3d80aa4 simulation: Timoni mod vendor — heartwood

Radicle Heartwood Protocol & Stack

simulation: Timoni mod vendor

Adrian Duke committed 29 days ago

commit 3d80aa4c59a6c86f063132217a61fb80b295aed3
parent 35ef2275e6210fad4825f86f7946c24f623da8ca

100 files changed +18456 -1

modified .codespellrc

@@ -1,4 +1,5 @@

 # See: https://github.com/codespell-project/codespell#using-a-config-file
 [codespell]
 skip = .git*,*.lock,.codespellrc,target,.jj
 skip = .git*,*.lock,.codespellrc,target,.jj,simulation/modules/radicle-node/cue.mod/*
 check-hidden = true
 ignore-words-list = ser,set,noes

modified .typos.toml

@@ -14,3 +14,8 @@ extend-ignore-re = [

 [type.codespell]
 check-file = false
 extend-glob = [".codespellrc"]
 [files]
 extend-exclude = [
     "simulation/modules/radicle-node/cue.mod"
 ]

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/admission/v1
 package v1
 #GroupName: "admission.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue

@@ -0,0 +1,172 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/admission/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 // AdmissionReview describes an admission review request/response.
 #AdmissionReview: {
 	metav1.#TypeMeta
 	// Request describes the attributes for the admission request.
 	// +optional
 	request?: null | #AdmissionRequest @go(Request,*AdmissionRequest) @protobuf(1,bytes,opt)
 	// Response describes the attributes for the admission response.
 	// +optional
 	response?: null | #AdmissionResponse @go(Response,*AdmissionResponse) @protobuf(2,bytes,opt)
 }
 // AdmissionRequest describes the admission.Attributes for the admission request.
 #AdmissionRequest: {
 	// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
 	// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
 	// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
 	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
 	uid: types.#UID @go(UID) @protobuf(1,bytes,opt)
 	// Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
 	kind: metav1.#GroupVersionKind @go(Kind) @protobuf(2,bytes,opt)
 	// Resource is the fully-qualified resource being requested (for example, v1.pods)
 	resource: metav1.#GroupVersionResource @go(Resource) @protobuf(3,bytes,opt)
 	// SubResource is the subresource being requested, if any (for example, "status" or "scale")
 	// +optional
 	subResource?: string @go(SubResource) @protobuf(4,bytes,opt)
 	// RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
 	// If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
 	//
 	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
 	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
 	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
 	// with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
 	// and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
 	//
 	// See documentation for the "matchPolicy" field in the webhook configuration type for more details.
 	// +optional
 	requestKind?: null | metav1.#GroupVersionKind @go(RequestKind,*metav1.GroupVersionKind) @protobuf(13,bytes,opt)
 	// RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
 	// If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
 	//
 	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
 	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
 	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
 	// with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
 	// and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
 	//
 	// See documentation for the "matchPolicy" field in the webhook configuration type.
 	// +optional
 	requestResource?: null | metav1.#GroupVersionResource @go(RequestResource,*metav1.GroupVersionResource) @protobuf(14,bytes,opt)
 	// RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
 	// If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
 	// See documentation for the "matchPolicy" field in the webhook configuration type.
 	// +optional
 	requestSubResource?: string @go(RequestSubResource) @protobuf(15,bytes,opt)
 	// Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
 	// rely on the server to generate the name.  If that is the case, this field will contain an empty string.
 	// +optional
 	name?: string @go(Name) @protobuf(5,bytes,opt)
 	// Namespace is the namespace associated with the request (if any).
 	// +optional
 	namespace?: string @go(Namespace) @protobuf(6,bytes,opt)
 	// Operation is the operation being performed. This may be different than the operation
 	// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
 	operation: #Operation @go(Operation) @protobuf(7,bytes,opt)
 	// UserInfo is information about the requesting user
 	userInfo: authenticationv1.#UserInfo @go(UserInfo) @protobuf(8,bytes,opt)
 	// Object is the object from the incoming request.
 	// +optional
 	object?: runtime.#RawExtension @go(Object) @protobuf(9,bytes,opt)
 	// OldObject is the existing object. Only populated for DELETE and UPDATE requests.
 	// +optional
 	oldObject?: runtime.#RawExtension @go(OldObject) @protobuf(10,bytes,opt)
 	// DryRun indicates that modifications will definitely not be persisted for this request.
 	// Defaults to false.
 	// +optional
 	dryRun?: null | bool @go(DryRun,*bool) @protobuf(11,varint,opt)
 	// Options is the operation option structure of the operation being performed.
 	// e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
 	// different than the options the caller provided. e.g. for a patch request the performed
 	// Operation might be a CREATE, in which case the Options will a
 	// `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
 	// +optional
 	options?: runtime.#RawExtension @go(Options) @protobuf(12,bytes,opt)
 }
 // AdmissionResponse describes an admission response.
 #AdmissionResponse: {
 	// UID is an identifier for the individual request/response.
 	// This must be copied over from the corresponding AdmissionRequest.
 	uid: types.#UID @go(UID) @protobuf(1,bytes,opt)
 	// Allowed indicates whether or not the admission request was permitted.
 	allowed: bool @go(Allowed) @protobuf(2,varint,opt)
 	// Result contains extra details into why an admission request was denied.
 	// This field IS NOT consulted in any way if "Allowed" is "true".
 	// +optional
 	status?: null | metav1.#Status @go(Result,*metav1.Status) @protobuf(3,bytes,opt)
 	// The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
 	// +optional
 	patch?: bytes @go(Patch,[]byte) @protobuf(4,bytes,opt)
 	// The type of Patch. Currently we only allow "JSONPatch".
 	// +optional
 	patchType?: null | #PatchType @go(PatchType,*PatchType) @protobuf(5,bytes,opt)
 	// AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
 	// MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
 	// admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
 	// the admission webhook to add additional context to the audit log for this request.
 	// +optional
 	auditAnnotations?: {[string]: string} @go(AuditAnnotations,map[string]string) @protobuf(6,bytes,opt)
 	// warnings is a list of warning messages to return to the requesting API client.
 	// Warning messages describe a problem the client making the API request should correct or be aware of.
 	// Limit warnings to 120 characters if possible.
 	// Warnings over 256 characters and large numbers of warnings may be truncated.
 	// +optional
 	warnings?: [...string] @go(Warnings,[]string) @protobuf(7,bytes,rep)
 }
 // PatchType is the type of patch being used to represent the mutated object
 #PatchType: string // #enumPatchType
 #enumPatchType:
 	#PatchTypeJSONPatch
 #PatchTypeJSONPatch: #PatchType & "JSONPatch"
 // Operation is the type of resource operation being checked for admission control
 #Operation: string // #enumOperation
 #enumOperation:
 	#Create |
 	#Update |
 	#Delete |
 	#Connect
 #Create:  #Operation & "CREATE"
 #Update:  #Operation & "UPDATE"
 #Delete:  #Operation & "DELETE"
 #Connect: #Operation & "CONNECT"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue

@@ -0,0 +1,9 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/admissionregistration/v1
 // Package v1 is the v1 version of the API.
 // AdmissionConfiguration and AdmissionPluginConfiguration are legacy static admission plugin configuration
 // MutatingWebhookConfiguration and ValidatingWebhookConfiguration are for the
 // new dynamic admission controller configuration.
 package v1

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/admissionregistration/v1
 package v1
 #GroupName: "admissionregistration.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue

@@ -0,0 +1,645 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/admissionregistration/v1
 package v1
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
 // to make sure that all the tuple expansions are valid.
 #Rule: {
 	// APIGroups is the API groups the resources belong to. '*' is all groups.
 	// If '*' is present, the length of the slice must be one.
 	// Required.
 	// +listType=atomic
 	apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(1,bytes,rep)
 	// APIVersions is the API versions the resources belong to. '*' is all versions.
 	// If '*' is present, the length of the slice must be one.
 	// Required.
 	// +listType=atomic
 	apiVersions?: [...string] @go(APIVersions,[]string) @protobuf(2,bytes,rep)
 	// Resources is a list of resources this rule applies to.
 	//
 	// For example:
 	// 'pods' means pods.
 	// 'pods/log' means the log subresource of pods.
 	// '*' means all resources, but not subresources.
 	// 'pods/*' means all subresources of pods.
 	// '*/scale' means all scale subresources.
 	// '*/*' means all resources and their subresources.
 	//
 	// If wildcard is present, the validation rule will ensure resources do not
 	// overlap with each other.
 	//
 	// Depending on the enclosing object, subresources might not be allowed.
 	// Required.
 	// +listType=atomic
 	resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep)
 	// scope specifies the scope of this rule.
 	// Valid values are "Cluster", "Namespaced", and "*"
 	// "Cluster" means that only cluster-scoped resources will match this rule.
 	// Namespace API objects are cluster-scoped.
 	// "Namespaced" means that only namespaced resources will match this rule.
 	// "*" means that there are no scope restrictions.
 	// Subresources match the scope of their parent resource.
 	// Default is "*".
 	//
 	// +optional
 	scope?: null | #ScopeType @go(Scope,*ScopeType) @protobuf(4,bytes,rep)
 }
 // ScopeType specifies a scope for a Rule.
 // +enum
 #ScopeType: string // #enumScopeType
 #enumScopeType:
 	#ClusterScope |
 	#NamespacedScope |
 	#AllScopes
 // ClusterScope means that scope is limited to cluster-scoped objects.
 // Namespace objects are cluster-scoped.
 #ClusterScope: #ScopeType & "Cluster"
 // NamespacedScope means that scope is limited to namespaced objects.
 #NamespacedScope: #ScopeType & "Namespaced"
 // AllScopes means that all scopes are included.
 #AllScopes: #ScopeType & "*"
 // FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.
 // +enum
 #FailurePolicyType: string // #enumFailurePolicyType
 #enumFailurePolicyType:
 	#Ignore |
 	#Fail
 // Ignore means that an error calling the webhook is ignored.
 #Ignore: #FailurePolicyType & "Ignore"
 // Fail means that an error calling the webhook causes the admission to fail.
 #Fail: #FailurePolicyType & "Fail"
 // MatchPolicyType specifies the type of match policy.
 // +enum
 #MatchPolicyType: string // #enumMatchPolicyType
 #enumMatchPolicyType:
 	#Exact |
 	#Equivalent
 // Exact means requests should only be sent to the webhook if they exactly match a given rule.
 #Exact: #MatchPolicyType & "Exact"
 // Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.
 #Equivalent: #MatchPolicyType & "Equivalent"
 // SideEffectClass specifies the types of side effects a webhook may have.
 // +enum
 #SideEffectClass: string // #enumSideEffectClass
 #enumSideEffectClass:
 	#SideEffectClassUnknown |
 	#SideEffectClassNone |
 	#SideEffectClassSome |
 	#SideEffectClassNoneOnDryRun
 // SideEffectClassUnknown means that no information is known about the side effects of calling the webhook.
 // If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
 #SideEffectClassUnknown: #SideEffectClass & "Unknown"
 // SideEffectClassNone means that calling the webhook will have no side effects.
 #SideEffectClassNone: #SideEffectClass & "None"
 // SideEffectClassSome means that calling the webhook will possibly have side effects.
 // If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
 #SideEffectClassSome: #SideEffectClass & "Some"
 // SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the
 // request being reviewed has the dry-run attribute, the side effects will be suppressed.
 #SideEffectClassNoneOnDryRun: #SideEffectClass & "NoneOnDryRun"
 // ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
 #ValidatingWebhookConfiguration: {
 	metav1.#TypeMeta
 	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Webhooks is a list of webhooks and the affected resources and operations.
 	// +optional
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	webhooks?: [...#ValidatingWebhook] @go(Webhooks,[]ValidatingWebhook) @protobuf(2,bytes,rep,name=Webhooks)
 }
 // ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.
 #ValidatingWebhookConfigurationList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of ValidatingWebhookConfiguration.
 	items: [...#ValidatingWebhookConfiguration] @go(Items,[]ValidatingWebhookConfiguration) @protobuf(2,bytes,rep)
 }
 // MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
 #MutatingWebhookConfiguration: {
 	metav1.#TypeMeta
 	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Webhooks is a list of webhooks and the affected resources and operations.
 	// +optional
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	webhooks?: [...#MutatingWebhook] @go(Webhooks,[]MutatingWebhook) @protobuf(2,bytes,rep,name=Webhooks)
 }
 // MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.
 #MutatingWebhookConfigurationList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of MutatingWebhookConfiguration.
 	items: [...#MutatingWebhookConfiguration] @go(Items,[]MutatingWebhookConfiguration) @protobuf(2,bytes,rep)
 }
 // ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
 #ValidatingWebhook: {
 	// The name of the admission webhook.
 	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
 	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
 	// of the organization.
 	// Required.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// ClientConfig defines how to communicate with the hook.
 	// Required
 	clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt)
 	// Rules describes what operations on what resources/subresources the webhook cares about.
 	// The webhook cares about an operation if it matches _any_ Rule.
 	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
 	// from putting the cluster in a state which cannot be recovered from without completely
 	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
 	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
 	rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep)
 	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
 	// allowed values are Ignore or Fail. Defaults to Fail.
 	// +optional
 	failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType)
 	// matchPolicy defines how the "rules" list is used to match incoming requests.
 	// Allowed values are "Exact" or "Equivalent".
 	//
 	// - Exact: match a request only if it exactly matches a specified rule.
 	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
 	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
 	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
 	//
 	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
 	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
 	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
 	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
 	//
 	// Defaults to "Equivalent"
 	// +optional
 	matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType)
 	// NamespaceSelector decides whether to run the webhook on an object based
 	// on whether the namespace for that object matches the selector. If the
 	// object itself is a namespace, the matching is performed on
 	// object.metadata.labels. If the object is another cluster scoped resource,
 	// it never skips the webhook.
 	//
 	// For example, to run the webhook on any objects whose namespace is not
 	// associated with "runlevel" of "0" or "1";  you will set the selector as
 	// follows:
 	// "namespaceSelector": {
 	//   "matchExpressions": [
 	//     {
 	//       "key": "runlevel",
 	//       "operator": "NotIn",
 	//       "values": [
 	//         "0",
 	//         "1"
 	//       ]
 	//     }
 	//   ]
 	// }
 	//
 	// If instead you want to only run the webhook on any objects whose
 	// namespace is associated with the "environment" of "prod" or "staging";
 	// you will set the selector as follows:
 	// "namespaceSelector": {
 	//   "matchExpressions": [
 	//     {
 	//       "key": "environment",
 	//       "operator": "In",
 	//       "values": [
 	//         "prod",
 	//         "staging"
 	//       ]
 	//     }
 	//   ]
 	// }
 	//
 	// See
 	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
 	// for more examples of label selectors.
 	//
 	// Default to the empty LabelSelector, which matches everything.
 	// +optional
 	namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt)
 	// ObjectSelector decides whether to run the webhook based on if the
 	// object has matching labels. objectSelector is evaluated against both
 	// the oldObject and newObject that would be sent to the webhook, and
 	// is considered to match if either object matches the selector. A null
 	// object (oldObject in the case of create, or newObject in the case of
 	// delete) or an object that cannot have labels (like a
 	// DeploymentRollback or a PodProxyOptions object) is not considered to
 	// match.
 	// Use the object selector only if the webhook is opt-in, because end
 	// users may skip the admission webhook by setting the labels.
 	// Default to the empty LabelSelector, which matches everything.
 	// +optional
 	objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(10,bytes,opt)
 	// SideEffects states whether this webhook has side effects.
 	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
 	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
 	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
 	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
 	// sideEffects == Unknown or Some.
 	sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass)
 	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
 	// the webhook call will be ignored or the API call will fail based on the
 	// failure policy.
 	// The timeout value must be between 1 and 30 seconds.
 	// Default to 10 seconds.
 	// +optional
 	timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt)
 	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
 	// versions the Webhook expects. API server will try to use first version in
 	// the list which it supports. If none of the versions specified in this list
 	// supported by API server, validation will fail for this object.
 	// If a persisted webhook configuration specifies allowed versions and does not
 	// include any versions known to the API Server, calls to the webhook will fail
 	// and be subject to the failure policy.
 	admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep)
 	// MatchConditions is a list of conditions that must be met for a request to be sent to this
 	// webhook. Match conditions filter requests that have already been matched by the rules,
 	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
 	// There are a maximum of 64 match conditions allowed.
 	//
 	// The exact matching logic is (in order):
 	//   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
 	//   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
 	//   3. If any matchCondition evaluates to an error (but none are FALSE):
 	//      - If failurePolicy=Fail, reject the request
 	//      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
 	//
 	// This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate.
 	//
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=name
 	// +featureGate=AdmissionWebhookMatchConditions
 	// +optional
 	matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(11,bytes,opt)
 }
 // MutatingWebhook describes an admission webhook and the resources and operations it applies to.
 #MutatingWebhook: {
 	// The name of the admission webhook.
 	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
 	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
 	// of the organization.
 	// Required.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// ClientConfig defines how to communicate with the hook.
 	// Required
 	clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt)
 	// Rules describes what operations on what resources/subresources the webhook cares about.
 	// The webhook cares about an operation if it matches _any_ Rule.
 	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
 	// from putting the cluster in a state which cannot be recovered from without completely
 	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
 	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
 	rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep)
 	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
 	// allowed values are Ignore or Fail. Defaults to Fail.
 	// +optional
 	failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType)
 	// matchPolicy defines how the "rules" list is used to match incoming requests.
 	// Allowed values are "Exact" or "Equivalent".
 	//
 	// - Exact: match a request only if it exactly matches a specified rule.
 	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
 	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
 	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
 	//
 	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
 	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
 	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
 	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
 	//
 	// Defaults to "Equivalent"
 	// +optional
 	matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType)
 	// NamespaceSelector decides whether to run the webhook on an object based
 	// on whether the namespace for that object matches the selector. If the
 	// object itself is a namespace, the matching is performed on
 	// object.metadata.labels. If the object is another cluster scoped resource,
 	// it never skips the webhook.
 	//
 	// For example, to run the webhook on any objects whose namespace is not
 	// associated with "runlevel" of "0" or "1";  you will set the selector as
 	// follows:
 	// "namespaceSelector": {
 	//   "matchExpressions": [
 	//     {
 	//       "key": "runlevel",
 	//       "operator": "NotIn",
 	//       "values": [
 	//         "0",
 	//         "1"
 	//       ]
 	//     }
 	//   ]
 	// }
 	//
 	// If instead you want to only run the webhook on any objects whose
 	// namespace is associated with the "environment" of "prod" or "staging";
 	// you will set the selector as follows:
 	// "namespaceSelector": {
 	//   "matchExpressions": [
 	//     {
 	//       "key": "environment",
 	//       "operator": "In",
 	//       "values": [
 	//         "prod",
 	//         "staging"
 	//       ]
 	//     }
 	//   ]
 	// }
 	//
 	// See
 	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 	// for more examples of label selectors.
 	//
 	// Default to the empty LabelSelector, which matches everything.
 	// +optional
 	namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt)
 	// ObjectSelector decides whether to run the webhook based on if the
 	// object has matching labels. objectSelector is evaluated against both
 	// the oldObject and newObject that would be sent to the webhook, and
 	// is considered to match if either object matches the selector. A null
 	// object (oldObject in the case of create, or newObject in the case of
 	// delete) or an object that cannot have labels (like a
 	// DeploymentRollback or a PodProxyOptions object) is not considered to
 	// match.
 	// Use the object selector only if the webhook is opt-in, because end
 	// users may skip the admission webhook by setting the labels.
 	// Default to the empty LabelSelector, which matches everything.
 	// +optional
 	objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(11,bytes,opt)
 	// SideEffects states whether this webhook has side effects.
 	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
 	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
 	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
 	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
 	// sideEffects == Unknown or Some.
 	sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass)
 	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
 	// the webhook call will be ignored or the API call will fail based on the
 	// failure policy.
 	// The timeout value must be between 1 and 30 seconds.
 	// Default to 10 seconds.
 	// +optional
 	timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt)
 	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
 	// versions the Webhook expects. API server will try to use first version in
 	// the list which it supports. If none of the versions specified in this list
 	// supported by API server, validation will fail for this object.
 	// If a persisted webhook configuration specifies allowed versions and does not
 	// include any versions known to the API Server, calls to the webhook will fail
 	// and be subject to the failure policy.
 	admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep)
 	// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
 	// Allowed values are "Never" and "IfNeeded".
 	//
 	// Never: the webhook will not be called more than once in a single admission evaluation.
 	//
 	// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
 	// if the object being admitted is modified by other admission plugins after the initial webhook call.
 	// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
 	// Note:
 	// * the number of additional invocations is not guaranteed to be exactly one.
 	// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
 	// * webhooks that use this option may be reordered to minimize the number of additional invocations.
 	// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
 	//
 	// Defaults to "Never".
 	// +optional
 	reinvocationPolicy?: null | #ReinvocationPolicyType @go(ReinvocationPolicy,*ReinvocationPolicyType) @protobuf(10,bytes,opt,casttype=ReinvocationPolicyType)
 	// MatchConditions is a list of conditions that must be met for a request to be sent to this
 	// webhook. Match conditions filter requests that have already been matched by the rules,
 	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
 	// There are a maximum of 64 match conditions allowed.
 	//
 	// The exact matching logic is (in order):
 	//   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
 	//   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
 	//   3. If any matchCondition evaluates to an error (but none are FALSE):
 	//      - If failurePolicy=Fail, reject the request
 	//      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
 	//
 	// This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate.
 	//
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=name
 	// +featureGate=AdmissionWebhookMatchConditions
 	// +optional
 	matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(12,bytes,opt)
 }
 // ReinvocationPolicyType specifies what type of policy the admission hook uses.
 // +enum
 #ReinvocationPolicyType: string // #enumReinvocationPolicyType
 #enumReinvocationPolicyType:
 	#NeverReinvocationPolicy |
 	#IfNeededReinvocationPolicy
 // NeverReinvocationPolicy indicates that the webhook must not be called more than once in a
 // single admission evaluation.
 #NeverReinvocationPolicy: #ReinvocationPolicyType & "Never"
 // IfNeededReinvocationPolicy indicates that the webhook may be called at least one
 // additional time as part of the admission evaluation if the object being admitted is
 // modified by other admission plugins after the initial webhook call.
 #IfNeededReinvocationPolicy: #ReinvocationPolicyType & "IfNeeded"
 // RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
 // sure that all the tuple expansions are valid.
 #RuleWithOperations: {
 	// Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
 	// for all of those operations and any future admission operations that are added.
 	// If '*' is present, the length of the slice must be one.
 	// Required.
 	// +listType=atomic
 	operations?: [...#OperationType] @go(Operations,[]OperationType) @protobuf(1,bytes,rep,casttype=OperationType)
 	#Rule
 }
 // OperationType specifies an operation for a request.
 // +enum
 #OperationType: string // #enumOperationType
 #enumOperationType:
 	#OperationAll |
 	#Create |
 	#Update |
 	#Delete |
 	#Connect
 #OperationAll: #OperationType & "*"
 #Create:       #OperationType & "CREATE"
 #Update:       #OperationType & "UPDATE"
 #Delete:       #OperationType & "DELETE"
 #Connect:      #OperationType & "CONNECT"
 // WebhookClientConfig contains the information to make a TLS
 // connection with the webhook
 #WebhookClientConfig: {
 	// `url` gives the location of the webhook, in standard URL form
 	// (`scheme://host:port/path`). Exactly one of `url` or `service`
 	// must be specified.
 	//
 	// The `host` should not refer to a service running in the cluster; use
 	// the `service` field instead. The host might be resolved via external
 	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
 	// in-cluster DNS as that would be a layering violation). `host` may
 	// also be an IP address.
 	//
 	// Please note that using `localhost` or `127.0.0.1` as a `host` is
 	// risky unless you take great care to run this webhook on all hosts
 	// which run an apiserver which might need to make calls to this
 	// webhook. Such installs are likely to be non-portable, i.e., not easy
 	// to turn up in a new cluster.
 	//
 	// The scheme must be "https"; the URL must begin with "https://".
 	//
 	// A path is optional, and if present may be any string permissible in
 	// a URL. You may use the path to pass an arbitrary string to the
 	// webhook, for example, a cluster identifier.
 	//
 	// Attempting to use a user or basic auth e.g. "user:password@" is not
 	// allowed. Fragments ("#...") and query parameters ("?...") are not
 	// allowed, either.
 	//
 	// +optional
 	url?: null | string @go(URL,*string) @protobuf(3,bytes,opt)
 	// `service` is a reference to the service for this webhook. Either
 	// `service` or `url` must be specified.
 	//
 	// If the webhook is running within the cluster, then you should use `service`.
 	//
 	// +optional
 	service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt)
 	// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
 	// If unspecified, system trust roots on the apiserver are used.
 	// +optional
 	caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt)
 }
 // ServiceReference holds a reference to Service.legacy.k8s.io
 #ServiceReference: {
 	// `namespace` is the namespace of the service.
 	// Required
 	namespace: string @go(Namespace) @protobuf(1,bytes,opt)
 	// `name` is the name of the service.
 	// Required
 	name: string @go(Name) @protobuf(2,bytes,opt)
 	// `path` is an optional URL path which will be sent in any request to
 	// this service.
 	// +optional
 	path?: null | string @go(Path,*string) @protobuf(3,bytes,opt)
 	// If specified, the port on the service that hosting webhook.
 	// Default to 443 for backward compatibility.
 	// `port` should be a valid port number (1-65535, inclusive).
 	// +optional
 	port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt)
 }
 // MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
 #MatchCondition: {
 	// Name is an identifier for this match condition, used for strategic merging of MatchConditions,
 	// as well as providing an identifier for logging purposes. A good name should be descriptive of
 	// the associated expression.
 	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
 	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
 	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
 	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
 	//
 	// Required.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
 	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
 	//
 	// 'object' - The object from the incoming request. The value is null for DELETE requests.
 	// 'oldObject' - The existing object. The value is null for CREATE requests.
 	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
 	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
 	//   See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
 	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
 	//   request resource.
 	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
 	//
 	// Required.
 	expression: string @go(Expression) @protobuf(2,bytes,opt)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/apps/v1
 package v1
 #GroupName: "apps"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue

@@ -0,0 +1,946 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/apps/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 #ControllerRevisionHashLabelKey: "controller-revision-hash"
 #StatefulSetRevisionLabel:       "controller-revision-hash"
 #DeprecatedRollbackTo:           "deprecated.deployment.rollback.to"
 #DeprecatedTemplateGeneration:   "deprecated.daemonset.template.generation"
 #StatefulSetPodNameLabel:        "statefulset.kubernetes.io/pod-name"
 #PodIndexLabel:                  "apps.kubernetes.io/pod-index"
 // StatefulSet represents a set of pods with consistent identities.
 // Identities are defined as:
 //   - Network: A single stable DNS and hostname.
 //   - Storage: As many VolumeClaims as requested.
 //
 // The StatefulSet guarantees that a given network identity will always
 // map to the same storage identity.
 #StatefulSet: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec defines the desired identities of pods in this set.
 	// +optional
 	spec?: #StatefulSetSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Status is the current status of Pods in this StatefulSet. This data
 	// may be out of date by some window of time.
 	// +optional
 	status?: #StatefulSetStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // PodManagementPolicyType defines the policy for creating pods under a stateful set.
 // +enum
 #PodManagementPolicyType: string // #enumPodManagementPolicyType
 #enumPodManagementPolicyType:
 	#OrderedReadyPodManagement |
 	#ParallelPodManagement
 // OrderedReadyPodManagement will create pods in strictly increasing order on
 // scale up and strictly decreasing order on scale down, progressing only when
 // the previous pod is ready or terminated. At most one pod will be changed
 // at any time.
 #OrderedReadyPodManagement: #PodManagementPolicyType & "OrderedReady"
 // ParallelPodManagement will create and delete pods as soon as the stateful set
 // replica count is changed, and will not wait for pods to be ready or complete
 // termination.
 #ParallelPodManagement: #PodManagementPolicyType & "Parallel"
 // StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
 // controller will use to perform updates. It includes any additional parameters
 // necessary to perform the update for the indicated strategy.
 #StatefulSetUpdateStrategy: {
 	// Type indicates the type of the StatefulSetUpdateStrategy.
 	// Default is RollingUpdate.
 	// +optional
 	type?: #StatefulSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetStrategyType)
 	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
 	// +optional
 	rollingUpdate?: null | #RollingUpdateStatefulSetStrategy @go(RollingUpdate,*RollingUpdateStatefulSetStrategy) @protobuf(2,bytes,opt)
 }
 // StatefulSetUpdateStrategyType is a string enumeration type that enumerates
 // all possible update strategies for the StatefulSet controller.
 // +enum
 #StatefulSetUpdateStrategyType: string // #enumStatefulSetUpdateStrategyType
 #enumStatefulSetUpdateStrategyType:
 	#RollingUpdateStatefulSetStrategyType |
 	#OnDeleteStatefulSetStrategyType
 // RollingUpdateStatefulSetStrategyType indicates that update will be
 // applied to all Pods in the StatefulSet with respect to the StatefulSet
 // ordering constraints. When a scale operation is performed with this
 // strategy, new Pods will be created from the specification version indicated
 // by the StatefulSet's updateRevision.
 #RollingUpdateStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "RollingUpdate"
 // OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version
 // tracking and ordered rolling restarts are disabled. Pods are recreated
 // from the StatefulSetSpec when they are manually deleted. When a scale
 // operation is performed with this strategy,specification version indicated
 // by the StatefulSet's currentRevision.
 #OnDeleteStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "OnDelete"
 // RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
 #RollingUpdateStatefulSetStrategy: {
 	// Partition indicates the ordinal at which the StatefulSet should be partitioned
 	// for updates. During a rolling update, all pods from ordinal Replicas-1 to
 	// Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched.
 	// This is helpful in being able to do a canary based deployment. The default value is 0.
 	// +optional
 	partition?: null | int32 @go(Partition,*int32) @protobuf(1,varint,opt)
 	// The maximum number of pods that can be unavailable during the update.
 	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
 	// Absolute number is calculated from percentage by rounding up. This can not be 0.
 	// Defaults to 1. This field is alpha-level and is only honored by servers that enable the
 	// MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
 	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
 	// will be counted towards MaxUnavailable.
 	// +optional
 	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(2,varint,opt)
 }
 // PersistentVolumeClaimRetentionPolicyType is a string enumeration of the policies that will determine
 // when volumes from the VolumeClaimTemplates will be deleted when the controlling StatefulSet is
 // deleted or scaled down.
 #PersistentVolumeClaimRetentionPolicyType: string // #enumPersistentVolumeClaimRetentionPolicyType
 #enumPersistentVolumeClaimRetentionPolicyType:
 	#RetainPersistentVolumeClaimRetentionPolicyType |
 	#DeletePersistentVolumeClaimRetentionPolicyType
 // RetainPersistentVolumeClaimRetentionPolicyType is the default
 // PersistentVolumeClaimRetentionPolicy and specifies that
 // PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
 // will not be deleted.
 #RetainPersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Retain"
 // RetentionPersistentVolumeClaimRetentionPolicyType specifies that
 // PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
 // will be deleted in the scenario specified in
 // StatefulSetPersistentVolumeClaimRetentionPolicy.
 #DeletePersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Delete"
 // StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
 // created from the StatefulSet VolumeClaimTemplates.
 #StatefulSetPersistentVolumeClaimRetentionPolicy: {
 	// WhenDeleted specifies what happens to PVCs created from StatefulSet
 	// VolumeClaimTemplates when the StatefulSet is deleted. The default policy
 	// of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
 	// `Delete` policy causes those PVCs to be deleted.
 	whenDeleted?: #PersistentVolumeClaimRetentionPolicyType @go(WhenDeleted) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
 	// WhenScaled specifies what happens to PVCs created from StatefulSet
 	// VolumeClaimTemplates when the StatefulSet is scaled down. The default
 	// policy of `Retain` causes PVCs to not be affected by a scaledown. The
 	// `Delete` policy causes the associated PVCs for any excess pods above
 	// the replica count to be deleted.
 	whenScaled?: #PersistentVolumeClaimRetentionPolicyType @go(WhenScaled) @protobuf(2,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
 }
 // StatefulSetOrdinals describes the policy used for replica ordinal assignment
 // in this StatefulSet.
 #StatefulSetOrdinals: {
 	// start is the number representing the first replica's index. It may be used
 	// to number replicas from an alternate index (eg: 1-indexed) over the default
 	// 0-indexed names, or to orchestrate progressive movement of replicas from
 	// one StatefulSet to another.
 	// If set, replica indices will be in the range:
 	//   [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).
 	// If unset, defaults to 0. Replica indices will be in the range:
 	//   [0, .spec.replicas).
 	// +optional
 	start: int32 @go(Start) @protobuf(1,varint,opt)
 }
 // A StatefulSetSpec is the specification of a StatefulSet.
 #StatefulSetSpec: {
 	// replicas is the desired number of replicas of the given Template.
 	// These are replicas in the sense that they are instantiations of the
 	// same Template, but individual replicas also have a consistent identity.
 	// If unspecified, defaults to 1.
 	// TODO: Consider a rename of this field.
 	// +optional
 	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
 	// selector is a label query over pods that should match the replica count.
 	// It must match the pod template's labels.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
 	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
 	// template is the object that describes the pod that will be created if
 	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
 	// will fulfill this Template, but have a unique identity from the rest
 	// of the StatefulSet. Each pod will be named with the format
 	// <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named
 	// "web" with index number "3" would be named "web-3".
 	// The only allowed template.spec.restartPolicy value is "Always".
 	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
 	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
 	// The StatefulSet controller is responsible for mapping network identities to
 	// claims in a way that maintains the identity of a pod. Every claim in
 	// this list must have at least one matching (by name) volumeMount in one
 	// container in the template. A claim in this list takes precedence over
 	// any volumes in the template, with the same name.
 	// TODO: Define the behavior if a claim already exists with the same name.
 	// +optional
 	volumeClaimTemplates?: [...v1.#PersistentVolumeClaim] @go(VolumeClaimTemplates,[]v1.PersistentVolumeClaim) @protobuf(4,bytes,rep)
 	// serviceName is the name of the service that governs this StatefulSet.
 	// This service must exist before the StatefulSet, and is responsible for
 	// the network identity of the set. Pods get DNS/hostnames that follow the
 	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
 	// where "pod-specific-string" is managed by the StatefulSet controller.
 	serviceName: string @go(ServiceName) @protobuf(5,bytes,opt)
 	// podManagementPolicy controls how pods are created during initial scale up,
 	// when replacing pods on nodes, or when scaling down. The default policy is
 	// `OrderedReady`, where pods are created in increasing order (pod-0, then
 	// pod-1, etc) and the controller will wait until each pod is ready before
 	// continuing. When scaling down, the pods are removed in the opposite order.
 	// The alternative policy is `Parallel` which will create pods in parallel
 	// to match the desired scale without waiting, and on scale down will delete
 	// all pods at once.
 	// +optional
 	podManagementPolicy?: #PodManagementPolicyType @go(PodManagementPolicy) @protobuf(6,bytes,opt,casttype=PodManagementPolicyType)
 	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
 	// employed to update Pods in the StatefulSet when a revision is made to
 	// Template.
 	updateStrategy?: #StatefulSetUpdateStrategy @go(UpdateStrategy) @protobuf(7,bytes,opt)
 	// revisionHistoryLimit is the maximum number of revisions that will
 	// be maintained in the StatefulSet's revision history. The revision history
 	// consists of all revisions not represented by a currently applied
 	// StatefulSetSpec version. The default value is 10.
 	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(8,varint,opt)
 	// Minimum number of seconds for which a newly created pod should be ready
 	// without any of its container crashing for it to be considered available.
 	// Defaults to 0 (pod will be considered available as soon as it is ready)
 	// +optional
 	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(9,varint,opt)
 	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
 	// volume claims created from volumeClaimTemplates. By default, all persistent
 	// volume claims are created as needed and retained until manually deleted. This
 	// policy allows the lifecycle to be altered, for example by deleting persistent
 	// volume claims when their stateful set is deleted, or when their pod is scaled
 	// down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled,
 	// which is alpha.  +optional
 	persistentVolumeClaimRetentionPolicy?: null | #StatefulSetPersistentVolumeClaimRetentionPolicy @go(PersistentVolumeClaimRetentionPolicy,*StatefulSetPersistentVolumeClaimRetentionPolicy) @protobuf(10,bytes,opt)
 	// ordinals controls the numbering of replica indices in a StatefulSet. The
 	// default ordinals behavior assigns a "0" index to the first replica and
 	// increments the index by one for each additional replica requested. Using
 	// the ordinals field requires the StatefulSetStartOrdinal feature gate to be
 	// enabled, which is beta.
 	// +optional
 	ordinals?: null | #StatefulSetOrdinals @go(Ordinals,*StatefulSetOrdinals) @protobuf(11,bytes,opt)
 }
 // StatefulSetStatus represents the current state of a StatefulSet.
 #StatefulSetStatus: {
 	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
 	// StatefulSet's generation, which is updated on mutation by the API Server.
 	// +optional
 	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
 	// replicas is the number of Pods created by the StatefulSet controller.
 	replicas: int32 @go(Replicas) @protobuf(2,varint,opt)
 	// readyReplicas is the number of pods created for this StatefulSet with a Ready Condition.
 	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(3,varint,opt)
 	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
 	// indicated by currentRevision.
 	currentReplicas?: int32 @go(CurrentReplicas) @protobuf(4,varint,opt)
 	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
 	// indicated by updateRevision.
 	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(5,varint,opt)
 	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
 	// sequence [0,currentReplicas).
 	currentRevision?: string @go(CurrentRevision) @protobuf(6,bytes,opt)
 	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
 	// [replicas-updatedReplicas,replicas)
 	updateRevision?: string @go(UpdateRevision) @protobuf(7,bytes,opt)
 	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
 	// uses this field as a collision avoidance mechanism when it needs to create the name for the
 	// newest ControllerRevision.
 	// +optional
 	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
 	// Represents the latest available observations of a statefulset's current state.
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	conditions?: [...#StatefulSetCondition] @go(Conditions,[]StatefulSetCondition) @protobuf(10,bytes,rep)
 	// Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.
 	// +optional
 	availableReplicas: int32 @go(AvailableReplicas) @protobuf(11,varint,opt)
 }
 #StatefulSetConditionType: string
 // StatefulSetCondition describes the state of a statefulset at a certain point.
 #StatefulSetCondition: {
 	// Type of statefulset condition.
 	type: #StatefulSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetConditionType)
 	// Status of the condition, one of True, False, Unknown.
 	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
 	// Last time the condition transitioned from one status to another.
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
 	// The reason for the condition's last transition.
 	// +optional
 	reason?: string @go(Reason) @protobuf(4,bytes,opt)
 	// A human readable message indicating details about the transition.
 	// +optional
 	message?: string @go(Message) @protobuf(5,bytes,opt)
 }
 // StatefulSetList is a collection of StatefulSets.
 #StatefulSetList: {
 	metav1.#TypeMeta
 	// Standard list's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is the list of stateful sets.
 	items: [...#StatefulSet] @go(Items,[]StatefulSet) @protobuf(2,bytes,rep)
 }
 // Deployment enables declarative updates for Pods and ReplicaSets.
 #Deployment: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Specification of the desired behavior of the Deployment.
 	// +optional
 	spec?: #DeploymentSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Most recently observed status of the Deployment.
 	// +optional
 	status?: #DeploymentStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // DeploymentSpec is the specification of the desired behavior of the Deployment.
 #DeploymentSpec: {
 	// Number of desired pods. This is a pointer to distinguish between explicit
 	// zero and not specified. Defaults to 1.
 	// +optional
 	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
 	// Label selector for pods. Existing ReplicaSets whose pods are
 	// selected by this will be the ones affected by this deployment.
 	// It must match the pod template's labels.
 	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
 	// Template describes the pods that will be created.
 	// The only allowed template.spec.restartPolicy value is "Always".
 	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
 	// The deployment strategy to use to replace existing pods with new ones.
 	// +optional
 	// +patchStrategy=retainKeys
 	strategy?: #DeploymentStrategy @go(Strategy) @protobuf(4,bytes,opt)
 	// Minimum number of seconds for which a newly created pod should be ready
 	// without any of its container crashing, for it to be considered available.
 	// Defaults to 0 (pod will be considered available as soon as it is ready)
 	// +optional
 	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(5,varint,opt)
 	// The number of old ReplicaSets to retain to allow rollback.
 	// This is a pointer to distinguish between explicit zero and not specified.
 	// Defaults to 10.
 	// +optional
 	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
 	// Indicates that the deployment is paused.
 	// +optional
 	paused?: bool @go(Paused) @protobuf(7,varint,opt)
 	// The maximum time in seconds for a deployment to make progress before it
 	// is considered to be failed. The deployment controller will continue to
 	// process failed deployments and a condition with a ProgressDeadlineExceeded
 	// reason will be surfaced in the deployment status. Note that progress will
 	// not be estimated during the time a deployment is paused. Defaults to 600s.
 	progressDeadlineSeconds?: null | int32 @go(ProgressDeadlineSeconds,*int32) @protobuf(9,varint,opt)
 }
 // DefaultDeploymentUniqueLabelKey is the default key of the selector that is added
 // to existing ReplicaSets (and label key that is added to its pods) to prevent the existing ReplicaSets
 // to select new pods (and old pods being select by new ReplicaSet).
 #DefaultDeploymentUniqueLabelKey: "pod-template-hash"
 // DeploymentStrategy describes how to replace existing pods with new ones.
 #DeploymentStrategy: {
 	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
 	// +optional
 	type?: #DeploymentStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentStrategyType)
 	// Rolling update config params. Present only if DeploymentStrategyType =
 	// RollingUpdate.
 	//---
 	// TODO: Update this to follow our convention for oneOf, whatever we decide it
 	// to be.
 	// +optional
 	rollingUpdate?: null | #RollingUpdateDeployment @go(RollingUpdate,*RollingUpdateDeployment) @protobuf(2,bytes,opt)
 }
 // +enum
 #DeploymentStrategyType: string // #enumDeploymentStrategyType
 #enumDeploymentStrategyType:
 	#RecreateDeploymentStrategyType |
 	#RollingUpdateDeploymentStrategyType
 // Kill all existing pods before creating new ones.
 #RecreateDeploymentStrategyType: #DeploymentStrategyType & "Recreate"
 // Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one.
 #RollingUpdateDeploymentStrategyType: #DeploymentStrategyType & "RollingUpdate"
 // Spec to control the desired behavior of rolling update.
 #RollingUpdateDeployment: {
 	// The maximum number of pods that can be unavailable during the update.
 	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
 	// Absolute number is calculated from percentage by rounding down.
 	// This can not be 0 if MaxSurge is 0.
 	// Defaults to 25%.
 	// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
 	// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
 	// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
 	// that the total number of pods available at all times during the update is at
 	// least 70% of desired pods.
 	// +optional
 	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
 	// The maximum number of pods that can be scheduled above the desired number of
 	// pods.
 	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
 	// This can not be 0 if MaxUnavailable is 0.
 	// Absolute number is calculated from percentage by rounding up.
 	// Defaults to 25%.
 	// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
 	// the rolling update starts, such that the total number of old and new pods do not exceed
 	// 130% of desired pods. Once old pods have been killed,
 	// new ReplicaSet can be scaled up further, ensuring that total number of pods running
 	// at any time during the update is at most 130% of desired pods.
 	// +optional
 	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
 }
 // DeploymentStatus is the most recently observed status of the Deployment.
 #DeploymentStatus: {
 	// The generation observed by the deployment controller.
 	// +optional
 	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
 	// Total number of non-terminated pods targeted by this deployment (their labels match the selector).
 	// +optional
 	replicas?: int32 @go(Replicas) @protobuf(2,varint,opt)
 	// Total number of non-terminated pods targeted by this deployment that have the desired template spec.
 	// +optional
 	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(3,varint,opt)
 	// readyReplicas is the number of pods targeted by this Deployment with a Ready Condition.
 	// +optional
 	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(7,varint,opt)
 	// Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
 	// +optional
 	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(4,varint,opt)
 	// Total number of unavailable pods targeted by this deployment. This is the total number of
 	// pods that are still required for the deployment to have 100% available capacity. They may
 	// either be pods that are running but not yet available or pods that still have not been created.
 	// +optional
 	unavailableReplicas?: int32 @go(UnavailableReplicas) @protobuf(5,varint,opt)
 	// Represents the latest available observations of a deployment's current state.
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	conditions?: [...#DeploymentCondition] @go(Conditions,[]DeploymentCondition) @protobuf(6,bytes,rep)
 	// Count of hash collisions for the Deployment. The Deployment controller uses this
 	// field as a collision avoidance mechanism when it needs to create the name for the
 	// newest ReplicaSet.
 	// +optional
 	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(8,varint,opt)
 }
 #DeploymentConditionType: string // #enumDeploymentConditionType
 #enumDeploymentConditionType:
 	#DeploymentAvailable |
 	#DeploymentProgressing |
 	#DeploymentReplicaFailure
 // Available means the deployment is available, ie. at least the minimum available
 // replicas required are up and running for at least minReadySeconds.
 #DeploymentAvailable: #DeploymentConditionType & "Available"
 // Progressing means the deployment is progressing. Progress for a deployment is
 // considered when a new replica set is created or adopted, and when new pods scale
 // up or old pods scale down. Progress is not estimated for paused deployments or
 // when progressDeadlineSeconds is not specified.
 #DeploymentProgressing: #DeploymentConditionType & "Progressing"
 // ReplicaFailure is added in a deployment when one of its pods fails to be created
 // or deleted.
 #DeploymentReplicaFailure: #DeploymentConditionType & "ReplicaFailure"
 // DeploymentCondition describes the state of a deployment at a certain point.
 #DeploymentCondition: {
 	// Type of deployment condition.
 	type: #DeploymentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentConditionType)
 	// Status of the condition, one of True, False, Unknown.
 	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
 	// The last time this condition was updated.
 	lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(6,bytes,opt)
 	// Last time the condition transitioned from one status to another.
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(7,bytes,opt)
 	// The reason for the condition's last transition.
 	reason?: string @go(Reason) @protobuf(4,bytes,opt)
 	// A human readable message indicating details about the transition.
 	message?: string @go(Message) @protobuf(5,bytes,opt)
 }
 // DeploymentList is a list of Deployments.
 #DeploymentList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is the list of Deployments.
 	items: [...#Deployment] @go(Items,[]Deployment) @protobuf(2,bytes,rep)
 }
 // DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
 #DaemonSetUpdateStrategy: {
 	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
 	// +optional
 	type?: #DaemonSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt)
 	// Rolling update config params. Present only if type = "RollingUpdate".
 	//---
 	// TODO: Update this to follow our convention for oneOf, whatever we decide it
 	// to be. Same as Deployment `strategy.rollingUpdate`.
 	// See https://github.com/kubernetes/kubernetes/issues/35345
 	// +optional
 	rollingUpdate?: null | #RollingUpdateDaemonSet @go(RollingUpdate,*RollingUpdateDaemonSet) @protobuf(2,bytes,opt)
 }
 // +enum
 #DaemonSetUpdateStrategyType: string // #enumDaemonSetUpdateStrategyType
 #enumDaemonSetUpdateStrategyType:
 	#RollingUpdateDaemonSetStrategyType |
 	#OnDeleteDaemonSetStrategyType
 // Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.
 #RollingUpdateDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "RollingUpdate"
 // Replace the old daemons only when it's killed
 #OnDeleteDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "OnDelete"
 // Spec to control the desired behavior of daemon set rolling update.
 #RollingUpdateDaemonSet: {
 	// The maximum number of DaemonSet pods that can be unavailable during the
 	// update. Value can be an absolute number (ex: 5) or a percentage of total
 	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
 	// number is calculated from percentage by rounding up.
 	// This cannot be 0 if MaxSurge is 0
 	// Default value is 1.
 	// Example: when this is set to 30%, at most 30% of the total number of nodes
 	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
 	// can have their pods stopped for an update at any given time. The update
 	// starts by stopping at most 30% of those DaemonSet pods and then brings
 	// up new DaemonSet pods in their place. Once the new pods are available,
 	// it then proceeds onto other DaemonSet pods, thus ensuring that at least
 	// 70% of original number of DaemonSet pods are available at all times during
 	// the update.
 	// +optional
 	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
 	// The maximum number of nodes with an existing available DaemonSet pod that
 	// can have an updated DaemonSet pod during during an update.
 	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
 	// This can not be 0 if MaxUnavailable is 0.
 	// Absolute number is calculated from percentage by rounding up to a minimum of 1.
 	// Default value is 0.
 	// Example: when this is set to 30%, at most 30% of the total number of nodes
 	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
 	// can have their a new pod created before the old pod is marked as deleted.
 	// The update starts by launching new pods on 30% of nodes. Once an updated
 	// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
 	// on that node is marked deleted. If the old pod becomes unavailable for any
 	// reason (Ready transitions to false, is evicted, or is drained) an updated
 	// pod is immediatedly created on that node without considering surge limits.
 	// Allowing surge implies the possibility that the resources consumed by the
 	// daemonset on any given node can double if the readiness check fails, and
 	// so resource intensive daemonsets should take into account that they may
 	// cause evictions during disruption.
 	// +optional
 	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
 }
 // DaemonSetSpec is the specification of a daemon set.
 #DaemonSetSpec: {
 	// A label query over pods that are managed by the daemon set.
 	// Must match in order to be controlled.
 	// It must match the pod template's labels.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
 	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
 	// An object that describes the pod that will be created.
 	// The DaemonSet will create exactly one copy of this pod on every node
 	// that matches the template's node selector (or on every node if no node
 	// selector is specified).
 	// The only allowed template.spec.restartPolicy value is "Always".
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
 	template: v1.#PodTemplateSpec @go(Template) @protobuf(2,bytes,opt)
 	// An update strategy to replace existing DaemonSet pods with new pods.
 	// +optional
 	updateStrategy?: #DaemonSetUpdateStrategy @go(UpdateStrategy) @protobuf(3,bytes,opt)
 	// The minimum number of seconds for which a newly created DaemonSet pod should
 	// be ready without any of its container crashing, for it to be considered
 	// available. Defaults to 0 (pod will be considered available as soon as it
 	// is ready).
 	// +optional
 	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
 	// The number of old history to retain to allow rollback.
 	// This is a pointer to distinguish between explicit zero and not specified.
 	// Defaults to 10.
 	// +optional
 	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
 }
 // DaemonSetStatus represents the current status of a daemon set.
 #DaemonSetStatus: {
 	// The number of nodes that are running at least 1
 	// daemon pod and are supposed to run the daemon pod.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
 	currentNumberScheduled: int32 @go(CurrentNumberScheduled) @protobuf(1,varint,opt)
 	// The number of nodes that are running the daemon pod, but are
 	// not supposed to run the daemon pod.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
 	numberMisscheduled: int32 @go(NumberMisscheduled) @protobuf(2,varint,opt)
 	// The total number of nodes that should be running the daemon
 	// pod (including nodes correctly running the daemon pod).
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
 	desiredNumberScheduled: int32 @go(DesiredNumberScheduled) @protobuf(3,varint,opt)
 	// numberReady is the number of nodes that should be running the daemon pod and have one
 	// or more of the daemon pod running with a Ready Condition.
 	numberReady: int32 @go(NumberReady) @protobuf(4,varint,opt)
 	// The most recent generation observed by the daemon set controller.
 	// +optional
 	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(5,varint,opt)
 	// The total number of nodes that are running updated daemon pod
 	// +optional
 	updatedNumberScheduled?: int32 @go(UpdatedNumberScheduled) @protobuf(6,varint,opt)
 	// The number of nodes that should be running the
 	// daemon pod and have one or more of the daemon pod running and
 	// available (ready for at least spec.minReadySeconds)
 	// +optional
 	numberAvailable?: int32 @go(NumberAvailable) @protobuf(7,varint,opt)
 	// The number of nodes that should be running the
 	// daemon pod and have none of the daemon pod running and available
 	// (ready for at least spec.minReadySeconds)
 	// +optional
 	numberUnavailable?: int32 @go(NumberUnavailable) @protobuf(8,varint,opt)
 	// Count of hash collisions for the DaemonSet. The DaemonSet controller
 	// uses this field as a collision avoidance mechanism when it needs to
 	// create the name for the newest ControllerRevision.
 	// +optional
 	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
 	// Represents the latest available observations of a DaemonSet's current state.
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	conditions?: [...#DaemonSetCondition] @go(Conditions,[]DaemonSetCondition) @protobuf(10,bytes,rep)
 }
 #DaemonSetConditionType: string
 // DaemonSetCondition describes the state of a DaemonSet at a certain point.
 #DaemonSetCondition: {
 	// Type of DaemonSet condition.
 	type: #DaemonSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DaemonSetConditionType)
 	// Status of the condition, one of True, False, Unknown.
 	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
 	// Last time the condition transitioned from one status to another.
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
 	// The reason for the condition's last transition.
 	// +optional
 	reason?: string @go(Reason) @protobuf(4,bytes,opt)
 	// A human readable message indicating details about the transition.
 	// +optional
 	message?: string @go(Message) @protobuf(5,bytes,opt)
 }
 // DaemonSet represents the configuration of a daemon set.
 #DaemonSet: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// The desired behavior of this daemon set.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #DaemonSetSpec @go(Spec) @protobuf(2,bytes,opt)
 	// The current status of this daemon set. This data may be
 	// out of date by some window of time.
 	// Populated by the system.
 	// Read-only.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: #DaemonSetStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // DefaultDaemonSetUniqueLabelKey is the default label key that is added
 // to existing DaemonSet pods to distinguish between old and new
 // DaemonSet pods during DaemonSet template updates.
 #DefaultDaemonSetUniqueLabelKey: "controller-revision-hash"
 // DaemonSetList is a collection of daemon sets.
 #DaemonSetList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// A list of daemon sets.
 	items: [...#DaemonSet] @go(Items,[]DaemonSet) @protobuf(2,bytes,rep)
 }
 // ReplicaSet ensures that a specified number of pod replicas are running at any given time.
 #ReplicaSet: {
 	metav1.#TypeMeta
 	// If the Labels of a ReplicaSet are empty, they are defaulted to
 	// be the same as the Pod(s) that the ReplicaSet manages.
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec defines the specification of the desired behavior of the ReplicaSet.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #ReplicaSetSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Status is the most recently observed status of the ReplicaSet.
 	// This data may be out of date by some window of time.
 	// Populated by the system.
 	// Read-only.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: #ReplicaSetStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // ReplicaSetList is a collection of ReplicaSets.
 #ReplicaSetList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of ReplicaSets.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
 	items: [...#ReplicaSet] @go(Items,[]ReplicaSet) @protobuf(2,bytes,rep)
 }
 // ReplicaSetSpec is the specification of a ReplicaSet.
 #ReplicaSetSpec: {
 	// Replicas is the number of desired replicas.
 	// This is a pointer to distinguish between explicit zero and unspecified.
 	// Defaults to 1.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
 	// +optional
 	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
 	// Minimum number of seconds for which a newly created pod should be ready
 	// without any of its container crashing, for it to be considered available.
 	// Defaults to 0 (pod will be considered available as soon as it is ready)
 	// +optional
 	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
 	// Selector is a label query over pods that should match the replica count.
 	// Label keys and values that must match in order to be controlled by this replica set.
 	// It must match the pod template's labels.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
 	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
 	// Template is the object that describes the pod that will be created if
 	// insufficient replicas are detected.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
 	// +optional
 	template?: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
 }
 // ReplicaSetStatus represents the current status of a ReplicaSet.
 #ReplicaSetStatus: {
 	// Replicas is the most recently observed number of replicas.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
 	replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
 	// The number of pods that have labels matching the labels of the pod template of the replicaset.
 	// +optional
 	fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt)
 	// readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition.
 	// +optional
 	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt)
 	// The number of available replicas (ready for at least minReadySeconds) for this replica set.
 	// +optional
 	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt)
 	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
 	// +optional
 	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt)
 	// Represents the latest available observations of a replica set's current state.
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	conditions?: [...#ReplicaSetCondition] @go(Conditions,[]ReplicaSetCondition) @protobuf(6,bytes,rep)
 }
 #ReplicaSetConditionType: string // #enumReplicaSetConditionType
 #enumReplicaSetConditionType:
 	#ReplicaSetReplicaFailure
 // ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created
 // due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted
 // due to kubelet being down or finalizers are failing.
 #ReplicaSetReplicaFailure: #ReplicaSetConditionType & "ReplicaFailure"
 // ReplicaSetCondition describes the state of a replica set at a certain point.
 #ReplicaSetCondition: {
 	// Type of replica set condition.
 	type: #ReplicaSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicaSetConditionType)
 	// Status of the condition, one of True, False, Unknown.
 	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
 	// The last time the condition transitioned from one status to another.
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
 	// The reason for the condition's last transition.
 	// +optional
 	reason?: string @go(Reason) @protobuf(4,bytes,opt)
 	// A human readable message indicating details about the transition.
 	// +optional
 	message?: string @go(Message) @protobuf(5,bytes,opt)
 }
 // ControllerRevision implements an immutable snapshot of state data. Clients
 // are responsible for serializing and deserializing the objects that contain
 // their internal state.
 // Once a ControllerRevision has been successfully created, it can not be updated.
 // The API Server will fail validation of all requests that attempt to mutate
 // the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
 // the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
 // it may be subject to name and representation changes in future releases, and clients should not
 // depend on its stability. It is primarily for internal use by controllers.
 #ControllerRevision: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Data is the serialized representation of the state.
 	data?: runtime.#RawExtension @go(Data) @protobuf(2,bytes,opt)
 	// Revision indicates the revision of the state represented by Data.
 	revision: int64 @go(Revision) @protobuf(3,varint,opt)
 }
 // ControllerRevisionList is a resource containing a list of ControllerRevision objects.
 #ControllerRevisionList: {
 	metav1.#TypeMeta
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is the list of ControllerRevisions
 	items: [...#ControllerRevision] @go(Items,[]ControllerRevision) @protobuf(2,bytes,rep)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/authentication/v1
 package v1
 #GroupName: "authentication.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue

