	0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x46, 0x69, 0x6c,
-	0x74, 0x65, 0x72, 0x45, 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x55, 0x0a,
-	0x11, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f, 0x6c, 0x6f, 0x67, 0x5f, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x73, 0x74, 0x61, 0x63, 0x6b,
-	0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x52, 0x0f, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x4c, 0x6f, 0x67, 0x43, 0x6f,
-	0x6e, 0x66, 0x69, 0x67, 0x12, 0x4f, 0x0a, 0x16, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x5f, 0x65,
-	0x78, 0x70, 0x69, 0x72, 0x79, 0x5f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0f,
-	0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52,
-	0x14, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x45, 0x78, 0x70, 0x69, 0x72, 0x79, 0x44, 0x75, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x6c, 0x0a, 0x11, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73,
-	0x5f, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x18, 0x10, 0x20, 0x03, 0x28, 0x0b,
-	0x32, 0x3f, 0x2e, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50,
-	0x6c, 0x75, 0x67, 0x69, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x4d, 0x65, 0x74, 0x72,
-	0x69, 0x63, 0x73, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72,
-	0x79, 0x52, 0x10, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69,
-	0x64, 0x65, 0x73, 0x1a, 0x71, 0x0a, 0x15, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x4f, 0x76,
-	0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03,
-	0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x42,
-	0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e,
-	0x73, 0x74, 0x61, 0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x72,
-	0x69, 0x63, 0x73, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x34, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73,
-	0x4c, 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10,
-	0x00, 0x12, 0x08, 0x0a, 0x04, 0x46, 0x55, 0x4c, 0x4c, 0x10, 0x01, 0x12, 0x0f, 0x0a, 0x0b, 0x45,
-	0x52, 0x52, 0x4f, 0x52, 0x53, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x02, 0x22, 0xcb, 0x01, 0x0a,
-	0x0f, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65,
-	0x12, 0x12, 0x0a, 0x04, 0x64, 0x72, 0x6f, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04,
-	0x64, 0x72, 0x6f, 0x70, 0x12, 0x63, 0x0a, 0x0d, 0x74, 0x61, 0x67, 0x5f, 0x6f, 0x76, 0x65, 0x72,
-	0x72, 0x69, 0x64, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3e, 0x2e, 0x73, 0x74,
-	0x61, 0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63,
-	0x73, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x2e, 0x54, 0x61, 0x67, 0x4f, 0x76, 0x65,
-	0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0c, 0x74, 0x61, 0x67,
-	0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x1a, 0x3f, 0x0a, 0x11, 0x54, 0x61, 0x67,
-	0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10,
-	0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79,
-	0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x3b, 0x5a, 0x39, 0x69, 0x73,
-	0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79,
-	0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x73, 0x74, 0x61, 0x63,
-	0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76,
-	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc = "" +
+	"\n" +
+	"9envoy/extensions/stackdriver/config/v1alpha1/config.proto\x12\x1bstackdriver.config.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1egoogle/protobuf/wrappers.proto\"\xce\x01\n" +
+	"\fCustomConfig\x12Y\n" +
+	"\n" +
+	"dimensions\x18\x01 \x03(\v29.stackdriver.config.v1alpha1.CustomConfig.DimensionsEntryR\n" +
+	"dimensions\x12$\n" +
+	"\x0etags_to_remove\x18\x02 \x03(\tR\ftagsToRemove\x1a=\n" +
+	"\x0fDimensionsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\x80\v\n" +
+	"\fPluginConfig\x12E\n" +
+	"\x1ddisable_server_access_logging\x18\x01 \x01(\bB\x02\x18\x01R\x1adisableServerAccessLogging\x12;\n" +
+	"\x1bmax_log_batch_size_in_bytes\x18\f \x01(\x05R\x16maxLogBatchSizeInBytes\x12I\n" +
+	"\x13log_report_duration\x18\r \x01(\v2\x19.google.protobuf.DurationR\x11logReportDuration\x12(\n" +
+	"\x10enable_audit_log\x18\v \x01(\bR\x0eenableAuditLog\x128\n" +
+	"\x18destination_service_name\x18\x02 \x01(\tR\x16destinationServiceName\x12A\n" +
+	"\x1benable_mesh_edges_reporting\x18\x03 \x01(\bB\x02\x18\x01R\x18enableMeshEdgesReporting\x12`\n" +
+	"\x1dmesh_edges_reporting_duration\x18\x04 \x01(\v2\x19.google.protobuf.DurationB\x02\x18\x01R\x1ameshEdgesReportingDuration\x12-\n" +
+	"\x13max_peer_cache_size\x18\x05 \x01(\x05R\x10maxPeerCacheSize\x12?\n" +
+	"\x1cdisable_host_header_fallback\x18\x06 \x01(\bR\x19disableHostHeaderFallback\x12/\n" +
+	"\x14max_edges_batch_size\x18\a \x01(\x05R\x11maxEdgesBatchSize\x12=\n" +
+	"\x19disable_http_size_metrics\x18\b \x01(\bB\x02\x18\x01R\x16disableHttpSizeMetrics\x12P\n" +
+	"\x16enable_log_compression\x18\t \x01(\v2\x1a.google.protobuf.BoolValueR\x14enableLogCompression\x12^\n" +
+	"\x0eaccess_logging\x18\n" +
+	" \x01(\x0e27.stackdriver.config.v1alpha1.PluginConfig.AccessLoggingR\raccessLogging\x12G\n" +
+	" access_logging_filter_expression\x18\x11 \x01(\tR\x1daccessLoggingFilterExpression\x12U\n" +
+	"\x11custom_log_config\x18\x0e \x01(\v2).stackdriver.config.v1alpha1.CustomConfigR\x0fcustomLogConfig\x12O\n" +
+	"\x16metric_expiry_duration\x18\x0f \x01(\v2\x19.google.protobuf.DurationR\x14metricExpiryDuration\x12l\n" +
+	"\x11metrics_overrides\x18\x10 \x03(\v2?.stackdriver.config.v1alpha1.PluginConfig.MetricsOverridesEntryR\x10metricsOverrides\x1aq\n" +
+	"\x15MetricsOverridesEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12B\n" +
+	"\x05value\x18\x02 \x01(\v2,.stackdriver.config.v1alpha1.MetricsOverrideR\x05value:\x028\x01\"4\n" +
+	"\rAccessLogging\x12\b\n" +
+	"\x04NONE\x10\x00\x12\b\n" +
+	"\x04FULL\x10\x01\x12\x0f\n" +
+	"\vERRORS_ONLY\x10\x02\"\xcb\x01\n" +
+	"\x0fMetricsOverride\x12\x12\n" +
+	"\x04drop\x18\x01 \x01(\bR\x04drop\x12c\n" +
+	"\rtag_overrides\x18\x02 \x03(\v2>.stackdriver.config.v1alpha1.MetricsOverride.TagOverridesEntryR\ftagOverrides\x1a?\n" +
+	"\x11TagOverridesEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B;Z9istio.io/api/envoy/extensions/stackdriver/config/v1alpha1b\x06proto3"

 var (
 	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescOnce sync.Once
-	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescData = file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc
+	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescData []byte
 )

 func file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescGZIP() []byte {
 	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescOnce.Do(func() {
-		file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescData)
+		file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc), len(file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc)))
 	})
 	return file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescData
 }
@ -663,49 +568,11 @@ func file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_init() {
 	if File_envoy_extensions_stackdriver_config_v1alpha1_config_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*CustomConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*PluginConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*MetricsOverride); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc), len(file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   6,
 			NumExtensions: 0,
@ -717,7 +584,6 @@ func file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_init() {
 		MessageInfos:      file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes,
 	}.Build()
 	File_envoy_extensions_stackdriver_config_v1alpha1_config_proto = out.File
-	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc = nil
 	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_goTypes = nil
 	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_depIdxs = nil
 }
--- a/envoy/extensions/stackdriver/config/v1alpha1/config.proto
+++ b/envoy/extensions/stackdriver/config/v1alpha1/config.proto
@ -24,11 +24,11 @@ syntax = "proto3";

 package stackdriver.config.v1alpha1;

-option go_package = "istio.io/api/envoy/extensions/stackdriver/config/v1alpha1";
-
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+option go_package = "istio.io/api/envoy/extensions/stackdriver/config/v1alpha1";
+
 // Custom instance configuration overrides.
 // Provides a way to customize logs.
 message CustomConfig {
@ -55,11 +55,11 @@ message PluginConfig {
    // logs. A request is classified as error when `status>=400 or
    // response_flag != "-"`
    ERRORS_ONLY = 2;
-  };
+  }

  // Optional. Controls whether to export server access log.
  // This is deprecated in favor of AccessLogging enum.
-  bool disable_server_access_logging = 1 [ deprecated = true ];
+  bool disable_server_access_logging = 1 [deprecated = true];

  // Optional. Allows configuration of the size of the LogWrite request. The
  // size is in bytes, so that it allows for better performance. Default is 4MB.
@ -84,7 +84,7 @@ message PluginConfig {
  // service. This is disabled by default.
  // Deprecated -- Mesh edge reporting is no longer supported and this setting
  // is no-op.
-  bool enable_mesh_edges_reporting = 3 [ deprecated = true ];
+  bool enable_mesh_edges_reporting = 3 [deprecated = true];

  // Optional. Allows configuration of the time between calls out to the mesh
  // edges service to report *NEW* edges. The minimum configurable duration is
@ -95,8 +95,7 @@ message PluginConfig {
  // reporting every `10m`.
  // Deprecated -- Mesh edge reporting is no longer supported and this setting
  // is no-op.
-  google.protobuf.Duration mesh_edges_reporting_duration = 4
-      [ deprecated = true ];
+  google.protobuf.Duration mesh_edges_reporting_duration = 4 [deprecated = true];

  // maximum size of the peer metadata cache.
  // A long lived proxy that connects with many transient peers can build up a
@ -117,7 +116,7 @@ message PluginConfig {
  // metrics are enabled).
  // Deprecated -- use `metrics_overrides` instead.
  // if `metrics_overrides` is used, this value will be ignored.
-  bool disable_http_size_metrics = 8 [ deprecated = true ];
+  bool disable_http_size_metrics = 8 [deprecated = true];

  // Optional. Allows enabling log compression for stackdriver access logs.
  google.protobuf.BoolValue enable_log_compression = 9;
@ -128,18 +127,18 @@ message PluginConfig {
  // CEL expression for filtering access logging. If the expression evaluates
  // to true, an access log entry will be generated. Otherwise, no access log
  // entry will be generated. If there are any type errors, the CEL expression
-  // is evaluated as false. More details on type checking can be found 
+  // is evaluated as false. More details on type checking can be found
  // at https://kubernetes.io/docs/reference/using-api/cel/#type-checking.
  // A common error is referring to a non-existent field in the log entry.
  // It's crucial to note that in Envoy, the fields that appear in access log
  // entries can vary. This variation is influenced by several factors,
  // including the protocol in use (such as HTTP or TCP), the applied filters,
-  // and the specific configuration of the Envoy instance. Therefore, when 
+  // and the specific configuration of the Envoy instance. Therefore, when
  // using CEL expressions for filtering access logs, it's essential to ensure
  // that the expressions accurately refer to existing fields in the log entry.
-  // The has() macro in CEL may be used in CEL expressions to check if a field 
-  // is accessible before attempting to access the field's value. 
-  // You can also quickly test CEL expressions at the CEL Playground 
+  // The has() macro in CEL may be used in CEL expressions to check if a field
+  // is accessible before attempting to access the field's value.
+  // You can also quickly test CEL expressions at the CEL Playground
  // at https://playcel.undistro.io/.
  // NOTE: Audit logs ignore configured filters.
  string access_logging_filter_expression = 17;
--- a/envoy/extensions/stats/config.pb.go
+++ b/envoy/extensions/stats/config.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: envoy/extensions/stats/config.proto

@ -31,6 +31,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -146,14 +147,11 @@ func (Reporter) EnumDescriptor() ([]byte, []int) {
 // The customizations allow full configurability, at the cost of a "slower"
 // path.
 type MetricConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// (Optional) Collection of tag names and tag expressions to include in the
 	// metric. Conflicts are resolved by the tag name by overriding previously
 	// supplied values.
-	Dimensions map[string]string `protobuf:"bytes,1,rep,name=dimensions,proto3" json:"dimensions,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Dimensions map[string]string `protobuf:"bytes,1,rep,name=dimensions,proto3" json:"dimensions,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	// (Optional) Metric name to restrict the override to a metric. If not
 	// specified, applies to all.
 	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
@ -163,16 +161,16 @@ type MetricConfig struct {
 	Match string `protobuf:"bytes,4,opt,name=match,proto3" json:"match,omitempty"`
 	// (Optional) If this is set to true, the metric(s) selected by this
 	// configuration will not be generated or reported.
-	Drop bool `protobuf:"varint,5,opt,name=drop,proto3" json:"drop,omitempty"`
+	Drop          bool `protobuf:"varint,5,opt,name=drop,proto3" json:"drop,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *MetricConfig) Reset() {
 	*x = MetricConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_extensions_stats_config_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_extensions_stats_config_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *MetricConfig) String() string {
@ -183,7 +181,7 @@ func (*MetricConfig) ProtoMessage() {}

 func (x *MetricConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_extensions_stats_config_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -234,25 +232,22 @@ func (x *MetricConfig) GetDrop() bool {
 }

 type MetricDefinition struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Metric name.
 	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
 	// Metric value expression.
 	Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
 	// NOT IMPLEMENTED (Optional) Metric type.
-	Type MetricType `protobuf:"varint,3,opt,name=type,proto3,enum=stats.MetricType" json:"type,omitempty"`
+	Type          MetricType `protobuf:"varint,3,opt,name=type,proto3,enum=stats.MetricType" json:"type,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *MetricDefinition) Reset() {
 	*x = MetricDefinition{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_extensions_stats_config_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_extensions_stats_config_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *MetricDefinition) String() string {
@ -263,7 +258,7 @@ func (*MetricDefinition) ProtoMessage() {}

 func (x *MetricDefinition) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_extensions_stats_config_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -300,10 +295,7 @@ func (x *MetricDefinition) GetType() MetricType {
 }

 type PluginConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// next id: 7
 	// The following settings should be rarely used.
 	// Enable debug for this filter.
@ -345,15 +337,15 @@ type PluginConfig struct {
 	// Defaults to 5m. Must be >=1s.
 	// $hide_from_docs
 	GracefulDeletionInterval *duration.Duration `protobuf:"bytes,12,opt,name=graceful_deletion_interval,json=gracefulDeletionInterval,proto3" json:"graceful_deletion_interval,omitempty"`
+	unknownFields            protoimpl.UnknownFields
+	sizeCache                protoimpl.SizeCache
 }

 func (x *PluginConfig) Reset() {
 	*x = PluginConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_envoy_extensions_stats_config_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_envoy_extensions_stats_config_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *PluginConfig) String() string {
@ -364,7 +356,7 @@ func (*PluginConfig) ProtoMessage() {}

 func (x *PluginConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_envoy_extensions_stats_config_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -465,95 +457,56 @@ func (x *PluginConfig) GetGracefulDeletionInterval() *duration.Duration {