@@ -0,0 +1,206 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/authentication/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
 // ImpersonateUserHeader is used to impersonate a particular user during an API server request
 #ImpersonateUserHeader: "Impersonate-User"
 // ImpersonateGroupHeader is used to impersonate a particular group during an API server request.
 // It can be repeated multiplied times for multiple groups.
 #ImpersonateGroupHeader: "Impersonate-Group"
 // ImpersonateUIDHeader is used to impersonate a particular UID during an API server request
 #ImpersonateUIDHeader: "Impersonate-Uid"
 // ImpersonateUserExtraHeaderPrefix is a prefix for any header used to impersonate an entry in the
 // extra map[string][]string for user.Info.  The key will be every after the prefix.
 // It can be repeated multiplied times for multiple map keys and the same key can be repeated multiple
 // times to have multiple elements in the slice under a single key
 #ImpersonateUserExtraHeaderPrefix: "Impersonate-Extra-"
 // TokenReview attempts to authenticate a token to a known user.
 // Note: TokenReview requests may be cached by the webhook token authenticator
 // plugin in the kube-apiserver.
 #TokenReview: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec holds information about the request being evaluated
 	spec: #TokenReviewSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Status is filled in by the server and indicates whether the request can be authenticated.
 	// +optional
 	status?: #TokenReviewStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // TokenReviewSpec is a description of the token authentication request.
 #TokenReviewSpec: {
 	// Token is the opaque bearer token.
 	// +optional
 	token?: string @go(Token) @protobuf(1,bytes,opt)
 	// Audiences is a list of the identifiers that the resource server presented
 	// with the token identifies as. Audience-aware token authenticators will
 	// verify that the token was intended for at least one of the audiences in
 	// this list. If no audiences are provided, the audience will default to the
 	// audience of the Kubernetes apiserver.
 	// +optional
 	audiences?: [...string] @go(Audiences,[]string) @protobuf(2,bytes,rep)
 }
 // TokenReviewStatus is the result of the token authentication request.
 #TokenReviewStatus: {
 	// Authenticated indicates that the token was associated with a known user.
 	// +optional
 	authenticated?: bool @go(Authenticated) @protobuf(1,varint,opt)
 	// User is the UserInfo associated with the provided token.
 	// +optional
 	user?: #UserInfo @go(User) @protobuf(2,bytes,opt)
 	// Audiences are audience identifiers chosen by the authenticator that are
 	// compatible with both the TokenReview and token. An identifier is any
 	// identifier in the intersection of the TokenReviewSpec audiences and the
 	// token's audiences. A client of the TokenReview API that sets the
 	// spec.audiences field should validate that a compatible audience identifier
 	// is returned in the status.audiences field to ensure that the TokenReview
 	// server is audience aware. If a TokenReview returns an empty
 	// status.audience field where status.authenticated is "true", the token is
 	// valid against the audience of the Kubernetes API server.
 	// +optional
 	audiences?: [...string] @go(Audiences,[]string) @protobuf(4,bytes,rep)
 	// Error indicates that the token couldn't be checked
 	// +optional
 	error?: string @go(Error) @protobuf(3,bytes,opt)
 }
 // UserInfo holds the information about the user needed to implement the
 // user.Info interface.
 #UserInfo: {
 	// The name that uniquely identifies this user among all active users.
 	// +optional
 	username?: string @go(Username) @protobuf(1,bytes,opt)
 	// A unique value that identifies this user across time. If this user is
 	// deleted and another user by the same name is added, they will have
 	// different UIDs.
 	// +optional
 	uid?: string @go(UID) @protobuf(2,bytes,opt)
 	// The names of groups this user is a part of.
 	// +optional
 	groups?: [...string] @go(Groups,[]string) @protobuf(3,bytes,rep)
 	// Any additional information provided by the authenticator.
 	// +optional
 	extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(4,bytes,rep)
 }
 // ExtraValue masks the value so protobuf can generate
 // +protobuf.nullable=true
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 #ExtraValue: [...string]
 // TokenRequest requests a token for a given service account.
 #TokenRequest: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec holds information about the request being evaluated
 	spec: #TokenRequestSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Status is filled in by the server and indicates whether the token can be authenticated.
 	// +optional
 	status?: #TokenRequestStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // TokenRequestSpec contains client provided parameters of a token request.
 #TokenRequestSpec: {
 	// Audiences are the intendend audiences of the token. A recipient of a
 	// token must identify themself with an identifier in the list of
 	// audiences of the token, and otherwise should reject the token. A
 	// token issued for multiple audiences may be used to authenticate
 	// against any of the audiences listed but implies a high degree of
 	// trust between the target audiences.
 	audiences: [...string] @go(Audiences,[]string) @protobuf(1,bytes,rep)
 	// ExpirationSeconds is the requested duration of validity of the request. The
 	// token issuer may return a token with a different validity duration so a
 	// client needs to check the 'expiration' field in a response.
 	// +optional
 	expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(4,varint,opt)
 	// BoundObjectRef is a reference to an object that the token will be bound to.
 	// The token will only be valid for as long as the bound object exists.
 	// NOTE: The API server's TokenReview endpoint will validate the
 	// BoundObjectRef, but other audiences may not. Keep ExpirationSeconds
 	// small if you want prompt revocation.
 	// +optional
 	boundObjectRef?: null | #BoundObjectReference @go(BoundObjectRef,*BoundObjectReference) @protobuf(3,bytes,opt)
 }
 // TokenRequestStatus is the result of a token request.
 #TokenRequestStatus: {
 	// Token is the opaque bearer token.
 	token: string @go(Token) @protobuf(1,bytes,opt)
 	// ExpirationTimestamp is the time of expiration of the returned token.
 	expirationTimestamp: metav1.#Time @go(ExpirationTimestamp) @protobuf(2,bytes,opt)
 }
 // BoundObjectReference is a reference to an object that a token is bound to.
 #BoundObjectReference: {
 	// Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
 	// +optional
 	kind?: string @go(Kind) @protobuf(1,bytes,opt)
 	// API version of the referent.
 	// +optional
 	apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt)
 	// Name of the referent.
 	// +optional
 	name?: string @go(Name) @protobuf(3,bytes,opt)
 	// UID of the referent.
 	// +optional
 	uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID)
 }
 // SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
 // When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or
 // request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
 #SelfSubjectReview: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Status is filled in by the server with the user attributes.
 	status?: #SelfSubjectReviewStatus @go(Status) @protobuf(2,bytes,opt)
 }
 // SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
 #SelfSubjectReviewStatus: {
 	// User attributes of the user making this request.
 	// +optional
 	userInfo?: #UserInfo @go(UserInfo) @protobuf(1,bytes,opt)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/authorization/v1
 package v1
 #GroupName: "authorization.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue

@@ -0,0 +1,262 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/authorization/v1
 package v1
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // SubjectAccessReview checks whether or not a user or group can perform an action.
 #SubjectAccessReview: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec holds information about the request being evaluated
 	spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Status is filled in by the server and indicates whether the request is allowed or not
 	// +optional
 	status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a
 // spec.namespace means "in all namespaces".  Self is a special case, because users should always be able
 // to check whether they can perform an action
 #SelfSubjectAccessReview: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec holds information about the request being evaluated.  user and groups must be empty
 	spec: #SelfSubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Status is filled in by the server and indicates whether the request is allowed or not
 	// +optional
 	status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
 // Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
 // checking.
 #LocalSubjectAccessReview: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace
 	// you made the request against.  If empty, it is defaulted.
 	spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Status is filled in by the server and indicates whether the request is allowed or not
 	// +optional
 	status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
 #ResourceAttributes: {
 	// Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces
 	// "" (empty) is defaulted for LocalSubjectAccessReviews
 	// "" (empty) is empty for cluster-scoped resources
 	// "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
 	// +optional
 	namespace?: string @go(Namespace) @protobuf(1,bytes,opt)
 	// Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.
 	// +optional
 	verb?: string @go(Verb) @protobuf(2,bytes,opt)
 	// Group is the API Group of the Resource.  "*" means all.
 	// +optional
 	group?: string @go(Group) @protobuf(3,bytes,opt)
 	// Version is the API Version of the Resource.  "*" means all.
 	// +optional
 	version?: string @go(Version) @protobuf(4,bytes,opt)
 	// Resource is one of the existing resource types.  "*" means all.
 	// +optional
 	resource?: string @go(Resource) @protobuf(5,bytes,opt)
 	// Subresource is one of the existing resource types.  "" means none.
 	// +optional
 	subresource?: string @go(Subresource) @protobuf(6,bytes,opt)
 	// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
 	// +optional
 	name?: string @go(Name) @protobuf(7,bytes,opt)
 }
 // NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
 #NonResourceAttributes: {
 	// Path is the URL path of the request
 	// +optional
 	path?: string @go(Path) @protobuf(1,bytes,opt)
 	// Verb is the standard HTTP verb
 	// +optional
 	verb?: string @go(Verb) @protobuf(2,bytes,opt)
 }
 // SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
 // and NonResourceAuthorizationAttributes must be set
 #SubjectAccessReviewSpec: {
 	// ResourceAuthorizationAttributes describes information for a resource access request
 	// +optional
 	resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt)
 	// NonResourceAttributes describes information for a non-resource access request
 	// +optional
 	nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt)
 	// User is the user you're testing for.
 	// If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups
 	// +optional
 	user?: string @go(User) @protobuf(3,bytes,opt)
 	// Groups is the groups you're testing for.
 	// +optional
 	groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep)
 	// Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer
 	// it needs a reflection here.
 	// +optional
 	extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(5,bytes,rep)
 	// UID information about the requesting user.
 	// +optional
 	uid?: string @go(UID) @protobuf(6,bytes,opt)
 }
 // ExtraValue masks the value so protobuf can generate
 // +protobuf.nullable=true
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 #ExtraValue: [...string]
 // SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
 // and NonResourceAuthorizationAttributes must be set
 #SelfSubjectAccessReviewSpec: {
 	// ResourceAuthorizationAttributes describes information for a resource access request
 	// +optional
 	resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt)
 	// NonResourceAttributes describes information for a non-resource access request
 	// +optional
 	nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt)
 }
 // SubjectAccessReviewStatus
 #SubjectAccessReviewStatus: {
 	// Allowed is required. True if the action would be allowed, false otherwise.
 	allowed: bool @go(Allowed) @protobuf(1,varint,opt)
 	// Denied is optional. True if the action would be denied, otherwise
 	// false. If both allowed is false and denied is false, then the
 	// authorizer has no opinion on whether to authorize the action. Denied
 	// may not be true if Allowed is true.
 	// +optional
 	denied?: bool @go(Denied) @protobuf(4,varint,opt)
 	// Reason is optional.  It indicates why a request was allowed or denied.
 	// +optional
 	reason?: string @go(Reason) @protobuf(2,bytes,opt)
 	// EvaluationError is an indication that some error occurred during the authorization check.
 	// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
 	// For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
 	// +optional
 	evaluationError?: string @go(EvaluationError) @protobuf(3,bytes,opt)
 }
 // SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
 // The returned list of actions may be incomplete depending on the server's authorization mode,
 // and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
 // or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
 // drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
 // SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
 #SelfSubjectRulesReview: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec holds information about the request being evaluated.
 	spec: #SelfSubjectRulesReviewSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Status is filled in by the server and indicates the set of actions a user can perform.
 	// +optional
 	status?: #SubjectRulesReviewStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.
 #SelfSubjectRulesReviewSpec: {
 	// Namespace to evaluate rules for. Required.
 	namespace?: string @go(Namespace) @protobuf(1,bytes,opt)
 }
 // SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
 // the set of authorizers the server is configured with and any errors experienced during evaluation.
 // Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
 // even if that list is incomplete.
 #SubjectRulesReviewStatus: {
 	// ResourceRules is the list of actions the subject is allowed to perform on resources.
 	// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
 	resourceRules: [...#ResourceRule] @go(ResourceRules,[]ResourceRule) @protobuf(1,bytes,rep)
 	// NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
 	// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
 	nonResourceRules: [...#NonResourceRule] @go(NonResourceRules,[]NonResourceRule) @protobuf(2,bytes,rep)
 	// Incomplete is true when the rules returned by this call are incomplete. This is most commonly
 	// encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
 	incomplete: bool @go(Incomplete) @protobuf(3,bytes,rep)
 	// EvaluationError can appear in combination with Rules. It indicates an error occurred during
 	// rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
 	// ResourceRules and/or NonResourceRules may be incomplete.
 	// +optional
 	evaluationError?: string @go(EvaluationError) @protobuf(4,bytes,opt)
 }
 // ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
 // may contain duplicates, and possibly be incomplete.
 #ResourceRule: {
 	// Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  "*" means all.
 	verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep)
 	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
 	// the enumerated resources in any API group will be allowed.  "*" means all.
 	// +optional
 	apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep)
 	// Resources is a list of resources this rule applies to.  "*" means all in the specified apiGroups.
 	//  "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
 	// +optional
 	resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep)
 	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  "*" means all.
 	// +optional
 	resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep)
 }
 // NonResourceRule holds information that describes a rule for the non-resource
 #NonResourceRule: {
 	// Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  "*" means all.
 	verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep)
 	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full,
 	// final step in the path.  "*" means all.
 	// +optional
 	nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(2,bytes,rep)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/autoscaling/v1
 package v1
 #GroupName: "autoscaling"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue

@@ -0,0 +1,542 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/autoscaling/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/api/core/v1"
 )
 // CrossVersionObjectReference contains enough information to let you identify the referred resource.
 // +structType=atomic
 #CrossVersionObjectReference: {
 	// kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	kind: string @go(Kind) @protobuf(1,bytes,opt)
 	// name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 	name: string @go(Name) @protobuf(2,bytes,opt)
 	// apiVersion is the API version of the referent
 	// +optional
 	apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt)
 }
 // specification of a horizontal pod autoscaler.
 #HorizontalPodAutoscalerSpec: {
 	// reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption
 	// and will set the desired number of pods by using its Scale subresource.
 	scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt)
 	// minReplicas is the lower limit for the number of replicas to which the autoscaler
 	// can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
 	// alpha feature gate HPAScaleToZero is enabled and at least one Object or External
 	// metric is configured.  Scaling is active as long as at least one metric value is
 	// available.
 	// +optional
 	minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt)
 	// maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
 	maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt)
 	// targetCPUUtilizationPercentage is the target average CPU utilization (represented as a percentage of requested CPU) over all the pods;
 	// if not specified the default autoscaling policy will be used.
 	// +optional
 	targetCPUUtilizationPercentage?: null | int32 @go(TargetCPUUtilizationPercentage,*int32) @protobuf(4,varint,opt)
 }
 // current status of a horizontal pod autoscaler
 #HorizontalPodAutoscalerStatus: {
 	// observedGeneration is the most recent generation observed by this autoscaler.
 	// +optional
 	observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt)
 	// lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods;
 	// used by the autoscaler to control how often the number of pods is changed.
 	// +optional
 	lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt)
 	// currentReplicas is the current number of replicas of pods managed by this autoscaler.
 	currentReplicas: int32 @go(CurrentReplicas) @protobuf(3,varint,opt)
 	// desiredReplicas is the  desired number of replicas of pods managed by this autoscaler.
 	desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt)
 	// currentCPUUtilizationPercentage is the current average CPU utilization over all pods, represented as a percentage of requested CPU,
 	// e.g. 70 means that an average pod is using now 70% of its requested CPU.
 	// +optional
 	currentCPUUtilizationPercentage?: null | int32 @go(CurrentCPUUtilizationPercentage,*int32) @protobuf(5,varint,opt)
 }
 // configuration of a horizontal pod autoscaler.
 #HorizontalPodAutoscaler: {
 	metav1.#TypeMeta
 	// Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
 	// +optional
 	spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt)
 	// status is the current information about the autoscaler.
 	// +optional
 	status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // list of horizontal pod autoscaler objects.
 #HorizontalPodAutoscalerList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of horizontal pod autoscaler objects.
 	items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep)
 }
 // Scale represents a scaling request for a resource.
 #Scale: {
 	metav1.#TypeMeta
 	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
 	// +optional
 	spec?: #ScaleSpec @go(Spec) @protobuf(2,bytes,opt)
 	// status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.
 	// +optional
 	status?: #ScaleStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // ScaleSpec describes the attributes of a scale subresource.
 #ScaleSpec: {
 	// replicas is the desired number of instances for the scaled object.
 	// +optional
 	replicas?: int32 @go(Replicas) @protobuf(1,varint,opt)
 }
 // ScaleStatus represents the current status of a scale subresource.
 #ScaleStatus: {
 	// replicas is the actual number of observed instances of the scaled object.
 	replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
 	// selector is the label query over pods that should match the replicas count. This is same
 	// as the label selector but in the string format to avoid introspection
 	// by clients. The string will be in the same format as the query-param syntax.
 	// More info about label selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 	// +optional
 	selector?: string @go(Selector) @protobuf(2,bytes,opt)
 }
 // MetricSourceType indicates the type of metric.
 // +enum
 #MetricSourceType: string // #enumMetricSourceType
 #enumMetricSourceType:
 	#ObjectMetricSourceType |
 	#PodsMetricSourceType |
 	#ResourceMetricSourceType |
 	#ContainerResourceMetricSourceType |
 	#ExternalMetricSourceType
 // ObjectMetricSourceType is a metric describing a kubernetes object
 // (for example, hits-per-second on an Ingress object).
 #ObjectMetricSourceType: #MetricSourceType & "Object"
 // PodsMetricSourceType is a metric describing each pod in the current scale
 // target (for example, transactions-processed-per-second).  The values
 // will be averaged together before being compared to the target value.
 #PodsMetricSourceType: #MetricSourceType & "Pods"
 // ResourceMetricSourceType is a resource metric known to Kubernetes, as
 // specified in requests and limits, describing each pod in the current
 // scale target (e.g. CPU or memory).  Such metrics are built in to
 // Kubernetes, and have special scaling options on top of those available
 // to normal per-pod metrics (the "pods" source).
 #ResourceMetricSourceType: #MetricSourceType & "Resource"
 // ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as
 // specified in requests and limits, describing a single container in each pod in the current
 // scale target (e.g. CPU or memory).  Such metrics are built in to
 // Kubernetes, and have special scaling options on top of those available
 // to normal per-pod metrics (the "pods" source).
 #ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource"
 // ExternalMetricSourceType is a global metric that is not associated
 // with any Kubernetes object. It allows autoscaling based on information
 // coming from components running outside of cluster
 // (for example length of queue in cloud messaging service, or
 // QPS from loadbalancer running outside of cluster).
 #ExternalMetricSourceType: #MetricSourceType & "External"
 // MetricSpec specifies how to scale based on a single metric
 // (only `type` and one other matching field should be set at once).
 #MetricSpec: {
 	// type is the type of metric source.  It should be one of "ContainerResource",
 	// "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object.
 	// Note: "ContainerResource" type is available on when the feature-gate
 	// HPAContainerMetrics is enabled
 	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
 	// object refers to a metric describing a single kubernetes object
 	// (for example, hits-per-second on an Ingress object).
 	// +optional
 	object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt)
 	// pods refers to a metric describing each pod in the current scale target
 	// (for example, transactions-processed-per-second).  The values will be
 	// averaged together before being compared to the target value.
 	// +optional
 	pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt)
 	// resource refers to a resource metric (such as those specified in
 	// requests and limits) known to Kubernetes describing each pod in the
 	// current scale target (e.g. CPU or memory). Such metrics are built in to
 	// Kubernetes, and have special scaling options on top of those available
 	// to normal per-pod metrics using the "pods" source.
 	// +optional
 	resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt)
 	// containerResource refers to a resource metric (such as those specified in
 	// requests and limits) known to Kubernetes describing a single container in each pod of the
 	// current scale target (e.g. CPU or memory). Such metrics are built in to
 	// Kubernetes, and have special scaling options on top of those available
 	// to normal per-pod metrics using the "pods" source.
 	// This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
 	// +optional
 	containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt)
 	// external refers to a global metric that is not associated
 	// with any Kubernetes object. It allows autoscaling based on information
 	// coming from components running outside of cluster
 	// (for example length of queue in cloud messaging service, or
 	// QPS from loadbalancer running outside of cluster).
 	// +optional
 	external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt)
 }
 // ObjectMetricSource indicates how to scale on a metric describing a
 // kubernetes object (for example, hits-per-second on an Ingress object).
 #ObjectMetricSource: {
 	// target is the described Kubernetes object.
 	target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes)
 	// metricName is the name of the metric in question.
 	metricName: string @go(MetricName) @protobuf(2,bytes)
 	// targetValue is the target value of the metric (as a quantity).
 	targetValue: resource.#Quantity @go(TargetValue) @protobuf(3,bytes)
 	// selector is the string-encoded form of a standard kubernetes label selector for the given metric.
 	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping
 	// When unset, just the metricName will be used to gather metrics.
 	// +optional
 	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes)
 	// averageValue is the target value of the average of the
 	// metric across all relevant pods (as a quantity)
 	// +optional
 	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes)
 }
 // PodsMetricSource indicates how to scale on a metric describing each pod in
 // the current scale target (for example, transactions-processed-per-second).
 // The values will be averaged together before being compared to the target
 // value.
 #PodsMetricSource: {
 	// metricName is the name of the metric in question
 	metricName: string @go(MetricName) @protobuf(1,bytes)
 	// targetAverageValue is the target value of the average of the
 	// metric across all relevant pods (as a quantity)
 	targetAverageValue: resource.#Quantity @go(TargetAverageValue) @protobuf(2,bytes)
 	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
 	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping
 	// When unset, just the metricName will be used to gather metrics.
 	// +optional
 	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes)
 }
 // ResourceMetricSource indicates how to scale on a resource metric known to
 // Kubernetes, as specified in requests and limits, describing each pod in the
 // current scale target (e.g. CPU or memory).  The values will be averaged
 // together before being compared to the target.  Such metrics are built in to
 // Kubernetes, and have special scaling options on top of those available to
 // normal per-pod metrics using the "pods" source.  Only one "target" type
 // should be set.
 #ResourceMetricSource: {
 	// name is the name of the resource in question.
 	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
 	// targetAverageUtilization is the target value of the average of the
 	// resource metric across all relevant pods, represented as a percentage of
 	// the requested value of the resource for the pods.
 	// +optional
 	targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt)
 	// targetAverageValue is the target value of the average of the
 	// resource metric across all relevant pods, as a raw value (instead of as
 	// a percentage of the request), similar to the "pods" metric source type.
 	// +optional
 	targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt)
 }
 // ContainerResourceMetricSource indicates how to scale on a resource metric known to
 // Kubernetes, as specified in the requests and limits, describing a single container in
 // each of the pods of the current scale target(e.g. CPU or memory). The values will be
 // averaged together before being compared to the target. Such metrics are built into
 // Kubernetes, and have special scaling options on top of those available to
 // normal per-pod metrics using the "pods" source. Only one "target" type
 // should be set.
 #ContainerResourceMetricSource: {
 	// name is the name of the resource in question.
 	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
 	// targetAverageUtilization is the target value of the average of the
 	// resource metric across all relevant pods, represented as a percentage of
 	// the requested value of the resource for the pods.
 	// +optional
 	targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt)
 	// targetAverageValue is the target value of the average of the
 	// resource metric across all relevant pods, as a raw value (instead of as
 	// a percentage of the request), similar to the "pods" metric source type.
 	// +optional
 	targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt)
 	// container is the name of the container in the pods of the scaling target.
 	container: string @go(Container) @protobuf(5,bytes,opt)
 }
 // ExternalMetricSource indicates how to scale on a metric not associated with
 // any Kubernetes object (for example length of queue in cloud
 // messaging service, or QPS from loadbalancer running outside of cluster).
 #ExternalMetricSource: {
 	// metricName is the name of the metric in question.
 	metricName: string @go(MetricName) @protobuf(1,bytes)
 	// metricSelector is used to identify a specific time series
 	// within a given metric.
 	// +optional
 	metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
 	// targetValue is the target value of the metric (as a quantity).
 	// Mutually exclusive with TargetAverageValue.
 	// +optional
 	targetValue?: null | resource.#Quantity @go(TargetValue,*resource.Quantity) @protobuf(3,bytes,opt)
 	// targetAverageValue is the target per-pod value of global metric (as a quantity).
 	// Mutually exclusive with TargetValue.
 	// +optional
 	targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(4,bytes,opt)
 }
 // MetricStatus describes the last-read state of a single metric.
 #MetricStatus: {
 	// type is the type of metric source.  It will be one of "ContainerResource",
 	// "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
 	// Note: "ContainerResource" type is available on when the feature-gate
 	// HPAContainerMetrics is enabled
 	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
 	// object refers to a metric describing a single kubernetes object
 	// (for example, hits-per-second on an Ingress object).
 	// +optional
 	object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt)
 	// pods refers to a metric describing each pod in the current scale target
 	// (for example, transactions-processed-per-second).  The values will be
 	// averaged together before being compared to the target value.
 	// +optional
 	pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt)
 	// resource refers to a resource metric (such as those specified in
 	// requests and limits) known to Kubernetes describing each pod in the
 	// current scale target (e.g. CPU or memory). Such metrics are built in to
 	// Kubernetes, and have special scaling options on top of those available
 	// to normal per-pod metrics using the "pods" source.
 	// +optional
 	resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt)
 	// containerResource refers to a resource metric (such as those specified in
 	// requests and limits) known to Kubernetes describing a single container in each pod in the
 	// current scale target (e.g. CPU or memory). Such metrics are built in to
 	// Kubernetes, and have special scaling options on top of those available
 	// to normal per-pod metrics using the "pods" source.
 	// +optional
 	containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt)
 	// external refers to a global metric that is not associated
 	// with any Kubernetes object. It allows autoscaling based on information
 	// coming from components running outside of cluster
 	// (for example length of queue in cloud messaging service, or
 	// QPS from loadbalancer running outside of cluster).
 	// +optional
 	external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt)
 }
 // HorizontalPodAutoscalerConditionType are the valid conditions of
 // a HorizontalPodAutoscaler.
 #HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType
 #enumHorizontalPodAutoscalerConditionType:
 	#ScalingActive |
 	#AbleToScale |
 	#ScalingLimited
 // ScalingActive indicates that the HPA controller is able to scale if necessary:
 // it's correctly configured, can fetch the desired metrics, and isn't disabled.
 #ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive"
 // AbleToScale indicates a lack of transient issues which prevent scaling from occurring,
 // such as being in a backoff window, or being unable to access/update the target scale.
 #AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale"
 // ScalingLimited indicates that the calculated scale based on metrics would be above or
 // below the range for the HPA, and has thus been capped.
 #ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited"
 // HorizontalPodAutoscalerCondition describes the state of
 // a HorizontalPodAutoscaler at a certain point.
 #HorizontalPodAutoscalerCondition: {
 	// type describes the current condition
 	type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes)
 	// status is the status of the condition (True, False, Unknown)
 	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes)
 	// lastTransitionTime is the last time the condition transitioned from
 	// one status to another
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
 	// reason is the reason for the condition's last transition.
 	// +optional
 	reason?: string @go(Reason) @protobuf(4,bytes,opt)
 	// message is a human-readable explanation containing details about
 	// the transition
 	// +optional
 	message?: string @go(Message) @protobuf(5,bytes,opt)
 }
 // ObjectMetricStatus indicates the current value of a metric describing a
 // kubernetes object (for example, hits-per-second on an Ingress object).
 #ObjectMetricStatus: {
 	// target is the described Kubernetes object.
 	target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes)
 	// metricName is the name of the metric in question.
 	metricName: string @go(MetricName) @protobuf(2,bytes)
 	// currentValue is the current value of the metric (as a quantity).
 	currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes)
 	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
 	// When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
 	// When unset, just the metricName will be used to gather metrics.
 	// +optional
 	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes)
 	// averageValue is the current value of the average of the
 	// metric across all relevant pods (as a quantity)
 	// +optional
 	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes)
 }
 // PodsMetricStatus indicates the current value of a metric describing each pod in
 // the current scale target (for example, transactions-processed-per-second).
 #PodsMetricStatus: {
 	// metricName is the name of the metric in question
 	metricName: string @go(MetricName) @protobuf(1,bytes)
 	// currentAverageValue is the current value of the average of the
 	// metric across all relevant pods (as a quantity)
 	currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(2,bytes)
 	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
 	// When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
 	// When unset, just the metricName will be used to gather metrics.
 	// +optional
 	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes)
 }
 // ResourceMetricStatus indicates the current value of a resource metric known to
 // Kubernetes, as specified in requests and limits, describing each pod in the
 // current scale target (e.g. CPU or memory).  Such metrics are built in to
 // Kubernetes, and have special scaling options on top of those available to
 // normal per-pod metrics using the "pods" source.
 #ResourceMetricStatus: {
 	// name is the name of the resource in question.
 	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
 	// currentAverageUtilization is the current value of the average of the
 	// resource metric across all relevant pods, represented as a percentage of
 	// the requested value of the resource for the pods.  It will only be
 	// present if `targetAverageValue` was set in the corresponding metric
 	// specification.
 	// +optional
 	currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt)
 	// currentAverageValue is the current value of the average of the
 	// resource metric across all relevant pods, as a raw value (instead of as
 	// a percentage of the request), similar to the "pods" metric source type.
 	// It will always be set, regardless of the corresponding metric specification.
 	currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes)
 }
 // ContainerResourceMetricStatus indicates the current value of a resource metric known to
 // Kubernetes, as specified in requests and limits, describing a single container in each pod in the
 // current scale target (e.g. CPU or memory).  Such metrics are built in to
 // Kubernetes, and have special scaling options on top of those available to
 // normal per-pod metrics using the "pods" source.
 #ContainerResourceMetricStatus: {
 	// name is the name of the resource in question.
 	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
 	// currentAverageUtilization is the current value of the average of the
 	// resource metric across all relevant pods, represented as a percentage of
 	// the requested value of the resource for the pods.  It will only be
 	// present if `targetAverageValue` was set in the corresponding metric
 	// specification.
 	// +optional
 	currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt)
 	// currentAverageValue is the current value of the average of the
 	// resource metric across all relevant pods, as a raw value (instead of as
 	// a percentage of the request), similar to the "pods" metric source type.
 	// It will always be set, regardless of the corresponding metric specification.
 	currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes)
 	// container is the name of the container in the pods of the scaling taget
 	container: string @go(Container) @protobuf(4,bytes,opt)
 }
 // ExternalMetricStatus indicates the current value of a global metric
 // not associated with any Kubernetes object.
 #ExternalMetricStatus: {
 	// metricName is the name of a metric used for autoscaling in
 	// metric system.
 	metricName: string @go(MetricName) @protobuf(1,bytes)
 	// metricSelector is used to identify a specific time series
 	// within a given metric.
 	// +optional
 	metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
 	// currentValue is the current value of the metric (as a quantity)
 	currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes)
 	// currentAverageValue is the current value of metric averaged over autoscaled pods.
 	// +optional
 	currentAverageValue?: null | resource.#Quantity @go(CurrentAverageValue,*resource.Quantity) @protobuf(4,bytes,opt)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/autoscaling/v2
 package v2
 #GroupName: "autoscaling"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue

@@ -0,0 +1,597 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/autoscaling/v2
 package v2
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 )
 // HorizontalPodAutoscaler is the configuration for a horizontal pod
 // autoscaler, which automatically manages the replica count of any resource
 // implementing the scale subresource based on the metrics specified.
 #HorizontalPodAutoscaler: {
 	metav1.#TypeMeta
 	// metadata is the standard object metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec is the specification for the behaviour of the autoscaler.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
 	// +optional
 	spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt)
 	// status is the current information about the autoscaler.
 	// +optional
 	status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
 #HorizontalPodAutoscalerSpec: {
 	// scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
 	// should be collected, as well as to actually change the replica count.
 	scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt)
 	// minReplicas is the lower limit for the number of replicas to which the autoscaler
 	// can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
 	// alpha feature gate HPAScaleToZero is enabled and at least one Object or External
 	// metric is configured.  Scaling is active as long as at least one metric value is
 	// available.
 	// +optional
 	minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt)
 	// maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
 	// It cannot be less that minReplicas.
 	maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt)
 	// metrics contains the specifications for which to use to calculate the
 	// desired replica count (the maximum replica count across all metrics will
 	// be used).  The desired replica count is calculated multiplying the
 	// ratio between the target value and the current value by the current
 	// number of pods.  Ergo, metrics used must decrease as the pod count is
 	// increased, and vice-versa.  See the individual metric source types for
 	// more information about how each type of metric must respond.
 	// If not set, the default metric will be set to 80% average CPU utilization.
 	// +listType=atomic
 	// +optional
 	metrics?: [...#MetricSpec] @go(Metrics,[]MetricSpec) @protobuf(4,bytes,rep)
 	// behavior configures the scaling behavior of the target
 	// in both Up and Down directions (scaleUp and scaleDown fields respectively).
 	// If not set, the default HPAScalingRules for scale up and scale down are used.
 	// +optional
 	behavior?: null | #HorizontalPodAutoscalerBehavior @go(Behavior,*HorizontalPodAutoscalerBehavior) @protobuf(5,bytes,opt)
 }
 // CrossVersionObjectReference contains enough information to let you identify the referred resource.
 #CrossVersionObjectReference: {
 	// kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	kind: string @go(Kind) @protobuf(1,bytes,opt)
 	// name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 	name: string @go(Name) @protobuf(2,bytes,opt)
 	// apiVersion is the API version of the referent
 	// +optional
 	apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt)
 }
 // MetricSpec specifies how to scale based on a single metric
 // (only `type` and one other matching field should be set at once).
 #MetricSpec: {
 	// type is the type of metric source.  It should be one of "ContainerResource", "External",
 	// "Object", "Pods" or "Resource", each mapping to a matching field in the object.
 	// Note: "ContainerResource" type is available on when the feature-gate
 	// HPAContainerMetrics is enabled
 	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
 	// object refers to a metric describing a single kubernetes object
 	// (for example, hits-per-second on an Ingress object).
 	// +optional
 	object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt)
 	// pods refers to a metric describing each pod in the current scale target
 	// (for example, transactions-processed-per-second).  The values will be
 	// averaged together before being compared to the target value.
 	// +optional
 	pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt)
 	// resource refers to a resource metric (such as those specified in
 	// requests and limits) known to Kubernetes describing each pod in the
 	// current scale target (e.g. CPU or memory). Such metrics are built in to
 	// Kubernetes, and have special scaling options on top of those available
 	// to normal per-pod metrics using the "pods" source.
 	// +optional
 	resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt)
 	// containerResource refers to a resource metric (such as those specified in
 	// requests and limits) known to Kubernetes describing a single container in
 	// each pod of the current scale target (e.g. CPU or memory). Such metrics are
 	// built in to Kubernetes, and have special scaling options on top of those
 	// available to normal per-pod metrics using the "pods" source.
 	// This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
 	// +optional
 	containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt)
 	// external refers to a global metric that is not associated
 	// with any Kubernetes object. It allows autoscaling based on information
 	// coming from components running outside of cluster
 	// (for example length of queue in cloud messaging service, or
 	// QPS from loadbalancer running outside of cluster).
 	// +optional
 	external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt)
 }
 // HorizontalPodAutoscalerBehavior configures the scaling behavior of the target
 // in both Up and Down directions (scaleUp and scaleDown fields respectively).
 #HorizontalPodAutoscalerBehavior: {
 	// scaleUp is scaling policy for scaling Up.
 	// If not set, the default value is the higher of:
 	//   * increase no more than 4 pods per 60 seconds
 	//   * double the number of pods per 60 seconds
 	// No stabilization is used.
 	// +optional
 	scaleUp?: null | #HPAScalingRules @go(ScaleUp,*HPAScalingRules) @protobuf(1,bytes,opt)
 	// scaleDown is scaling policy for scaling Down.
 	// If not set, the default value is to allow to scale down to minReplicas pods, with a
 	// 300 second stabilization window (i.e., the highest recommendation for
 	// the last 300sec is used).
 	// +optional
 	scaleDown?: null | #HPAScalingRules @go(ScaleDown,*HPAScalingRules) @protobuf(2,bytes,opt)
 }
 // ScalingPolicySelect is used to specify which policy should be used while scaling in a certain direction
 #ScalingPolicySelect: string // #enumScalingPolicySelect
 #enumScalingPolicySelect:
 	#MaxChangePolicySelect |
 	#MinChangePolicySelect |
 	#DisabledPolicySelect
 // MaxChangePolicySelect  selects the policy with the highest possible change.
 #MaxChangePolicySelect: #ScalingPolicySelect & "Max"
 // MinChangePolicySelect selects the policy with the lowest possible change.
 #MinChangePolicySelect: #ScalingPolicySelect & "Min"
 // DisabledPolicySelect disables the scaling in this direction.
 #DisabledPolicySelect: #ScalingPolicySelect & "Disabled"
 // HPAScalingRules configures the scaling behavior for one direction.
 // These Rules are applied after calculating DesiredReplicas from metrics for the HPA.
 // They can limit the scaling velocity by specifying scaling policies.
 // They can prevent flapping by specifying the stabilization window, so that the
 // number of replicas is not set instantly, instead, the safest value from the stabilization
 // window is chosen.
 #HPAScalingRules: {
 	// stabilizationWindowSeconds is the number of seconds for which past recommendations should be
 	// considered while scaling up or scaling down.
 	// StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
 	// If not set, use the default values:
 	// - For scale up: 0 (i.e. no stabilization is done).
 	// - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
 	// +optional
 	stabilizationWindowSeconds?: null | int32 @go(StabilizationWindowSeconds,*int32) @protobuf(3,varint,opt)
 	// selectPolicy is used to specify which policy should be used.
 	// If not set, the default value Max is used.
 	// +optional
 	selectPolicy?: null | #ScalingPolicySelect @go(SelectPolicy,*ScalingPolicySelect) @protobuf(1,bytes,opt)
 	// policies is a list of potential scaling polices which can be used during scaling.
 	// At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
 	// +listType=atomic
 	// +optional
 	policies?: [...#HPAScalingPolicy] @go(Policies,[]HPAScalingPolicy) @protobuf(2,bytes,rep)
 }
 // HPAScalingPolicyType is the type of the policy which could be used while making scaling decisions.
 #HPAScalingPolicyType: string // #enumHPAScalingPolicyType
 #enumHPAScalingPolicyType:
 	#PodsScalingPolicy |
 	#PercentScalingPolicy
 // PodsScalingPolicy is a policy used to specify a change in absolute number of pods.
 #PodsScalingPolicy: #HPAScalingPolicyType & "Pods"
 // PercentScalingPolicy is a policy used to specify a relative amount of change with respect to
 // the current number of pods.
 #PercentScalingPolicy: #HPAScalingPolicyType & "Percent"
 // HPAScalingPolicy is a single policy which must hold true for a specified past interval.
 #HPAScalingPolicy: {
 	// type is used to specify the scaling policy.
 	type: #HPAScalingPolicyType @go(Type) @protobuf(1,bytes,opt,casttype=HPAScalingPolicyType)
 	// value contains the amount of change which is permitted by the policy.
 	// It must be greater than zero
 	value: int32 @go(Value) @protobuf(2,varint,opt)
 	// periodSeconds specifies the window of time for which the policy should hold true.
 	// PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
 	periodSeconds: int32 @go(PeriodSeconds) @protobuf(3,varint,opt)
 }
 // MetricSourceType indicates the type of metric.
 #MetricSourceType: string // #enumMetricSourceType
 #enumMetricSourceType:
 	#ObjectMetricSourceType |
 	#PodsMetricSourceType |
 	#ResourceMetricSourceType |
 	#ContainerResourceMetricSourceType |
 	#ExternalMetricSourceType
 // ObjectMetricSourceType is a metric describing a kubernetes object
 // (for example, hits-per-second on an Ingress object).
 #ObjectMetricSourceType: #MetricSourceType & "Object"
 // PodsMetricSourceType is a metric describing each pod in the current scale
 // target (for example, transactions-processed-per-second).  The values
 // will be averaged together before being compared to the target value.
 #PodsMetricSourceType: #MetricSourceType & "Pods"
 // ResourceMetricSourceType is a resource metric known to Kubernetes, as
 // specified in requests and limits, describing each pod in the current
 // scale target (e.g. CPU or memory).  Such metrics are built in to
 // Kubernetes, and have special scaling options on top of those available
 // to normal per-pod metrics (the "pods" source).
 #ResourceMetricSourceType: #MetricSourceType & "Resource"
 // ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as
 // specified in requests and limits, describing a single container in each pod in the current
 // scale target (e.g. CPU or memory).  Such metrics are built in to
 // Kubernetes, and have special scaling options on top of those available
 // to normal per-pod metrics (the "pods" source).
 #ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource"
 // ExternalMetricSourceType is a global metric that is not associated
 // with any Kubernetes object. It allows autoscaling based on information
 // coming from components running outside of cluster
 // (for example length of queue in cloud messaging service, or
 // QPS from loadbalancer running outside of cluster).
 #ExternalMetricSourceType: #MetricSourceType & "External"
 // ObjectMetricSource indicates how to scale on a metric describing a
 // kubernetes object (for example, hits-per-second on an Ingress object).
 #ObjectMetricSource: {
 	// describedObject specifies the descriptions of a object,such as kind,name apiVersion
 	describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(1,bytes)
 	// target specifies the target value for the given metric
 	target: #MetricTarget @go(Target) @protobuf(2,bytes)
 	// metric identifies the target metric by name and selector
 	metric: #MetricIdentifier @go(Metric) @protobuf(3,bytes)
 }
 // PodsMetricSource indicates how to scale on a metric describing each pod in
 // the current scale target (for example, transactions-processed-per-second).
 // The values will be averaged together before being compared to the target
 // value.
 #PodsMetricSource: {
 	// metric identifies the target metric by name and selector
 	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
 	// target specifies the target value for the given metric
 	target: #MetricTarget @go(Target) @protobuf(2,bytes)
 }
 // ResourceMetricSource indicates how to scale on a resource metric known to
 // Kubernetes, as specified in requests and limits, describing each pod in the
 // current scale target (e.g. CPU or memory).  The values will be averaged
 // together before being compared to the target.  Such metrics are built in to
 // Kubernetes, and have special scaling options on top of those available to
 // normal per-pod metrics using the "pods" source.  Only one "target" type
 // should be set.
 #ResourceMetricSource: {
 	// name is the name of the resource in question.
 	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
 	// target specifies the target value for the given metric
 	target: #MetricTarget @go(Target) @protobuf(2,bytes)
 }
 // ContainerResourceMetricSource indicates how to scale on a resource metric known to
 // Kubernetes, as specified in requests and limits, describing each pod in the
 // current scale target (e.g. CPU or memory).  The values will be averaged
 // together before being compared to the target.  Such metrics are built in to
 // Kubernetes, and have special scaling options on top of those available to
 // normal per-pod metrics using the "pods" source.  Only one "target" type
 // should be set.
 #ContainerResourceMetricSource: {
 	// name is the name of the resource in question.
 	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
 	// target specifies the target value for the given metric
 	target: #MetricTarget @go(Target) @protobuf(2,bytes)
 	// container is the name of the container in the pods of the scaling target
 	container: string @go(Container) @protobuf(3,bytes,opt)
 }
 // ExternalMetricSource indicates how to scale on a metric not associated with
 // any Kubernetes object (for example length of queue in cloud
 // messaging service, or QPS from loadbalancer running outside of cluster).
 #ExternalMetricSource: {
 	// metric identifies the target metric by name and selector
 	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
 	// target specifies the target value for the given metric
 	target: #MetricTarget @go(Target) @protobuf(2,bytes)
 }
 // MetricIdentifier defines the name and optionally selector for a metric
 #MetricIdentifier: {
 	// name is the name of the given metric
 	name: string @go(Name) @protobuf(1,bytes)
 	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
 	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
 	// When unset, just the metricName will be used to gather metrics.
 	// +optional
 	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes)
 }
 // MetricTarget defines the target value, average value, or average utilization of a specific metric
 #MetricTarget: {
 	// type represents whether the metric type is Utilization, Value, or AverageValue
 	type: #MetricTargetType @go(Type) @protobuf(1,bytes)
 	// value is the target value of the metric (as a quantity).
 	// +optional
 	value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(2,bytes,opt)
 	// averageValue is the target value of the average of the
 	// metric across all relevant pods (as a quantity)
 	// +optional
 	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(3,bytes,opt)
 	// averageUtilization is the target value of the average of the
 	// resource metric across all relevant pods, represented as a percentage of
 	// the requested value of the resource for the pods.
 	// Currently only valid for Resource metric source type
 	// +optional
 	averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(4,bytes,opt)
 }
 // MetricTargetType specifies the type of metric being targeted, and should be either
 // "Value", "AverageValue", or "Utilization"
 #MetricTargetType: string // #enumMetricTargetType
 #enumMetricTargetType:
 	#UtilizationMetricType |
 	#ValueMetricType |
 	#AverageValueMetricType
 // UtilizationMetricType declares a MetricTarget is an AverageUtilization value
 #UtilizationMetricType: #MetricTargetType & "Utilization"
 // ValueMetricType declares a MetricTarget is a raw value
 #ValueMetricType: #MetricTargetType & "Value"
 // AverageValueMetricType declares a MetricTarget is an
 #AverageValueMetricType: #MetricTargetType & "AverageValue"
 // HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.
 #HorizontalPodAutoscalerStatus: {
 	// observedGeneration is the most recent generation observed by this autoscaler.
 	// +optional
 	observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt)
 	// lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods,
 	// used by the autoscaler to control how often the number of pods is changed.
 	// +optional
 	lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt)
 	// currentReplicas is current number of replicas of pods managed by this autoscaler,
 	// as last seen by the autoscaler.
 	// +optional
 	currentReplicas?: int32 @go(CurrentReplicas) @protobuf(3,varint,opt)
 	// desiredReplicas is the desired number of replicas of pods managed by this autoscaler,
 	// as last calculated by the autoscaler.
 	desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt)
 	// currentMetrics is the last read state of the metrics used by this autoscaler.
 	// +listType=atomic
 	// +optional
 	currentMetrics: [...#MetricStatus] @go(CurrentMetrics,[]MetricStatus) @protobuf(5,bytes,rep)
 	// conditions is the set of conditions required for this autoscaler to scale its target,
 	// and indicates whether or not those conditions are met.
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
 	// +optional
 	conditions?: [...#HorizontalPodAutoscalerCondition] @go(Conditions,[]HorizontalPodAutoscalerCondition) @protobuf(6,bytes,rep)
 }
 // HorizontalPodAutoscalerConditionType are the valid conditions of
 // a HorizontalPodAutoscaler.
 #HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType
 #enumHorizontalPodAutoscalerConditionType:
 	#ScalingActive |
 	#AbleToScale |
 	#ScalingLimited
 // ScalingActive indicates that the HPA controller is able to scale if necessary:
 // it's correctly configured, can fetch the desired metrics, and isn't disabled.
 #ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive"
 // AbleToScale indicates a lack of transient issues which prevent scaling from occurring,
 // such as being in a backoff window, or being unable to access/update the target scale.
 #AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale"
 // ScalingLimited indicates that the calculated scale based on metrics would be above or
 // below the range for the HPA, and has thus been capped.
 #ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited"
 // HorizontalPodAutoscalerCondition describes the state of
 // a HorizontalPodAutoscaler at a certain point.
 #HorizontalPodAutoscalerCondition: {
 	// type describes the current condition
 	type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes)
 	// status is the status of the condition (True, False, Unknown)
 	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes)
 	// lastTransitionTime is the last time the condition transitioned from
 	// one status to another
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
 	// reason is the reason for the condition's last transition.
 	// +optional
 	reason?: string @go(Reason) @protobuf(4,bytes,opt)
 	// message is a human-readable explanation containing details about
 	// the transition
 	// +optional
 	message?: string @go(Message) @protobuf(5,bytes,opt)
 }
 // MetricStatus describes the last-read state of a single metric.
 #MetricStatus: {
 	// type is the type of metric source.  It will be one of "ContainerResource", "External",
 	// "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
 	// Note: "ContainerResource" type is available on when the feature-gate
 	// HPAContainerMetrics is enabled
 	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
 	// object refers to a metric describing a single kubernetes object
 	// (for example, hits-per-second on an Ingress object).
 	// +optional
 	object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt)
 	// pods refers to a metric describing each pod in the current scale target
 	// (for example, transactions-processed-per-second).  The values will be
 	// averaged together before being compared to the target value.
 	// +optional
 	pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt)
 	// resource refers to a resource metric (such as those specified in
 	// requests and limits) known to Kubernetes describing each pod in the
 	// current scale target (e.g. CPU or memory). Such metrics are built in to
 	// Kubernetes, and have special scaling options on top of those available
 	// to normal per-pod metrics using the "pods" source.
 	// +optional
 	resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt)
 	// container resource refers to a resource metric (such as those specified in
 	// requests and limits) known to Kubernetes describing a single container in each pod in the
 	// current scale target (e.g. CPU or memory). Such metrics are built in to
 	// Kubernetes, and have special scaling options on top of those available
 	// to normal per-pod metrics using the "pods" source.
 	// +optional
 	containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt)
 	// external refers to a global metric that is not associated
 	// with any Kubernetes object. It allows autoscaling based on information
 	// coming from components running outside of cluster
 	// (for example length of queue in cloud messaging service, or
 	// QPS from loadbalancer running outside of cluster).
 	// +optional
 	external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt)
 }
 // ObjectMetricStatus indicates the current value of a metric describing a
 // kubernetes object (for example, hits-per-second on an Ingress object).
 #ObjectMetricStatus: {
 	// metric identifies the target metric by name and selector
 	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
 	// current contains the current value for the given metric
 	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
 	// DescribedObject specifies the descriptions of a object,such as kind,name apiVersion
 	describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(3,bytes)
 }
 // PodsMetricStatus indicates the current value of a metric describing each pod in
 // the current scale target (for example, transactions-processed-per-second).
 #PodsMetricStatus: {
 	// metric identifies the target metric by name and selector
 	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
 	// current contains the current value for the given metric
 	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
 }
 // ResourceMetricStatus indicates the current value of a resource metric known to
 // Kubernetes, as specified in requests and limits, describing each pod in the
 // current scale target (e.g. CPU or memory).  Such metrics are built in to
 // Kubernetes, and have special scaling options on top of those available to
 // normal per-pod metrics using the "pods" source.
 #ResourceMetricStatus: {
 	// name is the name of the resource in question.
 	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
 	// current contains the current value for the given metric
 	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
 }
 // ContainerResourceMetricStatus indicates the current value of a resource metric known to
 // Kubernetes, as specified in requests and limits, describing a single container in each pod in the
 // current scale target (e.g. CPU or memory).  Such metrics are built in to
 // Kubernetes, and have special scaling options on top of those available to
 // normal per-pod metrics using the "pods" source.
 #ContainerResourceMetricStatus: {
 	// name is the name of the resource in question.
 	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
 	// current contains the current value for the given metric
 	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
 	// container is the name of the container in the pods of the scaling target
 	container: string @go(Container) @protobuf(3,bytes,opt)
 }
 // ExternalMetricStatus indicates the current value of a global metric
 // not associated with any Kubernetes object.
 #ExternalMetricStatus: {
 	// metric identifies the target metric by name and selector
 	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
 	// current contains the current value for the given metric
 	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
 }
 // MetricValueStatus holds the current value for a metric
 #MetricValueStatus: {
 	// value is the current value of the metric (as a quantity).
 	// +optional
 	value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(1,bytes,opt)
 	// averageValue is the current value of the average of the
 	// metric across all relevant pods (as a quantity)
 	// +optional
 	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(2,bytes,opt)
 	// currentAverageUtilization is the current value of the average of the
 	// resource metric across all relevant pods, represented as a percentage of
 	// the requested value of the resource for the pods.
 	// +optional
 	averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(3,bytes,opt)
 }
 // HorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects.
 #HorizontalPodAutoscalerList: {
 	metav1.#TypeMeta
 	// metadata is the standard list metadata.
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of horizontal pod autoscaler objects.
 	items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/batch/v1
 package v1
 #GroupName: "batch"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue

@@ -0,0 +1,693 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/batch/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
 // All Kubernetes labels need to be prefixed with Kubernetes to distinguish them from end-user labels
 // More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#label-selector-and-annotation-conventions
 _#labelPrefix: "batch.kubernetes.io/"
 // CronJobScheduledTimestampAnnotation is the scheduled timestamp annotation for the Job.
 // It records the original/expected scheduled timestamp for the running job, represented in RFC3339.
 // The CronJob controller adds this annotation if the CronJobsScheduledAnnotation feature gate (beta in 1.28) is enabled.
 #CronJobScheduledTimestampAnnotation: "batch.kubernetes.io/cronjob-scheduled-timestamp"
 #JobCompletionIndexAnnotation:        "batch.kubernetes.io/job-completion-index"
 // JobTrackingFinalizer is a finalizer for Job's pods. It prevents them from
 // being deleted before being accounted in the Job status.
 //
 // Additionally, the apiserver and job controller use this string as a Job
 // annotation, to mark Jobs that are being tracked using pod finalizers.
 // However, this behavior is deprecated in kubernetes 1.26. This means that, in
 // 1.27+, one release after JobTrackingWithFinalizers graduates to GA, the
 // apiserver and job controller will ignore this annotation and they will
 // always track jobs using finalizers.
 #JobTrackingFinalizer: "batch.kubernetes.io/job-tracking"
 // The Job labels will use batch.kubernetes.io as a prefix for all labels
 // Historically the job controller uses unprefixed labels for job-name and controller-uid and
 // Kubernetes continutes to recognize those unprefixed labels for consistency.
 #JobNameLabel: "batch.kubernetes.io/job-name"
 // ControllerUid is used to programatically get pods corresponding to a Job.
 // There is a corresponding label without the batch.kubernetes.io that we support for legacy reasons.
 #ControllerUidLabel: "batch.kubernetes.io/controller-uid"
 // Annotation indicating the number of failures for the index corresponding
 // to the pod, which are counted towards the backoff limit.
 #JobIndexFailureCountAnnotation: "batch.kubernetes.io/job-index-failure-count"
 // Annotation indicating the number of failures for the index corresponding
 // to the pod, which don't count towards the backoff limit, according to the
 // pod failure policy. When the annotation is absent zero is implied.
 #JobIndexIgnoredFailureCountAnnotation: "batch.kubernetes.io/job-index-ignored-failure-count"
 // Job represents the configuration of a single job.
 #Job: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Specification of the desired behavior of a job.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Current status of a job.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: #JobStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // JobList is a collection of jobs.
 #JobList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of Jobs.
 	items: [...#Job] @go(Items,[]Job) @protobuf(2,bytes,rep)
 }
 // CompletionMode specifies how Pod completions of a Job are tracked.
 // +enum
 #CompletionMode: string // #enumCompletionMode
 #enumCompletionMode:
 	#NonIndexedCompletion |
 	#IndexedCompletion
 // NonIndexedCompletion is a Job completion mode. In this mode, the Job is
 // considered complete when there have been .spec.completions
 // successfully completed Pods. Pod completions are homologous to each other.
 #NonIndexedCompletion: #CompletionMode & "NonIndexed"
 // IndexedCompletion is a Job completion mode. In this mode, the Pods of a
 // Job get an associated completion index from 0 to (.spec.completions - 1).
 // The Job is  considered complete when a Pod completes for each completion
 // index.
 #IndexedCompletion: #CompletionMode & "Indexed"
 // PodFailurePolicyAction specifies how a Pod failure is handled.
 // +enum
 #PodFailurePolicyAction: string // #enumPodFailurePolicyAction
 #enumPodFailurePolicyAction:
 	#PodFailurePolicyActionFailJob |
 	#PodFailurePolicyActionFailIndex |
 	#PodFailurePolicyActionIgnore |
 	#PodFailurePolicyActionCount
 // This is an action which might be taken on a pod failure - mark the
 // pod's job as Failed and terminate all running pods.
 #PodFailurePolicyActionFailJob: #PodFailurePolicyAction & "FailJob"
 // This is an action which might be taken on a pod failure - mark the
 // Job's index as failed to avoid restarts within this index. This action
 // can only be used when backoffLimitPerIndex is set.
 #PodFailurePolicyActionFailIndex: #PodFailurePolicyAction & "FailIndex"
 // This is an action which might be taken on a pod failure - the counter towards
 // .backoffLimit, represented by the job's .status.failed field, is not
 // incremented and a replacement pod is created.
 #PodFailurePolicyActionIgnore: #PodFailurePolicyAction & "Ignore"
 // This is an action which might be taken on a pod failure - the pod failure
 // is handled in the default way - the counter towards .backoffLimit,
 // represented by the job's .status.failed field, is incremented.
 #PodFailurePolicyActionCount: #PodFailurePolicyAction & "Count"
 // +enum
 #PodFailurePolicyOnExitCodesOperator: string // #enumPodFailurePolicyOnExitCodesOperator
 #enumPodFailurePolicyOnExitCodesOperator:
 	#PodFailurePolicyOnExitCodesOpIn |
 	#PodFailurePolicyOnExitCodesOpNotIn
 #PodFailurePolicyOnExitCodesOpIn:    #PodFailurePolicyOnExitCodesOperator & "In"
 #PodFailurePolicyOnExitCodesOpNotIn: #PodFailurePolicyOnExitCodesOperator & "NotIn"
 // PodReplacementPolicy specifies the policy for creating pod replacements.
 // +enum
 #PodReplacementPolicy: string // #enumPodReplacementPolicy
 #enumPodReplacementPolicy:
 	#TerminatingOrFailed |
 	#Failed
 // TerminatingOrFailed means that we recreate pods
 // when they are terminating (has a metadata.deletionTimestamp) or failed.
 #TerminatingOrFailed: #PodReplacementPolicy & "TerminatingOrFailed"
 // Failed means to wait until a previously created Pod is fully terminated (has phase
 // Failed or Succeeded) before creating a replacement Pod.
 #Failed: #PodReplacementPolicy & "Failed"
 // PodFailurePolicyOnExitCodesRequirement describes the requirement for handling
 // a failed pod based on its container exit codes. In particular, it lookups the
 // .state.terminated.exitCode for each app container and init container status,
 // represented by the .status.containerStatuses and .status.initContainerStatuses
 // fields in the Pod status, respectively. Containers completed with success
 // (exit code 0) are excluded from the requirement check.
 #PodFailurePolicyOnExitCodesRequirement: {
 	// Restricts the check for exit codes to the container with the
 	// specified name. When null, the rule applies to all containers.
 	// When specified, it should match one the container or initContainer
 	// names in the pod template.
 	// +optional
 	containerName?: null | string @go(ContainerName,*string) @protobuf(1,bytes,opt)
 	// Represents the relationship between the container exit code(s) and the
 	// specified values. Containers completed with success (exit code 0) are
 	// excluded from the requirement check. Possible values are:
 	//
 	// - In: the requirement is satisfied if at least one container exit code
 	//   (might be multiple if there are multiple containers not restricted
 	//   by the 'containerName' field) is in the set of specified values.
 	// - NotIn: the requirement is satisfied if at least one container exit code
 	//   (might be multiple if there are multiple containers not restricted
 	//   by the 'containerName' field) is not in the set of specified values.
 	// Additional values are considered to be added in the future. Clients should
 	// react to an unknown operator by assuming the requirement is not satisfied.
 	operator: #PodFailurePolicyOnExitCodesOperator @go(Operator) @protobuf(2,bytes,req)
 	// Specifies the set of values. Each returned container exit code (might be
 	// multiple in case of multiple containers) is checked against this set of
 	// values with respect to the operator. The list of values must be ordered
 	// and must not contain duplicates. Value '0' cannot be used for the In operator.
 	// At least one element is required. At most 255 elements are allowed.
 	// +listType=set
 	values: [...int32] @go(Values,[]int32) @protobuf(3,varint,rep)
 }
 // PodFailurePolicyOnPodConditionsPattern describes a pattern for matching
 // an actual pod condition type.
 #PodFailurePolicyOnPodConditionsPattern: {
 	// Specifies the required Pod condition type. To match a pod condition
 	// it is required that specified type equals the pod condition type.
 	type: corev1.#PodConditionType @go(Type) @protobuf(1,bytes,req)
 	// Specifies the required Pod condition status. To match a pod condition
 	// it is required that the specified status equals the pod condition status.
 	// Defaults to True.
 	status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,req)
 }
 // PodFailurePolicyRule describes how a pod failure is handled when the requirements are met.
 // One of onExitCodes and onPodConditions, but not both, can be used in each rule.
 #PodFailurePolicyRule: {
 	// Specifies the action taken on a pod failure when the requirements are satisfied.
 	// Possible values are:
 	//
 	// - FailJob: indicates that the pod's job is marked as Failed and all
 	//   running pods are terminated.
 	// - FailIndex: indicates that the pod's index is marked as Failed and will
 	//   not be restarted.
 	//   This value is alpha-level. It can be used when the
 	//   `JobBackoffLimitPerIndex` feature gate is enabled (disabled by default).
 	// - Ignore: indicates that the counter towards the .backoffLimit is not
 	//   incremented and a replacement pod is created.
 	// - Count: indicates that the pod is handled in the default way - the
 	//   counter towards the .backoffLimit is incremented.
 	// Additional values are considered to be added in the future. Clients should
 	// react to an unknown action by skipping the rule.
 	action: #PodFailurePolicyAction @go(Action) @protobuf(1,bytes,req)
 	// Represents the requirement on the container exit codes.
 	// +optional
 	onExitCodes?: null | #PodFailurePolicyOnExitCodesRequirement @go(OnExitCodes,*PodFailurePolicyOnExitCodesRequirement) @protobuf(2,bytes,opt)
 	// Represents the requirement on the pod conditions. The requirement is represented
 	// as a list of pod condition patterns. The requirement is satisfied if at
 	// least one pattern matches an actual pod condition. At most 20 elements are allowed.
 	// +listType=atomic
 	// +optional
 	onPodConditions: [...#PodFailurePolicyOnPodConditionsPattern] @go(OnPodConditions,[]PodFailurePolicyOnPodConditionsPattern) @protobuf(3,bytes,opt)
 }
 // PodFailurePolicy describes how failed pods influence the backoffLimit.
 #PodFailurePolicy: {
 	// A list of pod failure policy rules. The rules are evaluated in order.
 	// Once a rule matches a Pod failure, the remaining of the rules are ignored.
 	// When no rule matches the Pod failure, the default handling applies - the
 	// counter of pod failures is incremented and it is checked against
 	// the backoffLimit. At most 20 elements are allowed.
 	// +listType=atomic
 	rules: [...#PodFailurePolicyRule] @go(Rules,[]PodFailurePolicyRule) @protobuf(1,bytes,opt)
 }
 // JobSpec describes how the job execution will look like.
 #JobSpec: {
 	// Specifies the maximum desired number of pods the job should
 	// run at any given time. The actual number of pods running in steady state will
 	// be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism),
 	// i.e. when the work left to do is less than max parallelism.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
 	// +optional
 	parallelism?: null | int32 @go(Parallelism,*int32) @protobuf(1,varint,opt)
 	// Specifies the desired number of successfully finished pods the
 	// job should be run with.  Setting to null means that the success of any
 	// pod signals the success of all pods, and allows parallelism to have any positive
 	// value.  Setting to 1 means that parallelism is limited to 1 and the success of that
 	// pod signals the success of the job.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
 	// +optional
 	completions?: null | int32 @go(Completions,*int32) @protobuf(2,varint,opt)
 	// Specifies the duration in seconds relative to the startTime that the job
 	// may be continuously active before the system tries to terminate it; value
 	// must be positive integer. If a Job is suspended (at creation or through an
 	// update), this timer will effectively be stopped and reset when the Job is
 	// resumed again.
 	// +optional
 	activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(3,varint,opt)
 	// Specifies the policy of handling failed pods. In particular, it allows to
 	// specify the set of actions and conditions which need to be
 	// satisfied to take the associated action.
 	// If empty, the default behaviour applies - the counter of failed pods,
 	// represented by the jobs's .status.failed field, is incremented and it is
 	// checked against the backoffLimit. This field cannot be used in combination
 	// with restartPolicy=OnFailure.
 	//
 	// This field is beta-level. It can be used when the `JobPodFailurePolicy`
 	// feature gate is enabled (enabled by default).
 	// +optional
 	podFailurePolicy?: null | #PodFailurePolicy @go(PodFailurePolicy,*PodFailurePolicy) @protobuf(11,bytes,opt)
 	// Specifies the number of retries before marking this job failed.
 	// Defaults to 6
 	// +optional
 	backoffLimit?: null | int32 @go(BackoffLimit,*int32) @protobuf(7,varint,opt)
 	// Specifies the limit for the number of retries within an
 	// index before marking this index as failed. When enabled the number of
 	// failures per index is kept in the pod's
 	// batch.kubernetes.io/job-index-failure-count annotation. It can only
 	// be set when Job's completionMode=Indexed, and the Pod's restart
 	// policy is Never. The field is immutable.
 	// This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex`
 	// feature gate is enabled (disabled by default).
 	// +optional
 	backoffLimitPerIndex?: null | int32 @go(BackoffLimitPerIndex,*int32) @protobuf(12,varint,opt)
 	// Specifies the maximal number of failed indexes before marking the Job as
 	// failed, when backoffLimitPerIndex is set. Once the number of failed
 	// indexes exceeds this number the entire Job is marked as Failed and its
 	// execution is terminated. When left as null the job continues execution of
 	// all of its indexes and is marked with the `Complete` Job condition.
 	// It can only be specified when backoffLimitPerIndex is set.
 	// It can be null or up to completions. It is required and must be
 	// less than or equal to 10^4 when is completions greater than 10^5.
 	// This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex`
 	// feature gate is enabled (disabled by default).
 	// +optional
 	maxFailedIndexes?: null | int32 @go(MaxFailedIndexes,*int32) @protobuf(13,varint,opt)
 	// A label query over pods that should match the pod count.
 	// Normally, the system sets this field for you.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
 	// +optional
 	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt)
 	// manualSelector controls generation of pod labels and pod selectors.
 	// Leave `manualSelector` unset unless you are certain what you are doing.
 	// When false or unset, the system pick labels unique to this job
 	// and appends those labels to the pod template.  When true,
 	// the user is responsible for picking unique labels and specifying
 	// the selector.  Failure to pick a unique label may cause this
 	// and other jobs to not function correctly.  However, You may see
 	// `manualSelector=true` in jobs that were created with the old `extensions/v1beta1`
 	// API.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector
 	// +optional
 	manualSelector?: null | bool @go(ManualSelector,*bool) @protobuf(5,varint,opt)
 	// Describes the pod that will be created when executing a job.
 	// The only allowed template.spec.restartPolicy values are "Never" or "OnFailure".
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
 	template: corev1.#PodTemplateSpec @go(Template) @protobuf(6,bytes,opt)
 	// ttlSecondsAfterFinished limits the lifetime of a Job that has finished
 	// execution (either Complete or Failed). If this field is set,
 	// ttlSecondsAfterFinished after the Job finishes, it is eligible to be
 	// automatically deleted. When the Job is being deleted, its lifecycle
 	// guarantees (e.g. finalizers) will be honored. If this field is unset,
 	// the Job won't be automatically deleted. If this field is set to zero,
 	// the Job becomes eligible to be deleted immediately after it finishes.
 	// +optional
 	ttlSecondsAfterFinished?: null | int32 @go(TTLSecondsAfterFinished,*int32) @protobuf(8,varint,opt)
 	// completionMode specifies how Pod completions are tracked. It can be
 	// `NonIndexed` (default) or `Indexed`.
 	//
 	// `NonIndexed` means that the Job is considered complete when there have
 	// been .spec.completions successfully completed Pods. Each Pod completion is
 	// homologous to each other.
 	//
 	// `Indexed` means that the Pods of a
 	// Job get an associated completion index from 0 to (.spec.completions - 1),
 	// available in the annotation batch.kubernetes.io/job-completion-index.
 	// The Job is considered complete when there is one successfully completed Pod
 	// for each index.
 	// When value is `Indexed`, .spec.completions must be specified and
 	// `.spec.parallelism` must be less than or equal to 10^5.
 	// In addition, The Pod name takes the form
 	// `$(job-name)-$(index)-$(random-string)`,
 	// the Pod hostname takes the form `$(job-name)-$(index)`.
 	//
 	// More completion modes can be added in the future.
 	// If the Job controller observes a mode that it doesn't recognize, which
 	// is possible during upgrades due to version skew, the controller
 	// skips updates for the Job.
 	// +optional
 	completionMode?: null | #CompletionMode @go(CompletionMode,*CompletionMode) @protobuf(9,bytes,opt,casttype=CompletionMode)
 	// suspend specifies whether the Job controller should create Pods or not. If
 	// a Job is created with suspend set to true, no Pods are created by the Job
 	// controller. If a Job is suspended after creation (i.e. the flag goes from
 	// false to true), the Job controller will delete all active Pods associated
 	// with this Job. Users must design their workload to gracefully handle this.
 	// Suspending a Job will reset the StartTime field of the Job, effectively
 	// resetting the ActiveDeadlineSeconds timer too. Defaults to false.
 	//
 	// +optional
 	suspend?: null | bool @go(Suspend,*bool) @protobuf(10,varint,opt)
 	// podReplacementPolicy specifies when to create replacement Pods.
 	// Possible values are:
 	// - TerminatingOrFailed means that we recreate pods
 	//   when they are terminating (has a metadata.deletionTimestamp) or failed.
 	// - Failed means to wait until a previously created Pod is fully terminated (has phase
 	//   Failed or Succeeded) before creating a replacement Pod.
 	//
 	// When using podFailurePolicy, Failed is the the only allowed value.
 	// TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use.
 	// This is an alpha field. Enable JobPodReplacementPolicy to be able to use this field.
 	// +optional
 	podReplacementPolicy?: null | #PodReplacementPolicy @go(PodReplacementPolicy,*PodReplacementPolicy) @protobuf(14,bytes,opt,casttype=podReplacementPolicy)
 }
 // JobStatus represents the current state of a Job.
 #JobStatus: {
 	// The latest available observations of an object's current state. When a Job
 	// fails, one of the conditions will have type "Failed" and status true. When
 	// a Job is suspended, one of the conditions will have type "Suspended" and
 	// status true; when the Job is resumed, the status of this condition will
 	// become false. When a Job is completed, one of the conditions will have
 	// type "Complete" and status true.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	// +listType=atomic
 	conditions?: [...#JobCondition] @go(Conditions,[]JobCondition) @protobuf(1,bytes,rep)
 	// Represents time when the job controller started processing a job. When a
 	// Job is created in the suspended state, this field is not set until the
 	// first time it is resumed. This field is reset every time a Job is resumed
 	// from suspension. It is represented in RFC3339 form and is in UTC.
 	// +optional
 	startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(2,bytes,opt)
 	// Represents time when the job was completed. It is not guaranteed to
 	// be set in happens-before order across separate operations.
 	// It is represented in RFC3339 form and is in UTC.
 	// The completion time is only set when the job finishes successfully.
 	// +optional
 	completionTime?: null | metav1.#Time @go(CompletionTime,*metav1.Time) @protobuf(3,bytes,opt)
 	// The number of pending and running pods.
 	// +optional
 	active?: int32 @go(Active) @protobuf(4,varint,opt)
 	// The number of pods which reached phase Succeeded.
 	// +optional
 	succeeded?: int32 @go(Succeeded) @protobuf(5,varint,opt)
 	// The number of pods which reached phase Failed.
 	// +optional
 	failed?: int32 @go(Failed) @protobuf(6,varint,opt)
 	// The number of pods which are terminating (in phase Pending or Running
 	// and have a deletionTimestamp).
 	//
 	// This field is alpha-level. The job controller populates the field when
 	// the feature gate JobPodReplacementPolicy is enabled (disabled by default).
 	// +optional
 	terminating?: null | int32 @go(Terminating,*int32) @protobuf(11,varint,opt)
 	// completedIndexes holds the completed indexes when .spec.completionMode =
 	// "Indexed" in a text format. The indexes are represented as decimal integers
 	// separated by commas. The numbers are listed in increasing order. Three or
 	// more consecutive numbers are compressed and represented by the first and
 	// last element of the series, separated by a hyphen.
 	// For example, if the completed indexes are 1, 3, 4, 5 and 7, they are
 	// represented as "1,3-5,7".
 	// +optional
 	completedIndexes?: string @go(CompletedIndexes) @protobuf(7,bytes,opt)
 	// FailedIndexes holds the failed indexes when backoffLimitPerIndex=true.
 	// The indexes are represented in the text format analogous as for the
 	// `completedIndexes` field, ie. they are kept as decimal integers
 	// separated by commas. The numbers are listed in increasing order. Three or
 	// more consecutive numbers are compressed and represented by the first and
 	// last element of the series, separated by a hyphen.
 	// For example, if the failed indexes are 1, 3, 4, 5 and 7, they are
 	// represented as "1,3-5,7".
 	// This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex`
 	// feature gate is enabled (disabled by default).
 	// +optional
 	failedIndexes?: null | string @go(FailedIndexes,*string) @protobuf(10,bytes,opt)
 	// uncountedTerminatedPods holds the UIDs of Pods that have terminated but
 	// the job controller hasn't yet accounted for in the status counters.
 	//
 	// The job controller creates pods with a finalizer. When a pod terminates
 	// (succeeded or failed), the controller does three steps to account for it
 	// in the job status:
 	//
 	// 1. Add the pod UID to the arrays in this field.
 	// 2. Remove the pod finalizer.
 	// 3. Remove the pod UID from the arrays while increasing the corresponding
 	//     counter.
 	//
 	// Old jobs might not be tracked using this field, in which case the field
 	// remains null.
 	// +optional
 	uncountedTerminatedPods?: null | #UncountedTerminatedPods @go(UncountedTerminatedPods,*UncountedTerminatedPods) @protobuf(8,bytes,opt)
 	// The number of pods which have a Ready condition.
 	//
 	// This field is beta-level. The job controller populates the field when
 	// the feature gate JobReadyPods is enabled (enabled by default).
 	// +optional
 	ready?: null | int32 @go(Ready,*int32) @protobuf(9,varint,opt)
 }
 // UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't
 // been accounted in Job status counters.
 #UncountedTerminatedPods: {
 	// succeeded holds UIDs of succeeded Pods.
 	// +listType=set
 	// +optional
 	succeeded?: [...types.#UID] @go(Succeeded,[]types.UID) @protobuf(1,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID)
 	// failed holds UIDs of failed Pods.
 	// +listType=set
 	// +optional
 	failed?: [...types.#UID] @go(Failed,[]types.UID) @protobuf(2,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID)
 }
 #JobConditionType: string // #enumJobConditionType
 #enumJobConditionType:
 	#JobSuspended |
 	#JobComplete |
 	#JobFailed |
 	#JobFailureTarget
 // JobSuspended means the job has been suspended.
 #JobSuspended: #JobConditionType & "Suspended"
 // JobComplete means the job has completed its execution.
 #JobComplete: #JobConditionType & "Complete"
 // JobFailed means the job has failed its execution.
 #JobFailed: #JobConditionType & "Failed"
 // FailureTarget means the job is about to fail its execution.
 #JobFailureTarget: #JobConditionType & "FailureTarget"
 // JobCondition describes current state of a job.
 #JobCondition: {
 	// Type of job condition, Complete or Failed.
 	type: #JobConditionType @go(Type) @protobuf(1,bytes,opt,casttype=JobConditionType)
 	// Status of the condition, one of True, False, Unknown.
 	status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
 	// Last time the condition was checked.
 	// +optional
 	lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt)
 	// Last time the condition transit from one status to another.
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt)
 	// (brief) reason for the condition's last transition.
 	// +optional
 	reason?: string @go(Reason) @protobuf(5,bytes,opt)
 	// Human readable message indicating details about last transition.
 	// +optional
 	message?: string @go(Message) @protobuf(6,bytes,opt)
 }
 // JobTemplateSpec describes the data a Job should have when created from a template
 #JobTemplateSpec: {
 	// Standard object's metadata of the jobs created from this template.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Specification of the desired behavior of the job.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt)
 }
 // CronJob represents the configuration of a single cron job.
 #CronJob: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Specification of the desired behavior of a cron job, including the schedule.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #CronJobSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Current status of a cron job.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: #CronJobStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // CronJobList is a collection of cron jobs.
 #CronJobList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of CronJobs.
 	items: [...#CronJob] @go(Items,[]CronJob) @protobuf(2,bytes,rep)
 }
 // CronJobSpec describes how the job execution will look like and when it will actually run.
 #CronJobSpec: {
 	// The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
 	schedule: string @go(Schedule) @protobuf(1,bytes,opt)
 	// The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.
 	// If not specified, this will default to the time zone of the kube-controller-manager process.
 	// The set of valid time zone names and the time zone offset is loaded from the system-wide time zone
 	// database by the API server during CronJob validation and the controller manager during execution.
 	// If no system-wide time zone database can be found a bundled version of the database is used instead.
 	// If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host
 	// configuration, the controller will stop creating new new Jobs and will create a system event with the
 	// reason UnknownTimeZone.
 	// More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones
 	// +optional
 	timeZone?: null | string @go(TimeZone,*string) @protobuf(8,bytes,opt)
 	// Optional deadline in seconds for starting the job if it misses scheduled
 	// time for any reason.  Missed jobs executions will be counted as failed ones.
 	// +optional
 	startingDeadlineSeconds?: null | int64 @go(StartingDeadlineSeconds,*int64) @protobuf(2,varint,opt)
 	// Specifies how to treat concurrent executions of a Job.
 	// Valid values are:
 	//
 	// - "Allow" (default): allows CronJobs to run concurrently;
 	// - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet;
 	// - "Replace": cancels currently running job and replaces it with a new one
 	// +optional
 	concurrencyPolicy?: #ConcurrencyPolicy @go(ConcurrencyPolicy) @protobuf(3,bytes,opt,casttype=ConcurrencyPolicy)
 	// This flag tells the controller to suspend subsequent executions, it does
 	// not apply to already started executions.  Defaults to false.
 	// +optional
 	suspend?: null | bool @go(Suspend,*bool) @protobuf(4,varint,opt)
 	// Specifies the job that will be created when executing a CronJob.
 	jobTemplate: #JobTemplateSpec @go(JobTemplate) @protobuf(5,bytes,opt)
 	// The number of successful finished jobs to retain. Value must be non-negative integer.
 	// Defaults to 3.
 	// +optional
 	successfulJobsHistoryLimit?: null | int32 @go(SuccessfulJobsHistoryLimit,*int32) @protobuf(6,varint,opt)
 	// The number of failed finished jobs to retain. Value must be non-negative integer.
 	// Defaults to 1.
 	// +optional
 	failedJobsHistoryLimit?: null | int32 @go(FailedJobsHistoryLimit,*int32) @protobuf(7,varint,opt)
 }
 // ConcurrencyPolicy describes how the job will be handled.
 // Only one of the following concurrent policies may be specified.
 // If none of the following policies is specified, the default one
 // is AllowConcurrent.
 // +enum
 #ConcurrencyPolicy: string // #enumConcurrencyPolicy
 #enumConcurrencyPolicy:
 	#AllowConcurrent |
 	#ForbidConcurrent |
 	#ReplaceConcurrent
 // AllowConcurrent allows CronJobs to run concurrently.
 #AllowConcurrent: #ConcurrencyPolicy & "Allow"
 // ForbidConcurrent forbids concurrent runs, skipping next run if previous
 // hasn't finished yet.
 #ForbidConcurrent: #ConcurrencyPolicy & "Forbid"
 // ReplaceConcurrent cancels currently running job and replaces it with a new one.
 #ReplaceConcurrent: #ConcurrencyPolicy & "Replace"
 // CronJobStatus represents the current state of a cron job.
 #CronJobStatus: {
 	// A list of pointers to currently running jobs.
 	// +optional
 	// +listType=atomic
 	active?: [...corev1.#ObjectReference] @go(Active,[]corev1.ObjectReference) @protobuf(1,bytes,rep)
 	// Information when was the last time the job was successfully scheduled.
 	// +optional
 	lastScheduleTime?: null | metav1.#Time @go(LastScheduleTime,*metav1.Time) @protobuf(4,bytes,opt)
 	// Information when was the last time the job successfully completed.
 	// +optional
 	lastSuccessfulTime?: null | metav1.#Time @go(LastSuccessfulTime,*metav1.Time) @protobuf(5,bytes,opt)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/certificates/v1
 package v1
 #GroupName: "certificates.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue

@@ -0,0 +1,318 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/certificates/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/api/core/v1"
 )
 // CertificateSigningRequest objects provide a mechanism to obtain x509 certificates
 // by submitting a certificate signing request, and having it asynchronously approved and issued.
 //
 // Kubelets use this API to obtain:
 //  1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
 //  2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
 //
 // This API can be used to request client certificates to authenticate to kube-apiserver
 // (with the "kubernetes.io/kube-apiserver-client" signerName),
 // or to obtain certificates from custom non-Kubernetes signers.
 #CertificateSigningRequest: {
 	metav1.#TypeMeta
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec contains the certificate request, and is immutable after creation.
 	// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
 	// Other fields are derived by Kubernetes and cannot be modified by users.
 	spec: #CertificateSigningRequestSpec @go(Spec) @protobuf(2,bytes,opt)
 	// status contains information about whether the request is approved or denied,
 	// and the certificate issued by the signer, or the failure condition indicating signer failure.
 	// +optional
 	status?: #CertificateSigningRequestStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // CertificateSigningRequestSpec contains the certificate request.
 #CertificateSigningRequestSpec: {
 	// request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block.
 	// When serialized as JSON or YAML, the data is additionally base64-encoded.
 	// +listType=atomic
 	request: bytes @go(Request,[]byte) @protobuf(1,bytes,opt)
 	// signerName indicates the requested signer, and is a qualified name.
 	//
 	// List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector.
 	//
 	// Well-known Kubernetes signers are:
 	//  1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver.
 	//   Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager.
 	//  2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver.
 	//   Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
 	//  3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.
 	//   Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
 	//
 	// More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
 	//
 	// Custom signerNames can also be specified. The signer defines:
 	//  1. Trust distribution: how trust (CA bundles) are distributed.
 	//  2. Permitted subjects: and behavior when a disallowed subject is requested.
 	//  3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.
 	//  4. Required, permitted, or forbidden key usages / extended key usages.
 	//  5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
 	//  6. Whether or not requests for CA certificates are allowed.
 	signerName: string @go(SignerName) @protobuf(7,bytes,opt)
 	// expirationSeconds is the requested duration of validity of the issued
 	// certificate. The certificate signer may issue a certificate with a different
 	// validity duration so a client must check the delta between the notBefore and
 	// and notAfter fields in the issued certificate to determine the actual duration.
 	//
 	// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
 	// honor this field as long as the requested duration is not greater than the
 	// maximum duration they will honor per the --cluster-signing-duration CLI
 	// flag to the Kubernetes controller manager.
 	//
 	// Certificate signers may not honor this field for various reasons:
 	//
 	//   1. Old signer that is unaware of the field (such as the in-tree
 	//      implementations prior to v1.22)
 	//   2. Signer whose configured maximum is shorter than the requested duration
 	//   3. Signer whose configured minimum is longer than the requested duration
 	//
 	// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
 	//
 	// +optional
 	expirationSeconds?: null | int32 @go(ExpirationSeconds,*int32) @protobuf(8,varint,opt)
 	// usages specifies a set of key usages requested in the issued certificate.
 	//
 	// Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".
 	//
 	// Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth".
 	//
 	// Valid values are:
 	//  "signing", "digital signature", "content commitment",
 	//  "key encipherment", "key agreement", "data encipherment",
 	//  "cert sign", "crl sign", "encipher only", "decipher only", "any",
 	//  "server auth", "client auth",
 	//  "code signing", "email protection", "s/mime",
 	//  "ipsec end system", "ipsec tunnel", "ipsec user",
 	//  "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
 	// +listType=atomic
 	usages?: [...#KeyUsage] @go(Usages,[]KeyUsage) @protobuf(5,bytes,opt)
 	// username contains the name of the user that created the CertificateSigningRequest.
 	// Populated by the API server on creation and immutable.
 	// +optional
 	username?: string @go(Username) @protobuf(2,bytes,opt)
 	// uid contains the uid of the user that created the CertificateSigningRequest.
 	// Populated by the API server on creation and immutable.
 	// +optional
 	uid?: string @go(UID) @protobuf(3,bytes,opt)
 	// groups contains group membership of the user that created the CertificateSigningRequest.
 	// Populated by the API server on creation and immutable.
 	// +listType=atomic
 	// +optional
 	groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep)
 	// extra contains extra attributes of the user that created the CertificateSigningRequest.
 	// Populated by the API server on creation and immutable.
 	// +optional
 	extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(6,bytes,rep)
 }
 // "kubernetes.io/kube-apiserver-client" signer issues client certificates that can be used to authenticate to kube-apiserver.
 // Never auto-approved by kube-controller-manager.
 // Can be issued by the "csrsigning" controller in kube-controller-manager.
 #KubeAPIServerClientSignerName: "kubernetes.io/kube-apiserver-client"
 // "kubernetes.io/kube-apiserver-client-kubelet" issues client certificates that kubelets use to authenticate to kube-apiserver.
 // Can be auto-approved by the "csrapproving" controller in kube-controller-manager.
 // Can be issued by the "csrsigning" controller in kube-controller-manager.
 #KubeAPIServerClientKubeletSignerName: "kubernetes.io/kube-apiserver-client-kubelet"
 // "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints,
 // which kube-apiserver can connect to securely.
 // Never auto-approved by kube-controller-manager.
 // Can be issued by the "csrsigning" controller in kube-controller-manager.
 #KubeletServingSignerName: "kubernetes.io/kubelet-serving"
 // ExtraValue masks the value so protobuf can generate
 // +protobuf.nullable=true
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 #ExtraValue: [...string]
 // CertificateSigningRequestStatus contains conditions used to indicate
 // approved/denied/failed status of the request, and the issued certificate.
 #CertificateSigningRequestStatus: {
 	// conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed".
 	// +listType=map
 	// +listMapKey=type
 	// +optional
 	conditions?: [...#CertificateSigningRequestCondition] @go(Conditions,[]CertificateSigningRequestCondition) @protobuf(1,bytes,rep)
 	// certificate is populated with an issued certificate by the signer after an Approved condition is present.
 	// This field is set via the /status subresource. Once populated, this field is immutable.
 	//
 	// If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty.
 	// If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty.
 	//
 	// Validation requirements:
 	//  1. certificate must contain one or more PEM blocks.
 	//  2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data
 	//   must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
 	//  3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated,
 	//   to allow for explanatory text as described in section 5.2 of RFC7468.
 	//
 	// If more than one PEM block is present, and the definition of the requested spec.signerName
 	// does not indicate otherwise, the first block is the issued certificate,
 	// and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.
 	//
 	// The certificate is encoded in PEM format.
 	//
 	// When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:
 	//
 	//     base64(
 	//     -----BEGIN CERTIFICATE-----
 	//     ...
 	//     -----END CERTIFICATE-----
 	//     )
 	//
 	// +listType=atomic
 	// +optional
 	certificate?: bytes @go(Certificate,[]byte) @protobuf(2,bytes,opt)
 }
 // RequestConditionType is the type of a CertificateSigningRequestCondition
 #RequestConditionType: string // #enumRequestConditionType
 #enumRequestConditionType:
 	#CertificateApproved |
 	#CertificateDenied |
 	#CertificateFailed
 // Approved indicates the request was approved and should be issued by the signer.
 #CertificateApproved: #RequestConditionType & "Approved"
 // Denied indicates the request was denied and should not be issued by the signer.
 #CertificateDenied: #RequestConditionType & "Denied"
 // Failed indicates the signer failed to issue the certificate.
 #CertificateFailed: #RequestConditionType & "Failed"
 // CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object
 #CertificateSigningRequestCondition: {
 	// type of the condition. Known conditions are "Approved", "Denied", and "Failed".
 	//
 	// An "Approved" condition is added via the /approval subresource,
 	// indicating the request was approved and should be issued by the signer.
 	//
 	// A "Denied" condition is added via the /approval subresource,
 	// indicating the request was denied and should not be issued by the signer.
 	//
 	// A "Failed" condition is added via the /status subresource,
 	// indicating the signer failed to issue the certificate.
 	//
 	// Approved and Denied conditions are mutually exclusive.
 	// Approved, Denied, and Failed conditions cannot be removed once added.
 	//
 	// Only one condition of a given type is allowed.
 	type: #RequestConditionType @go(Type) @protobuf(1,bytes,opt,casttype=RequestConditionType)
 	// status of the condition, one of True, False, Unknown.
 	// Approved, Denied, and Failed conditions may not be "False" or "Unknown".
 	status: v1.#ConditionStatus @go(Status) @protobuf(6,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
 	// reason indicates a brief reason for the request state
 	// +optional
 	reason?: string @go(Reason) @protobuf(2,bytes,opt)
 	// message contains a human readable message with details about the request state
 	// +optional
 	message?: string @go(Message) @protobuf(3,bytes,opt)
 	// lastUpdateTime is the time of the last update to this condition
 	// +optional
 	lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(4,bytes,opt)
 	// lastTransitionTime is the time the condition last transitioned from one status to another.
 	// If unset, when a new condition type is added or an existing condition's status is changed,
 	// the server defaults this to the current time.
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(5,bytes,opt)
 }
 // CertificateSigningRequestList is a collection of CertificateSigningRequest objects
 #CertificateSigningRequestList: {
 	metav1.#TypeMeta
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is a collection of CertificateSigningRequest objects
 	items: [...#CertificateSigningRequest] @go(Items,[]CertificateSigningRequest) @protobuf(2,bytes,rep)
 }
 // KeyUsage specifies valid usage contexts for keys.
 // See:
 //
 //	https://tools.ietf.org/html/rfc5280#section-4.2.1.3
 //	https://tools.ietf.org/html/rfc5280#section-4.2.1.12
 //
 // +enum
 #KeyUsage: string // #enumKeyUsage
 #enumKeyUsage:
 	#UsageSigning |
 	#UsageDigitalSignature |
 	#UsageContentCommitment |
 	#UsageKeyEncipherment |
 	#UsageKeyAgreement |
 	#UsageDataEncipherment |
 	#UsageCertSign |
 	#UsageCRLSign |
 	#UsageEncipherOnly |
 	#UsageDecipherOnly |
 	#UsageAny |
 	#UsageServerAuth |
 	#UsageClientAuth |
 	#UsageCodeSigning |
 	#UsageEmailProtection |
 	#UsageSMIME |
 	#UsageIPsecEndSystem |
 	#UsageIPsecTunnel |
 	#UsageIPsecUser |
 	#UsageTimestamping |
 	#UsageOCSPSigning |
 	#UsageMicrosoftSGC |
 	#UsageNetscapeSGC
 #UsageSigning:           #KeyUsage & "signing"
 #UsageDigitalSignature:  #KeyUsage & "digital signature"
 #UsageContentCommitment: #KeyUsage & "content commitment"
 #UsageKeyEncipherment:   #KeyUsage & "key encipherment"
 #UsageKeyAgreement:      #KeyUsage & "key agreement"
 #UsageDataEncipherment:  #KeyUsage & "data encipherment"
 #UsageCertSign:          #KeyUsage & "cert sign"
 #UsageCRLSign:           #KeyUsage & "crl sign"
 #UsageEncipherOnly:      #KeyUsage & "encipher only"
 #UsageDecipherOnly:      #KeyUsage & "decipher only"
 #UsageAny:               #KeyUsage & "any"
 #UsageServerAuth:        #KeyUsage & "server auth"
 #UsageClientAuth:        #KeyUsage & "client auth"
 #UsageCodeSigning:       #KeyUsage & "code signing"
 #UsageEmailProtection:   #KeyUsage & "email protection"
 #UsageSMIME:             #KeyUsage & "s/mime"
 #UsageIPsecEndSystem:    #KeyUsage & "ipsec end system"
 #UsageIPsecTunnel:       #KeyUsage & "ipsec tunnel"
 #UsageIPsecUser:         #KeyUsage & "ipsec user"
 #UsageTimestamping:      #KeyUsage & "timestamping"
 #UsageOCSPSigning:       #KeyUsage & "ocsp signing"
 #UsageMicrosoftSGC:      #KeyUsage & "microsoft sgc"
 #UsageNetscapeSGC:       #KeyUsage & "netscape sgc"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/coordination/v1
 package v1
 #GroupName: "coordination.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue

@@ -0,0 +1,61 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/coordination/v1
 package v1
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // Lease defines a lease concept.
 #Lease: {
 	metav1.#TypeMeta
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec contains the specification of the Lease.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #LeaseSpec @go(Spec) @protobuf(2,bytes,opt)
 }
 // LeaseSpec is a specification of a Lease.
 #LeaseSpec: {
 	// holderIdentity contains the identity of the holder of a current lease.
 	// +optional
 	holderIdentity?: null | string @go(HolderIdentity,*string) @protobuf(1,bytes,opt)
 	// leaseDurationSeconds is a duration that candidates for a lease need
 	// to wait to force acquire it. This is measure against time of last
 	// observed renewTime.
 	// +optional
 	leaseDurationSeconds?: null | int32 @go(LeaseDurationSeconds,*int32) @protobuf(2,varint,opt)
 	// acquireTime is a time when the current lease was acquired.
 	// +optional
 	acquireTime?: null | metav1.#MicroTime @go(AcquireTime,*metav1.MicroTime) @protobuf(3,bytes,opt)
 	// renewTime is a time when the current holder of a lease has last
 	// updated the lease.
 	// +optional
 	renewTime?: null | metav1.#MicroTime @go(RenewTime,*metav1.MicroTime) @protobuf(4,bytes,opt)
 	// leaseTransitions is the number of transitions of a lease between
 	// holders.
 	// +optional
 	leaseTransitions?: null | int32 @go(LeaseTransitions,*int32) @protobuf(5,varint,opt)
 }
 // LeaseList is a list of Lease objects.
 #LeaseList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is a list of schema objects.
 	items: [...#Lease] @go(Items,[]Lease) @protobuf(2,bytes,rep)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue

@@ -0,0 +1,147 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/core/v1
 package v1
 // ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
 // webhook backend fails.
 #ImagePolicyFailedOpenKey: "alpha.image-policy.k8s.io/failed-open"
 // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
 #MirrorPodAnnotationKey: "kubernetes.io/config.mirror"
 // TolerationsAnnotationKey represents the key of tolerations data (json serialized)
 // in the Annotations of a Pod.
 #TolerationsAnnotationKey: "scheduler.alpha.kubernetes.io/tolerations"
 // TaintsAnnotationKey represents the key of taints data (json serialized)
 // in the Annotations of a Node.
 #TaintsAnnotationKey: "scheduler.alpha.kubernetes.io/taints"
 // SeccompPodAnnotationKey represents the key of a seccomp profile applied
 // to all containers of a pod.
 // Deprecated: set a pod security context `seccompProfile` field.
 #SeccompPodAnnotationKey: "seccomp.security.alpha.kubernetes.io/pod"
 // SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
 // to one container of a pod.
 // Deprecated: set a container security context `seccompProfile` field.
 #SeccompContainerAnnotationKeyPrefix: "container.seccomp.security.alpha.kubernetes.io/"
 // SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
 // Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
 #SeccompProfileRuntimeDefault: "runtime/default"
 // SeccompProfileNameUnconfined is the unconfined seccomp profile.
 #SeccompProfileNameUnconfined: "unconfined"
 // SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk.
 #SeccompLocalhostProfileNamePrefix: "localhost/"
 // AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
 #AppArmorBetaContainerAnnotationKeyPrefix: "container.apparmor.security.beta.kubernetes.io/"
 // AppArmorBetaDefaultProfileAnnotationKey is the annotation key specifying the default AppArmor profile.
 #AppArmorBetaDefaultProfileAnnotationKey: "apparmor.security.beta.kubernetes.io/defaultProfileName"
 // AppArmorBetaAllowedProfilesAnnotationKey is the annotation key specifying the allowed AppArmor profiles.
 #AppArmorBetaAllowedProfilesAnnotationKey: "apparmor.security.beta.kubernetes.io/allowedProfileNames"
 // AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
 #AppArmorBetaProfileRuntimeDefault: "runtime/default"
 // AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
 #AppArmorBetaProfileNamePrefix: "localhost/"
 // AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
 #AppArmorBetaProfileNameUnconfined: "unconfined"
 // DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
 // Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
 #DeprecatedSeccompProfileDockerDefault: "docker/default"
 // PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
 // in the Annotations of a Node.
 #PreferAvoidPodsAnnotationKey: "scheduler.alpha.kubernetes.io/preferAvoidPods"
 // ObjectTTLAnnotationKey represents a suggestion for kubelet for how long it can cache
 // an object (e.g. secret, config map) before fetching it again from apiserver.
 // This annotation can be attached to node.
 #ObjectTTLAnnotationKey: "node.alpha.kubernetes.io/ttl"
 // annotation key prefix used to identify non-convertible json paths.
 #NonConvertibleAnnotationPrefix: "non-convertible.kubernetes.io"
 _#kubectlPrefix:                 "kubectl.kubernetes.io/"
 // LastAppliedConfigAnnotation is the annotation used to store the previous
 // configuration of a resource for use in a three way diff by UpdateApplyAnnotation.
 #LastAppliedConfigAnnotation: "kubectl.kubernetes.io/last-applied-configuration"
 // AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers
 //
 // It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to
 // allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow
 // access only from the CIDRs currently allocated to MIT & the USPS.
 //
 // Not all cloud providers support this annotation, though AWS & GCE do.
 #AnnotationLoadBalancerSourceRangesKey: "service.beta.kubernetes.io/load-balancer-source-ranges"
 // EndpointsLastChangeTriggerTime is the annotation key, set for endpoints objects, that
 // represents the timestamp (stored as RFC 3339 date-time string, e.g. '2018-10-22T19:32:52.1Z')
 // of the last change, of some Pod or Service object, that triggered the endpoints object change.
 // In other words, if a Pod / Service changed at time T0, that change was observed by endpoints
 // controller at T1, and the Endpoints object was changed at T2, the
 // EndpointsLastChangeTriggerTime would be set to T0.
 //
 // The "endpoints change trigger" here means any Pod or Service change that resulted in the
 // Endpoints object change.
 //
 // Given the definition of the "endpoints change trigger", please note that this annotation will
 // be set ONLY for endpoints object changes triggered by either Pod or Service change. If the
 // Endpoints object changes due to other reasons, this annotation won't be set (or updated if it's
 // already set).
 //
 // This annotation will be used to compute the in-cluster network programming latency SLI, see
 // https://github.com/kubernetes/community/blob/master/sig-scalability/slos/network_programming_latency.md
 #EndpointsLastChangeTriggerTime: "endpoints.kubernetes.io/last-change-trigger-time"
 // EndpointsOverCapacity will be set on an Endpoints resource when it
 // exceeds the maximum capacity of 1000 addresses. Initially the Endpoints
 // controller will set this annotation with a value of "warning". In a
 // future release, the controller may set this annotation with a value of
 // "truncated" to indicate that any addresses exceeding the limit of 1000
 // have been truncated from the Endpoints resource.
 #EndpointsOverCapacity: "endpoints.kubernetes.io/over-capacity"
 // MigratedPluginsAnnotationKey is the annotation key, set for CSINode objects, that is a comma-separated
 // list of in-tree plugins that will be serviced by the CSI backend on the Node represented by CSINode.
 // This annotation is used by the Attach Detach Controller to determine whether to use the in-tree or
 // CSI Backend for a volume plugin on a specific node.
 #MigratedPluginsAnnotationKey: "storage.alpha.kubernetes.io/migrated-plugins"
 // PodDeletionCost can be used to set to an int32 that represent the cost of deleting
 // a pod compared to other pods belonging to the same ReplicaSet. Pods with lower
 // deletion cost are preferred to be deleted before pods with higher deletion cost.
 // Note that this is honored on a best-effort basis, and so it does not offer guarantees on
 // pod deletion order.
 // The implicit deletion cost for pods that don't set the annotation is 0, negative values are permitted.
 //
 // This annotation is beta-level and is only honored when PodDeletionCost feature is enabled.
 #PodDeletionCost: "controller.kubernetes.io/pod-deletion-cost"
 // DeprecatedAnnotationTopologyAwareHints can be used to enable or disable
 // Topology Aware Hints for a Service. This may be set to "Auto" or
 // "Disabled". Any other value is treated as "Disabled". This annotation has
 // been deprecated in favor of the "service.kubernetes.io/topology-mode"
 // annotation.
 #DeprecatedAnnotationTopologyAwareHints: "service.kubernetes.io/topology-aware-hints"
 // AnnotationTopologyMode can be used to enable or disable Topology Aware
 // Routing for a Service. Well known values are "Auto" and "Disabled".
 // Implementations may choose to develop new topology approaches, exposing
 // them with domain-prefixed values. For example, "example.com/lowest-rtt"
 // could be a valid implementation-specific value for this annotation. These
 // heuristics will often populate topology hints on EndpointSlices, but that
 // is not a requirement.
 #AnnotationTopologyMode: "service.kubernetes.io/topology-mode"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/core/v1
 // Package v1 is the v1 version of the core API.
 package v1

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/core/v1
 package v1
 #GroupName: ""