 var File_envoy_extensions_stats_config_proto protoreflect.FileDescriptor

-var file_envoy_extensions_stats_config_proto_rawDesc = []byte{
-	0x0a, 0x23, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
-	0x6e, 0x73, 0x2f, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x05, 0x73, 0x74, 0x61, 0x74, 0x73, 0x1a, 0x1e, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75,
-	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf6, 0x01, 0x0a,
-	0x0c, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x43, 0x0a,
-	0x0a, 0x64, 0x69, 0x6d, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28,
-	0x0b, 0x32, 0x23, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63,
-	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x44, 0x69, 0x6d, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
-	0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x64, 0x69, 0x6d, 0x65, 0x6e, 0x73, 0x69, 0x6f,
-	0x6e, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x74, 0x61, 0x67, 0x73, 0x5f, 0x74,
-	0x6f, 0x5f, 0x72, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c,
-	0x74, 0x61, 0x67, 0x73, 0x54, 0x6f, 0x52, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x12, 0x14, 0x0a, 0x05,
-	0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6d, 0x61, 0x74,
-	0x63, 0x68, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x72, 0x6f, 0x70, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08,
-	0x52, 0x04, 0x64, 0x72, 0x6f, 0x70, 0x1a, 0x3d, 0x0a, 0x0f, 0x44, 0x69, 0x6d, 0x65, 0x6e, 0x73,
-	0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x63, 0x0a, 0x10, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x44,
-	0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d,
-	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61,
-	0x6c, 0x75, 0x65, 0x12, 0x25, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x0e, 0x32, 0x11, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63,
-	0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x22, 0x90, 0x05, 0x0a, 0x0c, 0x50,
-	0x6c, 0x75, 0x67, 0x69, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x14, 0x0a, 0x05, 0x64,
-	0x65, 0x62, 0x75, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x64, 0x65, 0x62, 0x75,
-	0x67, 0x12, 0x2d, 0x0a, 0x13, 0x6d, 0x61, 0x78, 0x5f, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x63, 0x61,
-	0x63, 0x68, 0x65, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x10,
-	0x6d, 0x61, 0x78, 0x50, 0x65, 0x65, 0x72, 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x69, 0x7a, 0x65,
-	0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, 0x50, 0x72, 0x65, 0x66, 0x69,
-	0x78, 0x12, 0x27, 0x0a, 0x0f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x73, 0x65, 0x70, 0x61, 0x72,
-	0x61, 0x74, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x66, 0x69, 0x65, 0x6c,
-	0x64, 0x53, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x27, 0x0a, 0x0f, 0x76, 0x61,
-	0x6c, 0x75, 0x65, 0x5f, 0x73, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x05, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x65, 0x70, 0x61, 0x72, 0x61,
-	0x74, 0x6f, 0x72, 0x12, 0x3f, 0x0a, 0x1c, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x68,
-	0x6f, 0x73, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x66, 0x61, 0x6c, 0x6c, 0x62,
-	0x61, 0x63, 0x6b, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x19, 0x64, 0x69, 0x73, 0x61, 0x62,
-	0x6c, 0x65, 0x48, 0x6f, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x46, 0x61, 0x6c, 0x6c,
-	0x62, 0x61, 0x63, 0x6b, 0x12, 0x4f, 0x0a, 0x16, 0x74, 0x63, 0x70, 0x5f, 0x72, 0x65, 0x70, 0x6f,
-	0x72, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x07,
-	0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52,
-	0x14, 0x74, 0x63, 0x70, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67, 0x44, 0x75, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2d, 0x0a, 0x07, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73,
-	0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x4d,
-	0x65, 0x74, 0x72, 0x69, 0x63, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x07, 0x6d, 0x65, 0x74,
-	0x72, 0x69, 0x63, 0x73, 0x12, 0x39, 0x0a, 0x0b, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69,
-	0x6f, 0x6e, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x73, 0x74, 0x61, 0x74,
-	0x73, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69,
-	0x6f, 0x6e, 0x52, 0x0b, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12,
-	0x2b, 0x0a, 0x08, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x72, 0x18, 0x0a, 0x20, 0x01, 0x28,
-	0x0e, 0x32, 0x0f, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74,
-	0x65, 0x72, 0x52, 0x08, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x72, 0x12, 0x46, 0x0a, 0x11,
-	0x72, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61,
-	0x6c, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x52, 0x10, 0x72, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x74, 0x65,
-	0x72, 0x76, 0x61, 0x6c, 0x12, 0x57, 0x0a, 0x1a, 0x67, 0x72, 0x61, 0x63, 0x65, 0x66, 0x75, 0x6c,
-	0x5f, 0x64, 0x65, 0x6c, 0x65, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x76,
-	0x61, 0x6c, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x52, 0x18, 0x67, 0x72, 0x61, 0x63, 0x65, 0x66, 0x75, 0x6c, 0x44, 0x65, 0x6c,
-	0x65, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x2a, 0x33, 0x0a,
-	0x0a, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x43,
-	0x4f, 0x55, 0x4e, 0x54, 0x45, 0x52, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x47, 0x41, 0x55, 0x47,
-	0x45, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x48, 0x49, 0x53, 0x54, 0x4f, 0x47, 0x52, 0x41, 0x4d,
-	0x10, 0x02, 0x2a, 0x2f, 0x0a, 0x08, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x72, 0x12, 0x0f,
-	0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12,
-	0x12, 0x0a, 0x0e, 0x53, 0x45, 0x52, 0x56, 0x45, 0x52, 0x5f, 0x47, 0x41, 0x54, 0x45, 0x57, 0x41,
-	0x59, 0x10, 0x01, 0x42, 0x25, 0x5a, 0x23, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f,
-	0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73,
-	0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x73, 0x74, 0x61, 0x74, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
-}
+const file_envoy_extensions_stats_config_proto_rawDesc = "" +
+	"\n" +
+	"#envoy/extensions/stats/config.proto\x12\x05stats\x1a\x1egoogle/protobuf/duration.proto\"\xf6\x01\n" +
+	"\fMetricConfig\x12C\n" +
+	"\n" +
+	"dimensions\x18\x01 \x03(\v2#.stats.MetricConfig.DimensionsEntryR\n" +
+	"dimensions\x12\x12\n" +
+	"\x04name\x18\x02 \x01(\tR\x04name\x12$\n" +
+	"\x0etags_to_remove\x18\x03 \x03(\tR\ftagsToRemove\x12\x14\n" +
+	"\x05match\x18\x04 \x01(\tR\x05match\x12\x12\n" +
+	"\x04drop\x18\x05 \x01(\bR\x04drop\x1a=\n" +
+	"\x0fDimensionsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"c\n" +
+	"\x10MetricDefinition\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value\x12%\n" +
+	"\x04type\x18\x03 \x01(\x0e2\x11.stats.MetricTypeR\x04type\"\x90\x05\n" +
+	"\fPluginConfig\x12\x14\n" +
+	"\x05debug\x18\x01 \x01(\bR\x05debug\x12-\n" +
+	"\x13max_peer_cache_size\x18\x02 \x01(\x05R\x10maxPeerCacheSize\x12\x1f\n" +
+	"\vstat_prefix\x18\x03 \x01(\tR\n" +
+	"statPrefix\x12'\n" +
+	"\x0ffield_separator\x18\x04 \x01(\tR\x0efieldSeparator\x12'\n" +
+	"\x0fvalue_separator\x18\x05 \x01(\tR\x0evalueSeparator\x12?\n" +
+	"\x1cdisable_host_header_fallback\x18\x06 \x01(\bR\x19disableHostHeaderFallback\x12O\n" +
+	"\x16tcp_reporting_duration\x18\a \x01(\v2\x19.google.protobuf.DurationR\x14tcpReportingDuration\x12-\n" +
+	"\ametrics\x18\b \x03(\v2\x13.stats.MetricConfigR\ametrics\x129\n" +
+	"\vdefinitions\x18\t \x03(\v2\x17.stats.MetricDefinitionR\vdefinitions\x12+\n" +
+	"\breporter\x18\n" +
+	" \x01(\x0e2\x0f.stats.ReporterR\breporter\x12F\n" +
+	"\x11rotation_interval\x18\v \x01(\v2\x19.google.protobuf.DurationR\x10rotationInterval\x12W\n" +
+	"\x1agraceful_deletion_interval\x18\f \x01(\v2\x19.google.protobuf.DurationR\x18gracefulDeletionInterval*3\n" +
+	"\n" +
+	"MetricType\x12\v\n" +
+	"\aCOUNTER\x10\x00\x12\t\n" +
+	"\x05GAUGE\x10\x01\x12\r\n" +
+	"\tHISTOGRAM\x10\x02*/\n" +
+	"\bReporter\x12\x0f\n" +
+	"\vUNSPECIFIED\x10\x00\x12\x12\n" +
+	"\x0eSERVER_GATEWAY\x10\x01B%Z#istio.io/api/envoy/extensions/statsb\x06proto3"

 var (
 	file_envoy_extensions_stats_config_proto_rawDescOnce sync.Once
-	file_envoy_extensions_stats_config_proto_rawDescData = file_envoy_extensions_stats_config_proto_rawDesc
+	file_envoy_extensions_stats_config_proto_rawDescData []byte
 )

 func file_envoy_extensions_stats_config_proto_rawDescGZIP() []byte {
 	file_envoy_extensions_stats_config_proto_rawDescOnce.Do(func() {
-		file_envoy_extensions_stats_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_extensions_stats_config_proto_rawDescData)
+		file_envoy_extensions_stats_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_envoy_extensions_stats_config_proto_rawDesc), len(file_envoy_extensions_stats_config_proto_rawDesc)))
 	})
 	return file_envoy_extensions_stats_config_proto_rawDescData
 }
@ -590,49 +543,11 @@ func file_envoy_extensions_stats_config_proto_init() {
 	if File_envoy_extensions_stats_config_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_envoy_extensions_stats_config_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*MetricConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_envoy_extensions_stats_config_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*MetricDefinition); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_envoy_extensions_stats_config_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*PluginConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_extensions_stats_config_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_envoy_extensions_stats_config_proto_rawDesc), len(file_envoy_extensions_stats_config_proto_rawDesc)),
 			NumEnums:      2,
 			NumMessages:   4,
 			NumExtensions: 0,
@ -644,7 +559,6 @@ func file_envoy_extensions_stats_config_proto_init() {
 		MessageInfos:      file_envoy_extensions_stats_config_proto_msgTypes,
 	}.Build()
 	File_envoy_extensions_stats_config_proto = out.File
-	file_envoy_extensions_stats_config_proto_rawDesc = nil
 	file_envoy_extensions_stats_config_proto_goTypes = nil
 	file_envoy_extensions_stats_config_proto_depIdxs = nil
 }
--- a/envoy/extensions/stats/config.proto
+++ b/envoy/extensions/stats/config.proto
@ -22,10 +22,10 @@ syntax = "proto3";

 package stats;

-option go_package = "istio.io/api/envoy/extensions/stats";
-
 import "google/protobuf/duration.proto";

+option go_package = "istio.io/api/envoy/extensions/stats";
+
 // Metric instance configuration overrides.
 // The metric value and the metric type are optional and permit changing the
 // reported value for an existing metric.
@ -95,14 +95,14 @@ message PluginConfig {

  // prefix to add to stats emitted by the plugin.
  // DEPRECATED.
-  string stat_prefix = 3;  // default: "istio_"
+  string stat_prefix = 3; // default: "istio_"

  // Stats api squashes dimensions in a single string.
  // The squashed string is parsed at prometheus scrape time to recover
  // dimensions. The following 2 fields set the field and value separators {key:
  // value} -->  key{value_separator}value{field_separator}
-  string field_separator = 4;  // default: ";;"
-  string value_separator = 5;  // default: "=="
+  string field_separator = 4; // default: ";;"
+  string value_separator = 5; // default: "=="

  // Optional: Disable using host header as a fallback if destination service is
  // not available from the controlplane. Disable the fallback if the host
--- a/extensions/v1alpha1/wasm.pb.go
+++ b/extensions/v1alpha1/wasm.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: extensions/v1alpha1/wasm.proto

@ -27,7 +27,7 @@
 // WasmPlugins provides a mechanism to extend the functionality provided by
 // the Istio proxy through WebAssembly filters.
 //
-// Order of execution (as part of Envoy's filter chain) is determined by
+// The order of execution (as part of Envoy's filter chain) is determined by
 // phase and priority settings, allowing the configuration of complex
 // interactions between user-supplied WasmPlugins and Istio's internal
 // filters.
@ -216,6 +216,7 @@ import (
 	v1beta1 "istio.io/api/type/v1beta1"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -417,7 +418,7 @@ type EnvValueSource int32
 const (
 	// Explicitly given key-value pairs to be injected to this VM
 	EnvValueSource_INLINE EnvValueSource = 0
-	// *Istio-proxy's* environment variables exposed to this VM.
+	// Proxy environment variables exposed to this VM.
 	EnvValueSource_HOST EnvValueSource = 1
 )