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue

@@ -0,0 +1,7617 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/core/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/types"
 )
 // NamespaceDefault means the object is in the default namespace which is applied when not specified by clients
 #NamespaceDefault: "default"
 // NamespaceAll is the default argument to specify on a context when you want to list or filter resources across all namespaces
 #NamespaceAll: ""
 // NamespaceNodeLease is the namespace where we place node lease objects (used for node heartbeats)
 #NamespaceNodeLease: "kube-node-lease"
 // Volume represents a named volume in a pod that may be accessed by any container in the pod.
 #Volume: {
 	// name of the volume.
 	// Must be a DNS_LABEL and unique within the pod.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	#VolumeSource
 }
 // Represents the source of a volume to mount.
 // Only one of its members may be specified.
 #VolumeSource: {
 	// hostPath represents a pre-existing file or directory on the host
 	// machine that is directly exposed to the container. This is generally
 	// used for system agents or other privileged things that are allowed
 	// to see the host machine. Most containers will NOT need this.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
 	// ---
 	// TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
 	// mount host directories as read/write.
 	// +optional
 	hostPath?: null | #HostPathVolumeSource @go(HostPath,*HostPathVolumeSource) @protobuf(1,bytes,opt)
 	// emptyDir represents a temporary directory that shares a pod's lifetime.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
 	// +optional
 	emptyDir?: null | #EmptyDirVolumeSource @go(EmptyDir,*EmptyDirVolumeSource) @protobuf(2,bytes,opt)
 	// gcePersistentDisk represents a GCE Disk resource that is attached to a
 	// kubelet's host machine and then exposed to the pod.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
 	// +optional
 	gcePersistentDisk?: null | #GCEPersistentDiskVolumeSource @go(GCEPersistentDisk,*GCEPersistentDiskVolumeSource) @protobuf(3,bytes,opt)
 	// awsElasticBlockStore represents an AWS Disk resource that is attached to a
 	// kubelet's host machine and then exposed to the pod.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
 	// +optional
 	awsElasticBlockStore?: null | #AWSElasticBlockStoreVolumeSource @go(AWSElasticBlockStore,*AWSElasticBlockStoreVolumeSource) @protobuf(4,bytes,opt)
 	// gitRepo represents a git repository at a particular revision.
 	// DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
 	// EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
 	// into the Pod's container.
 	// +optional
 	gitRepo?: null | #GitRepoVolumeSource @go(GitRepo,*GitRepoVolumeSource) @protobuf(5,bytes,opt)
 	// secret represents a secret that should populate this volume.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
 	// +optional
 	secret?: null | #SecretVolumeSource @go(Secret,*SecretVolumeSource) @protobuf(6,bytes,opt)
 	// nfs represents an NFS mount on the host that shares a pod's lifetime
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
 	// +optional
 	nfs?: null | #NFSVolumeSource @go(NFS,*NFSVolumeSource) @protobuf(7,bytes,opt)
 	// iscsi represents an ISCSI Disk resource that is attached to a
 	// kubelet's host machine and then exposed to the pod.
 	// More info: https://examples.k8s.io/volumes/iscsi/README.md
 	// +optional
 	iscsi?: null | #ISCSIVolumeSource @go(ISCSI,*ISCSIVolumeSource) @protobuf(8,bytes,opt)
 	// glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
 	// More info: https://examples.k8s.io/volumes/glusterfs/README.md
 	// +optional
 	glusterfs?: null | #GlusterfsVolumeSource @go(Glusterfs,*GlusterfsVolumeSource) @protobuf(9,bytes,opt)
 	// persistentVolumeClaimVolumeSource represents a reference to a
 	// PersistentVolumeClaim in the same namespace.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
 	// +optional
 	persistentVolumeClaim?: null | #PersistentVolumeClaimVolumeSource @go(PersistentVolumeClaim,*PersistentVolumeClaimVolumeSource) @protobuf(10,bytes,opt)
 	// rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md
 	// +optional
 	rbd?: null | #RBDVolumeSource @go(RBD,*RBDVolumeSource) @protobuf(11,bytes,opt)
 	// flexVolume represents a generic volume resource that is
 	// provisioned/attached using an exec based plugin.
 	// +optional
 	flexVolume?: null | #FlexVolumeSource @go(FlexVolume,*FlexVolumeSource) @protobuf(12,bytes,opt)
 	// cinder represents a cinder volume attached and mounted on kubelets host machine.
 	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	// +optional
 	cinder?: null | #CinderVolumeSource @go(Cinder,*CinderVolumeSource) @protobuf(13,bytes,opt)
 	// cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
 	// +optional
 	cephfs?: null | #CephFSVolumeSource @go(CephFS,*CephFSVolumeSource) @protobuf(14,bytes,opt)
 	// flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
 	// +optional
 	flocker?: null | #FlockerVolumeSource @go(Flocker,*FlockerVolumeSource) @protobuf(15,bytes,opt)
 	// downwardAPI represents downward API about the pod that should populate this volume
 	// +optional
 	downwardAPI?: null | #DownwardAPIVolumeSource @go(DownwardAPI,*DownwardAPIVolumeSource) @protobuf(16,bytes,opt)
 	// fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
 	// +optional
 	fc?: null | #FCVolumeSource @go(FC,*FCVolumeSource) @protobuf(17,bytes,opt)
 	// azureFile represents an Azure File Service mount on the host and bind mount to the pod.
 	// +optional
 	azureFile?: null | #AzureFileVolumeSource @go(AzureFile,*AzureFileVolumeSource) @protobuf(18,bytes,opt)
 	// configMap represents a configMap that should populate this volume
 	// +optional
 	configMap?: null | #ConfigMapVolumeSource @go(ConfigMap,*ConfigMapVolumeSource) @protobuf(19,bytes,opt)
 	// vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
 	// +optional
 	vsphereVolume?: null | #VsphereVirtualDiskVolumeSource @go(VsphereVolume,*VsphereVirtualDiskVolumeSource) @protobuf(20,bytes,opt)
 	// quobyte represents a Quobyte mount on the host that shares a pod's lifetime
 	// +optional
 	quobyte?: null | #QuobyteVolumeSource @go(Quobyte,*QuobyteVolumeSource) @protobuf(21,bytes,opt)
 	// azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
 	// +optional
 	azureDisk?: null | #AzureDiskVolumeSource @go(AzureDisk,*AzureDiskVolumeSource) @protobuf(22,bytes,opt)
 	// photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
 	photonPersistentDisk?: null | #PhotonPersistentDiskVolumeSource @go(PhotonPersistentDisk,*PhotonPersistentDiskVolumeSource) @protobuf(23,bytes,opt)
 	// projected items for all in one resources secrets, configmaps, and downward API
 	projected?: null | #ProjectedVolumeSource @go(Projected,*ProjectedVolumeSource) @protobuf(26,bytes,opt)
 	// portworxVolume represents a portworx volume attached and mounted on kubelets host machine
 	// +optional
 	portworxVolume?: null | #PortworxVolumeSource @go(PortworxVolume,*PortworxVolumeSource) @protobuf(24,bytes,opt)
 	// scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
 	// +optional
 	scaleIO?: null | #ScaleIOVolumeSource @go(ScaleIO,*ScaleIOVolumeSource) @protobuf(25,bytes,opt)
 	// storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
 	// +optional
 	storageos?: null | #StorageOSVolumeSource @go(StorageOS,*StorageOSVolumeSource) @protobuf(27,bytes,opt)
 	// csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
 	// +optional
 	csi?: null | #CSIVolumeSource @go(CSI,*CSIVolumeSource) @protobuf(28,bytes,opt)
 	// ephemeral represents a volume that is handled by a cluster storage driver.
 	// The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
 	// and deleted when the pod is removed.
 	//
 	// Use this if:
 	// a) the volume is only needed while the pod runs,
 	// b) features of normal volumes like restoring from snapshot or capacity
 	//    tracking are needed,
 	// c) the storage driver is specified through a storage class, and
 	// d) the storage driver supports dynamic volume provisioning through
 	//    a PersistentVolumeClaim (see EphemeralVolumeSource for more
 	//    information on the connection between this volume type
 	//    and PersistentVolumeClaim).
 	//
 	// Use PersistentVolumeClaim or one of the vendor-specific
 	// APIs for volumes that persist for longer than the lifecycle
 	// of an individual pod.
 	//
 	// Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
 	// be used that way - see the documentation of the driver for
 	// more information.
 	//
 	// A pod can use both types of ephemeral volumes and
 	// persistent volumes at the same time.
 	//
 	// +optional
 	ephemeral?: null | #EphemeralVolumeSource @go(Ephemeral,*EphemeralVolumeSource) @protobuf(29,bytes,opt)
 }
 // PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace.
 // This volume finds the bound PV and mounts that volume for the pod. A
 // PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another
 // type of volume that is owned by someone else (the system).
 #PersistentVolumeClaimVolumeSource: {
 	// claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
 	claimName: string @go(ClaimName) @protobuf(1,bytes,opt)
 	// readOnly Will force the ReadOnly setting in VolumeMounts.
 	// Default false.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(2,varint,opt)
 }
 // PersistentVolumeSource is similar to VolumeSource but meant for the
 // administrator who creates PVs. Exactly one of its members must be set.
 #PersistentVolumeSource: {
 	// gcePersistentDisk represents a GCE Disk resource that is attached to a
 	// kubelet's host machine and then exposed to the pod. Provisioned by an admin.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
 	// +optional
 	gcePersistentDisk?: null | #GCEPersistentDiskVolumeSource @go(GCEPersistentDisk,*GCEPersistentDiskVolumeSource) @protobuf(1,bytes,opt)
 	// awsElasticBlockStore represents an AWS Disk resource that is attached to a
 	// kubelet's host machine and then exposed to the pod.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
 	// +optional
 	awsElasticBlockStore?: null | #AWSElasticBlockStoreVolumeSource @go(AWSElasticBlockStore,*AWSElasticBlockStoreVolumeSource) @protobuf(2,bytes,opt)
 	// hostPath represents a directory on the host.
 	// Provisioned by a developer or tester.
 	// This is useful for single-node development and testing only!
 	// On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
 	// +optional
 	hostPath?: null | #HostPathVolumeSource @go(HostPath,*HostPathVolumeSource) @protobuf(3,bytes,opt)
 	// glusterfs represents a Glusterfs volume that is attached to a host and
 	// exposed to the pod. Provisioned by an admin.
 	// More info: https://examples.k8s.io/volumes/glusterfs/README.md
 	// +optional
 	glusterfs?: null | #GlusterfsPersistentVolumeSource @go(Glusterfs,*GlusterfsPersistentVolumeSource) @protobuf(4,bytes,opt)
 	// nfs represents an NFS mount on the host. Provisioned by an admin.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
 	// +optional
 	nfs?: null | #NFSVolumeSource @go(NFS,*NFSVolumeSource) @protobuf(5,bytes,opt)
 	// rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md
 	// +optional
 	rbd?: null | #RBDPersistentVolumeSource @go(RBD,*RBDPersistentVolumeSource) @protobuf(6,bytes,opt)
 	// iscsi represents an ISCSI Disk resource that is attached to a
 	// kubelet's host machine and then exposed to the pod. Provisioned by an admin.
 	// +optional
 	iscsi?: null | #ISCSIPersistentVolumeSource @go(ISCSI,*ISCSIPersistentVolumeSource) @protobuf(7,bytes,opt)
 	// cinder represents a cinder volume attached and mounted on kubelets host machine.
 	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	// +optional
 	cinder?: null | #CinderPersistentVolumeSource @go(Cinder,*CinderPersistentVolumeSource) @protobuf(8,bytes,opt)
 	// cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
 	// +optional
 	cephfs?: null | #CephFSPersistentVolumeSource @go(CephFS,*CephFSPersistentVolumeSource) @protobuf(9,bytes,opt)
 	// fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
 	// +optional
 	fc?: null | #FCVolumeSource @go(FC,*FCVolumeSource) @protobuf(10,bytes,opt)
 	// flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running
 	// +optional
 	flocker?: null | #FlockerVolumeSource @go(Flocker,*FlockerVolumeSource) @protobuf(11,bytes,opt)
 	// flexVolume represents a generic volume resource that is
 	// provisioned/attached using an exec based plugin.
 	// +optional
 	flexVolume?: null | #FlexPersistentVolumeSource @go(FlexVolume,*FlexPersistentVolumeSource) @protobuf(12,bytes,opt)
 	// azureFile represents an Azure File Service mount on the host and bind mount to the pod.
 	// +optional
 	azureFile?: null | #AzureFilePersistentVolumeSource @go(AzureFile,*AzureFilePersistentVolumeSource) @protobuf(13,bytes,opt)
 	// vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
 	// +optional
 	vsphereVolume?: null | #VsphereVirtualDiskVolumeSource @go(VsphereVolume,*VsphereVirtualDiskVolumeSource) @protobuf(14,bytes,opt)
 	// quobyte represents a Quobyte mount on the host that shares a pod's lifetime
 	// +optional
 	quobyte?: null | #QuobyteVolumeSource @go(Quobyte,*QuobyteVolumeSource) @protobuf(15,bytes,opt)
 	// azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
 	// +optional
 	azureDisk?: null | #AzureDiskVolumeSource @go(AzureDisk,*AzureDiskVolumeSource) @protobuf(16,bytes,opt)
 	// photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
 	photonPersistentDisk?: null | #PhotonPersistentDiskVolumeSource @go(PhotonPersistentDisk,*PhotonPersistentDiskVolumeSource) @protobuf(17,bytes,opt)
 	// portworxVolume represents a portworx volume attached and mounted on kubelets host machine
 	// +optional
 	portworxVolume?: null | #PortworxVolumeSource @go(PortworxVolume,*PortworxVolumeSource) @protobuf(18,bytes,opt)
 	// scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
 	// +optional
 	scaleIO?: null | #ScaleIOPersistentVolumeSource @go(ScaleIO,*ScaleIOPersistentVolumeSource) @protobuf(19,bytes,opt)
 	// local represents directly-attached storage with node affinity
 	// +optional
 	local?: null | #LocalVolumeSource @go(Local,*LocalVolumeSource) @protobuf(20,bytes,opt)
 	// storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod
 	// More info: https://examples.k8s.io/volumes/storageos/README.md
 	// +optional
 	storageos?: null | #StorageOSPersistentVolumeSource @go(StorageOS,*StorageOSPersistentVolumeSource) @protobuf(21,bytes,opt)
 	// csi represents storage that is handled by an external CSI driver (Beta feature).
 	// +optional
 	csi?: null | #CSIPersistentVolumeSource @go(CSI,*CSIPersistentVolumeSource) @protobuf(22,bytes,opt)
 }
 // BetaStorageClassAnnotation represents the beta/previous StorageClass annotation.
 // It's currently still used and will be held for backwards compatibility
 #BetaStorageClassAnnotation: "volume.beta.kubernetes.io/storage-class"
 // MountOptionAnnotation defines mount option annotation used in PVs
 #MountOptionAnnotation: "volume.beta.kubernetes.io/mount-options"
 // PersistentVolume (PV) is a storage resource provisioned by an administrator.
 // It is analogous to a node.
 // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes
 #PersistentVolume: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec defines a specification of a persistent volume owned by the cluster.
 	// Provisioned by an administrator.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes
 	// +optional
 	spec?: #PersistentVolumeSpec @go(Spec) @protobuf(2,bytes,opt)
 	// status represents the current information/status for the persistent volume.
 	// Populated by the system.
 	// Read-only.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes
 	// +optional
 	status?: #PersistentVolumeStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // PersistentVolumeSpec is the specification of a persistent volume.
 #PersistentVolumeSpec: {
 	// capacity is the description of the persistent volume's resources and capacity.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity
 	// +optional
 	capacity?: #ResourceList @go(Capacity) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	#PersistentVolumeSource
 	// accessModes contains all ways the volume can be mounted.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes
 	// +optional
 	accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(3,bytes,rep,casttype=PersistentVolumeAccessMode)
 	// claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim.
 	// Expected to be non-nil when bound.
 	// claim.VolumeName is the authoritative bind between PV and PVC.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding
 	// +optional
 	// +structType=granular
 	claimRef?: null | #ObjectReference @go(ClaimRef,*ObjectReference) @protobuf(4,bytes,opt)
 	// persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim.
 	// Valid options are Retain (default for manually created PersistentVolumes), Delete (default
 	// for dynamically provisioned PersistentVolumes), and Recycle (deprecated).
 	// Recycle must be supported by the volume plugin underlying this PersistentVolume.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming
 	// +optional
 	persistentVolumeReclaimPolicy?: #PersistentVolumeReclaimPolicy @go(PersistentVolumeReclaimPolicy) @protobuf(5,bytes,opt,casttype=PersistentVolumeReclaimPolicy)
 	// storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value
 	// means that this volume does not belong to any StorageClass.
 	// +optional
 	storageClassName?: string @go(StorageClassName) @protobuf(6,bytes,opt)
 	// mountOptions is the list of mount options, e.g. ["ro", "soft"]. Not validated - mount will
 	// simply fail if one is invalid.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options
 	// +optional
 	mountOptions?: [...string] @go(MountOptions,[]string) @protobuf(7,bytes,opt)
 	// volumeMode defines if a volume is intended to be used with a formatted filesystem
 	// or to remain in raw block state. Value of Filesystem is implied when not included in spec.
 	// +optional
 	volumeMode?: null | #PersistentVolumeMode @go(VolumeMode,*PersistentVolumeMode) @protobuf(8,bytes,opt,casttype=PersistentVolumeMode)
 	// nodeAffinity defines constraints that limit what nodes this volume can be accessed from.
 	// This field influences the scheduling of pods that use this volume.
 	// +optional
 	nodeAffinity?: null | #VolumeNodeAffinity @go(NodeAffinity,*VolumeNodeAffinity) @protobuf(9,bytes,opt)
 }
 // VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from.
 #VolumeNodeAffinity: {
 	// required specifies hard node constraints that must be met.
 	required?: null | #NodeSelector @go(Required,*NodeSelector) @protobuf(1,bytes,opt)
 }
 // PersistentVolumeReclaimPolicy describes a policy for end-of-life maintenance of persistent volumes.
 // +enum
 #PersistentVolumeReclaimPolicy: string // #enumPersistentVolumeReclaimPolicy
 #enumPersistentVolumeReclaimPolicy:
 	#PersistentVolumeReclaimRecycle |
 	#PersistentVolumeReclaimDelete |
 	#PersistentVolumeReclaimRetain
 // PersistentVolumeReclaimRecycle means the volume will be recycled back into the pool of unbound persistent volumes on release from its claim.
 // The volume plugin must support Recycling.
 #PersistentVolumeReclaimRecycle: #PersistentVolumeReclaimPolicy & "Recycle"
 // PersistentVolumeReclaimDelete means the volume will be deleted from Kubernetes on release from its claim.
 // The volume plugin must support Deletion.
 #PersistentVolumeReclaimDelete: #PersistentVolumeReclaimPolicy & "Delete"
 // PersistentVolumeReclaimRetain means the volume will be left in its current phase (Released) for manual reclamation by the administrator.
 // The default policy is Retain.
 #PersistentVolumeReclaimRetain: #PersistentVolumeReclaimPolicy & "Retain"
 // PersistentVolumeMode describes how a volume is intended to be consumed, either Block or Filesystem.
 // +enum
 #PersistentVolumeMode: string // #enumPersistentVolumeMode
 #enumPersistentVolumeMode:
 	#PersistentVolumeBlock |
 	#PersistentVolumeFilesystem
 // PersistentVolumeBlock means the volume will not be formatted with a filesystem and will remain a raw block device.
 #PersistentVolumeBlock: #PersistentVolumeMode & "Block"
 // PersistentVolumeFilesystem means the volume will be or is formatted with a filesystem.
 #PersistentVolumeFilesystem: #PersistentVolumeMode & "Filesystem"
 // PersistentVolumeStatus is the current status of a persistent volume.
 #PersistentVolumeStatus: {
 	// phase indicates if a volume is available, bound to a claim, or released by a claim.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase
 	// +optional
 	phase?: #PersistentVolumePhase @go(Phase) @protobuf(1,bytes,opt,casttype=PersistentVolumePhase)
 	// message is a human-readable message indicating details about why the volume is in this state.
 	// +optional
 	message?: string @go(Message) @protobuf(2,bytes,opt)
 	// reason is a brief CamelCase string that describes any failure and is meant
 	// for machine parsing and tidy display in the CLI.
 	// +optional
 	reason?: string @go(Reason) @protobuf(3,bytes,opt)
 	// lastPhaseTransitionTime is the time the phase transitioned from one to another
 	// and automatically resets to current time everytime a volume phase transitions.
 	// This is an alpha field and requires enabling PersistentVolumeLastPhaseTransitionTime feature.
 	// +featureGate=PersistentVolumeLastPhaseTransitionTime
 	// +optional
 	lastPhaseTransitionTime?: null | metav1.#Time @go(LastPhaseTransitionTime,*metav1.Time) @protobuf(4,bytes,opt)
 }
 // PersistentVolumeList is a list of PersistentVolume items.
 #PersistentVolumeList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is a list of persistent volumes.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes
 	items: [...#PersistentVolume] @go(Items,[]PersistentVolume) @protobuf(2,bytes,rep)
 }
 // PersistentVolumeClaim is a user's request for and claim to a persistent volume
 #PersistentVolumeClaim: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec defines the desired characteristics of a volume requested by a pod author.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
 	// +optional
 	spec?: #PersistentVolumeClaimSpec @go(Spec) @protobuf(2,bytes,opt)
 	// status represents the current information/status of a persistent volume claim.
 	// Read-only.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
 	// +optional
 	status?: #PersistentVolumeClaimStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // PersistentVolumeClaimList is a list of PersistentVolumeClaim items.
 #PersistentVolumeClaimList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is a list of persistent volume claims.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
 	items: [...#PersistentVolumeClaim] @go(Items,[]PersistentVolumeClaim) @protobuf(2,bytes,rep)
 }
 // PersistentVolumeClaimSpec describes the common attributes of storage devices
 // and allows a Source for provider-specific attributes
 #PersistentVolumeClaimSpec: {
 	// accessModes contains the desired access modes the volume should have.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
 	// +optional
 	accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(1,bytes,rep,casttype=PersistentVolumeAccessMode)
 	// selector is a label query over volumes to consider for binding.
 	// +optional
 	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt)
 	// resources represents the minimum resources the volume should have.
 	// If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
 	// that are lower than previous value but must still be higher than capacity recorded in the
 	// status field of the claim.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
 	// +optional
 	resources?: #ResourceRequirements @go(Resources) @protobuf(2,bytes,opt)
 	// volumeName is the binding reference to the PersistentVolume backing this claim.
 	// +optional
 	volumeName?: string @go(VolumeName) @protobuf(3,bytes,opt)
 	// storageClassName is the name of the StorageClass required by the claim.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
 	// +optional
 	storageClassName?: null | string @go(StorageClassName,*string) @protobuf(5,bytes,opt)
 	// volumeMode defines what type of volume is required by the claim.
 	// Value of Filesystem is implied when not included in claim spec.
 	// +optional
 	volumeMode?: null | #PersistentVolumeMode @go(VolumeMode,*PersistentVolumeMode) @protobuf(6,bytes,opt,casttype=PersistentVolumeMode)
 	// dataSource field can be used to specify either:
 	// * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
 	// * An existing PVC (PersistentVolumeClaim)
 	// If the provisioner or an external controller can support the specified data source,
 	// it will create a new volume based on the contents of the specified data source.
 	// When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
 	// and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
 	// If the namespace is specified, then dataSourceRef will not be copied to dataSource.
 	// +optional
 	dataSource?: null | #TypedLocalObjectReference @go(DataSource,*TypedLocalObjectReference) @protobuf(7,bytes,opt)
 	// dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
 	// volume is desired. This may be any object from a non-empty API group (non
 	// core object) or a PersistentVolumeClaim object.
 	// When this field is specified, volume binding will only succeed if the type of
 	// the specified object matches some installed volume populator or dynamic
 	// provisioner.
 	// This field will replace the functionality of the dataSource field and as such
 	// if both fields are non-empty, they must have the same value. For backwards
 	// compatibility, when namespace isn't specified in dataSourceRef,
 	// both fields (dataSource and dataSourceRef) will be set to the same
 	// value automatically if one of them is empty and the other is non-empty.
 	// When namespace is specified in dataSourceRef,
 	// dataSource isn't set to the same value and must be empty.
 	// There are three important differences between dataSource and dataSourceRef:
 	// * While dataSource only allows two specific types of objects, dataSourceRef
 	//   allows any non-core object, as well as PersistentVolumeClaim objects.
 	// * While dataSource ignores disallowed values (dropping them), dataSourceRef
 	//   preserves all values, and generates an error if a disallowed value is
 	//   specified.
 	// * While dataSource only allows local objects, dataSourceRef allows objects
 	//   in any namespaces.
 	// (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
 	// (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
 	// +optional
 	dataSourceRef?: null | #TypedObjectReference @go(DataSourceRef,*TypedObjectReference) @protobuf(8,bytes,opt)
 }
 #TypedObjectReference: {
 	// APIGroup is the group for the resource being referenced.
 	// If APIGroup is not specified, the specified Kind must be in the core API group.
 	// For any other third-party types, APIGroup is required.
 	// +optional
 	apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt)
 	// Kind is the type of resource being referenced
 	kind: string @go(Kind) @protobuf(2,bytes,opt)
 	// Name is the name of resource being referenced
 	name: string @go(Name) @protobuf(3,bytes,opt)
 	// Namespace is the namespace of resource being referenced
 	// Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
 	// (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
 	// +featureGate=CrossNamespaceVolumeDataSource
 	// +optional
 	namespace?: null | string @go(Namespace,*string) @protobuf(4,bytes,opt)
 }
 // PersistentVolumeClaimConditionType is a valid value of PersistentVolumeClaimCondition.Type
 #PersistentVolumeClaimConditionType: string // #enumPersistentVolumeClaimConditionType
 #enumPersistentVolumeClaimConditionType:
 	#PersistentVolumeClaimResizing |
 	#PersistentVolumeClaimFileSystemResizePending
 // PersistentVolumeClaimResizing - a user trigger resize of pvc has been started
 #PersistentVolumeClaimResizing: #PersistentVolumeClaimConditionType & "Resizing"
 // PersistentVolumeClaimFileSystemResizePending - controller resize is finished and a file system resize is pending on node
 #PersistentVolumeClaimFileSystemResizePending: #PersistentVolumeClaimConditionType & "FileSystemResizePending"
 // +enum
 // When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource
 // that it does not recognizes, then it should ignore that update and let other controllers
 // handle it.
 #ClaimResourceStatus: string // #enumClaimResourceStatus
 #enumClaimResourceStatus:
 	#PersistentVolumeClaimControllerResizeInProgress |
 	#PersistentVolumeClaimControllerResizeFailed |
 	#PersistentVolumeClaimNodeResizePending |
 	#PersistentVolumeClaimNodeResizeInProgress |
 	#PersistentVolumeClaimNodeResizeFailed
 // State set when resize controller starts resizing the volume in control-plane.
 #PersistentVolumeClaimControllerResizeInProgress: #ClaimResourceStatus & "ControllerResizeInProgress"
 // State set when resize has failed in resize controller with a terminal error.
 // Transient errors such as timeout should not set this status and should leave allocatedResourceStatus
 // unmodified, so as resize controller can resume the volume expansion.
 #PersistentVolumeClaimControllerResizeFailed: #ClaimResourceStatus & "ControllerResizeFailed"
 // State set when resize controller has finished resizing the volume but further resizing of volume
 // is needed on the node.
 #PersistentVolumeClaimNodeResizePending: #ClaimResourceStatus & "NodeResizePending"
 // State set when kubelet starts resizing the volume.
 #PersistentVolumeClaimNodeResizeInProgress: #ClaimResourceStatus & "NodeResizeInProgress"
 // State set when resizing has failed in kubelet with a terminal error. Transient errors don't set NodeResizeFailed
 #PersistentVolumeClaimNodeResizeFailed: #ClaimResourceStatus & "NodeResizeFailed"
 // PersistentVolumeClaimCondition contains details about state of pvc
 #PersistentVolumeClaimCondition: {
 	type:   #PersistentVolumeClaimConditionType @go(Type) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimConditionType)
 	status: #ConditionStatus                    @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus)
 	// lastProbeTime is the time we probed the condition.
 	// +optional
 	lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt)
 	// lastTransitionTime is the time the condition transitioned from one status to another.
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt)
 	// reason is a unique, this should be a short, machine understandable string that gives the reason
 	// for condition's last transition. If it reports "ResizeStarted" that means the underlying
 	// persistent volume is being resized.
 	// +optional
 	reason?: string @go(Reason) @protobuf(5,bytes,opt)
 	// message is the human-readable message indicating details about last transition.
 	// +optional
 	message?: string @go(Message) @protobuf(6,bytes,opt)
 }
 // PersistentVolumeClaimStatus is the current status of a persistent volume claim.
 #PersistentVolumeClaimStatus: {
 	// phase represents the current phase of PersistentVolumeClaim.
 	// +optional
 	phase?: #PersistentVolumeClaimPhase @go(Phase) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimPhase)
 	// accessModes contains the actual access modes the volume backing the PVC has.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
 	// +optional
 	accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(2,bytes,rep,casttype=PersistentVolumeAccessMode)
 	// capacity represents the actual resources of the underlying volume.
 	// +optional
 	capacity?: #ResourceList @go(Capacity) @protobuf(3,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// conditions is the current Condition of persistent volume claim. If underlying persistent volume is being
 	// resized then the Condition will be set to 'ResizeStarted'.
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	conditions?: [...#PersistentVolumeClaimCondition] @go(Conditions,[]PersistentVolumeClaimCondition) @protobuf(4,bytes,rep)
 	// allocatedResources tracks the resources allocated to a PVC including its capacity.
 	// Key names follow standard Kubernetes label syntax. Valid values are either:
 	// 	* Un-prefixed keys:
 	//		- storage - the capacity of the volume.
 	//	* Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource"
 	// Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered
 	// reserved and hence may not be used.
 	//
 	// Capacity reported here may be larger than the actual capacity when a volume expansion operation
 	// is requested.
 	// For storage quota, the larger value from allocatedResources and PVC.spec.resources is used.
 	// If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.
 	// If a volume expansion capacity request is lowered, allocatedResources is only
 	// lowered if there are no expansion operations in progress and if the actual volume capacity
 	// is equal or lower than the requested capacity.
 	//
 	// A controller that receives PVC update with previously unknown resourceName
 	// should ignore the update for the purpose it was designed. For example - a controller that
 	// only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid
 	// resources associated with PVC.
 	//
 	// This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
 	// +featureGate=RecoverVolumeExpansionFailure
 	// +optional
 	allocatedResources?: #ResourceList @go(AllocatedResources) @protobuf(5,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// allocatedResourceStatuses stores status of resource being resized for the given PVC.
 	// Key names follow standard Kubernetes label syntax. Valid values are either:
 	// 	* Un-prefixed keys:
 	//		- storage - the capacity of the volume.
 	//	* Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource"
 	// Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered
 	// reserved and hence may not be used.
 	//
 	// ClaimResourceStatus can be in any of following states:
 	//	- ControllerResizeInProgress:
 	//		State set when resize controller starts resizing the volume in control-plane.
 	// 	- ControllerResizeFailed:
 	//		State set when resize has failed in resize controller with a terminal error.
 	//	- NodeResizePending:
 	//		State set when resize controller has finished resizing the volume but further resizing of
 	//		volume is needed on the node.
 	//	- NodeResizeInProgress:
 	//		State set when kubelet starts resizing the volume.
 	//	- NodeResizeFailed:
 	//		State set when resizing has failed in kubelet with a terminal error. Transient errors don't set
 	//		NodeResizeFailed.
 	// For example: if expanding a PVC for more capacity - this field can be one of the following states:
 	// 	- pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeInProgress"
 	//      - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeFailed"
 	//      - pvc.status.allocatedResourceStatus['storage'] = "NodeResizePending"
 	//      - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeInProgress"
 	//      - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeFailed"
 	// When this field is not set, it means that no resize operation is in progress for the given PVC.
 	//
 	// A controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus
 	// should ignore the update for the purpose it was designed. For example - a controller that
 	// only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid
 	// resources associated with PVC.
 	//
 	// This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
 	// +featureGate=RecoverVolumeExpansionFailure
 	// +mapType=granular
 	// +optional
 	allocatedResourceStatuses?: {[string]: #ClaimResourceStatus} @go(AllocatedResourceStatuses,map[ResourceName]ClaimResourceStatus) @protobuf(7,bytes,rep)
 }
 // +enum
 #PersistentVolumeAccessMode: string // #enumPersistentVolumeAccessMode
 #enumPersistentVolumeAccessMode:
 	#ReadWriteOnce |
 	#ReadOnlyMany |
 	#ReadWriteMany |
 	#ReadWriteOncePod
 // can be mounted in read/write mode to exactly 1 host
 #ReadWriteOnce: #PersistentVolumeAccessMode & "ReadWriteOnce"
 // can be mounted in read-only mode to many hosts
 #ReadOnlyMany: #PersistentVolumeAccessMode & "ReadOnlyMany"
 // can be mounted in read/write mode to many hosts
 #ReadWriteMany: #PersistentVolumeAccessMode & "ReadWriteMany"
 // can be mounted in read/write mode to exactly 1 pod
 // cannot be used in combination with other access modes
 #ReadWriteOncePod: #PersistentVolumeAccessMode & "ReadWriteOncePod"
 // +enum
 #PersistentVolumePhase: string // #enumPersistentVolumePhase
 #enumPersistentVolumePhase:
 	#VolumePending |
 	#VolumeAvailable |
 	#VolumeBound |
 	#VolumeReleased |
 	#VolumeFailed
 // used for PersistentVolumes that are not available
 #VolumePending: #PersistentVolumePhase & "Pending"
 // used for PersistentVolumes that are not yet bound
 // Available volumes are held by the binder and matched to PersistentVolumeClaims
 #VolumeAvailable: #PersistentVolumePhase & "Available"
 // used for PersistentVolumes that are bound
 #VolumeBound: #PersistentVolumePhase & "Bound"
 // used for PersistentVolumes where the bound PersistentVolumeClaim was deleted
 // released volumes must be recycled before becoming available again
 // this phase is used by the persistent volume claim binder to signal to another process to reclaim the resource
 #VolumeReleased: #PersistentVolumePhase & "Released"
 // used for PersistentVolumes that failed to be correctly recycled or deleted after being released from a claim
 #VolumeFailed: #PersistentVolumePhase & "Failed"
 // +enum
 #PersistentVolumeClaimPhase: string // #enumPersistentVolumeClaimPhase
 #enumPersistentVolumeClaimPhase:
 	#ClaimPending |
 	#ClaimBound |
 	#ClaimLost
 // used for PersistentVolumeClaims that are not yet bound
 #ClaimPending: #PersistentVolumeClaimPhase & "Pending"
 // used for PersistentVolumeClaims that are bound
 #ClaimBound: #PersistentVolumeClaimPhase & "Bound"
 // used for PersistentVolumeClaims that lost their underlying
 // PersistentVolume. The claim was bound to a PersistentVolume and this
 // volume does not exist any longer and all data on it was lost.
 #ClaimLost: #PersistentVolumeClaimPhase & "Lost"
 // +enum
 #HostPathType: string // #enumHostPathType
 #enumHostPathType:
 	#HostPathUnset |
 	#HostPathDirectoryOrCreate |
 	#HostPathDirectory |
 	#HostPathFileOrCreate |
 	#HostPathFile |
 	#HostPathSocket |
 	#HostPathCharDev |
 	#HostPathBlockDev
 // For backwards compatible, leave it empty if unset
 #HostPathUnset: #HostPathType & ""
 // If nothing exists at the given path, an empty directory will be created there
 // as needed with file mode 0755, having the same group and ownership with Kubelet.
 #HostPathDirectoryOrCreate: #HostPathType & "DirectoryOrCreate"
 // A directory must exist at the given path
 #HostPathDirectory: #HostPathType & "Directory"
 // If nothing exists at the given path, an empty file will be created there
 // as needed with file mode 0644, having the same group and ownership with Kubelet.
 #HostPathFileOrCreate: #HostPathType & "FileOrCreate"
 // A file must exist at the given path
 #HostPathFile: #HostPathType & "File"
 // A UNIX socket must exist at the given path
 #HostPathSocket: #HostPathType & "Socket"
 // A character device must exist at the given path
 #HostPathCharDev: #HostPathType & "CharDevice"
 // A block device must exist at the given path
 #HostPathBlockDev: #HostPathType & "BlockDevice"
 // Represents a host path mapped into a pod.
 // Host path volumes do not support ownership management or SELinux relabeling.
 #HostPathVolumeSource: {
 	// path of the directory on the host.
 	// If the path is a symlink, it will follow the link to the real path.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
 	path: string @go(Path) @protobuf(1,bytes,opt)
 	// type for HostPath Volume
 	// Defaults to ""
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
 	// +optional
 	type?: null | #HostPathType @go(Type,*HostPathType) @protobuf(2,bytes,opt)
 }
 // Represents an empty directory for a pod.
 // Empty directory volumes support ownership management and SELinux relabeling.
 #EmptyDirVolumeSource: {
 	// medium represents what type of storage medium should back this directory.
 	// The default is "" which means to use the node's default medium.
 	// Must be an empty string (default) or Memory.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
 	// +optional
 	medium?: #StorageMedium @go(Medium) @protobuf(1,bytes,opt,casttype=StorageMedium)
 	// sizeLimit is the total amount of local storage required for this EmptyDir volume.
 	// The size limit is also applicable for memory medium.
 	// The maximum usage on memory medium EmptyDir would be the minimum value between
 	// the SizeLimit specified here and the sum of memory limits of all containers in a pod.
 	// The default is nil which means that the limit is undefined.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
 	// +optional
 	sizeLimit?: null | resource.#Quantity @go(SizeLimit,*resource.Quantity) @protobuf(2,bytes,opt)
 }
 // Represents a Glusterfs mount that lasts the lifetime of a pod.
 // Glusterfs volumes do not support ownership management or SELinux relabeling.
 #GlusterfsVolumeSource: {
 	// endpoints is the endpoint name that details Glusterfs topology.
 	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	endpoints: string @go(EndpointsName) @protobuf(1,bytes,opt)
 	// path is the Glusterfs volume path.
 	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	path: string @go(Path) @protobuf(2,bytes,opt)
 	// readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
 	// Defaults to false.
 	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt)
 }
 // Represents a Glusterfs mount that lasts the lifetime of a pod.
 // Glusterfs volumes do not support ownership management or SELinux relabeling.
 #GlusterfsPersistentVolumeSource: {
 	// endpoints is the endpoint name that details Glusterfs topology.
 	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	endpoints: string @go(EndpointsName) @protobuf(1,bytes,opt)
 	// path is the Glusterfs volume path.
 	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	path: string @go(Path) @protobuf(2,bytes,opt)
 	// readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
 	// Defaults to false.
 	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt)
 	// endpointsNamespace is the namespace that contains Glusterfs endpoint.
 	// If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC.
 	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	// +optional
 	endpointsNamespace?: null | string @go(EndpointsNamespace,*string) @protobuf(4,bytes,opt)
 }
 // Represents a Rados Block Device mount that lasts the lifetime of a pod.
 // RBD volumes support ownership management and SELinux relabeling.
 #RBDVolumeSource: {
 	// monitors is a collection of Ceph monitors.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	monitors: [...string] @go(CephMonitors,[]string) @protobuf(1,bytes,rep)
 	// image is the rados image name.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	image: string @go(RBDImage) @protobuf(2,bytes,opt)
 	// fsType is the filesystem type of the volume that you want to mount.
 	// Tip: Ensure that the filesystem type is supported by the host operating system.
 	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
 	// TODO: how do we prevent errors in the filesystem from compromising the machine
 	// +optional
 	fsType?: string @go(FSType) @protobuf(3,bytes,opt)
 	// pool is the rados pool name.
 	// Default is rbd.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	pool?: string @go(RBDPool) @protobuf(4,bytes,opt)
 	// user is the rados user name.
 	// Default is admin.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	user?: string @go(RadosUser) @protobuf(5,bytes,opt)
 	// keyring is the path to key ring for RBDUser.
 	// Default is /etc/ceph/keyring.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	keyring?: string @go(Keyring) @protobuf(6,bytes,opt)
 	// secretRef is name of the authentication secret for RBDUser. If provided
 	// overrides keyring.
 	// Default is nil.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(7,bytes,opt)
 	// readOnly here will force the ReadOnly setting in VolumeMounts.
 	// Defaults to false.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(8,varint,opt)
 }
 // Represents a Rados Block Device mount that lasts the lifetime of a pod.
 // RBD volumes support ownership management and SELinux relabeling.
 #RBDPersistentVolumeSource: {
 	// monitors is a collection of Ceph monitors.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	monitors: [...string] @go(CephMonitors,[]string) @protobuf(1,bytes,rep)
 	// image is the rados image name.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	image: string @go(RBDImage) @protobuf(2,bytes,opt)
 	// fsType is the filesystem type of the volume that you want to mount.
 	// Tip: Ensure that the filesystem type is supported by the host operating system.
 	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
 	// TODO: how do we prevent errors in the filesystem from compromising the machine
 	// +optional
 	fsType?: string @go(FSType) @protobuf(3,bytes,opt)
 	// pool is the rados pool name.
 	// Default is rbd.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	pool?: string @go(RBDPool) @protobuf(4,bytes,opt)
 	// user is the rados user name.
 	// Default is admin.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	user?: string @go(RadosUser) @protobuf(5,bytes,opt)
 	// keyring is the path to key ring for RBDUser.
 	// Default is /etc/ceph/keyring.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	keyring?: string @go(Keyring) @protobuf(6,bytes,opt)
 	// secretRef is name of the authentication secret for RBDUser. If provided
 	// overrides keyring.
 	// Default is nil.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(7,bytes,opt)
 	// readOnly here will force the ReadOnly setting in VolumeMounts.
 	// Defaults to false.
 	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(8,varint,opt)
 }
 // Represents a cinder volume resource in Openstack.
 // A Cinder volume must exist before mounting to a container.
 // The volume must also be in the same region as the kubelet.
 // Cinder volumes support ownership management and SELinux relabeling.
 #CinderVolumeSource: {
 	// volumeID used to identify the volume in cinder.
 	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	volumeID: string @go(VolumeID) @protobuf(1,bytes,opt)
 	// fsType is the filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	// +optional
 	fsType?: string @go(FSType) @protobuf(2,bytes,opt)
 	// readOnly defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt)
 	// secretRef is optional: points to a secret object containing parameters used to connect
 	// to OpenStack.
 	// +optional
 	secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(4,bytes,opt)
 }
 // Represents a cinder volume resource in Openstack.
 // A Cinder volume must exist before mounting to a container.
 // The volume must also be in the same region as the kubelet.
 // Cinder volumes support ownership management and SELinux relabeling.
 #CinderPersistentVolumeSource: {
 	// volumeID used to identify the volume in cinder.
 	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	volumeID: string @go(VolumeID) @protobuf(1,bytes,opt)
 	// fsType Filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	// +optional
 	fsType?: string @go(FSType) @protobuf(2,bytes,opt)
 	// readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt)
 	// secretRef is Optional: points to a secret object containing parameters used to connect
 	// to OpenStack.
 	// +optional
 	secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(4,bytes,opt)
 }
 // Represents a Ceph Filesystem mount that lasts the lifetime of a pod
 // Cephfs volumes do not support ownership management or SELinux relabeling.
 #CephFSVolumeSource: {
 	// monitors is Required: Monitors is a collection of Ceph monitors
 	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	monitors: [...string] @go(Monitors,[]string) @protobuf(1,bytes,rep)
 	// path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /
 	// +optional
 	path?: string @go(Path) @protobuf(2,bytes,opt)
 	// user is optional: User is the rados user name, default is admin
 	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	user?: string @go(User) @protobuf(3,bytes,opt)
 	// secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
 	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	secretFile?: string @go(SecretFile) @protobuf(4,bytes,opt)
 	// secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
 	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(5,bytes,opt)
 	// readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt)
 }
 // SecretReference represents a Secret Reference. It has enough information to retrieve secret
 // in any namespace
 // +structType=atomic
 #SecretReference: {
 	// name is unique within a namespace to reference a secret resource.
 	// +optional
 	name?: string @go(Name) @protobuf(1,bytes,opt)
 	// namespace defines the space within which the secret name must be unique.
 	// +optional
 	namespace?: string @go(Namespace) @protobuf(2,bytes,opt)
 }
 // Represents a Ceph Filesystem mount that lasts the lifetime of a pod
 // Cephfs volumes do not support ownership management or SELinux relabeling.
 #CephFSPersistentVolumeSource: {
 	// monitors is Required: Monitors is a collection of Ceph monitors
 	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	monitors: [...string] @go(Monitors,[]string) @protobuf(1,bytes,rep)
 	// path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /
 	// +optional
 	path?: string @go(Path) @protobuf(2,bytes,opt)
 	// user is Optional: User is the rados user name, default is admin
 	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	user?: string @go(User) @protobuf(3,bytes,opt)
 	// secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
 	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	secretFile?: string @go(SecretFile) @protobuf(4,bytes,opt)
 	// secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
 	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(5,bytes,opt)
 	// readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt)
 }
 // Represents a Flocker volume mounted by the Flocker agent.
 // One and only one of datasetName and datasetUUID should be set.
 // Flocker volumes do not support ownership management or SELinux relabeling.
 #FlockerVolumeSource: {
 	// datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
 	// should be considered as deprecated
 	// +optional
 	datasetName?: string @go(DatasetName) @protobuf(1,bytes,opt)
 	// datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset
 	// +optional
 	datasetUUID?: string @go(DatasetUUID) @protobuf(2,bytes,opt)
 }
 // StorageMedium defines ways that storage can be allocated to a volume.
 #StorageMedium: string // #enumStorageMedium
 #enumStorageMedium:
 	#StorageMediumDefault |
 	#StorageMediumMemory |
 	#StorageMediumHugePages |
 	#StorageMediumHugePagesPrefix
 #StorageMediumDefault:         #StorageMedium & ""
 #StorageMediumMemory:          #StorageMedium & "Memory"
 #StorageMediumHugePages:       #StorageMedium & "HugePages"
 #StorageMediumHugePagesPrefix: #StorageMedium & "HugePages-"
 // Protocol defines network protocols supported for things like container ports.
 // +enum
 #Protocol: string // #enumProtocol
 #enumProtocol:
 	#ProtocolTCP |
 	#ProtocolUDP |
 	#ProtocolSCTP
 // ProtocolTCP is the TCP protocol.
 #ProtocolTCP: #Protocol & "TCP"
 // ProtocolUDP is the UDP protocol.
 #ProtocolUDP: #Protocol & "UDP"
 // ProtocolSCTP is the SCTP protocol.
 #ProtocolSCTP: #Protocol & "SCTP"
 // Represents a Persistent Disk resource in Google Compute Engine.
 //
 // A GCE PD must exist before mounting to a container. The disk must
 // also be in the same GCE project and zone as the kubelet. A GCE PD
 // can only be mounted as read/write once or read-only many times. GCE
 // PDs support ownership management and SELinux relabeling.
 #GCEPersistentDiskVolumeSource: {
 	// pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
 	pdName: string @go(PDName) @protobuf(1,bytes,opt)
 	// fsType is filesystem type of the volume that you want to mount.
 	// Tip: Ensure that the filesystem type is supported by the host operating system.
 	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
 	// TODO: how do we prevent errors in the filesystem from compromising the machine
 	// +optional
 	fsType?: string @go(FSType) @protobuf(2,bytes,opt)
 	// partition is the partition in the volume that you want to mount.
 	// If omitted, the default is to mount by volume name.
 	// Examples: For volume /dev/sda1, you specify the partition as "1".
 	// Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
 	// +optional
 	partition?: int32 @go(Partition) @protobuf(3,varint,opt)
 	// readOnly here will force the ReadOnly setting in VolumeMounts.
 	// Defaults to false.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt)
 }
 // Represents a Quobyte mount that lasts the lifetime of a pod.
 // Quobyte volumes do not support ownership management or SELinux relabeling.
 #QuobyteVolumeSource: {
 	// registry represents a single or multiple Quobyte Registry services
 	// specified as a string as host:port pair (multiple entries are separated with commas)
 	// which acts as the central registry for volumes
 	registry: string @go(Registry) @protobuf(1,bytes,opt)
 	// volume is a string that references an already created Quobyte volume by name.
 	volume: string @go(Volume) @protobuf(2,bytes,opt)
 	// readOnly here will force the Quobyte volume to be mounted with read-only permissions.
 	// Defaults to false.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt)
 	// user to map volume access to
 	// Defaults to serivceaccount user
 	// +optional
 	user?: string @go(User) @protobuf(4,bytes,opt)
 	// group to map volume access to
 	// Default is no group
 	// +optional
 	group?: string @go(Group) @protobuf(5,bytes,opt)
 	// tenant owning the given Quobyte volume in the Backend
 	// Used with dynamically provisioned Quobyte volumes, value is set by the plugin
 	// +optional
 	tenant?: string @go(Tenant) @protobuf(6,bytes,opt)
 }
 // FlexPersistentVolumeSource represents a generic persistent volume resource that is
 // provisioned/attached using an exec based plugin.
 #FlexPersistentVolumeSource: {
 	// driver is the name of the driver to use for this volume.
 	driver: string @go(Driver) @protobuf(1,bytes,opt)
 	// fsType is the Filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
 	// +optional
 	fsType?: string @go(FSType) @protobuf(2,bytes,opt)
 	// secretRef is Optional: SecretRef is reference to the secret object containing
 	// sensitive information to pass to the plugin scripts. This may be
 	// empty if no secret object is specified. If the secret object
 	// contains more than one secret, all secrets are passed to the plugin
 	// scripts.
 	// +optional
 	secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(3,bytes,opt)
 	// readOnly is Optional: defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt)
 	// options is Optional: this field holds extra command options if any.
 	// +optional
 	options?: {[string]: string} @go(Options,map[string]string) @protobuf(5,bytes,rep)
 }
 // FlexVolume represents a generic volume resource that is
 // provisioned/attached using an exec based plugin.
 #FlexVolumeSource: {
 	// driver is the name of the driver to use for this volume.
 	driver: string @go(Driver) @protobuf(1,bytes,opt)
 	// fsType is the filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
 	// +optional
 	fsType?: string @go(FSType) @protobuf(2,bytes,opt)
 	// secretRef is Optional: secretRef is reference to the secret object containing
 	// sensitive information to pass to the plugin scripts. This may be
 	// empty if no secret object is specified. If the secret object
 	// contains more than one secret, all secrets are passed to the plugin
 	// scripts.
 	// +optional
 	secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(3,bytes,opt)
 	// readOnly is Optional: defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt)
 	// options is Optional: this field holds extra command options if any.
 	// +optional
 	options?: {[string]: string} @go(Options,map[string]string) @protobuf(5,bytes,rep)
 }
 // Represents a Persistent Disk resource in AWS.
 //
 // An AWS EBS disk must exist before mounting to a container. The disk
 // must also be in the same AWS zone as the kubelet. An AWS EBS disk
 // can only be mounted as read/write once. AWS EBS volumes support
 // ownership management and SELinux relabeling.
 #AWSElasticBlockStoreVolumeSource: {
 	// volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
 	volumeID: string @go(VolumeID) @protobuf(1,bytes,opt)
 	// fsType is the filesystem type of the volume that you want to mount.
 	// Tip: Ensure that the filesystem type is supported by the host operating system.
 	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
 	// TODO: how do we prevent errors in the filesystem from compromising the machine
 	// +optional
 	fsType?: string @go(FSType) @protobuf(2,bytes,opt)
 	// partition is the partition in the volume that you want to mount.
 	// If omitted, the default is to mount by volume name.
 	// Examples: For volume /dev/sda1, you specify the partition as "1".
 	// Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
 	// +optional
 	partition?: int32 @go(Partition) @protobuf(3,varint,opt)
 	// readOnly value true will force the readOnly setting in VolumeMounts.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt)
 }
 // Represents a volume that is populated with the contents of a git repository.
 // Git repo volumes do not support ownership management.
 // Git repo volumes support SELinux relabeling.
 //
 // DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
 // EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
 // into the Pod's container.
 #GitRepoVolumeSource: {
 	// repository is the URL
 	repository: string @go(Repository) @protobuf(1,bytes,opt)
 	// revision is the commit hash for the specified revision.
 	// +optional
 	revision?: string @go(Revision) @protobuf(2,bytes,opt)
 	// directory is the target directory name.
 	// Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the
 	// git repository.  Otherwise, if specified, the volume will contain the git repository in
 	// the subdirectory with the given name.
 	// +optional
 	directory?: string @go(Directory) @protobuf(3,bytes,opt)
 }
 // Adapts a Secret into a volume.
 //
 // The contents of the target Secret's Data field will be presented in a volume
 // as files using the keys in the Data field as the file names.
 // Secret volumes support ownership management and SELinux relabeling.
 #SecretVolumeSource: {
 	// secretName is the name of the secret in the pod's namespace to use.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
 	// +optional
 	secretName?: string @go(SecretName) @protobuf(1,bytes,opt)
 	// items If unspecified, each key-value pair in the Data field of the referenced
 	// Secret will be projected into the volume as a file whose name is the
 	// key and content is the value. If specified, the listed keys will be
 	// projected into the specified paths, and unlisted keys will not be
 	// present. If a key is specified which is not present in the Secret,
 	// the volume setup will error unless it is marked optional. Paths must be
 	// relative and may not contain the '..' path or start with '..'.
 	// +optional
 	items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep)
 	// defaultMode is Optional: mode bits used to set permissions on created files by default.
 	// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
 	// YAML accepts both octal and decimal values, JSON requires decimal values
 	// for mode bits. Defaults to 0644.
 	// Directories within the path are not affected by this setting.
 	// This might be in conflict with other options that affect the file
 	// mode, like fsGroup, and the result can be other mode bits set.
 	// +optional
 	defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(3,bytes,opt)
 	// optional field specify whether the Secret or its keys must be defined
 	// +optional
 	optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt)
 }
 #SecretVolumeSourceDefaultMode: int32 & 0o644
 // Adapts a secret into a projected volume.
 //
 // The contents of the target Secret's Data field will be presented in a
 // projected volume as files using the keys in the Data field as the file names.
 // Note that this is identical to a secret volume source without the default
 // mode.
 #SecretProjection: {
 	#LocalObjectReference
 	// items if unspecified, each key-value pair in the Data field of the referenced
 	// Secret will be projected into the volume as a file whose name is the
 	// key and content is the value. If specified, the listed keys will be
 	// projected into the specified paths, and unlisted keys will not be
 	// present. If a key is specified which is not present in the Secret,
 	// the volume setup will error unless it is marked optional. Paths must be
 	// relative and may not contain the '..' path or start with '..'.
 	// +optional
 	items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep)
 	// optional field specify whether the Secret or its key must be defined
 	// +optional
 	optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt)
 }
 // Represents an NFS mount that lasts the lifetime of a pod.
 // NFS volumes do not support ownership management or SELinux relabeling.
 #NFSVolumeSource: {
 	// server is the hostname or IP address of the NFS server.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
 	server: string @go(Server) @protobuf(1,bytes,opt)
 	// path that is exported by the NFS server.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
 	path: string @go(Path) @protobuf(2,bytes,opt)
 	// readOnly here will force the NFS export to be mounted with read-only permissions.
 	// Defaults to false.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt)
 }
 // Represents an ISCSI disk.
 // ISCSI volumes can only be mounted as read/write once.
 // ISCSI volumes support ownership management and SELinux relabeling.
 #ISCSIVolumeSource: {
 	// targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
 	// is other than default (typically TCP ports 860 and 3260).
 	targetPortal: string @go(TargetPortal) @protobuf(1,bytes,opt)
 	// iqn is the target iSCSI Qualified Name.
 	iqn: string @go(IQN) @protobuf(2,bytes,opt)
 	// lun represents iSCSI Target Lun number.
 	lun: int32 @go(Lun) @protobuf(3,varint,opt)
 	// iscsiInterface is the interface Name that uses an iSCSI transport.
 	// Defaults to 'default' (tcp).
 	// +optional
 	iscsiInterface?: string @go(ISCSIInterface) @protobuf(4,bytes,opt)
 	// fsType is the filesystem type of the volume that you want to mount.
 	// Tip: Ensure that the filesystem type is supported by the host operating system.
 	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
 	// TODO: how do we prevent errors in the filesystem from compromising the machine
 	// +optional
 	fsType?: string @go(FSType) @protobuf(5,bytes,opt)
 	// readOnly here will force the ReadOnly setting in VolumeMounts.
 	// Defaults to false.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt)
 	// portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
 	// is other than default (typically TCP ports 860 and 3260).
 	// +optional
 	portals?: [...string] @go(Portals,[]string) @protobuf(7,bytes,opt)
 	// chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
 	// +optional
 	chapAuthDiscovery?: bool @go(DiscoveryCHAPAuth) @protobuf(8,varint,opt)
 	// chapAuthSession defines whether support iSCSI Session CHAP authentication
 	// +optional
 	chapAuthSession?: bool @go(SessionCHAPAuth) @protobuf(11,varint,opt)
 	// secretRef is the CHAP Secret for iSCSI target and initiator authentication
 	// +optional
 	secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(10,bytes,opt)
 	// initiatorName is the custom iSCSI Initiator Name.
 	// If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
 	// <target portal>:<volume name> will be created for the connection.
 	// +optional
 	initiatorName?: null | string @go(InitiatorName,*string) @protobuf(12,bytes,opt)
 }
 // ISCSIPersistentVolumeSource represents an ISCSI disk.
 // ISCSI volumes can only be mounted as read/write once.
 // ISCSI volumes support ownership management and SELinux relabeling.
 #ISCSIPersistentVolumeSource: {
 	// targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
 	// is other than default (typically TCP ports 860 and 3260).
 	targetPortal: string @go(TargetPortal) @protobuf(1,bytes,opt)
 	// iqn is Target iSCSI Qualified Name.
 	iqn: string @go(IQN) @protobuf(2,bytes,opt)
 	// lun is iSCSI Target Lun number.
 	lun: int32 @go(Lun) @protobuf(3,varint,opt)
 	// iscsiInterface is the interface Name that uses an iSCSI transport.
 	// Defaults to 'default' (tcp).
 	// +optional
 	iscsiInterface?: string @go(ISCSIInterface) @protobuf(4,bytes,opt)
 	// fsType is the filesystem type of the volume that you want to mount.
 	// Tip: Ensure that the filesystem type is supported by the host operating system.
 	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
 	// TODO: how do we prevent errors in the filesystem from compromising the machine
 	// +optional
 	fsType?: string @go(FSType) @protobuf(5,bytes,opt)
 	// readOnly here will force the ReadOnly setting in VolumeMounts.
 	// Defaults to false.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt)
 	// portals is the iSCSI Target Portal List. The Portal is either an IP or ip_addr:port if the port
 	// is other than default (typically TCP ports 860 and 3260).
 	// +optional
 	portals?: [...string] @go(Portals,[]string) @protobuf(7,bytes,opt)
 	// chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
 	// +optional
 	chapAuthDiscovery?: bool @go(DiscoveryCHAPAuth) @protobuf(8,varint,opt)
 	// chapAuthSession defines whether support iSCSI Session CHAP authentication
 	// +optional
 	chapAuthSession?: bool @go(SessionCHAPAuth) @protobuf(11,varint,opt)
 	// secretRef is the CHAP Secret for iSCSI target and initiator authentication
 	// +optional
 	secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(10,bytes,opt)
 	// initiatorName is the custom iSCSI Initiator Name.
 	// If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
 	// <target portal>:<volume name> will be created for the connection.
 	// +optional
 	initiatorName?: null | string @go(InitiatorName,*string) @protobuf(12,bytes,opt)
 }
 // Represents a Fibre Channel volume.
 // Fibre Channel volumes can only be mounted as read/write once.
 // Fibre Channel volumes support ownership management and SELinux relabeling.
 #FCVolumeSource: {
 	// targetWWNs is Optional: FC target worldwide names (WWNs)
 	// +optional
 	targetWWNs?: [...string] @go(TargetWWNs,[]string) @protobuf(1,bytes,rep)
 	// lun is Optional: FC target lun number
 	// +optional
 	lun?: null | int32 @go(Lun,*int32) @protobuf(2,varint,opt)
 	// fsType is the filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// TODO: how do we prevent errors in the filesystem from compromising the machine
 	// +optional
 	fsType?: string @go(FSType) @protobuf(3,bytes,opt)
 	// readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt)
 	// wwids Optional: FC volume world wide identifiers (wwids)
 	// Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
 	// +optional
 	wwids?: [...string] @go(WWIDs,[]string) @protobuf(5,bytes,rep)
 }
 // AzureFile represents an Azure File Service mount on the host and bind mount to the pod.
 #AzureFileVolumeSource: {
 	// secretName is the  name of secret that contains Azure Storage Account Name and Key
 	secretName: string @go(SecretName) @protobuf(1,bytes,opt)
 	// shareName is the azure share Name
 	shareName: string @go(ShareName) @protobuf(2,bytes,opt)
 	// readOnly defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt)
 }
 // AzureFile represents an Azure File Service mount on the host and bind mount to the pod.
 #AzureFilePersistentVolumeSource: {
 	// secretName is the name of secret that contains Azure Storage Account Name and Key
 	secretName: string @go(SecretName) @protobuf(1,bytes,opt)
 	// shareName is the azure Share Name
 	shareName: string @go(ShareName) @protobuf(2,bytes,opt)
 	// readOnly defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt)
 	// secretNamespace is the namespace of the secret that contains Azure Storage Account Name and Key
 	// default is the same as the Pod
 	// +optional
 	secretNamespace?: null | string @go(SecretNamespace,*string) @protobuf(4,bytes,opt)
 }
 // Represents a vSphere volume resource.
 #VsphereVirtualDiskVolumeSource: {
 	// volumePath is the path that identifies vSphere volume vmdk
 	volumePath: string @go(VolumePath) @protobuf(1,bytes,opt)
 	// fsType is filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// +optional
 	fsType?: string @go(FSType) @protobuf(2,bytes,opt)
 	// storagePolicyName is the storage Policy Based Management (SPBM) profile name.
 	// +optional
 	storagePolicyName?: string @go(StoragePolicyName) @protobuf(3,bytes,opt)
 	// storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.
 	// +optional
 	storagePolicyID?: string @go(StoragePolicyID) @protobuf(4,bytes,opt)
 }
 // Represents a Photon Controller persistent disk resource.
 #PhotonPersistentDiskVolumeSource: {
 	// pdID is the ID that identifies Photon Controller persistent disk
 	pdID: string @go(PdID) @protobuf(1,bytes,opt)
 	// fsType is the filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	fsType?: string @go(FSType) @protobuf(2,bytes,opt)
 }
 // +enum
 #AzureDataDiskCachingMode: string // #enumAzureDataDiskCachingMode
 #enumAzureDataDiskCachingMode:
 	#AzureDataDiskCachingNone |
 	#AzureDataDiskCachingReadOnly |
 	#AzureDataDiskCachingReadWrite
 // +enum
 #AzureDataDiskKind: string // #enumAzureDataDiskKind
 #enumAzureDataDiskKind:
 	#AzureSharedBlobDisk |
 	#AzureDedicatedBlobDisk |
 	#AzureManagedDisk
 #AzureDataDiskCachingNone:      #AzureDataDiskCachingMode & "None"
 #AzureDataDiskCachingReadOnly:  #AzureDataDiskCachingMode & "ReadOnly"
 #AzureDataDiskCachingReadWrite: #AzureDataDiskCachingMode & "ReadWrite"
 #AzureSharedBlobDisk:           #AzureDataDiskKind & "Shared"
 #AzureDedicatedBlobDisk:        #AzureDataDiskKind & "Dedicated"
 #AzureManagedDisk:              #AzureDataDiskKind & "Managed"
 // AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
 #AzureDiskVolumeSource: {
 	// diskName is the Name of the data disk in the blob storage
 	diskName: string @go(DiskName) @protobuf(1,bytes,opt)
 	// diskURI is the URI of data disk in the blob storage
 	diskURI: string @go(DataDiskURI) @protobuf(2,bytes,opt)
 	// cachingMode is the Host Caching mode: None, Read Only, Read Write.
 	// +optional
 	cachingMode?: null | #AzureDataDiskCachingMode @go(CachingMode,*AzureDataDiskCachingMode) @protobuf(3,bytes,opt,casttype=AzureDataDiskCachingMode)
 	// fsType is Filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// +optional
 	fsType?: null | string @go(FSType,*string) @protobuf(4,bytes,opt)
 	// readOnly Defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// +optional
 	readOnly?: null | bool @go(ReadOnly,*bool) @protobuf(5,varint,opt)
 	// kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared
 	kind?: null | #AzureDataDiskKind @go(Kind,*AzureDataDiskKind) @protobuf(6,bytes,opt,casttype=AzureDataDiskKind)
 }
 // PortworxVolumeSource represents a Portworx volume resource.
 #PortworxVolumeSource: {
 	// volumeID uniquely identifies a Portworx volume
 	volumeID: string @go(VolumeID) @protobuf(1,bytes,opt)
 	// fSType represents the filesystem type to mount
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
 	fsType?: string @go(FSType) @protobuf(2,bytes,opt)
 	// readOnly defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt)
 }
 // ScaleIOVolumeSource represents a persistent ScaleIO volume
 #ScaleIOVolumeSource: {
 	// gateway is the host address of the ScaleIO API Gateway.
 	gateway: string @go(Gateway) @protobuf(1,bytes,opt)
 	// system is the name of the storage system as configured in ScaleIO.
 	system: string @go(System) @protobuf(2,bytes,opt)
 	// secretRef references to the secret for ScaleIO user and other
 	// sensitive information. If this is not provided, Login operation will fail.
 	secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(3,bytes,opt)
 	// sslEnabled Flag enable/disable SSL communication with Gateway, default false
 	// +optional
 	sslEnabled?: bool @go(SSLEnabled) @protobuf(4,varint,opt)
 	// protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.
 	// +optional
 	protectionDomain?: string @go(ProtectionDomain) @protobuf(5,bytes,opt)
 	// storagePool is the ScaleIO Storage Pool associated with the protection domain.
 	// +optional
 	storagePool?: string @go(StoragePool) @protobuf(6,bytes,opt)
 	// storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
 	// Default is ThinProvisioned.
 	// +optional
 	storageMode?: string @go(StorageMode) @protobuf(7,bytes,opt)
 	// volumeName is the name of a volume already created in the ScaleIO system
 	// that is associated with this volume source.
 	volumeName?: string @go(VolumeName) @protobuf(8,bytes,opt)
 	// fsType is the filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs".
 	// Default is "xfs".
 	// +optional
 	fsType?: string @go(FSType) @protobuf(9,bytes,opt)
 	// readOnly Defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(10,varint,opt)
 }
 // ScaleIOPersistentVolumeSource represents a persistent ScaleIO volume
 #ScaleIOPersistentVolumeSource: {
 	// gateway is the host address of the ScaleIO API Gateway.
 	gateway: string @go(Gateway) @protobuf(1,bytes,opt)
 	// system is the name of the storage system as configured in ScaleIO.
 	system: string @go(System) @protobuf(2,bytes,opt)
 	// secretRef references to the secret for ScaleIO user and other
 	// sensitive information. If this is not provided, Login operation will fail.
 	secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(3,bytes,opt)
 	// sslEnabled is the flag to enable/disable SSL communication with Gateway, default false
 	// +optional
 	sslEnabled?: bool @go(SSLEnabled) @protobuf(4,varint,opt)
 	// protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.
 	// +optional
 	protectionDomain?: string @go(ProtectionDomain) @protobuf(5,bytes,opt)
 	// storagePool is the ScaleIO Storage Pool associated with the protection domain.
 	// +optional
 	storagePool?: string @go(StoragePool) @protobuf(6,bytes,opt)
 	// storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
 	// Default is ThinProvisioned.
 	// +optional
 	storageMode?: string @go(StorageMode) @protobuf(7,bytes,opt)
 	// volumeName is the name of a volume already created in the ScaleIO system
 	// that is associated with this volume source.
 	volumeName?: string @go(VolumeName) @protobuf(8,bytes,opt)
 	// fsType is the filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs".
 	// Default is "xfs"
 	// +optional
 	fsType?: string @go(FSType) @protobuf(9,bytes,opt)
 	// readOnly defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(10,varint,opt)
 }
 // Represents a StorageOS persistent volume resource.
 #StorageOSVolumeSource: {
 	// volumeName is the human-readable name of the StorageOS volume.  Volume
 	// names are only unique within a namespace.
 	volumeName?: string @go(VolumeName) @protobuf(1,bytes,opt)
 	// volumeNamespace specifies the scope of the volume within StorageOS.  If no
 	// namespace is specified then the Pod's namespace will be used.  This allows the
 	// Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
 	// Set VolumeName to any name to override the default behaviour.
 	// Set to "default" if you are not using namespaces within StorageOS.
 	// Namespaces that do not pre-exist within StorageOS will be created.
 	// +optional
 	volumeNamespace?: string @go(VolumeNamespace) @protobuf(2,bytes,opt)
 	// fsType is the filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// +optional
 	fsType?: string @go(FSType) @protobuf(3,bytes,opt)
 	// readOnly defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt)
 	// secretRef specifies the secret to use for obtaining the StorageOS API
 	// credentials.  If not specified, default values will be attempted.
 	// +optional
 	secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(5,bytes,opt)
 }
 // Represents a StorageOS persistent volume resource.
 #StorageOSPersistentVolumeSource: {
 	// volumeName is the human-readable name of the StorageOS volume.  Volume
 	// names are only unique within a namespace.
 	volumeName?: string @go(VolumeName) @protobuf(1,bytes,opt)
 	// volumeNamespace specifies the scope of the volume within StorageOS.  If no
 	// namespace is specified then the Pod's namespace will be used.  This allows the
 	// Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
 	// Set VolumeName to any name to override the default behaviour.
 	// Set to "default" if you are not using namespaces within StorageOS.
 	// Namespaces that do not pre-exist within StorageOS will be created.
 	// +optional
 	volumeNamespace?: string @go(VolumeNamespace) @protobuf(2,bytes,opt)
 	// fsType is the filesystem type to mount.
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	// +optional
 	fsType?: string @go(FSType) @protobuf(3,bytes,opt)
 	// readOnly defaults to false (read/write). ReadOnly here will force
 	// the ReadOnly setting in VolumeMounts.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt)
 	// secretRef specifies the secret to use for obtaining the StorageOS API
 	// credentials.  If not specified, default values will be attempted.
 	// +optional
 	secretRef?: null | #ObjectReference @go(SecretRef,*ObjectReference) @protobuf(5,bytes,opt)
 }
 // Adapts a ConfigMap into a volume.
 //
 // The contents of the target ConfigMap's Data field will be presented in a
 // volume as files using the keys in the Data field as the file names, unless
 // the items element is populated with specific mappings of keys to paths.
 // ConfigMap volumes support ownership management and SELinux relabeling.
 #ConfigMapVolumeSource: {
 	#LocalObjectReference
 	// items if unspecified, each key-value pair in the Data field of the referenced
 	// ConfigMap will be projected into the volume as a file whose name is the
 	// key and content is the value. If specified, the listed keys will be
 	// projected into the specified paths, and unlisted keys will not be
 	// present. If a key is specified which is not present in the ConfigMap,
 	// the volume setup will error unless it is marked optional. Paths must be
 	// relative and may not contain the '..' path or start with '..'.
 	// +optional
 	items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep)
 	// defaultMode is optional: mode bits used to set permissions on created files by default.
 	// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
 	// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
 	// Defaults to 0644.
 	// Directories within the path are not affected by this setting.
 	// This might be in conflict with other options that affect the file
 	// mode, like fsGroup, and the result can be other mode bits set.
 	// +optional
 	defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(3,varint,opt)
 	// optional specify whether the ConfigMap or its keys must be defined
 	// +optional
 	optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt)
 }
 #ConfigMapVolumeSourceDefaultMode: int32 & 0o644
 // Adapts a ConfigMap into a projected volume.
 //
 // The contents of the target ConfigMap's Data field will be presented in a
 // projected volume as files using the keys in the Data field as the file names,
 // unless the items element is populated with specific mappings of keys to paths.
 // Note that this is identical to a configmap volume source without the default
 // mode.
 #ConfigMapProjection: {
 	#LocalObjectReference
 	// items if unspecified, each key-value pair in the Data field of the referenced
 	// ConfigMap will be projected into the volume as a file whose name is the
 	// key and content is the value. If specified, the listed keys will be
 	// projected into the specified paths, and unlisted keys will not be
 	// present. If a key is specified which is not present in the ConfigMap,
 	// the volume setup will error unless it is marked optional. Paths must be
 	// relative and may not contain the '..' path or start with '..'.
 	// +optional
 	items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep)
 	// optional specify whether the ConfigMap or its keys must be defined
 	// +optional
 	optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt)
 }
 // ServiceAccountTokenProjection represents a projected service account token
 // volume. This projection can be used to insert a service account token into
 // the pods runtime filesystem for use against APIs (Kubernetes API Server or
 // otherwise).
 #ServiceAccountTokenProjection: {
 	// audience is the intended audience of the token. A recipient of a token
 	// must identify itself with an identifier specified in the audience of the
 	// token, and otherwise should reject the token. The audience defaults to the
 	// identifier of the apiserver.
 	// +optional
 	audience?: string @go(Audience) @protobuf(1,bytes,rep)
 	// expirationSeconds is the requested duration of validity of the service
 	// account token. As the token approaches expiration, the kubelet volume
 	// plugin will proactively rotate the service account token. The kubelet will
 	// start trying to rotate the token if the token is older than 80 percent of
 	// its time to live or if the token is older than 24 hours.Defaults to 1 hour
 	// and must be at least 10 minutes.
 	// +optional
 	expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(2,varint,opt)
 	// path is the path relative to the mount point of the file to project the
 	// token into.
 	path: string @go(Path) @protobuf(3,bytes,opt)
 }
 // Represents a projected volume source
 #ProjectedVolumeSource: {
 	// sources is the list of volume projections
 	// +optional
 	sources: [...#VolumeProjection] @go(Sources,[]VolumeProjection) @protobuf(1,bytes,rep)
 	// defaultMode are the mode bits used to set permissions on created files by default.
 	// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
 	// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
 	// Directories within the path are not affected by this setting.
 	// This might be in conflict with other options that affect the file
 	// mode, like fsGroup, and the result can be other mode bits set.
 	// +optional
 	defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(2,varint,opt)
 }
 // Projection that may be projected along with other supported volume types
 #VolumeProjection: {
 	// secret information about the secret data to project
 	// +optional
 	secret?: null | #SecretProjection @go(Secret,*SecretProjection) @protobuf(1,bytes,opt)
 	// downwardAPI information about the downwardAPI data to project
 	// +optional
 	downwardAPI?: null | #DownwardAPIProjection @go(DownwardAPI,*DownwardAPIProjection) @protobuf(2,bytes,opt)
 	// configMap information about the configMap data to project
 	// +optional
 	configMap?: null | #ConfigMapProjection @go(ConfigMap,*ConfigMapProjection) @protobuf(3,bytes,opt)
 	// serviceAccountToken is information about the serviceAccountToken data to project
 	// +optional
 	serviceAccountToken?: null | #ServiceAccountTokenProjection @go(ServiceAccountToken,*ServiceAccountTokenProjection) @protobuf(4,bytes,opt)
 }
 #ProjectedVolumeSourceDefaultMode: int32 & 0o644
 // Maps a string key to a path within a volume.
 #KeyToPath: {
 	// key is the key to project.
 	key: string @go(Key) @protobuf(1,bytes,opt)
 	// path is the relative path of the file to map the key to.
 	// May not be an absolute path.
 	// May not contain the path element '..'.
 	// May not start with the string '..'.
 	path: string @go(Path) @protobuf(2,bytes,opt)
 	// mode is Optional: mode bits used to set permissions on this file.
 	// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
 	// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
 	// If not specified, the volume defaultMode will be used.
 	// This might be in conflict with other options that affect the file
 	// mode, like fsGroup, and the result can be other mode bits set.
 	// +optional
 	mode?: null | int32 @go(Mode,*int32) @protobuf(3,varint,opt)
 }
 // Local represents directly-attached storage with node affinity (Beta feature)
 #LocalVolumeSource: {
 	// path of the full path to the volume on the node.
 	// It can be either a directory or block device (disk, partition, ...).
 	path: string @go(Path) @protobuf(1,bytes,opt)
 	// fsType is the filesystem type to mount.
 	// It applies only when the Path is a block device.
 	// Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs". The default value is to auto-select a filesystem if unspecified.
 	// +optional
 	fsType?: null | string @go(FSType,*string) @protobuf(2,bytes,opt)
 }
 // Represents storage that is managed by an external CSI volume driver (Beta feature)
 #CSIPersistentVolumeSource: {
 	// driver is the name of the driver to use for this volume.
 	// Required.
 	driver: string @go(Driver) @protobuf(1,bytes,opt)
 	// volumeHandle is the unique volume name returned by the CSI volume
 	// plugin’s CreateVolume to refer to the volume on all subsequent calls.
 	// Required.
 	volumeHandle: string @go(VolumeHandle) @protobuf(2,bytes,opt)
 	// readOnly value to pass to ControllerPublishVolumeRequest.
 	// Defaults to false (read/write).
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt)
 	// fsType to mount. Must be a filesystem type supported by the host operating system.
 	// Ex. "ext4", "xfs", "ntfs".
 	// +optional
 	fsType?: string @go(FSType) @protobuf(4,bytes,opt)
 	// volumeAttributes of the volume to publish.
 	// +optional
 	volumeAttributes?: {[string]: string} @go(VolumeAttributes,map[string]string) @protobuf(5,bytes,rep)
 	// controllerPublishSecretRef is a reference to the secret object containing
 	// sensitive information to pass to the CSI driver to complete the CSI
 	// ControllerPublishVolume and ControllerUnpublishVolume calls.
 	// This field is optional, and may be empty if no secret is required. If the
 	// secret object contains more than one secret, all secrets are passed.
 	// +optional
 	controllerPublishSecretRef?: null | #SecretReference @go(ControllerPublishSecretRef,*SecretReference) @protobuf(6,bytes,opt)
 	// nodeStageSecretRef is a reference to the secret object containing sensitive
 	// information to pass to the CSI driver to complete the CSI NodeStageVolume
 	// and NodeStageVolume and NodeUnstageVolume calls.
 	// This field is optional, and may be empty if no secret is required. If the
 	// secret object contains more than one secret, all secrets are passed.
 	// +optional
 	nodeStageSecretRef?: null | #SecretReference @go(NodeStageSecretRef,*SecretReference) @protobuf(7,bytes,opt)
 	// nodePublishSecretRef is a reference to the secret object containing
 	// sensitive information to pass to the CSI driver to complete the CSI
 	// NodePublishVolume and NodeUnpublishVolume calls.
 	// This field is optional, and may be empty if no secret is required. If the
 	// secret object contains more than one secret, all secrets are passed.
 	// +optional
 	nodePublishSecretRef?: null | #SecretReference @go(NodePublishSecretRef,*SecretReference) @protobuf(8,bytes,opt)
 	// controllerExpandSecretRef is a reference to the secret object containing
 	// sensitive information to pass to the CSI driver to complete the CSI
 	// ControllerExpandVolume call.
 	// This field is optional, and may be empty if no secret is required. If the
 	// secret object contains more than one secret, all secrets are passed.
 	// +optional
 	controllerExpandSecretRef?: null | #SecretReference @go(ControllerExpandSecretRef,*SecretReference) @protobuf(9,bytes,opt)
 	// nodeExpandSecretRef is a reference to the secret object containing
 	// sensitive information to pass to the CSI driver to complete the CSI
 	// NodeExpandVolume call.
 	// This is a beta field which is enabled default by CSINodeExpandSecret feature gate.
 	// This field is optional, may be omitted if no secret is required. If the
 	// secret object contains more than one secret, all secrets are passed.
 	// +featureGate=CSINodeExpandSecret
 	// +optional
 	nodeExpandSecretRef?: null | #SecretReference @go(NodeExpandSecretRef,*SecretReference) @protobuf(10,bytes,opt)
 }
 // Represents a source location of a volume to mount, managed by an external CSI driver
 #CSIVolumeSource: {
 	// driver is the name of the CSI driver that handles this volume.
 	// Consult with your admin for the correct name as registered in the cluster.
 	driver: string @go(Driver) @protobuf(1,bytes,opt)
 	// readOnly specifies a read-only configuration for the volume.
 	// Defaults to false (read/write).
 	// +optional
 	readOnly?: null | bool @go(ReadOnly,*bool) @protobuf(2,varint,opt)
 	// fsType to mount. Ex. "ext4", "xfs", "ntfs".
 	// If not provided, the empty value is passed to the associated CSI driver
 	// which will determine the default filesystem to apply.
 	// +optional
 	fsType?: null | string @go(FSType,*string) @protobuf(3,bytes,opt)
 	// volumeAttributes stores driver-specific properties that are passed to the CSI
 	// driver. Consult your driver's documentation for supported values.
 	// +optional
 	volumeAttributes?: {[string]: string} @go(VolumeAttributes,map[string]string) @protobuf(4,bytes,rep)
 	// nodePublishSecretRef is a reference to the secret object containing
 	// sensitive information to pass to the CSI driver to complete the CSI
 	// NodePublishVolume and NodeUnpublishVolume calls.
 	// This field is optional, and  may be empty if no secret is required. If the
 	// secret object contains more than one secret, all secret references are passed.
 	// +optional
 	nodePublishSecretRef?: null | #LocalObjectReference @go(NodePublishSecretRef,*LocalObjectReference) @protobuf(5,bytes,opt)
 }
 // Represents an ephemeral volume that is handled by a normal storage driver.
 #EphemeralVolumeSource: {
 	// Will be used to create a stand-alone PVC to provision the volume.
 	// The pod in which this EphemeralVolumeSource is embedded will be the
 	// owner of the PVC, i.e. the PVC will be deleted together with the
 	// pod.  The name of the PVC will be `<pod name>-<volume name>` where
 	// `<volume name>` is the name from the `PodSpec.Volumes` array
 	// entry. Pod validation will reject the pod if the concatenated name
 	// is not valid for a PVC (for example, too long).
 	//
 	// An existing PVC with that name that is not owned by the pod
 	// will *not* be used for the pod to avoid using an unrelated
 	// volume by mistake. Starting the pod is then blocked until
 	// the unrelated PVC is removed. If such a pre-created PVC is
 	// meant to be used by the pod, the PVC has to updated with an
 	// owner reference to the pod once the pod exists. Normally
 	// this should not be necessary, but it may be useful when
 	// manually reconstructing a broken cluster.
 	//
 	// This field is read-only and no changes will be made by Kubernetes
 	// to the PVC after it has been created.
 	//
 	// Required, must not be nil.
 	volumeClaimTemplate?: null | #PersistentVolumeClaimTemplate @go(VolumeClaimTemplate,*PersistentVolumeClaimTemplate) @protobuf(1,bytes,opt)
 }
 // PersistentVolumeClaimTemplate is used to produce
 // PersistentVolumeClaim objects as part of an EphemeralVolumeSource.
 #PersistentVolumeClaimTemplate: {
 	// May contain labels and annotations that will be copied into the PVC
 	// when creating it. No other fields are allowed and will be rejected during
 	// validation.
 	//
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// The specification for the PersistentVolumeClaim. The entire content is
 	// copied unchanged into the PVC that gets created from this
 	// template. The same fields as in a PersistentVolumeClaim
 	// are also valid here.
 	spec: #PersistentVolumeClaimSpec @go(Spec) @protobuf(2,bytes)
 }
 // ContainerPort represents a network port in a single container.
 #ContainerPort: {
 	// If specified, this must be an IANA_SVC_NAME and unique within the pod. Each
 	// named port in a pod must have a unique name. Name for the port that can be
 	// referred to by services.
 	// +optional
 	name?: string @go(Name) @protobuf(1,bytes,opt)
 	// Number of port to expose on the host.
 	// If specified, this must be a valid port number, 0 < x < 65536.
 	// If HostNetwork is specified, this must match ContainerPort.
 	// Most containers do not need this.
 	// +optional
 	hostPort?: int32 @go(HostPort) @protobuf(2,varint,opt)
 	// Number of port to expose on the pod's IP address.
 	// This must be a valid port number, 0 < x < 65536.
 	containerPort: int32 @go(ContainerPort) @protobuf(3,varint,opt)
 	// Protocol for port. Must be UDP, TCP, or SCTP.
 	// Defaults to "TCP".
 	// +optional
 	// +default="TCP"
 	protocol?: #Protocol @go(Protocol) @protobuf(4,bytes,opt,casttype=Protocol)
 	// What host IP to bind the external port to.
 	// +optional
 	hostIP?: string @go(HostIP) @protobuf(5,bytes,opt)
 }
 // VolumeMount describes a mounting of a Volume within a container.
 #VolumeMount: {
 	// This must match the Name of a Volume.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// Mounted read-only if true, read-write otherwise (false or unspecified).
 	// Defaults to false.
 	// +optional
 	readOnly?: bool @go(ReadOnly) @protobuf(2,varint,opt)
 	// Path within the container at which the volume should be mounted.  Must
 	// not contain ':'.
 	mountPath: string @go(MountPath) @protobuf(3,bytes,opt)
 	// Path within the volume from which the container's volume should be mounted.
 	// Defaults to "" (volume's root).
 	// +optional
 	subPath?: string @go(SubPath) @protobuf(4,bytes,opt)
 	// mountPropagation determines how mounts are propagated from the host
 	// to container and the other way around.
 	// When not set, MountPropagationNone is used.
 	// This field is beta in 1.10.
 	// +optional
 	mountPropagation?: null | #MountPropagationMode @go(MountPropagation,*MountPropagationMode) @protobuf(5,bytes,opt,casttype=MountPropagationMode)
 	// Expanded path within the volume from which the container's volume should be mounted.
 	// Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
 	// Defaults to "" (volume's root).
 	// SubPathExpr and SubPath are mutually exclusive.
 	// +optional
 	subPathExpr?: string @go(SubPathExpr) @protobuf(6,bytes,opt)
 }
 // MountPropagationMode describes mount propagation.
 // +enum
 #MountPropagationMode: string // #enumMountPropagationMode
 #enumMountPropagationMode:
 	#MountPropagationNone |
 	#MountPropagationHostToContainer |
 	#MountPropagationBidirectional
 // MountPropagationNone means that the volume in a container will
 // not receive new mounts from the host or other containers, and filesystems
 // mounted inside the container won't be propagated to the host or other
 // containers.
 // Note that this mode corresponds to "private" in Linux terminology.
 #MountPropagationNone: #MountPropagationMode & "None"
 // MountPropagationHostToContainer means that the volume in a container will
 // receive new mounts from the host or other containers, but filesystems
 // mounted inside the container won't be propagated to the host or other
 // containers.
 // Note that this mode is recursively applied to all mounts in the volume
 // ("rslave" in Linux terminology).
 #MountPropagationHostToContainer: #MountPropagationMode & "HostToContainer"
 // MountPropagationBidirectional means that the volume in a container will
 // receive new mounts from the host or other containers, and its own mounts
 // will be propagated from the container to the host or other containers.
 // Note that this mode is recursively applied to all mounts in the volume
 // ("rshared" in Linux terminology).
 #MountPropagationBidirectional: #MountPropagationMode & "Bidirectional"
 // volumeDevice describes a mapping of a raw block device within a container.
 #VolumeDevice: {
 	// name must match the name of a persistentVolumeClaim in the pod
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// devicePath is the path inside of the container that the device will be mapped to.
 	devicePath: string @go(DevicePath) @protobuf(2,bytes,opt)
 }
 // EnvVar represents an environment variable present in a Container.
 #EnvVar: {
 	// Name of the environment variable. Must be a C_IDENTIFIER.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// Variable references $(VAR_NAME) are expanded
 	// using the previously defined environment variables in the container and
 	// any service environment variables. If a variable cannot be resolved,
 	// the reference in the input string will be unchanged. Double $$ are reduced
 	// to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
 	// "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
 	// Escaped references will never be expanded, regardless of whether the variable
 	// exists or not.
 	// Defaults to "".
 	// +optional
 	value?: string @go(Value) @protobuf(2,bytes,opt)
 	// Source for the environment variable's value. Cannot be used if value is not empty.
 	// +optional
 	valueFrom?: null | #EnvVarSource @go(ValueFrom,*EnvVarSource) @protobuf(3,bytes,opt)
 }
 // EnvVarSource represents a source for the value of an EnvVar.
 #EnvVarSource: {
 	// Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,
 	// spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
 	// +optional
 	fieldRef?: null | #ObjectFieldSelector @go(FieldRef,*ObjectFieldSelector) @protobuf(1,bytes,opt)
 	// Selects a resource of the container: only resources limits and requests
 	// (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
 	// +optional
 	resourceFieldRef?: null | #ResourceFieldSelector @go(ResourceFieldRef,*ResourceFieldSelector) @protobuf(2,bytes,opt)
 	// Selects a key of a ConfigMap.
 	// +optional
 	configMapKeyRef?: null | #ConfigMapKeySelector @go(ConfigMapKeyRef,*ConfigMapKeySelector) @protobuf(3,bytes,opt)
 	// Selects a key of a secret in the pod's namespace
 	// +optional
 	secretKeyRef?: null | #SecretKeySelector @go(SecretKeyRef,*SecretKeySelector) @protobuf(4,bytes,opt)
 }
 // ObjectFieldSelector selects an APIVersioned field of an object.
 // +structType=atomic
 #ObjectFieldSelector: {
 	// Version of the schema the FieldPath is written in terms of, defaults to "v1".
 	// +optional
 	apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt)
 	// Path of the field to select in the specified API version.
 	fieldPath: string @go(FieldPath) @protobuf(2,bytes,opt)
 }
 // ResourceFieldSelector represents container resources (cpu, memory) and their output format
 // +structType=atomic
 #ResourceFieldSelector: {
 	// Container name: required for volumes, optional for env vars
 	// +optional
 	containerName?: string @go(ContainerName) @protobuf(1,bytes,opt)
 	// Required: resource to select
 	"resource": string @go(Resource) @protobuf(2,bytes,opt)
 	// Specifies the output format of the exposed resources, defaults to "1"
 	// +optional
 	divisor?: resource.#Quantity @go(Divisor) @protobuf(3,bytes,opt)
 }
 // Selects a key from a ConfigMap.
 // +structType=atomic
 #ConfigMapKeySelector: {
 	#LocalObjectReference
 	// The key to select.
 	key: string @go(Key) @protobuf(2,bytes,opt)
 	// Specify whether the ConfigMap or its key must be defined
 	// +optional
 	optional?: null | bool @go(Optional,*bool) @protobuf(3,varint,opt)
 }
 // SecretKeySelector selects a key of a Secret.
 // +structType=atomic
 #SecretKeySelector: {
 	#LocalObjectReference
 	// The key of the secret to select from.  Must be a valid secret key.
 	key: string @go(Key) @protobuf(2,bytes,opt)
 	// Specify whether the Secret or its key must be defined
 	// +optional
 	optional?: null | bool @go(Optional,*bool) @protobuf(3,varint,opt)
 }
 // EnvFromSource represents the source of a set of ConfigMaps
 #EnvFromSource: {
 	// An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
 	// +optional
 	prefix?: string @go(Prefix) @protobuf(1,bytes,opt)
 	// The ConfigMap to select from
 	// +optional
 	configMapRef?: null | #ConfigMapEnvSource @go(ConfigMapRef,*ConfigMapEnvSource) @protobuf(2,bytes,opt)
 	// The Secret to select from
 	// +optional
 	secretRef?: null | #SecretEnvSource @go(SecretRef,*SecretEnvSource) @protobuf(3,bytes,opt)
 }
 // ConfigMapEnvSource selects a ConfigMap to populate the environment
 // variables with.
 //
 // The contents of the target ConfigMap's Data field will represent the
 // key-value pairs as environment variables.
 #ConfigMapEnvSource: {
 	#LocalObjectReference
 	// Specify whether the ConfigMap must be defined
 	// +optional
 	optional?: null | bool @go(Optional,*bool) @protobuf(2,varint,opt)
 }
 // SecretEnvSource selects a Secret to populate the environment
 // variables with.
 //
 // The contents of the target Secret's Data field will represent the
 // key-value pairs as environment variables.
 #SecretEnvSource: {
 	#LocalObjectReference
 	// Specify whether the Secret must be defined
 	// +optional
 	optional?: null | bool @go(Optional,*bool) @protobuf(2,varint,opt)
 }
 // HTTPHeader describes a custom header to be used in HTTP probes
 #HTTPHeader: {
 	// The header field name.
 	// This will be canonicalized upon output, so case-variant names will be understood as the same header.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// The header field value
 	value: string @go(Value) @protobuf(2,bytes,opt)
 }
 // HTTPGetAction describes an action based on HTTP Get requests.
 #HTTPGetAction: {
 	// Path to access on the HTTP server.
 	// +optional
 	path?: string @go(Path) @protobuf(1,bytes,opt)
 	// Name or number of the port to access on the container.
 	// Number must be in the range 1 to 65535.
 	// Name must be an IANA_SVC_NAME.
 	port: intstr.#IntOrString @go(Port) @protobuf(2,bytes,opt)
 	// Host name to connect to, defaults to the pod IP. You probably want to set
 	// "Host" in httpHeaders instead.
 	// +optional
 	host?: string @go(Host) @protobuf(3,bytes,opt)
 	// Scheme to use for connecting to the host.
 	// Defaults to HTTP.
 	// +optional
 	scheme?: #URIScheme @go(Scheme) @protobuf(4,bytes,opt,casttype=URIScheme)
 	// Custom headers to set in the request. HTTP allows repeated headers.
 	// +optional
 	httpHeaders?: [...#HTTPHeader] @go(HTTPHeaders,[]HTTPHeader) @protobuf(5,bytes,rep)
 }
 // URIScheme identifies the scheme used for connection to a host for Get actions
 // +enum
 #URIScheme: string // #enumURIScheme
 #enumURIScheme:
 	#URISchemeHTTP |
 	#URISchemeHTTPS
 // URISchemeHTTP means that the scheme used will be http://
 #URISchemeHTTP: #URIScheme & "HTTP"
 // URISchemeHTTPS means that the scheme used will be https://
 #URISchemeHTTPS: #URIScheme & "HTTPS"
 // TCPSocketAction describes an action based on opening a socket
 #TCPSocketAction: {
 	// Number or name of the port to access on the container.
 	// Number must be in the range 1 to 65535.
 	// Name must be an IANA_SVC_NAME.
 	port: intstr.#IntOrString @go(Port) @protobuf(1,bytes,opt)
 	// Optional: Host name to connect to, defaults to the pod IP.
 	// +optional
 	host?: string @go(Host) @protobuf(2,bytes,opt)
 }
 #GRPCAction: {
 	// Port number of the gRPC service. Number must be in the range 1 to 65535.
 	port: int32 @go(Port) @protobuf(1,bytes,opt)
 	// Service is the name of the service to place in the gRPC HealthCheckRequest
 	// (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 	//
 	// If this is not specified, the default behavior is defined by gRPC.
 	// +optional
 	// +default=""
 	service?: null | string @go(Service,*string) @protobuf(2,bytes,opt)
 }
 // ExecAction describes a "run in container" action.
 #ExecAction: {
 	// Command is the command line to execute inside the container, the working directory for the
 	// command  is root ('/') in the container's filesystem. The command is simply exec'd, it is
 	// not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
 	// a shell, you need to explicitly call out to that shell.
 	// Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
 	// +optional
 	command?: [...string] @go(Command,[]string) @protobuf(1,bytes,rep)
 }
 // Probe describes a health check to be performed against a container to determine whether it is
 // alive or ready to receive traffic.
 #Probe: {
 	#ProbeHandler
 	// Number of seconds after the container has started before liveness probes are initiated.
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
 	// +optional
 	initialDelaySeconds?: int32 @go(InitialDelaySeconds) @protobuf(2,varint,opt)
 	// Number of seconds after which the probe times out.
 	// Defaults to 1 second. Minimum value is 1.
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
 	// +optional
 	timeoutSeconds?: int32 @go(TimeoutSeconds) @protobuf(3,varint,opt)
 	// How often (in seconds) to perform the probe.
 	// Default to 10 seconds. Minimum value is 1.
 	// +optional
 	periodSeconds?: int32 @go(PeriodSeconds) @protobuf(4,varint,opt)
 	// Minimum consecutive successes for the probe to be considered successful after having failed.
 	// Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
 	// +optional
 	successThreshold?: int32 @go(SuccessThreshold) @protobuf(5,varint,opt)
 	// Minimum consecutive failures for the probe to be considered failed after having succeeded.
 	// Defaults to 3. Minimum value is 1.
 	// +optional
 	failureThreshold?: int32 @go(FailureThreshold) @protobuf(6,varint,opt)
 	// Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
 	// The grace period is the duration in seconds after the processes running in the pod are sent
 	// a termination signal and the time when the processes are forcibly halted with a kill signal.
 	// Set this value longer than the expected cleanup time for your process.
 	// If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
 	// value overrides the value provided by the pod spec.
 	// Value must be non-negative integer. The value zero indicates stop immediately via
 	// the kill signal (no opportunity to shut down).
 	// This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
 	// Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
 	// +optional
 	terminationGracePeriodSeconds?: null | int64 @go(TerminationGracePeriodSeconds,*int64) @protobuf(7,varint,opt)
 }
 // PullPolicy describes a policy for if/when to pull a container image
 // +enum
 #PullPolicy: string // #enumPullPolicy
 #enumPullPolicy:
 	#PullAlways |
 	#PullNever |
 	#PullIfNotPresent
 // PullAlways means that kubelet always attempts to pull the latest image. Container will fail If the pull fails.
 #PullAlways: #PullPolicy & "Always"
 // PullNever means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn't present
 #PullNever: #PullPolicy & "Never"
 // PullIfNotPresent means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails.
 #PullIfNotPresent: #PullPolicy & "IfNotPresent"
 // ResourceResizeRestartPolicy specifies how to handle container resource resize.
 #ResourceResizeRestartPolicy: string // #enumResourceResizeRestartPolicy
 #enumResourceResizeRestartPolicy:
 	#NotRequired |
 	#RestartContainer
 // 'NotRequired' means Kubernetes will try to resize the container
 // without restarting it, if possible. Kubernetes may however choose to
 // restart the container if it is unable to actuate resize without a
 // restart. For e.g. the runtime doesn't support restart-free resizing.
 #NotRequired: #ResourceResizeRestartPolicy & "NotRequired"
 // 'RestartContainer' means Kubernetes will resize the container in-place
 // by stopping and starting the container when new resources are applied.
 // This is needed for legacy applications. For e.g. java apps using the
 // -xmxN flag which are unable to use resized memory without restarting.
 #RestartContainer: #ResourceResizeRestartPolicy & "RestartContainer"
 // ContainerResizePolicy represents resource resize policy for the container.
 #ContainerResizePolicy: {
 	// Name of the resource to which this resource resize policy applies.
 	// Supported values: cpu, memory.
 	resourceName: #ResourceName @go(ResourceName) @protobuf(1,bytes,opt,casttype=ResourceName)
 	// Restart policy to apply when specified resource is resized.
 	// If not specified, it defaults to NotRequired.
 	restartPolicy: #ResourceResizeRestartPolicy @go(RestartPolicy) @protobuf(2,bytes,opt,casttype=ResourceResizeRestartPolicy)
 }
 // PreemptionPolicy describes a policy for if/when to preempt a pod.
 // +enum
 #PreemptionPolicy: string // #enumPreemptionPolicy
 #enumPreemptionPolicy:
 	#PreemptLowerPriority |
 	#PreemptNever
 // PreemptLowerPriority means that pod can preempt other pods with lower priority.
 #PreemptLowerPriority: #PreemptionPolicy & "PreemptLowerPriority"
 // PreemptNever means that pod never preempts other pods with lower priority.
 #PreemptNever: #PreemptionPolicy & "Never"
 // TerminationMessagePolicy describes how termination messages are retrieved from a container.
 // +enum
 #TerminationMessagePolicy: string // #enumTerminationMessagePolicy
 #enumTerminationMessagePolicy:
 	#TerminationMessageReadFile |
 	#TerminationMessageFallbackToLogsOnError
 // TerminationMessageReadFile is the default behavior and will set the container status message to
 // the contents of the container's terminationMessagePath when the container exits.
 #TerminationMessageReadFile: #TerminationMessagePolicy & "File"