@ -471,6 +472,10 @@ const (
 	// binary, an exception, or abort() on the VM. This flag is not recommended
 	// for the authentication or the authorization plugins.
 	FailStrategy_FAIL_OPEN FailStrategy = 1
+	// New plugin instance will be created for the new request if the Wasm plugin
+	// has failed. This only applies for “proxy_wasm::FailState::RuntimeError“.
+	// For all other error types this will fallback to “FAIL_CLOSED“.
+	FailStrategy_FAIL_RELOAD FailStrategy = 2
 )

 // Enum value maps for FailStrategy.
@ -478,10 +483,12 @@ var (
 	FailStrategy_name = map[int32]string{
 		0: "FAIL_CLOSE",
 		1: "FAIL_OPEN",
+		2: "FAIL_RELOAD",
 	}
 	FailStrategy_value = map[string]int32{
-		"FAIL_CLOSE": 0,
-		"FAIL_OPEN":  1,
+		"FAIL_CLOSE":  0,
+		"FAIL_OPEN":   1,
+		"FAIL_RELOAD": 2,
 	}
 )

@ -512,7 +519,7 @@ func (FailStrategy) EnumDescriptor() ([]byte, []int) {
 	return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{4}
 }

-// WasmPlugins provides a mechanism to extend the functionality provided by
+// WasmPlugin provides a mechanism to extend the functionality provided by
 // the Istio proxy through WebAssembly filters.
 //
 // <!-- crd generation tags
@ -539,11 +546,9 @@ func (FailStrategy) EnumDescriptor() ([]byte, []int) {
 // +genclient
 // +k8s:deepcopy-gen=true
 // -->
+// +kubebuilder:validation:XValidation:message="only one of targetRefs or selector can be set",rule="oneof(self.selector, self.targetRef, self.targetRefs)"
 type WasmPlugin struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Criteria used to select the specific set of pods/VMs on which
 	// this plugin configuration should be applied. If omitted, this
 	// configuration will be applied to all workload instances in the same
@ -561,7 +566,9 @@ type WasmPlugin struct {
 	//
 	// Currently, the following resource attachment types are supported:
 	// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
-	// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
+	// * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
+	// * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints.
+	// * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
 	//
 	// If not set, the policy is applied as defined by the selector.
 	// At most one of the selector and targetRefs can be set.
@ -572,6 +579,7 @@ type WasmPlugin struct {
 	// from misinterpreting the policy as namespace-wide during the upgrade process.
 	//
 	// NOTE: Waypoint proxies are required to use this field for policies to apply; `selector` policies will be ignored.
+	// +kubebuilder:validation:MaxItems=16
 	TargetRefs []*v1beta1.PolicyTargetReference `protobuf:"bytes,16,rep,name=targetRefs,proto3" json:"targetRefs,omitempty"`
 	// URL of a Wasm module or OCI container. If no scheme is present,
 	// defaults to `oci://`, referencing an OCI image. Other valid schemes
@ -650,16 +658,16 @@ type WasmPlugin struct {
 	// the traffic passes the WasmPlugin.
 	Match []*WasmPlugin_TrafficSelector `protobuf:"bytes,12,rep,name=match,proto3" json:"match,omitempty"`
 	// Specifies the type of Wasm Extension to be used.
-	Type PluginType `protobuf:"varint,14,opt,name=type,proto3,enum=istio.extensions.v1alpha1.PluginType" json:"type,omitempty"`
+	Type          PluginType `protobuf:"varint,14,opt,name=type,proto3,enum=istio.extensions.v1alpha1.PluginType" json:"type,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *WasmPlugin) Reset() {
 	*x = WasmPlugin{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *WasmPlugin) String() string {
@ -670,7 +678,7 @@ func (*WasmPlugin) ProtoMessage() {}

 func (x *WasmPlugin) ProtoReflect() protoreflect.Message {
 	mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -800,25 +808,22 @@ func (x *WasmPlugin) GetType() PluginType {
 // Configuration for a Wasm VM.
 // more details can be found [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig).
 type VmConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Specifies environment variables to be injected to this VM.
 	// Note that if a key does not exist, it will be ignored.
 	// +kubebuilder:validation:MaxItems=256
 	// +listType=map
 	// +listMapKey=name
-	Env []*EnvVar `protobuf:"bytes,1,rep,name=env,proto3" json:"env,omitempty"`
+	Env           []*EnvVar `protobuf:"bytes,1,rep,name=env,proto3" json:"env,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *VmConfig) Reset() {
 	*x = VmConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *VmConfig) String() string {
@ -829,7 +834,7 @@ func (*VmConfig) ProtoMessage() {}

 func (x *VmConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -851,12 +856,9 @@ func (x *VmConfig) GetEnv() []*EnvVar {
 	return nil
 }

-// +kubebuilder:validation:XValidation:message="value may only be set when valueFrom is INLINE",rule="(has(self.valueFrom) ? self.valueFrom : ”) != 'HOST' || !has(self.value)"
+// +kubebuilder:validation:XValidation:message="value may only be set when valueFrom is INLINE",rule="default(self.valueFrom, ”) != 'HOST' || !has(self.value)"
 type EnvVar struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Name of the environment variable.
 	// Must be a C_IDENTIFIER.
 	// +kubebuilder:validation:MaxLength=256
@ -868,16 +870,16 @@ type EnvVar struct {
 	// Only applicable if `valueFrom` is `HOST`.
 	// Defaults to "".
 	// +kubebuilder:validation:MaxLength=2048
-	Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
+	Value         string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvVar) Reset() {
 	*x = EnvVar{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *EnvVar) String() string {
@ -888,7 +890,7 @@ func (*EnvVar) ProtoMessage() {}

 func (x *EnvVar) ProtoReflect() protoreflect.Message {
 	mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -929,10 +931,7 @@ func (x *EnvVar) GetValue() string {
 // When all the sub conditions in the TrafficSelector are satisfied, the
 // traffic will be selected.
 type WasmPlugin_TrafficSelector struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Criteria for selecting traffic by their direction.
 	// Note that `CLIENT` and `SERVER` are analogous to OUTBOUND and INBOUND,
 	// respectively.
@ -948,16 +947,16 @@ type WasmPlugin_TrafficSelector struct {
 	// If not specified, this condition is evaluated to true for any port.
 	// +listType=map
 	// +listMapKey=number
-	Ports []*v1beta1.PortSelector `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty"`
+	Ports         []*v1beta1.PortSelector `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *WasmPlugin_TrafficSelector) Reset() {
 	*x = WasmPlugin_TrafficSelector{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *WasmPlugin_TrafficSelector) String() string {
@ -968,7 +967,7 @@ func (*WasmPlugin_TrafficSelector) ProtoMessage() {}

 func (x *WasmPlugin_TrafficSelector) ProtoReflect() protoreflect.Message {
 	mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -999,129 +998,75 @@ func (x *WasmPlugin_TrafficSelector) GetPorts() []*v1beta1.PortSelector {

 var File_extensions_v1alpha1_wasm_proto protoreflect.FileDescriptor

-var file_extensions_v1alpha1_wasm_proto_rawDesc = []byte{
-	0x0a, 0x1e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x77, 0x61, 0x73, 0x6d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x12, 0x19, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
-	0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61,
-	0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1c, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72,
-	0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1b, 0x74, 0x79, 0x70, 0x65, 0x2f,
-	0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61,
-	0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f,
-	0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xab, 0x08, 0x0a, 0x0a, 0x57, 0x61, 0x73, 0x6d,
-	0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x12, 0x40, 0x0a, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74,
-	0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f,
-	0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x57, 0x6f,
-	0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x08,
-	0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x47, 0x0a, 0x09, 0x74, 0x61, 0x72, 0x67,
-	0x65, 0x74, 0x52, 0x65, 0x66, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x69, 0x73,
-	0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31,
-	0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x52, 0x65, 0x66,
-	0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, 0x09, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x52, 0x65,
-	0x66, 0x12, 0x49, 0x0a, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x52, 0x65, 0x66, 0x73, 0x18,
-	0x10, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79,
-	0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63,
-	0x79, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
-	0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x52, 0x65, 0x66, 0x73, 0x12, 0x16, 0x0a, 0x03,
-	0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52,
-	0x03, 0x75, 0x72, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x18, 0x03,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x12, 0x51, 0x0a, 0x11,
-	0x69, 0x6d, 0x61, 0x67, 0x65, 0x5f, 0x70, 0x75, 0x6c, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63,
-	0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x25, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x31, 0x2e, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x0f,
-	0x69, 0x6d, 0x61, 0x67, 0x65, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12,
-	0x2a, 0x0a, 0x11, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x5f, 0x70, 0x75, 0x6c, 0x6c, 0x5f, 0x73, 0x65,
-	0x63, 0x72, 0x65, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x69, 0x6d, 0x61, 0x67,
-	0x65, 0x50, 0x75, 0x6c, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x76,
-	0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6b, 0x65, 0x79, 0x18,
-	0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x12, 0x3c, 0x0a, 0x0d, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e,
-	0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x0c, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x43, 0x6f,
-	0x6e, 0x66, 0x69, 0x67, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x5f, 0x6e,
-	0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6c, 0x75, 0x67, 0x69,
-	0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x3c, 0x0a, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x09,
-	0x20, 0x01, 0x28, 0x0e, 0x32, 0x26, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74,
-	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
-	0x2e, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x50, 0x68, 0x61, 0x73, 0x65, 0x52, 0x05, 0x70, 0x68,
-	0x61, 0x73, 0x65, 0x12, 0x37, 0x0a, 0x08, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x18,
-	0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c,
-	0x75, 0x65, 0x52, 0x08, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x4c, 0x0a, 0x0d,
-	0x66, 0x61, 0x69, 0x6c, 0x5f, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x0d, 0x20,
-	0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65,
-	0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e,
-	0x46, 0x61, 0x69, 0x6c, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x52, 0x0c, 0x66, 0x61,
-	0x69, 0x6c, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x40, 0x0a, 0x09, 0x76, 0x6d,
-	0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x23, 0x2e,
-	0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73,
-	0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x56, 0x6d, 0x43, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x52, 0x08, 0x76, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x4b, 0x0a, 0x05,
-	0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x69, 0x73,
-	0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76,
-	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x57, 0x61, 0x73, 0x6d, 0x50, 0x6c, 0x75, 0x67,
-	0x69, 0x6e, 0x2e, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74,
-	0x6f, 0x72, 0x52, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x39, 0x0a, 0x04, 0x74, 0x79, 0x70,
-	0x65, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x25, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x31, 0x2e, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04,
-	0x74, 0x79, 0x70, 0x65, 0x1a, 0x7f, 0x0a, 0x0f, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x53,
-	0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x34, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79,
-	0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c,
-	0x6f, 0x61, 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x36, 0x0a,
-	0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61,
-	0x31, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x05,
-	0x70, 0x6f, 0x72, 0x74, 0x73, 0x22, 0x3f, 0x0a, 0x08, 0x56, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69,
-	0x67, 0x12, 0x33, 0x0a, 0x03, 0x65, 0x6e, 0x76, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21,
-	0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
-	0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x6e, 0x76, 0x56, 0x61,
-	0x72, 0x52, 0x03, 0x65, 0x6e, 0x76, 0x22, 0x82, 0x01, 0x0a, 0x06, 0x45, 0x6e, 0x76, 0x56, 0x61,
-	0x72, 0x12, 0x18, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42,
-	0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x48, 0x0a, 0x0a, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x5f, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32,
-	0x29, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
-	0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x6e, 0x76, 0x56,
-	0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x09, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x46, 0x72, 0x6f, 0x6d, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x2a, 0x40, 0x0a, 0x0a, 0x50,
-	0x6c, 0x75, 0x67, 0x69, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x17, 0x55, 0x4e, 0x53,
-	0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x5f, 0x50, 0x4c, 0x55, 0x47, 0x49, 0x4e, 0x5f,
-	0x54, 0x59, 0x50, 0x45, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x54, 0x54, 0x50, 0x10, 0x01,
-	0x12, 0x0b, 0x0a, 0x07, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x10, 0x02, 0x2a, 0x45, 0x0a,
-	0x0b, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x50, 0x68, 0x61, 0x73, 0x65, 0x12, 0x15, 0x0a, 0x11,
-	0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x5f, 0x50, 0x48, 0x41, 0x53,
-	0x45, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x4e, 0x10, 0x01, 0x12, 0x09,
-	0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x5a, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x53, 0x54, 0x41,
-	0x54, 0x53, 0x10, 0x03, 0x2a, 0x42, 0x0a, 0x0a, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69,
-	0x63, 0x79, 0x12, 0x16, 0x0a, 0x12, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45,
-	0x44, 0x5f, 0x50, 0x4f, 0x4c, 0x49, 0x43, 0x59, 0x10, 0x00, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x66,
-	0x4e, 0x6f, 0x74, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x74, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06,
-	0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x10, 0x02, 0x2a, 0x26, 0x0a, 0x0e, 0x45, 0x6e, 0x76, 0x56,
-	0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x0a, 0x0a, 0x06, 0x49, 0x4e,
-	0x4c, 0x49, 0x4e, 0x45, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x4f, 0x53, 0x54, 0x10, 0x01,
-	0x2a, 0x2d, 0x0a, 0x0c, 0x46, 0x61, 0x69, 0x6c, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79,
-	0x12, 0x0e, 0x0a, 0x0a, 0x46, 0x41, 0x49, 0x4c, 0x5f, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x10, 0x00,
-	0x12, 0x0d, 0x0a, 0x09, 0x46, 0x41, 0x49, 0x4c, 0x5f, 0x4f, 0x50, 0x45, 0x4e, 0x10, 0x01, 0x42,
-	0x22, 0x5a, 0x20, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f,
-	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_extensions_v1alpha1_wasm_proto_rawDesc = "" +
+	"\n" +
+	"\x1eextensions/v1alpha1/wasm.proto\x12\x19istio.extensions.v1alpha1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x1btype/v1beta1/selector.proto\"\xab\b\n" +
+	"\n" +
+	"WasmPlugin\x12@\n" +
+	"\bselector\x18\x01 \x01(\v2$.istio.type.v1beta1.WorkloadSelectorR\bselector\x12G\n" +
+	"\ttargetRef\x18\x0f \x01(\v2).istio.type.v1beta1.PolicyTargetReferenceR\ttargetRef\x12I\n" +
+	"\n" +
+	"targetRefs\x18\x10 \x03(\v2).istio.type.v1beta1.PolicyTargetReferenceR\n" +
+	"targetRefs\x12\x16\n" +
+	"\x03url\x18\x02 \x01(\tB\x04\xe2A\x01\x02R\x03url\x12\x16\n" +
+	"\x06sha256\x18\x03 \x01(\tR\x06sha256\x12Q\n" +
+	"\x11image_pull_policy\x18\x04 \x01(\x0e2%.istio.extensions.v1alpha1.PullPolicyR\x0fimagePullPolicy\x12*\n" +
+	"\x11image_pull_secret\x18\x05 \x01(\tR\x0fimagePullSecret\x12)\n" +
+	"\x10verification_key\x18\x06 \x01(\tR\x0fverificationKey\x12<\n" +
+	"\rplugin_config\x18\a \x01(\v2\x17.google.protobuf.StructR\fpluginConfig\x12\x1f\n" +
+	"\vplugin_name\x18\b \x01(\tR\n" +
+	"pluginName\x12<\n" +
+	"\x05phase\x18\t \x01(\x0e2&.istio.extensions.v1alpha1.PluginPhaseR\x05phase\x127\n" +
+	"\bpriority\x18\n" +
+	" \x01(\v2\x1b.google.protobuf.Int32ValueR\bpriority\x12L\n" +
+	"\rfail_strategy\x18\r \x01(\x0e2'.istio.extensions.v1alpha1.FailStrategyR\ffailStrategy\x12@\n" +
+	"\tvm_config\x18\v \x01(\v2#.istio.extensions.v1alpha1.VmConfigR\bvmConfig\x12K\n" +
+	"\x05match\x18\f \x03(\v25.istio.extensions.v1alpha1.WasmPlugin.TrafficSelectorR\x05match\x129\n" +
+	"\x04type\x18\x0e \x01(\x0e2%.istio.extensions.v1alpha1.PluginTypeR\x04type\x1a\x7f\n" +
+	"\x0fTrafficSelector\x124\n" +
+	"\x04mode\x18\x01 \x01(\x0e2 .istio.type.v1beta1.WorkloadModeR\x04mode\x126\n" +
+	"\x05ports\x18\x02 \x03(\v2 .istio.type.v1beta1.PortSelectorR\x05ports\"?\n" +
+	"\bVmConfig\x123\n" +
+	"\x03env\x18\x01 \x03(\v2!.istio.extensions.v1alpha1.EnvVarR\x03env\"\x82\x01\n" +
+	"\x06EnvVar\x12\x18\n" +
+	"\x04name\x18\x01 \x01(\tB\x04\xe2A\x01\x02R\x04name\x12H\n" +
+	"\n" +
+	"value_from\x18\x03 \x01(\x0e2).istio.extensions.v1alpha1.EnvValueSourceR\tvalueFrom\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value*@\n" +
+	"\n" +
+	"PluginType\x12\x1b\n" +
+	"\x17UNSPECIFIED_PLUGIN_TYPE\x10\x00\x12\b\n" +
+	"\x04HTTP\x10\x01\x12\v\n" +
+	"\aNETWORK\x10\x02*E\n" +
+	"\vPluginPhase\x12\x15\n" +
+	"\x11UNSPECIFIED_PHASE\x10\x00\x12\t\n" +
+	"\x05AUTHN\x10\x01\x12\t\n" +
+	"\x05AUTHZ\x10\x02\x12\t\n" +
+	"\x05STATS\x10\x03*B\n" +
+	"\n" +
+	"PullPolicy\x12\x16\n" +
+	"\x12UNSPECIFIED_POLICY\x10\x00\x12\x10\n" +
+	"\fIfNotPresent\x10\x01\x12\n" +
+	"\n" +
+	"\x06Always\x10\x02*&\n" +
+	"\x0eEnvValueSource\x12\n" +
+	"\n" +
+	"\x06INLINE\x10\x00\x12\b\n" +
+	"\x04HOST\x10\x01*>\n" +
+	"\fFailStrategy\x12\x0e\n" +
+	"\n" +
+	"FAIL_CLOSE\x10\x00\x12\r\n" +
+	"\tFAIL_OPEN\x10\x01\x12\x0f\n" +
+	"\vFAIL_RELOAD\x10\x02B\"Z istio.io/api/extensions/v1alpha1b\x06proto3"