 // TerminationMessageFallbackToLogsOnError will read the most recent contents of the container logs
 // for the container status message when the container exits with an error and the
 // terminationMessagePath has no contents.
 #TerminationMessageFallbackToLogsOnError: #TerminationMessagePolicy & "FallbackToLogsOnError"
 // Capability represent POSIX capabilities type
 #Capability: string
 // Adds and removes POSIX capabilities from running containers.
 #Capabilities: {
 	// Added capabilities
 	// +optional
 	add?: [...#Capability] @go(Add,[]Capability) @protobuf(1,bytes,rep,casttype=Capability)
 	// Removed capabilities
 	// +optional
 	drop?: [...#Capability] @go(Drop,[]Capability) @protobuf(2,bytes,rep,casttype=Capability)
 }
 // ResourceRequirements describes the compute resource requirements.
 #ResourceRequirements: {
 	// Limits describes the maximum amount of compute resources allowed.
 	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 	// +optional
 	limits?: #ResourceList @go(Limits) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// Requests describes the minimum amount of compute resources required.
 	// If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
 	// otherwise to an implementation-defined value. Requests cannot exceed Limits.
 	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 	// +optional
 	requests?: #ResourceList @go(Requests) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// Claims lists the names of resources, defined in spec.resourceClaims,
 	// that are used by this container.
 	//
 	// This is an alpha field and requires enabling the
 	// DynamicResourceAllocation feature gate.
 	//
 	// This field is immutable. It can only be set for containers.
 	//
 	// +listType=map
 	// +listMapKey=name
 	// +featureGate=DynamicResourceAllocation
 	// +optional
 	claims?: [...#ResourceClaim] @go(Claims,[]ResourceClaim) @protobuf(3,bytes,opt)
 }
 // ResourceClaim references one entry in PodSpec.ResourceClaims.
 #ResourceClaim: {
 	// Name must match the name of one entry in pod.spec.resourceClaims of
 	// the Pod where this field is used. It makes that resource available
 	// inside a container.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 }
 // TerminationMessagePathDefault means the default path to capture the application termination message running in a container
 #TerminationMessagePathDefault: "/dev/termination-log"
 // A single application container that you want to run within a pod.
 #Container: {
 	// Name of the container specified as a DNS_LABEL.
 	// Each container in a pod must have a unique name (DNS_LABEL).
 	// Cannot be updated.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// Container image name.
 	// More info: https://kubernetes.io/docs/concepts/containers/images
 	// This field is optional to allow higher level config management to default or override
 	// container images in workload controllers like Deployments and StatefulSets.
 	// +optional
 	image?: string @go(Image) @protobuf(2,bytes,opt)
 	// Entrypoint array. Not executed within a shell.
 	// The container image's ENTRYPOINT is used if this is not provided.
 	// Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
 	// cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
 	// to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
 	// produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
 	// of whether the variable exists or not. Cannot be updated.
 	// More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
 	// +optional
 	command?: [...string] @go(Command,[]string) @protobuf(3,bytes,rep)
 	// Arguments to the entrypoint.
 	// The container image's CMD is used if this is not provided.
 	// Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
 	// cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
 	// to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
 	// produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
 	// of whether the variable exists or not. Cannot be updated.
 	// More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
 	// +optional
 	args?: [...string] @go(Args,[]string) @protobuf(4,bytes,rep)
 	// Container's working directory.
 	// If not specified, the container runtime's default will be used, which
 	// might be configured in the container image.
 	// Cannot be updated.
 	// +optional
 	workingDir?: string @go(WorkingDir) @protobuf(5,bytes,opt)
 	// List of ports to expose from the container. Not specifying a port here
 	// DOES NOT prevent that port from being exposed. Any port which is
 	// listening on the default "0.0.0.0" address inside a container will be
 	// accessible from the network.
 	// Modifying this array with strategic merge patch may corrupt the data.
 	// For more information See https://github.com/kubernetes/kubernetes/issues/108255.
 	// Cannot be updated.
 	// +optional
 	// +patchMergeKey=containerPort
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=containerPort
 	// +listMapKey=protocol
 	ports?: [...#ContainerPort] @go(Ports,[]ContainerPort) @protobuf(6,bytes,rep)
 	// List of sources to populate environment variables in the container.
 	// The keys defined within a source must be a C_IDENTIFIER. All invalid keys
 	// will be reported as an event when the container is starting. When a key exists in multiple
 	// sources, the value associated with the last source will take precedence.
 	// Values defined by an Env with a duplicate key will take precedence.
 	// Cannot be updated.
 	// +optional
 	envFrom?: [...#EnvFromSource] @go(EnvFrom,[]EnvFromSource) @protobuf(19,bytes,rep)
 	// List of environment variables to set in the container.
 	// Cannot be updated.
 	// +optional
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	env?: [...#EnvVar] @go(Env,[]EnvVar) @protobuf(7,bytes,rep)
 	// Compute Resources required by this container.
 	// Cannot be updated.
 	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 	// +optional
 	resources?: #ResourceRequirements @go(Resources) @protobuf(8,bytes,opt)
 	// Resources resize policy for the container.
 	// +featureGate=InPlacePodVerticalScaling
 	// +optional
 	// +listType=atomic
 	resizePolicy?: [...#ContainerResizePolicy] @go(ResizePolicy,[]ContainerResizePolicy) @protobuf(23,bytes,rep)
 	// RestartPolicy defines the restart behavior of individual containers in a pod.
 	// This field may only be set for init containers, and the only allowed value is "Always".
 	// For non-init containers or when this field is not specified,
 	// the restart behavior is defined by the Pod's restart policy and the container type.
 	// Setting the RestartPolicy as "Always" for the init container will have the following effect:
 	// this init container will be continually restarted on
 	// exit until all regular containers have terminated. Once all regular
 	// containers have completed, all init containers with restartPolicy "Always"
 	// will be shut down. This lifecycle differs from normal init containers and
 	// is often referred to as a "sidecar" container. Although this init
 	// container still starts in the init container sequence, it does not wait
 	// for the container to complete before proceeding to the next init
 	// container. Instead, the next init container starts immediately after this
 	// init container is started, or after any startupProbe has successfully
 	// completed.
 	// +featureGate=SidecarContainers
 	// +optional
 	restartPolicy?: null | #ContainerRestartPolicy @go(RestartPolicy,*ContainerRestartPolicy) @protobuf(24,bytes,opt,casttype=ContainerRestartPolicy)
 	// Pod volumes to mount into the container's filesystem.
 	// Cannot be updated.
 	// +optional
 	// +patchMergeKey=mountPath
 	// +patchStrategy=merge
 	volumeMounts?: [...#VolumeMount] @go(VolumeMounts,[]VolumeMount) @protobuf(9,bytes,rep)
 	// volumeDevices is the list of block devices to be used by the container.
 	// +patchMergeKey=devicePath
 	// +patchStrategy=merge
 	// +optional
 	volumeDevices?: [...#VolumeDevice] @go(VolumeDevices,[]VolumeDevice) @protobuf(21,bytes,rep)
 	// Periodic probe of container liveness.
 	// Container will be restarted if the probe fails.
 	// Cannot be updated.
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
 	// +optional
 	livenessProbe?: null | #Probe @go(LivenessProbe,*Probe) @protobuf(10,bytes,opt)
 	// Periodic probe of container service readiness.
 	// Container will be removed from service endpoints if the probe fails.
 	// Cannot be updated.
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
 	// +optional
 	readinessProbe?: null | #Probe @go(ReadinessProbe,*Probe) @protobuf(11,bytes,opt)
 	// StartupProbe indicates that the Pod has successfully initialized.
 	// If specified, no other probes are executed until this completes successfully.
 	// If this probe fails, the Pod will be restarted, just as if the livenessProbe failed.
 	// This can be used to provide different probe parameters at the beginning of a Pod's lifecycle,
 	// when it might take a long time to load data or warm a cache, than during steady-state operation.
 	// This cannot be updated.
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
 	// +optional
 	startupProbe?: null | #Probe @go(StartupProbe,*Probe) @protobuf(22,bytes,opt)
 	// Actions that the management system should take in response to container lifecycle events.
 	// Cannot be updated.
 	// +optional
 	lifecycle?: null | #Lifecycle @go(Lifecycle,*Lifecycle) @protobuf(12,bytes,opt)
 	// Optional: Path at which the file to which the container's termination message
 	// will be written is mounted into the container's filesystem.
 	// Message written is intended to be brief final status, such as an assertion failure message.
 	// Will be truncated by the node if greater than 4096 bytes. The total message length across
 	// all containers will be limited to 12kb.
 	// Defaults to /dev/termination-log.
 	// Cannot be updated.
 	// +optional
 	terminationMessagePath?: string @go(TerminationMessagePath) @protobuf(13,bytes,opt)
 	// Indicate how the termination message should be populated. File will use the contents of
 	// terminationMessagePath to populate the container status message on both success and failure.
 	// FallbackToLogsOnError will use the last chunk of container log output if the termination
 	// message file is empty and the container exited with an error.
 	// The log output is limited to 2048 bytes or 80 lines, whichever is smaller.
 	// Defaults to File.
 	// Cannot be updated.
 	// +optional
 	terminationMessagePolicy?: #TerminationMessagePolicy @go(TerminationMessagePolicy) @protobuf(20,bytes,opt,casttype=TerminationMessagePolicy)
 	// Image pull policy.
 	// One of Always, Never, IfNotPresent.
 	// Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
 	// Cannot be updated.
 	// More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
 	// +optional
 	imagePullPolicy?: #PullPolicy @go(ImagePullPolicy) @protobuf(14,bytes,opt,casttype=PullPolicy)
 	// SecurityContext defines the security options the container should be run with.
 	// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
 	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 	// +optional
 	securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt)
 	// Whether this container should allocate a buffer for stdin in the container runtime. If this
 	// is not set, reads from stdin in the container will always result in EOF.
 	// Default is false.
 	// +optional
 	stdin?: bool @go(Stdin) @protobuf(16,varint,opt)
 	// Whether the container runtime should close the stdin channel after it has been opened by
 	// a single attach. When stdin is true the stdin stream will remain open across multiple attach
 	// sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the
 	// first client attaches to stdin, and then remains open and accepts data until the client disconnects,
 	// at which time stdin is closed and remains closed until the container is restarted. If this
 	// flag is false, a container processes that reads from stdin will never receive an EOF.
 	// Default is false
 	// +optional
 	stdinOnce?: bool @go(StdinOnce) @protobuf(17,varint,opt)
 	// Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.
 	// Default is false.
 	// +optional
 	tty?: bool @go(TTY) @protobuf(18,varint,opt)
 }
 // ProbeHandler defines a specific action that should be taken in a probe.
 // One and only one of the fields must be specified.
 #ProbeHandler: {
 	// Exec specifies the action to take.
 	// +optional
 	exec?: null | #ExecAction @go(Exec,*ExecAction) @protobuf(1,bytes,opt)
 	// HTTPGet specifies the http request to perform.
 	// +optional
 	httpGet?: null | #HTTPGetAction @go(HTTPGet,*HTTPGetAction) @protobuf(2,bytes,opt)
 	// TCPSocket specifies an action involving a TCP port.
 	// +optional
 	tcpSocket?: null | #TCPSocketAction @go(TCPSocket,*TCPSocketAction) @protobuf(3,bytes,opt)
 	// GRPC specifies an action involving a GRPC port.
 	// +optional
 	grpc?: null | #GRPCAction @go(GRPC,*GRPCAction) @protobuf(4,bytes,opt)
 }
 // LifecycleHandler defines a specific action that should be taken in a lifecycle
 // hook. One and only one of the fields, except TCPSocket must be specified.
 #LifecycleHandler: {
 	// Exec specifies the action to take.
 	// +optional
 	exec?: null | #ExecAction @go(Exec,*ExecAction) @protobuf(1,bytes,opt)
 	// HTTPGet specifies the http request to perform.
 	// +optional
 	httpGet?: null | #HTTPGetAction @go(HTTPGet,*HTTPGetAction) @protobuf(2,bytes,opt)
 	// Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
 	// for the backward compatibility. There are no validation of this field and
 	// lifecycle hooks will fail in runtime when tcp handler is specified.
 	// +optional
 	tcpSocket?: null | #TCPSocketAction @go(TCPSocket,*TCPSocketAction) @protobuf(3,bytes,opt)
 }
 // Lifecycle describes actions that the management system should take in response to container lifecycle
 // events. For the PostStart and PreStop lifecycle handlers, management of the container blocks
 // until the action is complete, unless the container process fails, in which case the handler is aborted.
 #Lifecycle: {
 	// PostStart is called immediately after a container is created. If the handler fails,
 	// the container is terminated and restarted according to its restart policy.
 	// Other management of the container blocks until the hook completes.
 	// More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
 	// +optional
 	postStart?: null | #LifecycleHandler @go(PostStart,*LifecycleHandler) @protobuf(1,bytes,opt)
 	// PreStop is called immediately before a container is terminated due to an
 	// API request or management event such as liveness/startup probe failure,
 	// preemption, resource contention, etc. The handler is not called if the
 	// container crashes or exits. The Pod's termination grace period countdown begins before the
 	// PreStop hook is executed. Regardless of the outcome of the handler, the
 	// container will eventually terminate within the Pod's termination grace
 	// period (unless delayed by finalizers). Other management of the container blocks until the hook completes
 	// or until the termination grace period is reached.
 	// More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
 	// +optional
 	preStop?: null | #LifecycleHandler @go(PreStop,*LifecycleHandler) @protobuf(2,bytes,opt)
 }
 #ConditionStatus: string // #enumConditionStatus
 #enumConditionStatus:
 	#ConditionTrue |
 	#ConditionFalse |
 	#ConditionUnknown
 #ConditionTrue:    #ConditionStatus & "True"
 #ConditionFalse:   #ConditionStatus & "False"
 #ConditionUnknown: #ConditionStatus & "Unknown"
 // ContainerStateWaiting is a waiting state of a container.
 #ContainerStateWaiting: {
 	// (brief) reason the container is not yet running.
 	// +optional
 	reason?: string @go(Reason) @protobuf(1,bytes,opt)
 	// Message regarding why the container is not yet running.
 	// +optional
 	message?: string @go(Message) @protobuf(2,bytes,opt)
 }
 // ContainerStateRunning is a running state of a container.
 #ContainerStateRunning: {
 	// Time at which the container was last (re-)started
 	// +optional
 	startedAt?: metav1.#Time @go(StartedAt) @protobuf(1,bytes,opt)
 }
 // ContainerStateTerminated is a terminated state of a container.
 #ContainerStateTerminated: {
 	// Exit status from the last termination of the container
 	exitCode: int32 @go(ExitCode) @protobuf(1,varint,opt)
 	// Signal from the last termination of the container
 	// +optional
 	signal?: int32 @go(Signal) @protobuf(2,varint,opt)
 	// (brief) reason from the last termination of the container
 	// +optional
 	reason?: string @go(Reason) @protobuf(3,bytes,opt)
 	// Message regarding the last termination of the container
 	// +optional
 	message?: string @go(Message) @protobuf(4,bytes,opt)
 	// Time at which previous execution of the container started
 	// +optional
 	startedAt?: metav1.#Time @go(StartedAt) @protobuf(5,bytes,opt)
 	// Time at which the container last terminated
 	// +optional
 	finishedAt?: metav1.#Time @go(FinishedAt) @protobuf(6,bytes,opt)
 	// Container's ID in the format '<type>://<container_id>'
 	// +optional
 	containerID?: string @go(ContainerID) @protobuf(7,bytes,opt)
 }
 // ContainerState holds a possible state of container.
 // Only one of its members may be specified.
 // If none of them is specified, the default one is ContainerStateWaiting.
 #ContainerState: {
 	// Details about a waiting container
 	// +optional
 	waiting?: null | #ContainerStateWaiting @go(Waiting,*ContainerStateWaiting) @protobuf(1,bytes,opt)
 	// Details about a running container
 	// +optional
 	running?: null | #ContainerStateRunning @go(Running,*ContainerStateRunning) @protobuf(2,bytes,opt)
 	// Details about a terminated container
 	// +optional
 	terminated?: null | #ContainerStateTerminated @go(Terminated,*ContainerStateTerminated) @protobuf(3,bytes,opt)
 }
 // ContainerStatus contains details for the current status of this container.
 #ContainerStatus: {
 	// Name is a DNS_LABEL representing the unique name of the container.
 	// Each container in a pod must have a unique name across all container types.
 	// Cannot be updated.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// State holds details about the container's current condition.
 	// +optional
 	state?: #ContainerState @go(State) @protobuf(2,bytes,opt)
 	// LastTerminationState holds the last termination state of the container to
 	// help debug container crashes and restarts. This field is not
 	// populated if the container is still running and RestartCount is 0.
 	// +optional
 	lastState?: #ContainerState @go(LastTerminationState) @protobuf(3,bytes,opt)
 	// Ready specifies whether the container is currently passing its readiness check.
 	// The value will change as readiness probes keep executing. If no readiness
 	// probes are specified, this field defaults to true once the container is
 	// fully started (see Started field).
 	//
 	// The value is typically used to determine whether a container is ready to
 	// accept traffic.
 	ready: bool @go(Ready) @protobuf(4,varint,opt)
 	// RestartCount holds the number of times the container has been restarted.
 	// Kubelet makes an effort to always increment the value, but there
 	// are cases when the state may be lost due to node restarts and then the value
 	// may be reset to 0. The value is never negative.
 	restartCount: int32 @go(RestartCount) @protobuf(5,varint,opt)
 	// Image is the name of container image that the container is running.
 	// The container image may not match the image used in the PodSpec,
 	// as it may have been resolved by the runtime.
 	// More info: https://kubernetes.io/docs/concepts/containers/images.
 	image: string @go(Image) @protobuf(6,bytes,opt)
 	// ImageID is the image ID of the container's image. The image ID may not
 	// match the image ID of the image used in the PodSpec, as it may have been
 	// resolved by the runtime.
 	imageID: string @go(ImageID) @protobuf(7,bytes,opt)
 	// ContainerID is the ID of the container in the format '<type>://<container_id>'.
 	// Where type is a container runtime identifier, returned from Version call of CRI API
 	// (for example "containerd").
 	// +optional
 	containerID?: string @go(ContainerID) @protobuf(8,bytes,opt)
 	// Started indicates whether the container has finished its postStart lifecycle hook
 	// and passed its startup probe.
 	// Initialized as false, becomes true after startupProbe is considered
 	// successful. Resets to false when the container is restarted, or if kubelet
 	// loses state temporarily. In both cases, startup probes will run again.
 	// Is always true when no startupProbe is defined and container is running and
 	// has passed the postStart lifecycle hook. The null value must be treated the
 	// same as false.
 	// +optional
 	started?: null | bool @go(Started,*bool) @protobuf(9,varint,opt)
 	// AllocatedResources represents the compute resources allocated for this container by the
 	// node. Kubelet sets this value to Container.Resources.Requests upon successful pod admission
 	// and after successfully admitting desired pod resize.
 	// +featureGate=InPlacePodVerticalScaling
 	// +optional
 	allocatedResources?: #ResourceList @go(AllocatedResources) @protobuf(10,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// Resources represents the compute resource requests and limits that have been successfully
 	// enacted on the running container after it has been started or has been successfully resized.
 	// +featureGate=InPlacePodVerticalScaling
 	// +optional
 	resources?: null | #ResourceRequirements @go(Resources,*ResourceRequirements) @protobuf(11,bytes,opt)
 }
 // PodPhase is a label for the condition of a pod at the current time.
 // +enum
 #PodPhase: string // #enumPodPhase
 #enumPodPhase:
 	#PodPending |
 	#PodRunning |
 	#PodSucceeded |
 	#PodFailed |
 	#PodUnknown
 // PodPending means the pod has been accepted by the system, but one or more of the containers
 // has not been started. This includes time before being bound to a node, as well as time spent
 // pulling images onto the host.
 #PodPending: #PodPhase & "Pending"
 // PodRunning means the pod has been bound to a node and all of the containers have been started.
 // At least one container is still running or is in the process of being restarted.
 #PodRunning: #PodPhase & "Running"
 // PodSucceeded means that all containers in the pod have voluntarily terminated
 // with a container exit code of 0, and the system is not going to restart any of these containers.
 #PodSucceeded: #PodPhase & "Succeeded"
 // PodFailed means that all containers in the pod have terminated, and at least one container has
 // terminated in a failure (exited with a non-zero exit code or was stopped by the system).
 #PodFailed: #PodPhase & "Failed"
 // PodUnknown means that for some reason the state of the pod could not be obtained, typically due
 // to an error in communicating with the host of the pod.
 // Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095)
 #PodUnknown: #PodPhase & "Unknown"
 // PodConditionType is a valid value for PodCondition.Type
 #PodConditionType: string // #enumPodConditionType
 #enumPodConditionType:
 	#ContainersReady |
 	#PodInitialized |
 	#PodReady |
 	#PodScheduled |
 	#DisruptionTarget
 // ContainersReady indicates whether all containers in the pod are ready.
 #ContainersReady: #PodConditionType & "ContainersReady"
 // PodInitialized means that all init containers in the pod have started successfully.
 #PodInitialized: #PodConditionType & "Initialized"
 // PodReady means the pod is able to service requests and should be added to the
 // load balancing pools of all matching services.
 #PodReady: #PodConditionType & "Ready"
 // PodScheduled represents status of the scheduling process for this pod.
 #PodScheduled: #PodConditionType & "PodScheduled"
 // DisruptionTarget indicates the pod is about to be terminated due to a
 // disruption (such as preemption, eviction API or garbage-collection).
 #DisruptionTarget: #PodConditionType & "DisruptionTarget"
 // PodReasonUnschedulable reason in PodScheduled PodCondition means that the scheduler
 // can't schedule the pod right now, for example due to insufficient resources in the cluster.
 #PodReasonUnschedulable: "Unschedulable"
 // PodReasonSchedulingGated reason in PodScheduled PodCondition means that the scheduler
 // skips scheduling the pod because one or more scheduling gates are still present.
 #PodReasonSchedulingGated: "SchedulingGated"
 // PodReasonSchedulerError reason in PodScheduled PodCondition means that some internal error happens
 // during scheduling, for example due to nodeAffinity parsing errors.
 #PodReasonSchedulerError: "SchedulerError"
 // TerminationByKubelet reason in DisruptionTarget pod condition indicates that the termination
 // is initiated by kubelet
 #PodReasonTerminationByKubelet: "TerminationByKubelet"
 // PodReasonPreemptionByScheduler reason in DisruptionTarget pod condition indicates that the
 // disruption was initiated by scheduler's preemption.
 #PodReasonPreemptionByScheduler: "PreemptionByScheduler"
 // PodCondition contains details for the current condition of this pod.
 #PodCondition: {
 	// Type is the type of the condition.
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
 	type: #PodConditionType @go(Type) @protobuf(1,bytes,opt,casttype=PodConditionType)
 	// Status is the status of the condition.
 	// Can be True, False, Unknown.
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
 	status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus)
 	// Last time we probed the condition.
 	// +optional
 	lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt)
 	// Last time the condition transitioned from one status to another.
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt)
 	// Unique, one-word, CamelCase reason for the condition's last transition.
 	// +optional
 	reason?: string @go(Reason) @protobuf(5,bytes,opt)
 	// Human-readable message indicating details about last transition.
 	// +optional
 	message?: string @go(Message) @protobuf(6,bytes,opt)
 }
 // PodResizeStatus shows status of desired resize of a pod's containers.
 #PodResizeStatus: string // #enumPodResizeStatus
 #enumPodResizeStatus:
 	#PodResizeStatusProposed |
 	#PodResizeStatusInProgress |
 	#PodResizeStatusDeferred |
 	#PodResizeStatusInfeasible
 // Pod resources resize has been requested and will be evaluated by node.
 #PodResizeStatusProposed: #PodResizeStatus & "Proposed"
 // Pod resources resize has been accepted by node and is being actuated.
 #PodResizeStatusInProgress: #PodResizeStatus & "InProgress"
 // Node cannot resize the pod at this time and will keep retrying.
 #PodResizeStatusDeferred: #PodResizeStatus & "Deferred"
 // Requested pod resize is not feasible and will not be re-evaluated.
 #PodResizeStatusInfeasible: #PodResizeStatus & "Infeasible"
 // RestartPolicy describes how the container should be restarted.
 // Only one of the following restart policies may be specified.
 // If none of the following policies is specified, the default one
 // is RestartPolicyAlways.
 // +enum
 #RestartPolicy: string // #enumRestartPolicy
 #enumRestartPolicy:
 	#RestartPolicyAlways |
 	#RestartPolicyOnFailure |
 	#RestartPolicyNever
 #RestartPolicyAlways:    #RestartPolicy & "Always"
 #RestartPolicyOnFailure: #RestartPolicy & "OnFailure"
 #RestartPolicyNever:     #RestartPolicy & "Never"
 // ContainerRestartPolicy is the restart policy for a single container.
 // This may only be set for init containers and only allowed value is "Always".
 #ContainerRestartPolicy: string // #enumContainerRestartPolicy
 #enumContainerRestartPolicy:
 	#ContainerRestartPolicyAlways
 #ContainerRestartPolicyAlways: #ContainerRestartPolicy & "Always"
 // DNSPolicy defines how a pod's DNS will be configured.
 // +enum
 #DNSPolicy: string // #enumDNSPolicy
 #enumDNSPolicy:
 	#DNSClusterFirstWithHostNet |
 	#DNSClusterFirst |
 	#DNSDefault |
 	#DNSNone
 // DNSClusterFirstWithHostNet indicates that the pod should use cluster DNS
 // first, if it is available, then fall back on the default
 // (as determined by kubelet) DNS settings.
 #DNSClusterFirstWithHostNet: #DNSPolicy & "ClusterFirstWithHostNet"
 // DNSClusterFirst indicates that the pod should use cluster DNS
 // first unless hostNetwork is true, if it is available, then
 // fall back on the default (as determined by kubelet) DNS settings.
 #DNSClusterFirst: #DNSPolicy & "ClusterFirst"
 // DNSDefault indicates that the pod should use the default (as
 // determined by kubelet) DNS settings.
 #DNSDefault: #DNSPolicy & "Default"
 // DNSNone indicates that the pod should use empty DNS settings. DNS
 // parameters such as nameservers and search paths should be defined via
 // DNSConfig.
 #DNSNone: #DNSPolicy & "None"
 // DefaultTerminationGracePeriodSeconds indicates the default duration in
 // seconds a pod needs to terminate gracefully.
 #DefaultTerminationGracePeriodSeconds: 30
 // A node selector represents the union of the results of one or more label queries
 // over a set of nodes; that is, it represents the OR of the selectors represented
 // by the node selector terms.
 // +structType=atomic
 #NodeSelector: {
 	// Required. A list of node selector terms. The terms are ORed.
 	nodeSelectorTerms: [...#NodeSelectorTerm] @go(NodeSelectorTerms,[]NodeSelectorTerm) @protobuf(1,bytes,rep)
 }
 // A null or empty node selector term matches no objects. The requirements of
 // them are ANDed.
 // The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
 // +structType=atomic
 #NodeSelectorTerm: {
 	// A list of node selector requirements by node's labels.
 	// +optional
 	matchExpressions?: [...#NodeSelectorRequirement] @go(MatchExpressions,[]NodeSelectorRequirement) @protobuf(1,bytes,rep)
 	// A list of node selector requirements by node's fields.
 	// +optional
 	matchFields?: [...#NodeSelectorRequirement] @go(MatchFields,[]NodeSelectorRequirement) @protobuf(2,bytes,rep)
 }
 // A node selector requirement is a selector that contains values, a key, and an operator
 // that relates the key and values.
 #NodeSelectorRequirement: {
 	// The label key that the selector applies to.
 	key: string @go(Key) @protobuf(1,bytes,opt)
 	// Represents a key's relationship to a set of values.
 	// Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
 	operator: #NodeSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=NodeSelectorOperator)
 	// An array of string values. If the operator is In or NotIn,
 	// the values array must be non-empty. If the operator is Exists or DoesNotExist,
 	// the values array must be empty. If the operator is Gt or Lt, the values
 	// array must have a single element, which will be interpreted as an integer.
 	// This array is replaced during a strategic merge patch.
 	// +optional
 	values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep)
 }
 // A node selector operator is the set of operators that can be used in
 // a node selector requirement.
 // +enum
 #NodeSelectorOperator: string // #enumNodeSelectorOperator
 #enumNodeSelectorOperator:
 	#NodeSelectorOpIn |
 	#NodeSelectorOpNotIn |
 	#NodeSelectorOpExists |
 	#NodeSelectorOpDoesNotExist |
 	#NodeSelectorOpGt |
 	#NodeSelectorOpLt
 #NodeSelectorOpIn:           #NodeSelectorOperator & "In"
 #NodeSelectorOpNotIn:        #NodeSelectorOperator & "NotIn"
 #NodeSelectorOpExists:       #NodeSelectorOperator & "Exists"
 #NodeSelectorOpDoesNotExist: #NodeSelectorOperator & "DoesNotExist"
 #NodeSelectorOpGt:           #NodeSelectorOperator & "Gt"
 #NodeSelectorOpLt:           #NodeSelectorOperator & "Lt"
 // A topology selector term represents the result of label queries.
 // A null or empty topology selector term matches no objects.
 // The requirements of them are ANDed.
 // It provides a subset of functionality as NodeSelectorTerm.
 // This is an alpha feature and may change in the future.
 // +structType=atomic
 #TopologySelectorTerm: {
 	// A list of topology selector requirements by labels.
 	// +optional
 	matchLabelExpressions?: [...#TopologySelectorLabelRequirement] @go(MatchLabelExpressions,[]TopologySelectorLabelRequirement) @protobuf(1,bytes,rep)
 }
 // A topology selector requirement is a selector that matches given label.
 // This is an alpha feature and may change in the future.
 #TopologySelectorLabelRequirement: {
 	// The label key that the selector applies to.
 	key: string @go(Key) @protobuf(1,bytes,opt)
 	// An array of string values. One value must match the label to be selected.
 	// Each entry in Values is ORed.
 	values: [...string] @go(Values,[]string) @protobuf(2,bytes,rep)
 }
 // Affinity is a group of affinity scheduling rules.
 #Affinity: {
 	// Describes node affinity scheduling rules for the pod.
 	// +optional
 	nodeAffinity?: null | #NodeAffinity @go(NodeAffinity,*NodeAffinity) @protobuf(1,bytes,opt)
 	// Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
 	// +optional
 	podAffinity?: null | #PodAffinity @go(PodAffinity,*PodAffinity) @protobuf(2,bytes,opt)
 	// Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
 	// +optional
 	podAntiAffinity?: null | #PodAntiAffinity @go(PodAntiAffinity,*PodAntiAffinity) @protobuf(3,bytes,opt)
 }
 // Pod affinity is a group of inter pod affinity scheduling rules.
 #PodAffinity: {
 	// If the affinity requirements specified by this field are not met at
 	// scheduling time, the pod will not be scheduled onto the node.
 	// If the affinity requirements specified by this field cease to be met
 	// at some point during pod execution (e.g. due to a pod label update), the
 	// system may or may not try to eventually evict the pod from its node.
 	// When there are multiple elements, the lists of nodes corresponding to each
 	// podAffinityTerm are intersected, i.e. all terms must be satisfied.
 	// +optional
 	requiredDuringSchedulingIgnoredDuringExecution?: [...#PodAffinityTerm] @go(RequiredDuringSchedulingIgnoredDuringExecution,[]PodAffinityTerm) @protobuf(1,bytes,rep)
 	// The scheduler will prefer to schedule pods to nodes that satisfy
 	// the affinity expressions specified by this field, but it may choose
 	// a node that violates one or more of the expressions. The node that is
 	// most preferred is the one with the greatest sum of weights, i.e.
 	// for each node that meets all of the scheduling requirements (resource
 	// request, requiredDuringScheduling affinity expressions, etc.),
 	// compute a sum by iterating through the elements of this field and adding
 	// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
 	// node(s) with the highest sum are the most preferred.
 	// +optional
 	preferredDuringSchedulingIgnoredDuringExecution?: [...#WeightedPodAffinityTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]WeightedPodAffinityTerm) @protobuf(2,bytes,rep)
 }
 // Pod anti affinity is a group of inter pod anti affinity scheduling rules.
 #PodAntiAffinity: {
 	// If the anti-affinity requirements specified by this field are not met at
 	// scheduling time, the pod will not be scheduled onto the node.
 	// If the anti-affinity requirements specified by this field cease to be met
 	// at some point during pod execution (e.g. due to a pod label update), the
 	// system may or may not try to eventually evict the pod from its node.
 	// When there are multiple elements, the lists of nodes corresponding to each
 	// podAffinityTerm are intersected, i.e. all terms must be satisfied.
 	// +optional
 	requiredDuringSchedulingIgnoredDuringExecution?: [...#PodAffinityTerm] @go(RequiredDuringSchedulingIgnoredDuringExecution,[]PodAffinityTerm) @protobuf(1,bytes,rep)
 	// The scheduler will prefer to schedule pods to nodes that satisfy
 	// the anti-affinity expressions specified by this field, but it may choose
 	// a node that violates one or more of the expressions. The node that is
 	// most preferred is the one with the greatest sum of weights, i.e.
 	// for each node that meets all of the scheduling requirements (resource
 	// request, requiredDuringScheduling anti-affinity expressions, etc.),
 	// compute a sum by iterating through the elements of this field and adding
 	// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
 	// node(s) with the highest sum are the most preferred.
 	// +optional
 	preferredDuringSchedulingIgnoredDuringExecution?: [...#WeightedPodAffinityTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]WeightedPodAffinityTerm) @protobuf(2,bytes,rep)
 }
 // The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
 #WeightedPodAffinityTerm: {
 	// weight associated with matching the corresponding podAffinityTerm,
 	// in the range 1-100.
 	weight: int32 @go(Weight) @protobuf(1,varint,opt)
 	// Required. A pod affinity term, associated with the corresponding weight.
 	podAffinityTerm: #PodAffinityTerm @go(PodAffinityTerm) @protobuf(2,bytes,opt)
 }
 // Defines a set of pods (namely those matching the labelSelector
 // relative to the given namespace(s)) that this pod should be
 // co-located (affinity) or not co-located (anti-affinity) with,
 // where co-located is defined as running on a node whose value of
 // the label with key <topologyKey> matches that of any node on which
 // a pod of the set of pods is running
 #PodAffinityTerm: {
 	// A label query over a set of resources, in this case pods.
 	// +optional
 	labelSelector?: null | metav1.#LabelSelector @go(LabelSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
 	// namespaces specifies a static list of namespace names that the term applies to.
 	// The term is applied to the union of the namespaces listed in this field
 	// and the ones selected by namespaceSelector.
 	// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
 	// +optional
 	namespaces?: [...string] @go(Namespaces,[]string) @protobuf(2,bytes,rep)
 	// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
 	// the labelSelector in the specified namespaces, where co-located is defined as running on a node
 	// whose value of the label with key topologyKey matches that of any node on which any of the
 	// selected pods is running.
 	// Empty topologyKey is not allowed.
 	topologyKey: string @go(TopologyKey) @protobuf(3,bytes,opt)
 	// A label query over the set of namespaces that the term applies to.
 	// The term is applied to the union of the namespaces selected by this field
 	// and the ones listed in the namespaces field.
 	// null selector and null or empty namespaces list means "this pod's namespace".
 	// An empty selector ({}) matches all namespaces.
 	// +optional
 	namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(4,bytes,opt)
 }
 // Node affinity is a group of node affinity scheduling rules.
 #NodeAffinity: {
 	// If the affinity requirements specified by this field are not met at
 	// scheduling time, the pod will not be scheduled onto the node.
 	// If the affinity requirements specified by this field cease to be met
 	// at some point during pod execution (e.g. due to an update), the system
 	// may or may not try to eventually evict the pod from its node.
 	// +optional
 	requiredDuringSchedulingIgnoredDuringExecution?: null | #NodeSelector @go(RequiredDuringSchedulingIgnoredDuringExecution,*NodeSelector) @protobuf(1,bytes,opt)
 	// The scheduler will prefer to schedule pods to nodes that satisfy
 	// the affinity expressions specified by this field, but it may choose
 	// a node that violates one or more of the expressions. The node that is
 	// most preferred is the one with the greatest sum of weights, i.e.
 	// for each node that meets all of the scheduling requirements (resource
 	// request, requiredDuringScheduling affinity expressions, etc.),
 	// compute a sum by iterating through the elements of this field and adding
 	// "weight" to the sum if the node matches the corresponding matchExpressions; the
 	// node(s) with the highest sum are the most preferred.
 	// +optional
 	preferredDuringSchedulingIgnoredDuringExecution?: [...#PreferredSchedulingTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]PreferredSchedulingTerm) @protobuf(2,bytes,rep)
 }
 // An empty preferred scheduling term matches all objects with implicit weight 0
 // (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
 #PreferredSchedulingTerm: {
 	// Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
 	weight: int32 @go(Weight) @protobuf(1,varint,opt)
 	// A node selector term, associated with the corresponding weight.
 	preference: #NodeSelectorTerm @go(Preference) @protobuf(2,bytes,opt)
 }
 // The node this Taint is attached to has the "effect" on
 // any pod that does not tolerate the Taint.
 #Taint: {
 	// Required. The taint key to be applied to a node.
 	key: string @go(Key) @protobuf(1,bytes,opt)
 	// The taint value corresponding to the taint key.
 	// +optional
 	value?: string @go(Value) @protobuf(2,bytes,opt)
 	// Required. The effect of the taint on pods
 	// that do not tolerate the taint.
 	// Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
 	effect: #TaintEffect @go(Effect) @protobuf(3,bytes,opt,casttype=TaintEffect)
 	// TimeAdded represents the time at which the taint was added.
 	// It is only written for NoExecute taints.
 	// +optional
 	timeAdded?: null | metav1.#Time @go(TimeAdded,*metav1.Time) @protobuf(4,bytes,opt)
 }
 // +enum
 #TaintEffect: string // #enumTaintEffect
 #enumTaintEffect:
 	#TaintEffectNoSchedule |
 	#TaintEffectPreferNoSchedule |
 	#TaintEffectNoExecute
 // Do not allow new pods to schedule onto the node unless they tolerate the taint,
 // but allow all pods submitted to Kubelet without going through the scheduler
 // to start, and allow all already-running pods to continue running.
 // Enforced by the scheduler.
 #TaintEffectNoSchedule: #TaintEffect & "NoSchedule"
 // Like TaintEffectNoSchedule, but the scheduler tries not to schedule
 // new pods onto the node, rather than prohibiting new pods from scheduling
 // onto the node entirely. Enforced by the scheduler.
 #TaintEffectPreferNoSchedule: #TaintEffect & "PreferNoSchedule"
 // Evict any already-running pods that do not tolerate the taint.
 // Currently enforced by NodeController.
 #TaintEffectNoExecute: #TaintEffect & "NoExecute"
 // The pod this Toleration is attached to tolerates any taint that matches
 // the triple <key,value,effect> using the matching operator <operator>.
 #Toleration: {
 	// Key is the taint key that the toleration applies to. Empty means match all taint keys.
 	// If the key is empty, operator must be Exists; this combination means to match all values and all keys.
 	// +optional
 	key?: string @go(Key) @protobuf(1,bytes,opt)
 	// Operator represents a key's relationship to the value.
 	// Valid operators are Exists and Equal. Defaults to Equal.
 	// Exists is equivalent to wildcard for value, so that a pod can
 	// tolerate all taints of a particular category.
 	// +optional
 	operator?: #TolerationOperator @go(Operator) @protobuf(2,bytes,opt,casttype=TolerationOperator)
 	// Value is the taint value the toleration matches to.
 	// If the operator is Exists, the value should be empty, otherwise just a regular string.
 	// +optional
 	value?: string @go(Value) @protobuf(3,bytes,opt)
 	// Effect indicates the taint effect to match. Empty means match all taint effects.
 	// When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
 	// +optional
 	effect?: #TaintEffect @go(Effect) @protobuf(4,bytes,opt,casttype=TaintEffect)
 	// TolerationSeconds represents the period of time the toleration (which must be
 	// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
 	// it is not set, which means tolerate the taint forever (do not evict). Zero and
 	// negative values will be treated as 0 (evict immediately) by the system.
 	// +optional
 	tolerationSeconds?: null | int64 @go(TolerationSeconds,*int64) @protobuf(5,varint,opt)
 }
 // A toleration operator is the set of operators that can be used in a toleration.
 // +enum
 #TolerationOperator: string // #enumTolerationOperator
 #enumTolerationOperator:
 	#TolerationOpExists |
 	#TolerationOpEqual
 #TolerationOpExists: #TolerationOperator & "Exists"
 #TolerationOpEqual:  #TolerationOperator & "Equal"
 // PodReadinessGate contains the reference to a pod condition
 #PodReadinessGate: {
 	// ConditionType refers to a condition in the pod's condition list with matching type.
 	conditionType: #PodConditionType @go(ConditionType) @protobuf(1,bytes,opt,casttype=PodConditionType)
 }
 // PodSpec is a description of a pod.
 #PodSpec: {
 	// List of volumes that can be mounted by containers belonging to the pod.
 	// More info: https://kubernetes.io/docs/concepts/storage/volumes
 	// +optional
 	// +patchMergeKey=name
 	// +patchStrategy=merge,retainKeys
 	volumes?: [...#Volume] @go(Volumes,[]Volume) @protobuf(1,bytes,rep)
 	// List of initialization containers belonging to the pod.
 	// Init containers are executed in order prior to containers being started. If any
 	// init container fails, the pod is considered to have failed and is handled according
 	// to its restartPolicy. The name for an init container or normal container must be
 	// unique among all containers.
 	// Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes.
 	// The resourceRequirements of an init container are taken into account during scheduling
 	// by finding the highest request/limit for each resource type, and then using the max of
 	// of that value or the sum of the normal containers. Limits are applied to init containers
 	// in a similar fashion.
 	// Init containers cannot currently be added or removed.
 	// Cannot be updated.
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	initContainers?: [...#Container] @go(InitContainers,[]Container) @protobuf(20,bytes,rep)
 	// List of containers belonging to the pod.
 	// Containers cannot currently be added or removed.
 	// There must be at least one container in a Pod.
 	// Cannot be updated.
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	containers: [...#Container] @go(Containers,[]Container) @protobuf(2,bytes,rep)
 	// List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing
 	// pod to perform user-initiated actions such as debugging. This list cannot be specified when
 	// creating a pod, and it cannot be modified by updating the pod spec. In order to add an
 	// ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource.
 	// +optional
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	ephemeralContainers?: [...#EphemeralContainer] @go(EphemeralContainers,[]EphemeralContainer) @protobuf(34,bytes,rep)
 	// Restart policy for all containers within the pod.
 	// One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted.
 	// Default to Always.
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy
 	// +optional
 	restartPolicy?: #RestartPolicy @go(RestartPolicy) @protobuf(3,bytes,opt,casttype=RestartPolicy)
 	// Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request.
 	// Value must be non-negative integer. The value zero indicates stop immediately via
 	// the kill signal (no opportunity to shut down).
 	// If this value is nil, the default grace period will be used instead.
 	// The grace period is the duration in seconds after the processes running in the pod are sent
 	// a termination signal and the time when the processes are forcibly halted with a kill signal.
 	// Set this value longer than the expected cleanup time for your process.
 	// Defaults to 30 seconds.
 	// +optional
 	terminationGracePeriodSeconds?: null | int64 @go(TerminationGracePeriodSeconds,*int64) @protobuf(4,varint,opt)
 	// Optional duration in seconds the pod may be active on the node relative to
 	// StartTime before the system will actively try to mark it failed and kill associated containers.
 	// Value must be a positive integer.
 	// +optional
 	activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(5,varint,opt)
 	// Set DNS policy for the pod.
 	// Defaults to "ClusterFirst".
 	// Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'.
 	// DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy.
 	// To have DNS options set along with hostNetwork, you have to specify DNS policy
 	// explicitly to 'ClusterFirstWithHostNet'.
 	// +optional
 	dnsPolicy?: #DNSPolicy @go(DNSPolicy) @protobuf(6,bytes,opt,casttype=DNSPolicy)
 	// NodeSelector is a selector which must be true for the pod to fit on a node.
 	// Selector which must match a node's labels for the pod to be scheduled on that node.
 	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
 	// +optional
 	// +mapType=atomic
 	nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) @protobuf(7,bytes,rep)
 	// ServiceAccountName is the name of the ServiceAccount to use to run this pod.
 	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
 	// +optional
 	serviceAccountName?: string @go(ServiceAccountName) @protobuf(8,bytes,opt)
 	// DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
 	// Deprecated: Use serviceAccountName instead.
 	// +k8s:conversion-gen=false
 	// +optional
 	serviceAccount?: string @go(DeprecatedServiceAccount) @protobuf(9,bytes,opt)
 	// AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
 	// +optional
 	automountServiceAccountToken?: null | bool @go(AutomountServiceAccountToken,*bool) @protobuf(21,varint,opt)
 	// NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
 	// the scheduler simply schedules this pod onto that node, assuming that it fits resource
 	// requirements.
 	// +optional
 	nodeName?: string @go(NodeName) @protobuf(10,bytes,opt)
 	// Host networking requested for this pod. Use the host's network namespace.
 	// If this option is set, the ports that will be used must be specified.
 	// Default to false.
 	// +k8s:conversion-gen=false
 	// +optional
 	hostNetwork?: bool @go(HostNetwork) @protobuf(11,varint,opt)
 	// Use the host's pid namespace.
 	// Optional: Default to false.
 	// +k8s:conversion-gen=false
 	// +optional
 	hostPID?: bool @go(HostPID) @protobuf(12,varint,opt)
 	// Use the host's ipc namespace.
 	// Optional: Default to false.
 	// +k8s:conversion-gen=false
 	// +optional
 	hostIPC?: bool @go(HostIPC) @protobuf(13,varint,opt)
 	// Share a single process namespace between all of the containers in a pod.
 	// When this is set containers will be able to view and signal processes from other containers
 	// in the same pod, and the first process in each container will not be assigned PID 1.
 	// HostPID and ShareProcessNamespace cannot both be set.
 	// Optional: Default to false.
 	// +k8s:conversion-gen=false
 	// +optional
 	shareProcessNamespace?: null | bool @go(ShareProcessNamespace,*bool) @protobuf(27,varint,opt)
 	// SecurityContext holds pod-level security attributes and common container settings.
 	// Optional: Defaults to empty.  See type description for default values of each field.
 	// +optional
 	securityContext?: null | #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt)
 	// ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
 	// If specified, these secrets will be passed to individual puller implementations for them to use.
 	// More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
 	// +optional
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	imagePullSecrets?: [...#LocalObjectReference] @go(ImagePullSecrets,[]LocalObjectReference) @protobuf(15,bytes,rep)
 	// Specifies the hostname of the Pod
 	// If not specified, the pod's hostname will be set to a system-defined value.
 	// +optional
 	hostname?: string @go(Hostname) @protobuf(16,bytes,opt)
 	// If specified, the fully qualified Pod hostname will be "<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>".
 	// If not specified, the pod will not have a domainname at all.
 	// +optional
 	subdomain?: string @go(Subdomain) @protobuf(17,bytes,opt)
 	// If specified, the pod's scheduling constraints
 	// +optional
 	affinity?: null | #Affinity @go(Affinity,*Affinity) @protobuf(18,bytes,opt)
 	// If specified, the pod will be dispatched by specified scheduler.
 	// If not specified, the pod will be dispatched by default scheduler.
 	// +optional
 	schedulerName?: string @go(SchedulerName) @protobuf(19,bytes,opt)
 	// If specified, the pod's tolerations.
 	// +optional
 	tolerations?: [...#Toleration] @go(Tolerations,[]Toleration) @protobuf(22,bytes,opt)
 	// HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
 	// file if specified. This is only valid for non-hostNetwork pods.
 	// +optional
 	// +patchMergeKey=ip
 	// +patchStrategy=merge
 	hostAliases?: [...#HostAlias] @go(HostAliases,[]HostAlias) @protobuf(23,bytes,rep)
 	// If specified, indicates the pod's priority. "system-node-critical" and
 	// "system-cluster-critical" are two special keywords which indicate the
 	// highest priorities with the former being the highest priority. Any other
 	// name must be defined by creating a PriorityClass object with that name.
 	// If not specified, the pod priority will be default or zero if there is no
 	// default.
 	// +optional
 	priorityClassName?: string @go(PriorityClassName) @protobuf(24,bytes,opt)
 	// The priority value. Various system components use this field to find the
 	// priority of the pod. When Priority Admission Controller is enabled, it
 	// prevents users from setting this field. The admission controller populates
 	// this field from PriorityClassName.
 	// The higher the value, the higher the priority.
 	// +optional
 	priority?: null | int32 @go(Priority,*int32) @protobuf(25,bytes,opt)
 	// Specifies the DNS parameters of a pod.
 	// Parameters specified here will be merged to the generated DNS
 	// configuration based on DNSPolicy.
 	// +optional
 	dnsConfig?: null | #PodDNSConfig @go(DNSConfig,*PodDNSConfig) @protobuf(26,bytes,opt)
 	// If specified, all readiness gates will be evaluated for pod readiness.
 	// A pod is ready when all its containers are ready AND
 	// all conditions specified in the readiness gates have status equal to "True"
 	// More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates
 	// +optional
 	readinessGates?: [...#PodReadinessGate] @go(ReadinessGates,[]PodReadinessGate) @protobuf(28,bytes,opt)
 	// RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used
 	// to run this pod.  If no RuntimeClass resource matches the named class, the pod will not be run.
 	// If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an
 	// empty definition that uses the default runtime handler.
 	// More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
 	// +optional
 	runtimeClassName?: null | string @go(RuntimeClassName,*string) @protobuf(29,bytes,opt)
 	// EnableServiceLinks indicates whether information about services should be injected into pod's
 	// environment variables, matching the syntax of Docker links.
 	// Optional: Defaults to true.
 	// +optional
 	enableServiceLinks?: null | bool @go(EnableServiceLinks,*bool) @protobuf(30,varint,opt)
 	// PreemptionPolicy is the Policy for preempting pods with lower priority.
 	// One of Never, PreemptLowerPriority.