 var (
 	file_extensions_v1alpha1_wasm_proto_rawDescOnce sync.Once
-	file_extensions_v1alpha1_wasm_proto_rawDescData = file_extensions_v1alpha1_wasm_proto_rawDesc
+	file_extensions_v1alpha1_wasm_proto_rawDescData []byte
 )

 func file_extensions_v1alpha1_wasm_proto_rawDescGZIP() []byte {
 	file_extensions_v1alpha1_wasm_proto_rawDescOnce.Do(func() {
-		file_extensions_v1alpha1_wasm_proto_rawDescData = protoimpl.X.CompressGZIP(file_extensions_v1alpha1_wasm_proto_rawDescData)
+		file_extensions_v1alpha1_wasm_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_extensions_v1alpha1_wasm_proto_rawDesc), len(file_extensions_v1alpha1_wasm_proto_rawDesc)))
 	})
 	return file_extensions_v1alpha1_wasm_proto_rawDescData
 }
@ -1173,61 +1118,11 @@ func file_extensions_v1alpha1_wasm_proto_init() {
 	if File_extensions_v1alpha1_wasm_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_extensions_v1alpha1_wasm_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*WasmPlugin); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_extensions_v1alpha1_wasm_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*VmConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_extensions_v1alpha1_wasm_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*EnvVar); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_extensions_v1alpha1_wasm_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*WasmPlugin_TrafficSelector); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_extensions_v1alpha1_wasm_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_extensions_v1alpha1_wasm_proto_rawDesc), len(file_extensions_v1alpha1_wasm_proto_rawDesc)),
 			NumEnums:      5,
 			NumMessages:   4,
 			NumExtensions: 0,
@ -1239,7 +1134,6 @@ func file_extensions_v1alpha1_wasm_proto_init() {
 		MessageInfos:      file_extensions_v1alpha1_wasm_proto_msgTypes,
 	}.Build()
 	File_extensions_v1alpha1_wasm_proto = out.File
-	file_extensions_v1alpha1_wasm_proto_rawDesc = nil
 	file_extensions_v1alpha1_wasm_proto_goTypes = nil
 	file_extensions_v1alpha1_wasm_proto_depIdxs = nil
 }
--- a/extensions/v1alpha1/wasm.pb.html
+++ b/extensions/v1alpha1/wasm.pb.html
@ -10,7 +10,7 @@ number_of_entries: 9
 ---
 <p>WasmPlugins provides a mechanism to extend the functionality provided by
 the Istio proxy through WebAssembly filters.</p>
-<p>Order of execution (as part of Envoy&rsquo;s filter chain) is determined by
+<p>The order of execution (as part of Envoy&rsquo;s filter chain) is determined by
 phase and priority settings, allowing the configuration of complex
 interactions between user-supplied WasmPlugins and Istio&rsquo;s internal
 filters.</p>
@ -169,22 +169,21 @@ spec:

 <h2 id="WasmPlugin">WasmPlugin</h2>
 <section>
-<p>WasmPlugins provides a mechanism to extend the functionality provided by
+<p>WasmPlugin provides a mechanism to extend the functionality provided by
 the Istio proxy through WebAssembly filters.</p>

 <table class="message-fields">
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="WasmPlugin-selector">
-<td><code>selector</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#WorkloadSelector">WorkloadSelector</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-selector">selector</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/type/workload-selector.html#WorkloadSelector">WorkloadSelector</a></div>
+</div></td>
 <td>
 <p>Criteria used to select the specific set of pods/VMs on which
 this plugin configuration should be applied. If omitted, this
@ -194,22 +193,22 @@ namespace, it will be applied to all applicable workloads in any
 namespace.</p>
 <p>At most, only one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-targetRefs">
-<td><code>targetRefs</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-targetRefs">targetRefs</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></div>
+</div></td>
 <td>
-<p>Optional. The targetRefs specifies a list of resources the policy should be
+<p>The targetRefs specifies a list of resources the policy should be
 applied to. The targeted resources specified will determine which workloads
 the policy applies to.</p>
 <p>Currently, the following resource attachment types are supported:</p>
 <ul>
 <li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
-<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
+<li><code>kind: GatewayClass</code> with <code>group: gateway.networking.k8s.io</code> in the root namespace.</li>
+<li><code>kind: Service</code> with <code>group: &quot;&quot;</code> or <code>group: &quot;core&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
+<li><code>kind: ServiceEntry</code> with <code>group: networking.istio.io</code> in the same namespace.</li>
 </ul>
 <p>If not set, the policy is applied as defined by the selector.
 At most one of the selector and targetRefs can be set.</p>
@ -219,14 +218,13 @@ This is to prevent proxies connected to older control planes (that don&rsquo;t k
 from misinterpreting the policy as namespace-wide during the upgrade process.</p>
 <p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-url">
-<td><code>url</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-url">url</a></code></div>
+<div class="type">string</div>
+<div class="required">Required</div>
+</div></td>
 <td>
 <p>URL of a Wasm module or OCI container. If no scheme is present,
 defaults to <code>oci://</code>, referencing an OCI image. Other valid schemes
@ -234,14 +232,12 @@ are <code>file://</code> for referencing .wasm module files present locally
 within the proxy container, and <code>http[s]://</code> for <code>.wasm</code> module files
 hosted remotely.</p>

-</td>
-<td>
-Yes
 </td>
 </tr>
 <tr id="WasmPlugin-sha256">
-<td><code>sha256</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-sha256">sha256</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>SHA256 checksum that will be used to verify Wasm module or OCI container.
 If the <code>url</code> field already references a SHA256 (using the <code>@sha256:</code>
@ -249,14 +245,12 @@ notation), it must match the value of this field. If an OCI image is
 referenced by tag and this field is set, its checksum will be verified
 against the contents of this field after pulling.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-image_pull_policy">
-<td><code>imagePullPolicy</code></td>
-<td><code><a href="#PullPolicy">PullPolicy</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-image_pull_policy">imagePullPolicy</a></code></div>
+<div class="type"><a href="#PullPolicy">PullPolicy</a></div>
+</div></td>
 <td>
 <p>The pull behaviour to be applied when fetching Wasm module by either
 OCI image or <code>http/https</code>. Only relevant when referencing Wasm module without
@ -265,63 +259,53 @@ Defaults to <code>IfNotPresent</code>, except when an OCI image is referenced in
 and the <code>latest</code> tag is used, in which case <code>Always</code> is the default,
 mirroring Kubernetes behaviour.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-image_pull_secret">
-<td><code>imagePullSecret</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-image_pull_secret">imagePullSecret</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Credentials to use for OCI image pulling.
 Name of a Kubernetes Secret in the same namespace as the <code>WasmPlugin</code> that
 contains a Docker pull secret which is to be used to authenticate
 against the registry when pulling the image.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-plugin_config">
-<td><code>pluginConfig</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-plugin_config">pluginConfig</a></code></div>
+<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></div>
+</div></td>
 <td>
 <p>The configuration that will be passed on to the plugin.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-plugin_name">
-<td><code>pluginName</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-plugin_name">pluginName</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>The plugin name to be used in the Envoy configuration (used to be called
 <code>rootID</code>). Some .wasm modules might require this value to select the Wasm
 plugin to execute.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-phase">
-<td><code>phase</code></td>
-<td><code><a href="#PluginPhase">PluginPhase</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-phase">phase</a></code></div>
+<div class="type"><a href="#PluginPhase">PluginPhase</a></div>
+</div></td>
 <td>
 <p>Determines where in the filter chain this <code>WasmPlugin</code> is to be injected.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-priority">
-<td><code>priority</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-priority">priority</a></code></div>
+<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></div>
+</div></td>
 <td>
 <p>Determines ordering of <code>WasmPlugins</code> in the same <code>phase</code>.
 When multiple <code>WasmPlugins</code> are applied to the same workload in the
@ -330,56 +314,90 @@ If <code>priority</code> is not set, or two <code>WasmPlugins</code> exist with
 value, the ordering will be deterministically derived from name and
 namespace of the <code>WasmPlugins</code>. Defaults to <code>0</code>.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-fail_strategy">
-<td><code>failStrategy</code></td>
-<td><code><a href="#FailStrategy">FailStrategy</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-fail_strategy">failStrategy</a></code></div>
+<div class="type"><a href="#FailStrategy">FailStrategy</a></div>
+</div></td>
 <td>
 <p>Specifies the failure behavior for the plugin due to fatal errors.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-vm_config">
-<td><code>vmConfig</code></td>
-<td><code><a href="#VmConfig">VmConfig</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-vm_config">vmConfig</a></code></div>
+<div class="type"><a href="#VmConfig">VmConfig</a></div>
+</div></td>
 <td>
 <p>Configuration for a Wasm VM.
 More details can be found <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig">here</a>.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-match">
-<td><code>match</code></td>
-<td><code><a href="#WasmPlugin-TrafficSelector">TrafficSelector[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-match">match</a></code></div>
+<div class="type"><a href="#WasmPlugin-TrafficSelector">TrafficSelector[]</a></div>
+</div></td>
 <td>
 <p>Specifies the criteria to determine which traffic is passed to WasmPlugin.
 If a traffic satisfies any of TrafficSelectors,
 the traffic passes the WasmPlugin.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-type">
-<td><code>type</code></td>
-<td><code><a href="#PluginType">PluginType</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-type">type</a></code></div>
+<div class="type"><a href="#PluginType">PluginType</a></div>
+</div></td>
 <td>
 <p>Specifies the type of Wasm Extension to be used.</p>

 </td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="WasmPlugin-TrafficSelector">TrafficSelector</h3>
+<section>
+<p>TrafficSelector provides a mechanism to select a specific traffic flow
+for which this Wasm Plugin will be enabled.
+When all the sub conditions in the TrafficSelector are satisfied, the
+traffic will be selected.</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="WasmPlugin-TrafficSelector-mode">
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-TrafficSelector-mode">mode</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/type/workload-selector.html#WorkloadMode">WorkloadMode</a></div>
+</div></td>
 <td>
-No
+<p>Criteria for selecting traffic by their direction.
+Note that <code>CLIENT</code> and <code>SERVER</code> are analogous to OUTBOUND and INBOUND,
+respectively.
+For the gateway, the field should be <code>CLIENT</code> or <code>CLIENT_AND_SERVER</code>.
+If not specified, the default value is <code>CLIENT_AND_SERVER</code>.</p>
+
+</td>
+</tr>
+<tr id="WasmPlugin-TrafficSelector-ports">
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-TrafficSelector-ports">ports</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PortSelector">PortSelector[]</a></div>
+</div></td>
+<td>
+<p>Criteria for selecting traffic by their destination port.
+More specifically, for the outbound traffic, the destination port would be
+the port of the target service. On the other hand, for the inbound traffic,
+the destination port is the port bound by the server process in the same Pod.</p>
+<p>If one of the given <code>ports</code> is matched, this condition is evaluated to true.
+If not specified, this condition is evaluated to true for any port.</p>
+
 </td>
 </tr>
 </tbody>
@ -394,22 +412,18 @@ more details can be found <a href="https://www.envoyproxy.io/docs/envoy/latest/a
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="VmConfig-env">
-<td><code>env</code></td>
-<td><code><a href="#EnvVar">EnvVar[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#VmConfig-env">env</a></code></div>
+<div class="type"><a href="#EnvVar">EnvVar[]</a></div>
+</div></td>
 <td>
 <p>Specifies environment variables to be injected to this VM.
 Note that if a key does not exist, it will be ignored.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
@ -422,97 +436,39 @@ No
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="EnvVar-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#EnvVar-name">name</a></code></div>
+<div class="type">string</div>
+<div class="required">Required</div>
+</div></td>
 <td>
 <p>Name of the environment variable.
 Must be a C_IDENTIFIER.</p>

-</td>
-<td>
-Yes
 </td>
 </tr>
 <tr id="EnvVar-value_from">
-<td><code>valueFrom</code></td>
-<td><code><a href="#EnvValueSource">EnvValueSource</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#EnvVar-value_from">valueFrom</a></code></div>
+<div class="type"><a href="#EnvValueSource">EnvValueSource</a></div>
+</div></td>
 <td>
 <p>Source for the environment variable&rsquo;s value.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="EnvVar-value">
-<td><code>value</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#EnvVar-value">value</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Value for the environment variable.
 Only applicable if <code>valueFrom</code> is <code>HOST</code>.
 Defaults to &ldquo;&rdquo;.</p>

-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="WasmPlugin-TrafficSelector">WasmPlugin.TrafficSelector</h2>
-<section>
-<p>TrafficSelector provides a mechanism to select a specific traffic flow
-for which this Wasm Plugin will be enabled.
-When all the sub conditions in the TrafficSelector are satisfied, the
-traffic will be selected.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="WasmPlugin-TrafficSelector-mode">
-<td><code>mode</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#WorkloadMode">WorkloadMode</a></code></td>
-<td>
-<p>Criteria for selecting traffic by their direction.
-Note that <code>CLIENT</code> and <code>SERVER</code> are analogous to OUTBOUND and INBOUND,
-respectively.
-For the gateway, the field should be <code>CLIENT</code> or <code>CLIENT_AND_SERVER</code>.
-If not specified, the default value is <code>CLIENT_AND_SERVER</code>.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="WasmPlugin-TrafficSelector-ports">
-<td><code>ports</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PortSelector">PortSelector[]</a></code></td>
-<td>
-<p>Criteria for selecting traffic by their destination port.
-More specifically, for the outbound traffic, the destination port would be
-the port of the target service. On the other hand, for the inbound traffic,
-the destination port is the port bound by the server process in the same Pod.</p>
-<p>If one of the given <code>ports</code> is matched, this condition is evaluated to true.
-If not specified, this condition is evaluated to true for any port.</p>
-
-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
@ -545,21 +501,21 @@ The detailed <code>NETWORK</code> interface can be found here:</p>
 </thead>
 <tbody>
 <tr id="PluginType-UNSPECIFIED_PLUGIN_TYPE">
-<td><code>UNSPECIFIED_PLUGIN_TYPE</code></td>
+<td><code><a href="#PluginType-UNSPECIFIED_PLUGIN_TYPE">UNSPECIFIED_PLUGIN_TYPE</a></code></td>
 <td>
 <p>Defaults to HTTP.</p>

 </td>
 </tr>
 <tr id="PluginType-HTTP">
-<td><code>HTTP</code></td>
+<td><code><a href="#PluginType-HTTP">HTTP</a></code></td>
 <td>
 <p>Use HTTP Wasm Extension.</p>

 </td>
 </tr>
 <tr id="PluginType-NETWORK">
-<td><code>NETWORK</code></td>
+<td><code><a href="#PluginType-NETWORK">NETWORK</a></code></td>
 <td>
 <p>Use Network Wasm Extension.</p>

@ -581,7 +537,7 @@ The detailed <code>NETWORK</code> interface can be found here:</p>
 </thead>
 <tbody>
 <tr id="PluginPhase-UNSPECIFIED_PHASE">
-<td><code>UNSPECIFIED_PHASE</code></td>
+<td><code><a href="#PluginPhase-UNSPECIFIED_PHASE">UNSPECIFIED_PHASE</a></code></td>
 <td>
 <p>Control plane decides where to insert the plugin. This will generally
 be at the end of the filter chain, right before the Router.
@ -590,21 +546,21 @@ Do not specify <code>PluginPhase</code> if the plugin is independent of others.<
 </td>
 </tr>
 <tr id="PluginPhase-AUTHN">
-<td><code>AUTHN</code></td>
+<td><code><a href="#PluginPhase-AUTHN">AUTHN</a></code></td>
 <td>
 <p>Insert plugin before Istio authentication filters.</p>

 </td>
 </tr>
 <tr id="PluginPhase-AUTHZ">
-<td><code>AUTHZ</code></td>
+<td><code><a href="#PluginPhase-AUTHZ">AUTHZ</a></code></td>
 <td>
 <p>Insert plugin before Istio authorization filters and after Istio authentication filters.</p>

 </td>
 </tr>
 <tr id="PluginPhase-STATS">
-<td><code>STATS</code></td>
+<td><code><a href="#PluginPhase-STATS">STATS</a></code></td>
 <td>
 <p>Insert plugin before Istio stats filters and after Istio authorization filters.</p>

@ -627,7 +583,7 @@ mirroring K8s behaviour.</p>
 </thead>
 <tbody>
 <tr id="PullPolicy-UNSPECIFIED_POLICY">
-<td><code>UNSPECIFIED_POLICY</code></td>
+<td><code><a href="#PullPolicy-UNSPECIFIED_POLICY">UNSPECIFIED_POLICY</a></code></td>
 <td>
 <p>Defaults to <code>IfNotPresent</code>, except for OCI images with tag <code>latest</code>, for which
 the default will be <code>Always</code>.</p>
@ -635,7 +591,7 @@ the default will be <code>Always</code>.</p>
 </td>
 </tr>
 <tr id="PullPolicy-IfNotPresent">
-<td><code>IfNotPresent</code></td>
+<td><code><a href="#PullPolicy-IfNotPresent">IfNotPresent</a></code></td>
 <td>
 <p>If an existing version of the image has been pulled before, that
 will be used. If no version of the image is present locally, we
@ -644,7 +600,7 @@ will pull the latest version.</p>
 </td>
 </tr>
 <tr id="PullPolicy-Always">
-<td><code>Always</code></td>
+<td><code><a href="#PullPolicy-Always">Always</a></code></td>
 <td>
 <p>We will always pull the latest version of an image when changing
 this plugin. Note that the change includes <code>metadata</code> field as well.</p>
@ -665,16 +621,16 @@ this plugin. Note that the change includes <code>metadata</code> field as well.<
 </thead>
 <tbody>
 <tr id="EnvValueSource-INLINE">
-<td><code>INLINE</code></td>
+<td><code><a href="#EnvValueSource-INLINE">INLINE</a></code></td>
 <td>
 <p>Explicitly given key-value pairs to be injected to this VM</p>

 </td>
 </tr>
 <tr id="EnvValueSource-HOST">
-<td><code>HOST</code></td>
+<td><code><a href="#EnvValueSource-HOST">HOST</a></code></td>
 <td>
-<p><em>Istio-proxy&rsquo;s</em> environment variables exposed to this VM.</p>
+<p>Proxy environment variables exposed to this VM.</p>

 </td>
 </tr>
@ -692,7 +648,7 @@ this plugin. Note that the change includes <code>metadata</code> field as well.<
 </thead>
 <tbody>
 <tr id="FailStrategy-FAIL_CLOSE">
-<td><code>FAIL_CLOSE</code></td>
+<td><code><a href="#FailStrategy-FAIL_CLOSE">FAIL_CLOSE</a></code></td>
 <td>
 <p>A fatal error in the binary fetching or during the plugin execution causes
 all subsequent requests to fail with 5xx.</p>
@ -700,13 +656,22 @@ all subsequent requests to fail with 5xx.</p>
 </td>
 </tr>
 <tr id="FailStrategy-FAIL_OPEN">
-<td><code>FAIL_OPEN</code></td>
+<td><code><a href="#FailStrategy-FAIL_OPEN">FAIL_OPEN</a></code></td>
 <td>
 <p>Enables the fail open behavior for the Wasm plugin fatal errors to bypass
 the plugin execution. A fatal error can be a failure to fetch the remote
 binary, an exception, or abort() on the VM. This flag is not recommended
 for the authentication or the authorization plugins.</p>

+</td>
+</tr>
+<tr id="FailStrategy-FAIL_RELOAD">
+<td><code><a href="#FailStrategy-FAIL_RELOAD">FAIL_RELOAD</a></code></td>
+<td>
+<p>New plugin instance will be created for the new request if the Wasm plugin
+has failed. This only applies for <code>proxy_wasm::FailState::RuntimeError</code>.
+For all other error types this will fallback to <code>FAIL_CLOSED</code>.</p>
+
 </td>
 </tr>
 </tbody>
--- a/extensions/v1alpha1/wasm.proto
+++ b/extensions/v1alpha1/wasm.proto
@ -14,11 +14,6 @@

 syntax = "proto3";

-import "google/protobuf/wrappers.proto";
-import "google/protobuf/struct.proto";
-import "type/v1beta1/selector.proto";
-import "google/api/field_behavior.proto";
-
 // $schema: istio.extensions.v1alpha1.WasmPlugin
 // $title: Wasm Plugin
 // $description: Extend the functionality provided by the Istio proxy through WebAssembly filters.
@ -28,7 +23,7 @@ import "google/api/field_behavior.proto";
 // WasmPlugins provides a mechanism to extend the functionality provided by
 // the Istio proxy through WebAssembly filters.
 //
-// Order of execution (as part of Envoy's filter chain) is determined by
+// The order of execution (as part of Envoy's filter chain) is determined by
 // phase and priority settings, allowing the configuration of complex
 // interactions between user-supplied WasmPlugins and Istio's internal
 // filters.
@ -207,9 +202,14 @@ import "google/api/field_behavior.proto";
 //
 package istio.extensions.v1alpha1;

-option go_package="istio.io/api/extensions/v1alpha1";
+import "google/api/field_behavior.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+import "type/v1beta1/selector.proto";

-// WasmPlugins provides a mechanism to extend the functionality provided by
+option go_package = "istio.io/api/extensions/v1alpha1";
+
+// WasmPlugin provides a mechanism to extend the functionality provided by
 // the Istio proxy through WebAssembly filters.
 //
 // <!-- crd generation tags
@ -236,6 +236,7 @@ option go_package="istio.io/api/extensions/v1alpha1";
 // +genclient
 // +k8s:deepcopy-gen=true
 // -->
+// +kubebuilder:validation:XValidation:message="only one of targetRefs or selector can be set",rule="oneof(self.selector, self.targetRef, self.targetRefs)"
 message WasmPlugin {
  // Criteria used to select the specific set of pods/VMs on which
  // this plugin configuration should be applied. If omitted, this
@ -256,7 +257,9 @@ message WasmPlugin {
  //
  // Currently, the following resource attachment types are supported:
  // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
-  // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
+  // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
+  // * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints.
+  // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
  //
  // If not set, the policy is applied as defined by the selector.
  // At most one of the selector and targetRefs can be set.
@ -267,6 +270,7 @@ message WasmPlugin {
  // from misinterpreting the policy as namespace-wide during the upgrade process.
  //
  // NOTE: Waypoint proxies are required to use this field for policies to apply; `selector` policies will be ignored.
+  // +kubebuilder:validation:MaxItems=16
  repeated istio.type.v1beta1.PolicyTargetReference targetRefs = 16;

  // URL of a Wasm module or OCI container. If no scheme is present,
@ -385,7 +389,6 @@ message WasmPlugin {
  PluginType type = 14;
 }

-
 // PluginType indicates the type of Wasm extension to be used.
 // There are two types of extensions: `HTTP` and `NETWORK`.
 //
@ -406,7 +409,7 @@ enum PluginType {

  // Use HTTP Wasm Extension.
  HTTP = 1;
-  
+
  // Use Network Wasm Extension.
  NETWORK = 2;
 }
@ -460,7 +463,7 @@ message VmConfig {
  repeated EnvVar env = 1;
 }

-// +kubebuilder:validation:XValidation:message="value may only be set when valueFrom is INLINE",rule="(has(self.valueFrom) ? self.valueFrom : '') != 'HOST' || !has(self.value)"
+// +kubebuilder:validation:XValidation:message="value may only be set when valueFrom is INLINE",rule="default(self.valueFrom, '') != 'HOST' || !has(self.value)"
 message EnvVar {
  // Name of the environment variable.
  // Must be a C_IDENTIFIER.
@ -482,7 +485,7 @@ enum EnvValueSource {
  // Explicitly given key-value pairs to be injected to this VM
  INLINE = 0;

-  // *Istio-proxy's* environment variables exposed to this VM.
+  // Proxy environment variables exposed to this VM.
  HOST = 1;
 }

@ -496,4 +499,9 @@ enum FailStrategy {
  // binary, an exception, or abort() on the VM. This flag is not recommended
  // for the authentication or the authorization plugins.
  FAIL_OPEN = 1;
+
+  // New plugin instance will be created for the new request if the Wasm plugin
+  // has failed. This only applies for ``proxy_wasm::FailState::RuntimeError``.
+  // For all other error types this will fallback to ``FAIL_CLOSED``.
+  FAIL_RELOAD = 2;
 }
--- a/gen.sh
+++ b/gen.sh
@ -30,10 +30,12 @@ buf generate \
 # These folders do not have the full plugins used, as they are not full CRDs.
 # We pass them a custom configuration to exclude the non-required files
 buf generate --template buf.gen-noncrd.yaml \
-  --path operator \
  --path mcp \
  --path mesh

 # These plugins are sent to Envoy, which uses golang/protobuf, so do not use gogo
 buf generate --template buf.gen-golang.yaml \
  --path envoy
+
+# Format Protobuf files
+buf format -w
--- a/github.com
+++ b/github.com
@ -1 +0,0 @@
-common-protos/github.com
--- a/go.mod
+++ b/go.mod
@ -1,31 +1,19 @@
 module istio.io/api

-go 1.22.0
+go 1.23.0
+
+toolchain go1.23.7

 require (
 	github.com/golang/protobuf v1.5.4
-	google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8
-	google.golang.org/grpc v1.64.1
-	google.golang.org/protobuf v1.34.1
-	k8s.io/api v0.30.0
-	k8s.io/apimachinery v0.30.0
+	google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463
+	google.golang.org/grpc v1.71.0
+	google.golang.org/protobuf v1.36.6
 )

 require (
-	github.com/go-logr/logr v1.4.1 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
-	golang.org/x/net v0.26.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/klog/v2 v2.120.1 // indirect
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,103 +1,36 @@
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
-github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
-github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8 h1:W5Xj/70xIA4x60O/IFyXivR5MGqblAb8R3w26pnD6No=
-google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8/go.mod h1:vPrPUTsDCYxXWjP7clS81mZ6/803D8K4iM9Ma27VKas=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 h1:mxSlqyb8ZAHsYDCfiXN1EDdNTdvjUJSLY+OnAUtYNYA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8/go.mod h1:I7Y+G38R2bu5j1aLzfFmQfTcU/WnFuqDwLZAbvKTKpM=
-google.golang.org/grpc v1.64.1 h1:LKtvyfbX3UGVPFcGqJ9ItpVWW6oN/2XqTxfAnwRRXiA=
-google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0=
-google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
-google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
-gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=
-k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE=
-k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA=
-k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
-k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
-k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
+go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
+go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
+go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
+go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
+go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
+go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
+go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463 h1:hE3bRWtU6uceqlh4fhrSnUyjKHMKB9KrTLLG+bc0ddM=
+google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463/go.mod h1:U90ffi8eUL9MwPcrJylN5+Mk2v3vuPDptd5yyNUiRR8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 h1:e0AIkUUhxyBKh6ssZNrAMeqhA7RKUj42346d1y02i2g=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
+google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
--- a/k8s.io
+++ b/k8s.io
@ -1 +0,0 @@
-common-protos/k8s.io
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
--- a/Show More
+++ b/Show More