 	// Defaults to PreemptLowerPriority if unset.
 	// +optional
 	preemptionPolicy?: null | #PreemptionPolicy @go(PreemptionPolicy,*PreemptionPolicy) @protobuf(31,bytes,opt)
 	// Overhead represents the resource overhead associated with running a pod for a given RuntimeClass.
 	// This field will be autopopulated at admission time by the RuntimeClass admission controller. If
 	// the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests.
 	// The RuntimeClass admission controller will reject Pod create requests which have the overhead already
 	// set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value
 	// defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero.
 	// More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md
 	// +optional
 	overhead?: #ResourceList @go(Overhead) @protobuf(32,bytes,opt)
 	// TopologySpreadConstraints describes how a group of pods ought to spread across topology
 	// domains. Scheduler will schedule pods in a way which abides by the constraints.
 	// All topologySpreadConstraints are ANDed.
 	// +optional
 	// +patchMergeKey=topologyKey
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=topologyKey
 	// +listMapKey=whenUnsatisfiable
 	topologySpreadConstraints?: [...#TopologySpreadConstraint] @go(TopologySpreadConstraints,[]TopologySpreadConstraint) @protobuf(33,bytes,opt)
 	// If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default).
 	// In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname).
 	// In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters to FQDN.
 	// If a pod does not have FQDN, this has no effect.
 	// Default to false.
 	// +optional
 	setHostnameAsFQDN?: null | bool @go(SetHostnameAsFQDN,*bool) @protobuf(35,varint,opt)
 	// Specifies the OS of the containers in the pod.
 	// Some pod and container fields are restricted if this is set.
 	//
 	// If the OS field is set to linux, the following fields must be unset:
 	// -securityContext.windowsOptions
 	//
 	// If the OS field is set to windows, following fields must be unset:
 	// - spec.hostPID
 	// - spec.hostIPC
 	// - spec.hostUsers
 	// - spec.securityContext.seLinuxOptions
 	// - spec.securityContext.seccompProfile
 	// - spec.securityContext.fsGroup
 	// - spec.securityContext.fsGroupChangePolicy
 	// - spec.securityContext.sysctls
 	// - spec.shareProcessNamespace
 	// - spec.securityContext.runAsUser
 	// - spec.securityContext.runAsGroup
 	// - spec.securityContext.supplementalGroups
 	// - spec.containers[*].securityContext.seLinuxOptions
 	// - spec.containers[*].securityContext.seccompProfile
 	// - spec.containers[*].securityContext.capabilities
 	// - spec.containers[*].securityContext.readOnlyRootFilesystem
 	// - spec.containers[*].securityContext.privileged
 	// - spec.containers[*].securityContext.allowPrivilegeEscalation
 	// - spec.containers[*].securityContext.procMount
 	// - spec.containers[*].securityContext.runAsUser
 	// - spec.containers[*].securityContext.runAsGroup
 	// +optional
 	os?: null | #PodOS @go(OS,*PodOS) @protobuf(36,bytes,opt)
 	// Use the host's user namespace.
 	// Optional: Default to true.
 	// If set to true or not present, the pod will be run in the host user namespace, useful
 	// for when the pod needs a feature only available to the host user namespace, such as
 	// loading a kernel module with CAP_SYS_MODULE.
 	// When set to false, a new userns is created for the pod. Setting false is useful for
 	// mitigating container breakout vulnerabilities even allowing users to run their
 	// containers as root without actually having root privileges on the host.
 	// This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature.
 	// +k8s:conversion-gen=false
 	// +optional
 	hostUsers?: null | bool @go(HostUsers,*bool) @protobuf(37,bytes,opt)
 	// SchedulingGates is an opaque list of values that if specified will block scheduling the pod.
 	// If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
 	// scheduler will not attempt to schedule the pod.
 	//
 	// SchedulingGates can only be set at pod creation time, and be removed only afterwards.
 	//
 	// This is a beta feature enabled by the PodSchedulingReadiness feature gate.
 	//
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=name
 	// +featureGate=PodSchedulingReadiness
 	// +optional
 	schedulingGates?: [...#PodSchedulingGate] @go(SchedulingGates,[]PodSchedulingGate) @protobuf(38,bytes,opt)
 	// ResourceClaims defines which ResourceClaims must be allocated
 	// and reserved before the Pod is allowed to start. The resources
 	// will be made available to those containers which consume them
 	// by name.
 	//
 	// This is an alpha field and requires enabling the
 	// DynamicResourceAllocation feature gate.
 	//
 	// This field is immutable.
 	//
 	// +patchMergeKey=name
 	// +patchStrategy=merge,retainKeys
 	// +listType=map
 	// +listMapKey=name
 	// +featureGate=DynamicResourceAllocation
 	// +optional
 	resourceClaims?: [...#PodResourceClaim] @go(ResourceClaims,[]PodResourceClaim) @protobuf(39,bytes,rep)
 }
 // PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
 // It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
 // Containers that need access to the ResourceClaim reference it with this name.
 #PodResourceClaim: {
 	// Name uniquely identifies this resource claim inside the pod.
 	// This must be a DNS_LABEL.
 	name: string @go(Name) @protobuf(1,bytes)
 	// Source describes where to find the ResourceClaim.
 	source?: #ClaimSource @go(Source) @protobuf(2,bytes)
 }
 // ClaimSource describes a reference to a ResourceClaim.
 //
 // Exactly one of these fields should be set.  Consumers of this type must
 // treat an empty object as if it has an unknown value.
 #ClaimSource: {
 	// ResourceClaimName is the name of a ResourceClaim object in the same
 	// namespace as this pod.
 	resourceClaimName?: null | string @go(ResourceClaimName,*string) @protobuf(1,bytes,opt)
 	// ResourceClaimTemplateName is the name of a ResourceClaimTemplate
 	// object in the same namespace as this pod.
 	//
 	// The template will be used to create a new ResourceClaim, which will
 	// be bound to this pod. When this pod is deleted, the ResourceClaim
 	// will also be deleted. The pod name and resource name, along with a
 	// generated component, will be used to form a unique name for the
 	// ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
 	//
 	// This field is immutable and no changes will be made to the
 	// corresponding ResourceClaim by the control plane after creating the
 	// ResourceClaim.
 	resourceClaimTemplateName?: null | string @go(ResourceClaimTemplateName,*string) @protobuf(2,bytes,opt)
 }
 // PodResourceClaimStatus is stored in the PodStatus for each PodResourceClaim
 // which references a ResourceClaimTemplate. It stores the generated name for
 // the corresponding ResourceClaim.
 #PodResourceClaimStatus: {
 	// Name uniquely identifies this resource claim inside the pod.
 	// This must match the name of an entry in pod.spec.resourceClaims,
 	// which implies that the string must be a DNS_LABEL.
 	name: string @go(Name) @protobuf(1,bytes)
 	// ResourceClaimName is the name of the ResourceClaim that was
 	// generated for the Pod in the namespace of the Pod. It this is
 	// unset, then generating a ResourceClaim was not necessary. The
 	// pod.spec.resourceClaims entry can be ignored in this case.
 	//
 	// +optional
 	resourceClaimName?: null | string @go(ResourceClaimName,*string) @protobuf(2,bytes,opt)
 }
 // OSName is the set of OS'es that can be used in OS.
 #OSName: string // #enumOSName
 #enumOSName:
 	#Linux |
 	#Windows
 #Linux:   #OSName & "linux"
 #Windows: #OSName & "windows"
 // PodOS defines the OS parameters of a pod.
 #PodOS: {
 	// Name is the name of the operating system. The currently supported values are linux and windows.
 	// Additional value may be defined in future and can be one of:
 	// https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration
 	// Clients should expect to handle additional values and treat unrecognized values in this field as os: null
 	name: #OSName @go(Name) @protobuf(1,bytes,opt)
 }
 // PodSchedulingGate is associated to a Pod to guard its scheduling.
 #PodSchedulingGate: {
 	// Name of the scheduling gate.
 	// Each scheduling gate must have a unique name field.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 }
 // +enum
 #UnsatisfiableConstraintAction: string // #enumUnsatisfiableConstraintAction
 #enumUnsatisfiableConstraintAction:
 	#DoNotSchedule |
 	#ScheduleAnyway
 // DoNotSchedule instructs the scheduler not to schedule the pod
 // when constraints are not satisfied.
 #DoNotSchedule: #UnsatisfiableConstraintAction & "DoNotSchedule"
 // ScheduleAnyway instructs the scheduler to schedule the pod
 // even if constraints are not satisfied.
 #ScheduleAnyway: #UnsatisfiableConstraintAction & "ScheduleAnyway"
 // NodeInclusionPolicy defines the type of node inclusion policy
 // +enum
 #NodeInclusionPolicy: string // #enumNodeInclusionPolicy
 #enumNodeInclusionPolicy:
 	#NodeInclusionPolicyIgnore |
 	#NodeInclusionPolicyHonor
 // NodeInclusionPolicyIgnore means ignore this scheduling directive when calculating pod topology spread skew.
 #NodeInclusionPolicyIgnore: #NodeInclusionPolicy & "Ignore"
 // NodeInclusionPolicyHonor means use this scheduling directive when calculating pod topology spread skew.
 #NodeInclusionPolicyHonor: #NodeInclusionPolicy & "Honor"
 // TopologySpreadConstraint specifies how to spread matching pods among the given topology.
 #TopologySpreadConstraint: {
 	// MaxSkew describes the degree to which pods may be unevenly distributed.
 	// When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
 	// between the number of matching pods in the target topology and the global minimum.
 	// The global minimum is the minimum number of matching pods in an eligible domain
 	// or zero if the number of eligible domains is less than MinDomains.
 	// For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
 	// labelSelector spread as 2/2/1:
 	// In this case, the global minimum is 1.
 	// +-------+-------+-------+
 	// | zone1 | zone2 | zone3 |
 	// +-------+-------+-------+
 	// |  P P  |  P P  |   P   |
 	// +-------+-------+-------+
 	// - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
 	// scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
 	// violate MaxSkew(1).
 	// - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
 	// When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
 	// to topologies that satisfy it.
 	// It's a required field. Default value is 1 and 0 is not allowed.
 	maxSkew: int32 @go(MaxSkew) @protobuf(1,varint,opt)
 	// TopologyKey is the key of node labels. Nodes that have a label with this key
 	// and identical values are considered to be in the same topology.
 	// We consider each <key, value> as a "bucket", and try to put balanced number
 	// of pods into each bucket.
 	// We define a domain as a particular instance of a topology.
 	// Also, we define an eligible domain as a domain whose nodes meet the requirements of
 	// nodeAffinityPolicy and nodeTaintsPolicy.
 	// e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
 	// And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
 	// It's a required field.
 	topologyKey: string @go(TopologyKey) @protobuf(2,bytes,opt)
 	// WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
 	// the spread constraint.
 	// - DoNotSchedule (default) tells the scheduler not to schedule it.
 	// - ScheduleAnyway tells the scheduler to schedule the pod in any location,
 	//   but giving higher precedence to topologies that would help reduce the
 	//   skew.
 	// A constraint is considered "Unsatisfiable" for an incoming pod
 	// if and only if every possible node assignment for that pod would violate
 	// "MaxSkew" on some topology.
 	// For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
 	// labelSelector spread as 3/1/1:
 	// +-------+-------+-------+
 	// | zone1 | zone2 | zone3 |
 	// +-------+-------+-------+
 	// | P P P |   P   |   P   |
 	// +-------+-------+-------+
 	// If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
 	// to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
 	// MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
 	// won't make it *more* imbalanced.
 	// It's a required field.
 	whenUnsatisfiable: #UnsatisfiableConstraintAction @go(WhenUnsatisfiable) @protobuf(3,bytes,opt,casttype=UnsatisfiableConstraintAction)
 	// LabelSelector is used to find matching pods.
 	// Pods that match this label selector are counted to determine the number of pods
 	// in their corresponding topology domain.
 	// +optional
 	labelSelector?: null | metav1.#LabelSelector @go(LabelSelector,*metav1.LabelSelector) @protobuf(4,bytes,opt)
 	// MinDomains indicates a minimum number of eligible domains.
 	// When the number of eligible domains with matching topology keys is less than minDomains,
 	// Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
 	// And when the number of eligible domains with matching topology keys equals or greater than minDomains,
 	// this value has no effect on scheduling.
 	// As a result, when the number of eligible domains is less than minDomains,
 	// scheduler won't schedule more than maxSkew Pods to those domains.
 	// If value is nil, the constraint behaves as if MinDomains is equal to 1.
 	// Valid values are integers greater than 0.
 	// When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
 	//
 	// For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
 	// labelSelector spread as 2/2/2:
 	// +-------+-------+-------+
 	// | zone1 | zone2 | zone3 |
 	// +-------+-------+-------+
 	// |  P P  |  P P  |  P P  |
 	// +-------+-------+-------+
 	// The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
 	// In this situation, new pod with the same labelSelector cannot be scheduled,
 	// because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
 	// it will violate MaxSkew.
 	//
 	// This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
 	// +optional
 	minDomains?: null | int32 @go(MinDomains,*int32) @protobuf(5,varint,opt)
 	// NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
 	// when calculating pod topology spread skew. Options are:
 	// - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
 	// - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 	//
 	// If this value is nil, the behavior is equivalent to the Honor policy.
 	// This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
 	// +optional
 	nodeAffinityPolicy?: null | #NodeInclusionPolicy @go(NodeAffinityPolicy,*NodeInclusionPolicy) @protobuf(6,bytes,opt)
 	// NodeTaintsPolicy indicates how we will treat node taints when calculating
 	// pod topology spread skew. Options are:
 	// - Honor: nodes without taints, along with tainted nodes for which the incoming pod
 	// has a toleration, are included.
 	// - Ignore: node taints are ignored. All nodes are included.
 	//
 	// If this value is nil, the behavior is equivalent to the Ignore policy.
 	// This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
 	// +optional
 	nodeTaintsPolicy?: null | #NodeInclusionPolicy @go(NodeTaintsPolicy,*NodeInclusionPolicy) @protobuf(7,bytes,opt)
 	// MatchLabelKeys is a set of pod label keys to select the pods over which
 	// spreading will be calculated. The keys are used to lookup values from the
 	// incoming pod labels, those key-value labels are ANDed with labelSelector
 	// to select the group of existing pods over which spreading will be calculated
 	// for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
 	// MatchLabelKeys cannot be set when LabelSelector isn't set.
 	// Keys that don't exist in the incoming pod labels will
 	// be ignored. A null or empty list means only match against labelSelector.
 	//
 	// This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
 	// +listType=atomic
 	// +optional
 	matchLabelKeys?: [...string] @go(MatchLabelKeys,[]string) @protobuf(8,bytes,opt)
 }
 // The default value for enableServiceLinks attribute.
 #DefaultEnableServiceLinks: true
 // HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
 // pod's hosts file.
 #HostAlias: {
 	// IP address of the host file entry.
 	ip?: string @go(IP) @protobuf(1,bytes,opt)
 	// Hostnames for the above IP address.
 	hostnames?: [...string] @go(Hostnames,[]string) @protobuf(2,bytes,rep)
 }
 // PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume
 // when volume is mounted.
 // +enum
 #PodFSGroupChangePolicy: string // #enumPodFSGroupChangePolicy
 #enumPodFSGroupChangePolicy:
 	#FSGroupChangeOnRootMismatch |
 	#FSGroupChangeAlways
 // FSGroupChangeOnRootMismatch indicates that volume's ownership and permissions will be changed
 // only when permission and ownership of root directory does not match with expected
 // permissions on the volume. This can help shorten the time it takes to change
 // ownership and permissions of a volume.
 #FSGroupChangeOnRootMismatch: #PodFSGroupChangePolicy & "OnRootMismatch"
 // FSGroupChangeAlways indicates that volume's ownership and permissions
 // should always be changed whenever volume is mounted inside a Pod. This the default
 // behavior.
 #FSGroupChangeAlways: #PodFSGroupChangePolicy & "Always"
 // PodSecurityContext holds pod-level security attributes and common container settings.
 // Some fields are also present in container.securityContext.  Field values of
 // container.securityContext take precedence over field values of PodSecurityContext.
 #PodSecurityContext: {
 	// The SELinux context to be applied to all containers.
 	// If unspecified, the container runtime will allocate a random SELinux context for each
 	// container.  May also be set in SecurityContext.  If set in
 	// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
 	// takes precedence for that container.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	seLinuxOptions?: null | #SELinuxOptions @go(SELinuxOptions,*SELinuxOptions) @protobuf(1,bytes,opt)
 	// The Windows specific settings applied to all containers.
 	// If unspecified, the options within a container's SecurityContext will be used.
 	// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// Note that this field cannot be set when spec.os.name is linux.
 	// +optional
 	windowsOptions?: null | #WindowsSecurityContextOptions @go(WindowsOptions,*WindowsSecurityContextOptions) @protobuf(8,bytes,opt)
 	// The UID to run the entrypoint of the container process.
 	// Defaults to user specified in image metadata if unspecified.
 	// May also be set in SecurityContext.  If set in both SecurityContext and
 	// PodSecurityContext, the value specified in SecurityContext takes precedence
 	// for that container.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	runAsUser?: null | int64 @go(RunAsUser,*int64) @protobuf(2,varint,opt)
 	// The GID to run the entrypoint of the container process.
 	// Uses runtime default if unset.
 	// May also be set in SecurityContext.  If set in both SecurityContext and
 	// PodSecurityContext, the value specified in SecurityContext takes precedence
 	// for that container.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	runAsGroup?: null | int64 @go(RunAsGroup,*int64) @protobuf(6,varint,opt)
 	// Indicates that the container must run as a non-root user.
 	// If true, the Kubelet will validate the image at runtime to ensure that it
 	// does not run as UID 0 (root) and fail to start the container if it does.
 	// If unset or false, no such validation will be performed.
 	// May also be set in SecurityContext.  If set in both SecurityContext and
 	// PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// +optional
 	runAsNonRoot?: null | bool @go(RunAsNonRoot,*bool) @protobuf(3,varint,opt)
 	// A list of groups applied to the first process run in each container, in addition
 	// to the container's primary GID, the fsGroup (if specified), and group memberships
 	// defined in the container image for the uid of the container process. If unspecified,
 	// no additional groups are added to any container. Note that group memberships
 	// defined in the container image for the uid of the container process are still effective,
 	// even if they are not included in this list.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	supplementalGroups?: [...int64] @go(SupplementalGroups,[]int64) @protobuf(4,varint,rep)
 	// A special supplemental group that applies to all containers in a pod.
 	// Some volume types allow the Kubelet to change the ownership of that volume
 	// to be owned by the pod:
 	//
 	// 1. The owning GID will be the FSGroup
 	// 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
 	// 3. The permission bits are OR'd with rw-rw----
 	//
 	// If unset, the Kubelet will not modify the ownership and permissions of any volume.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	fsGroup?: null | int64 @go(FSGroup,*int64) @protobuf(5,varint,opt)
 	// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
 	// sysctls (by the container runtime) might fail to launch.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	sysctls?: [...#Sysctl] @go(Sysctls,[]Sysctl) @protobuf(7,bytes,rep)
 	// fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
 	// before being exposed inside Pod. This field will only apply to
 	// volume types which support fsGroup based ownership(and permissions).
 	// It will have no effect on ephemeral volume types such as: secret, configmaps
 	// and emptydir.
 	// Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	fsGroupChangePolicy?: null | #PodFSGroupChangePolicy @go(FSGroupChangePolicy,*PodFSGroupChangePolicy) @protobuf(9,bytes,opt)
 	// The seccomp options to use by the containers in this pod.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	seccompProfile?: null | #SeccompProfile @go(SeccompProfile,*SeccompProfile) @protobuf(10,bytes,opt)
 }
 // SeccompProfile defines a pod/container's seccomp profile settings.
 // Only one profile source may be set.
 // +union
 #SeccompProfile: {
 	// type indicates which kind of seccomp profile will be applied.
 	// Valid options are:
 	//
 	// Localhost - a profile defined in a file on the node should be used.
 	// RuntimeDefault - the container runtime default profile should be used.
 	// Unconfined - no profile should be applied.
 	// +unionDiscriminator
 	type: #SeccompProfileType @go(Type) @protobuf(1,bytes,opt,casttype=SeccompProfileType)
 	// localhostProfile indicates a profile defined in a file on the node should be used.
 	// The profile must be preconfigured on the node to work.
 	// Must be a descending path, relative to the kubelet's configured seccomp profile location.
 	// Must be set if type is "Localhost". Must NOT be set for any other type.
 	// +optional
 	localhostProfile?: null | string @go(LocalhostProfile,*string) @protobuf(2,bytes,opt)
 }
 // SeccompProfileType defines the supported seccomp profile types.
 // +enum
 #SeccompProfileType: string // #enumSeccompProfileType
 #enumSeccompProfileType:
 	#SeccompProfileTypeUnconfined |
 	#SeccompProfileTypeRuntimeDefault |
 	#SeccompProfileTypeLocalhost
 // SeccompProfileTypeUnconfined indicates no seccomp profile is applied (A.K.A. unconfined).
 #SeccompProfileTypeUnconfined: #SeccompProfileType & "Unconfined"
 // SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile.
 #SeccompProfileTypeRuntimeDefault: #SeccompProfileType & "RuntimeDefault"
 // SeccompProfileTypeLocalhost indicates a profile defined in a file on the node should be used.
 // The file's location relative to <kubelet-root-dir>/seccomp.
 #SeccompProfileTypeLocalhost: #SeccompProfileType & "Localhost"
 // PodQOSClass defines the supported qos classes of Pods.
 // +enum
 #PodQOSClass: string // #enumPodQOSClass
 #enumPodQOSClass:
 	#PodQOSGuaranteed |
 	#PodQOSBurstable |
 	#PodQOSBestEffort
 // PodQOSGuaranteed is the Guaranteed qos class.
 #PodQOSGuaranteed: #PodQOSClass & "Guaranteed"
 // PodQOSBurstable is the Burstable qos class.
 #PodQOSBurstable: #PodQOSClass & "Burstable"
 // PodQOSBestEffort is the BestEffort qos class.
 #PodQOSBestEffort: #PodQOSClass & "BestEffort"
 // PodDNSConfig defines the DNS parameters of a pod in addition to
 // those generated from DNSPolicy.
 #PodDNSConfig: {
 	// A list of DNS name server IP addresses.
 	// This will be appended to the base nameservers generated from DNSPolicy.
 	// Duplicated nameservers will be removed.
 	// +optional
 	nameservers?: [...string] @go(Nameservers,[]string) @protobuf(1,bytes,rep)
 	// A list of DNS search domains for host-name lookup.
 	// This will be appended to the base search paths generated from DNSPolicy.
 	// Duplicated search paths will be removed.
 	// +optional
 	searches?: [...string] @go(Searches,[]string) @protobuf(2,bytes,rep)
 	// A list of DNS resolver options.
 	// This will be merged with the base options generated from DNSPolicy.
 	// Duplicated entries will be removed. Resolution options given in Options
 	// will override those that appear in the base DNSPolicy.
 	// +optional
 	options?: [...#PodDNSConfigOption] @go(Options,[]PodDNSConfigOption) @protobuf(3,bytes,rep)
 }
 // PodDNSConfigOption defines DNS resolver options of a pod.
 #PodDNSConfigOption: {
 	// Required.
 	name?: string @go(Name) @protobuf(1,bytes,opt)
 	// +optional
 	value?: null | string @go(Value,*string) @protobuf(2,bytes,opt)
 }
 // PodIP represents a single IP address allocated to the pod.
 #PodIP: {
 	// IP is the IP address assigned to the pod
 	ip?: string @go(IP) @protobuf(1,bytes,opt)
 }
 // HostIP represents a single IP address allocated to the host.
 #HostIP: {
 	// IP is the IP address assigned to the host
 	ip?: string @go(IP) @protobuf(1,bytes,opt)
 }
 // EphemeralContainerCommon is a copy of all fields in Container to be inlined in
 // EphemeralContainer. This separate type allows easy conversion from EphemeralContainer
 // to Container and allows separate documentation for the fields of EphemeralContainer.
 // When a new field is added to Container it must be added here as well.
 #EphemeralContainerCommon: {
 	// Name of the ephemeral container specified as a DNS_LABEL.
 	// This name must be unique among all containers, init containers and ephemeral containers.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// Container image name.
 	// More info: https://kubernetes.io/docs/concepts/containers/images
 	image?: string @go(Image) @protobuf(2,bytes,opt)
 	// Entrypoint array. Not executed within a shell.
 	// The image's ENTRYPOINT is used if this is not provided.
 	// Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
 	// cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
 	// to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
 	// produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
 	// of whether the variable exists or not. Cannot be updated.
 	// More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
 	// +optional
 	command?: [...string] @go(Command,[]string) @protobuf(3,bytes,rep)
 	// Arguments to the entrypoint.
 	// The image's CMD is used if this is not provided.
 	// Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
 	// cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
 	// to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
 	// produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
 	// of whether the variable exists or not. Cannot be updated.
 	// More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
 	// +optional
 	args?: [...string] @go(Args,[]string) @protobuf(4,bytes,rep)
 	// Container's working directory.
 	// If not specified, the container runtime's default will be used, which
 	// might be configured in the container image.
 	// Cannot be updated.
 	// +optional
 	workingDir?: string @go(WorkingDir) @protobuf(5,bytes,opt)
 	// Ports are not allowed for ephemeral containers.
 	// +optional
 	// +patchMergeKey=containerPort
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=containerPort
 	// +listMapKey=protocol
 	ports?: [...#ContainerPort] @go(Ports,[]ContainerPort) @protobuf(6,bytes,rep)
 	// List of sources to populate environment variables in the container.
 	// The keys defined within a source must be a C_IDENTIFIER. All invalid keys
 	// will be reported as an event when the container is starting. When a key exists in multiple
 	// sources, the value associated with the last source will take precedence.
 	// Values defined by an Env with a duplicate key will take precedence.
 	// Cannot be updated.
 	// +optional
 	envFrom?: [...#EnvFromSource] @go(EnvFrom,[]EnvFromSource) @protobuf(19,bytes,rep)
 	// List of environment variables to set in the container.
 	// Cannot be updated.
 	// +optional
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	env?: [...#EnvVar] @go(Env,[]EnvVar) @protobuf(7,bytes,rep)
 	// Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources
 	// already allocated to the pod.
 	// +optional
 	resources?: #ResourceRequirements @go(Resources) @protobuf(8,bytes,opt)
 	// Resources resize policy for the container.
 	// +featureGate=InPlacePodVerticalScaling
 	// +optional
 	// +listType=atomic
 	resizePolicy?: [...#ContainerResizePolicy] @go(ResizePolicy,[]ContainerResizePolicy) @protobuf(23,bytes,rep)
 	// Restart policy for the container to manage the restart behavior of each
 	// container within a pod.
 	// This may only be set for init containers. You cannot set this field on
 	// ephemeral containers.
 	// +featureGate=SidecarContainers
 	// +optional
 	restartPolicy?: null | #ContainerRestartPolicy @go(RestartPolicy,*ContainerRestartPolicy) @protobuf(24,bytes,opt,casttype=ContainerRestartPolicy)
 	// Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
 	// Cannot be updated.
 	// +optional
 	// +patchMergeKey=mountPath
 	// +patchStrategy=merge
 	volumeMounts?: [...#VolumeMount] @go(VolumeMounts,[]VolumeMount) @protobuf(9,bytes,rep)
 	// volumeDevices is the list of block devices to be used by the container.
 	// +patchMergeKey=devicePath
 	// +patchStrategy=merge
 	// +optional
 	volumeDevices?: [...#VolumeDevice] @go(VolumeDevices,[]VolumeDevice) @protobuf(21,bytes,rep)
 	// Probes are not allowed for ephemeral containers.
 	// +optional
 	livenessProbe?: null | #Probe @go(LivenessProbe,*Probe) @protobuf(10,bytes,opt)
 	// Probes are not allowed for ephemeral containers.
 	// +optional
 	readinessProbe?: null | #Probe @go(ReadinessProbe,*Probe) @protobuf(11,bytes,opt)
 	// Probes are not allowed for ephemeral containers.
 	// +optional
 	startupProbe?: null | #Probe @go(StartupProbe,*Probe) @protobuf(22,bytes,opt)
 	// Lifecycle is not allowed for ephemeral containers.
 	// +optional
 	lifecycle?: null | #Lifecycle @go(Lifecycle,*Lifecycle) @protobuf(12,bytes,opt)
 	// Optional: Path at which the file to which the container's termination message
 	// will be written is mounted into the container's filesystem.
 	// Message written is intended to be brief final status, such as an assertion failure message.
 	// Will be truncated by the node if greater than 4096 bytes. The total message length across
 	// all containers will be limited to 12kb.
 	// Defaults to /dev/termination-log.
 	// Cannot be updated.
 	// +optional
 	terminationMessagePath?: string @go(TerminationMessagePath) @protobuf(13,bytes,opt)
 	// Indicate how the termination message should be populated. File will use the contents of
 	// terminationMessagePath to populate the container status message on both success and failure.
 	// FallbackToLogsOnError will use the last chunk of container log output if the termination
 	// message file is empty and the container exited with an error.
 	// The log output is limited to 2048 bytes or 80 lines, whichever is smaller.
 	// Defaults to File.
 	// Cannot be updated.
 	// +optional
 	terminationMessagePolicy?: #TerminationMessagePolicy @go(TerminationMessagePolicy) @protobuf(20,bytes,opt,casttype=TerminationMessagePolicy)
 	// Image pull policy.
 	// One of Always, Never, IfNotPresent.
 	// Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
 	// Cannot be updated.
 	// More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
 	// +optional
 	imagePullPolicy?: #PullPolicy @go(ImagePullPolicy) @protobuf(14,bytes,opt,casttype=PullPolicy)
 	// Optional: SecurityContext defines the security options the ephemeral container should be run with.
 	// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
 	// +optional
 	securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt)
 	// Whether this container should allocate a buffer for stdin in the container runtime. If this
 	// is not set, reads from stdin in the container will always result in EOF.
 	// Default is false.
 	// +optional
 	stdin?: bool @go(Stdin) @protobuf(16,varint,opt)
 	// Whether the container runtime should close the stdin channel after it has been opened by
 	// a single attach. When stdin is true the stdin stream will remain open across multiple attach
 	// sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the
 	// first client attaches to stdin, and then remains open and accepts data until the client disconnects,
 	// at which time stdin is closed and remains closed until the container is restarted. If this
 	// flag is false, a container processes that reads from stdin will never receive an EOF.
 	// Default is false
 	// +optional
 	stdinOnce?: bool @go(StdinOnce) @protobuf(17,varint,opt)
 	// Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.
 	// Default is false.
 	// +optional
 	tty?: bool @go(TTY) @protobuf(18,varint,opt)
 }
 // An EphemeralContainer is a temporary container that you may add to an existing Pod for
 // user-initiated activities such as debugging. Ephemeral containers have no resource or
 // scheduling guarantees, and they will not be restarted when they exit or when a Pod is
 // removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
 // Pod to exceed its resource allocation.
 //
 // To add an ephemeral container, use the ephemeralcontainers subresource of an existing
 // Pod. Ephemeral containers may not be removed or restarted.
 #EphemeralContainer: {
 	#EphemeralContainerCommon
 	// If set, the name of the container from PodSpec that this ephemeral container targets.
 	// The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
 	// If not set then the ephemeral container uses the namespaces configured in the Pod spec.
 	//
 	// The container runtime must implement support for this feature. If the runtime does not
 	// support namespace targeting then the result of setting this field is undefined.
 	// +optional
 	targetContainerName?: string @go(TargetContainerName) @protobuf(2,bytes,opt)
 }
 // PodStatus represents information about the status of a pod. Status may trail the actual
 // state of a system, especially if the node that hosts the pod cannot contact the control
 // plane.
 #PodStatus: {
 	// The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle.
 	// The conditions array, the reason and message fields, and the individual container status
 	// arrays contain more detail about the pod's status.
 	// There are five possible phase values:
 	//
 	// Pending: The pod has been accepted by the Kubernetes system, but one or more of the
 	// container images has not been created. This includes time before being scheduled as
 	// well as time spent downloading images over the network, which could take a while.
 	// Running: The pod has been bound to a node, and all of the containers have been created.
 	// At least one container is still running, or is in the process of starting or restarting.
 	// Succeeded: All containers in the pod have terminated in success, and will not be restarted.
 	// Failed: All containers in the pod have terminated, and at least one container has
 	// terminated in failure. The container either exited with non-zero status or was terminated
 	// by the system.
 	// Unknown: For some reason the state of the pod could not be obtained, typically due to an
 	// error in communicating with the host of the pod.
 	//
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase
 	// +optional
 	phase?: #PodPhase @go(Phase) @protobuf(1,bytes,opt,casttype=PodPhase)
 	// Current service state of pod.
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	conditions?: [...#PodCondition] @go(Conditions,[]PodCondition) @protobuf(2,bytes,rep)
 	// A human readable message indicating details about why the pod is in this condition.
 	// +optional
 	message?: string @go(Message) @protobuf(3,bytes,opt)
 	// A brief CamelCase message indicating details about why the pod is in this state.
 	// e.g. 'Evicted'
 	// +optional
 	reason?: string @go(Reason) @protobuf(4,bytes,opt)
 	// nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be
 	// scheduled right away as preemption victims receive their graceful termination periods.
 	// This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide
 	// to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to
 	// give the resources on this node to a higher priority pod that is created after preemption.
 	// As a result, this field may be different than PodSpec.nodeName when the pod is
 	// scheduled.
 	// +optional
 	nominatedNodeName?: string @go(NominatedNodeName) @protobuf(11,bytes,opt)
 	// hostIP holds the IP address of the host to which the pod is assigned. Empty if the pod has not started yet.
 	// A pod can be assigned to a node that has a problem in kubelet which in turns mean that HostIP will
 	// not be updated even if there is a node is assigned to pod
 	// +optional
 	hostIP?: string @go(HostIP) @protobuf(5,bytes,opt)
 	// hostIPs holds the IP addresses allocated to the host. If this field is specified, the first entry must
 	// match the hostIP field. This list is empty if the pod has not started yet.
 	// A pod can be assigned to a node that has a problem in kubelet which in turns means that HostIPs will
 	// not be updated even if there is a node is assigned to this pod.
 	// +optional
 	// +patchStrategy=merge
 	// +patchMergeKey=ip
 	// +listType=atomic
 	hostIPs?: [...#HostIP] @go(HostIPs,[]HostIP) @protobuf(16,bytes,rep)
 	// podIP address allocated to the pod. Routable at least within the cluster.
 	// Empty if not yet allocated.
 	// +optional
 	podIP?: string @go(PodIP) @protobuf(6,bytes,opt)
 	// podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must
 	// match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list
 	// is empty if no IPs have been allocated yet.
 	// +optional
 	// +patchStrategy=merge
 	// +patchMergeKey=ip
 	podIPs?: [...#PodIP] @go(PodIPs,[]PodIP) @protobuf(12,bytes,rep)
 	// RFC 3339 date and time at which the object was acknowledged by the Kubelet.
 	// This is before the Kubelet pulled the container image(s) for the pod.
 	// +optional
 	startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(7,bytes,opt)
 	// The list has one entry per init container in the manifest. The most recent successful
 	// init container will have ready = true, the most recently started container will have
 	// startTime set.
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status
 	initContainerStatuses?: [...#ContainerStatus] @go(InitContainerStatuses,[]ContainerStatus) @protobuf(10,bytes,rep)
 	// The list has one entry per container in the manifest.
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status
 	// +optional
 	containerStatuses?: [...#ContainerStatus] @go(ContainerStatuses,[]ContainerStatus) @protobuf(8,bytes,rep)
 	// The Quality of Service (QOS) classification assigned to the pod based on resource requirements
 	// See PodQOSClass type for available QOS classes
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classes
 	// +optional
 	qosClass?: #PodQOSClass @go(QOSClass) @protobuf(9,bytes,rep)
 	// Status for any ephemeral containers that have run in this pod.
 	// +optional
 	ephemeralContainerStatuses?: [...#ContainerStatus] @go(EphemeralContainerStatuses,[]ContainerStatus) @protobuf(13,bytes,rep)
 	// Status of resources resize desired for pod's containers.
 	// It is empty if no resources resize is pending.
 	// Any changes to container resources will automatically set this to "Proposed"
 	// +featureGate=InPlacePodVerticalScaling
 	// +optional
 	resize?: #PodResizeStatus @go(Resize) @protobuf(14,bytes,opt,casttype=PodResizeStatus)
 	// Status of resource claims.
 	// +patchMergeKey=name
 	// +patchStrategy=merge,retainKeys
 	// +listType=map
 	// +listMapKey=name
 	// +featureGate=DynamicResourceAllocation
 	// +optional
 	resourceClaimStatuses?: [...#PodResourceClaimStatus] @go(ResourceClaimStatuses,[]PodResourceClaimStatus) @protobuf(15,bytes,rep)
 }
 // PodStatusResult is a wrapper for PodStatus returned by kubelet that can be encode/decoded
 #PodStatusResult: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Most recently observed status of the pod.
 	// This data may not be up to date.
 	// Populated by the system.
 	// Read-only.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: #PodStatus @go(Status) @protobuf(2,bytes,opt)
 }
 // Pod is a collection of containers that can run on a host. This resource is created
 // by clients and scheduled onto hosts.
 #Pod: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Specification of the desired behavior of the pod.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #PodSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Most recently observed status of the pod.
 	// This data may not be up to date.
 	// Populated by the system.
 	// Read-only.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: #PodStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // PodList is a list of Pods.
 #PodList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of pods.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
 	items: [...#Pod] @go(Items,[]Pod) @protobuf(2,bytes,rep)
 }
 // PodTemplateSpec describes the data a pod should have when created from a template
 #PodTemplateSpec: {
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Specification of the desired behavior of the pod.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #PodSpec @go(Spec) @protobuf(2,bytes,opt)
 }
 // PodTemplate describes a template for creating copies of a predefined pod.
 #PodTemplate: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Template defines the pods that will be created from this pod template.
 	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	template?: #PodTemplateSpec @go(Template) @protobuf(2,bytes,opt)
 }
 // PodTemplateList is a list of PodTemplates.
 #PodTemplateList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of pod templates
 	items: [...#PodTemplate] @go(Items,[]PodTemplate) @protobuf(2,bytes,rep)
 }
 // ReplicationControllerSpec is the specification of a replication controller.
 #ReplicationControllerSpec: {
 	// Replicas is the number of desired replicas.
 	// This is a pointer to distinguish between explicit zero and unspecified.
 	// Defaults to 1.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller
 	// +optional
 	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
 	// Minimum number of seconds for which a newly created pod should be ready
 	// without any of its container crashing, for it to be considered available.
 	// Defaults to 0 (pod will be considered available as soon as it is ready)
 	// +optional
 	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
 	// Selector is a label query over pods that should match the Replicas count.
 	// If Selector is empty, it is defaulted to the labels present on the Pod template.
 	// Label keys and values that must match in order to be controlled by this replication
 	// controller, if empty defaulted to labels on Pod template.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
 	// +optional
 	// +mapType=atomic
 	selector?: {[string]: string} @go(Selector,map[string]string) @protobuf(2,bytes,rep)
 	// Template is the object that describes the pod that will be created if
 	// insufficient replicas are detected. This takes precedence over a TemplateRef.
 	// The only allowed template.spec.restartPolicy value is "Always".
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
 	// +optional
 	template?: null | #PodTemplateSpec @go(Template,*PodTemplateSpec) @protobuf(3,bytes,opt)
 }
 // ReplicationControllerStatus represents the current status of a replication
 // controller.
 #ReplicationControllerStatus: {
 	// Replicas is the most recently observed number of replicas.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller
 	replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
 	// The number of pods that have labels matching the labels of the pod template of the replication controller.
 	// +optional
 	fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt)
 	// The number of ready replicas for this replication controller.
 	// +optional
 	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt)
 	// The number of available replicas (ready for at least minReadySeconds) for this replication controller.
 	// +optional
 	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt)
 	// ObservedGeneration reflects the generation of the most recently observed replication controller.
 	// +optional
 	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt)
 	// Represents the latest available observations of a replication controller's current state.
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	conditions?: [...#ReplicationControllerCondition] @go(Conditions,[]ReplicationControllerCondition) @protobuf(6,bytes,rep)
 }
 #ReplicationControllerConditionType: string // #enumReplicationControllerConditionType
 #enumReplicationControllerConditionType:
 	#ReplicationControllerReplicaFailure
 // ReplicationControllerReplicaFailure is added in a replication controller when one of its pods
 // fails to be created due to insufficient quota, limit ranges, pod security policy, node selectors,
 // etc. or deleted due to kubelet being down or finalizers are failing.
 #ReplicationControllerReplicaFailure: #ReplicationControllerConditionType & "ReplicaFailure"
 // ReplicationControllerCondition describes the state of a replication controller at a certain point.
 #ReplicationControllerCondition: {
 	// Type of replication controller condition.
 	type: #ReplicationControllerConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicationControllerConditionType)
 	// Status of the condition, one of True, False, Unknown.
 	status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus)
 	// The last time the condition transitioned from one status to another.
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
 	// The reason for the condition's last transition.
 	// +optional
 	reason?: string @go(Reason) @protobuf(4,bytes,opt)
 	// A human readable message indicating details about the transition.
 	// +optional
 	message?: string @go(Message) @protobuf(5,bytes,opt)
 }
 // ReplicationController represents the configuration of a replication controller.
 #ReplicationController: {
 	metav1.#TypeMeta
 	// If the Labels of a ReplicationController are empty, they are defaulted to
 	// be the same as the Pod(s) that the replication controller manages.
 	// Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec defines the specification of the desired behavior of the replication controller.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #ReplicationControllerSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Status is the most recently observed status of the replication controller.
 	// This data may be out of date by some window of time.
 	// Populated by the system.
 	// Read-only.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: #ReplicationControllerStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // ReplicationControllerList is a collection of replication controllers.
 #ReplicationControllerList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of replication controllers.
 	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
 	items: [...#ReplicationController] @go(Items,[]ReplicationController) @protobuf(2,bytes,rep)
 }
 // Session Affinity Type string
 // +enum
 #ServiceAffinity: string // #enumServiceAffinity
 #enumServiceAffinity:
 	#ServiceAffinityClientIP |
 	#ServiceAffinityNone
 // ServiceAffinityClientIP is the Client IP based.
 #ServiceAffinityClientIP: #ServiceAffinity & "ClientIP"
 // ServiceAffinityNone - no session affinity.
 #ServiceAffinityNone: #ServiceAffinity & "None"
 #DefaultClientIPServiceAffinitySeconds: int32 & 10800
 // SessionAffinityConfig represents the configurations of session affinity.
 #SessionAffinityConfig: {
 	// clientIP contains the configurations of Client IP based session affinity.
 	// +optional
 	clientIP?: null | #ClientIPConfig @go(ClientIP,*ClientIPConfig) @protobuf(1,bytes,opt)
 }
 // ClientIPConfig represents the configurations of Client IP based session affinity.
 #ClientIPConfig: {
 	// timeoutSeconds specifies the seconds of ClientIP type session sticky time.
 	// The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP".
 	// Default value is 10800(for 3 hours).
 	// +optional
 	timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(1,varint,opt)
 }
 // Service Type string describes ingress methods for a service
 // +enum
 #ServiceType: string // #enumServiceType
 #enumServiceType:
 	#ServiceTypeClusterIP |
 	#ServiceTypeNodePort |
 	#ServiceTypeLoadBalancer |
 	#ServiceTypeExternalName
 // ServiceTypeClusterIP means a service will only be accessible inside the
 // cluster, via the cluster IP.
 #ServiceTypeClusterIP: #ServiceType & "ClusterIP"
 // ServiceTypeNodePort means a service will be exposed on one port of
 // every node, in addition to 'ClusterIP' type.
 #ServiceTypeNodePort: #ServiceType & "NodePort"
 // ServiceTypeLoadBalancer means a service will be exposed via an
 // external load balancer (if the cloud provider supports it), in addition
 // to 'NodePort' type.
 #ServiceTypeLoadBalancer: #ServiceType & "LoadBalancer"
 // ServiceTypeExternalName means a service consists of only a reference to
 // an external name that kubedns or equivalent will return as a CNAME
 // record, with no exposing or proxying of any pods involved.
 #ServiceTypeExternalName: #ServiceType & "ExternalName"
 // ServiceInternalTrafficPolicy describes how nodes distribute service traffic they
 // receive on the ClusterIP.
 // +enum
 #ServiceInternalTrafficPolicy: string // #enumServiceInternalTrafficPolicy
 #enumServiceInternalTrafficPolicy:
 	#ServiceInternalTrafficPolicyCluster |
 	#ServiceInternalTrafficPolicyLocal
 // ServiceInternalTrafficPolicyCluster routes traffic to all endpoints.
 #ServiceInternalTrafficPolicyCluster: #ServiceInternalTrafficPolicy & "Cluster"
 // ServiceInternalTrafficPolicyLocal routes traffic only to endpoints on the same
 // node as the client pod (dropping the traffic if there are no local endpoints).
 #ServiceInternalTrafficPolicyLocal: #ServiceInternalTrafficPolicy & "Local"
 // for backwards compat
 // +enum
 #ServiceInternalTrafficPolicyType: #ServiceInternalTrafficPolicy // #enumServiceInternalTrafficPolicyType
 #enumServiceInternalTrafficPolicyType:
 	#ServiceInternalTrafficPolicyCluster |
 	#ServiceInternalTrafficPolicyLocal
 // ServiceExternalTrafficPolicy describes how nodes distribute service traffic they
 // receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs,
 // and LoadBalancer IPs.
 // +enum
 #ServiceExternalTrafficPolicy: string // #enumServiceExternalTrafficPolicy
 #enumServiceExternalTrafficPolicy:
 	#ServiceExternalTrafficPolicyCluster |
 	#ServiceExternalTrafficPolicyLocal |
 	#ServiceExternalTrafficPolicyTypeLocal |
 	#ServiceExternalTrafficPolicyTypeCluster
 // ServiceExternalTrafficPolicyCluster routes traffic to all endpoints.
 #ServiceExternalTrafficPolicyCluster: #ServiceExternalTrafficPolicy & "Cluster"
 // ServiceExternalTrafficPolicyLocal preserves the source IP of the traffic by
 // routing only to endpoints on the same node as the traffic was received on
 // (dropping the traffic if there are no local endpoints).
 #ServiceExternalTrafficPolicyLocal: #ServiceExternalTrafficPolicy & "Local"
 // for backwards compat
 // +enum
 #ServiceExternalTrafficPolicyType: #ServiceExternalTrafficPolicy // #enumServiceExternalTrafficPolicyType
 #enumServiceExternalTrafficPolicyType:
 	#ServiceExternalTrafficPolicyCluster |
 	#ServiceExternalTrafficPolicyLocal |
 	#ServiceExternalTrafficPolicyTypeLocal |
 	#ServiceExternalTrafficPolicyTypeCluster
 #ServiceExternalTrafficPolicyTypeLocal:   #ServiceExternalTrafficPolicy & "Local"
 #ServiceExternalTrafficPolicyTypeCluster: #ServiceExternalTrafficPolicy & "Cluster"
 // LoadBalancerPortsError represents the condition of the requested ports
 // on the cloud load balancer instance.
 #LoadBalancerPortsError: "LoadBalancerPortsError"
 // LoadBalancerPortsErrorReason reason in ServiceStatus condition LoadBalancerPortsError
 // means the LoadBalancer was not able to be configured correctly.
 #LoadBalancerPortsErrorReason: "LoadBalancerMixedProtocolNotSupported"
 // ServiceStatus represents the current status of a service.
 #ServiceStatus: {
 	// LoadBalancer contains the current status of the load-balancer,
 	// if one is present.
 	// +optional
 	loadBalancer?: #LoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt)
 	// Current service state
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
 	conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) @protobuf(2,bytes,rep)
 }
 // LoadBalancerStatus represents the status of a load-balancer.
 #LoadBalancerStatus: {
 	// Ingress is a list containing ingress points for the load-balancer.
 	// Traffic intended for the service should be sent to these ingress points.
 	// +optional
 	ingress?: [...#LoadBalancerIngress] @go(Ingress,[]LoadBalancerIngress) @protobuf(1,bytes,rep)
 }
 // LoadBalancerIngress represents the status of a load-balancer ingress point:
 // traffic intended for the service should be sent to an ingress point.
 #LoadBalancerIngress: {
 	// IP is set for load-balancer ingress points that are IP based
 	// (typically GCE or OpenStack load-balancers)
 	// +optional
 	ip?: string @go(IP) @protobuf(1,bytes,opt)
 	// Hostname is set for load-balancer ingress points that are DNS based
 	// (typically AWS load-balancers)
 	// +optional
 	hostname?: string @go(Hostname) @protobuf(2,bytes,opt)
 	// Ports is a list of records of service ports
 	// If used, every port defined in the service should have an entry in it
 	// +listType=atomic
 	// +optional
 	ports?: [...#PortStatus] @go(Ports,[]PortStatus) @protobuf(4,bytes,rep)
 }
 // IPFamily represents the IP Family (IPv4 or IPv6). This type is used
 // to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies).
 // +enum
 #IPFamily: string // #enumIPFamily
 #enumIPFamily:
 	#IPv4Protocol |
 	#IPv6Protocol
 // IPv4Protocol indicates that this IP is IPv4 protocol
 #IPv4Protocol: #IPFamily & "IPv4"
 // IPv6Protocol indicates that this IP is IPv6 protocol
 #IPv6Protocol: #IPFamily & "IPv6"
 // IPFamilyPolicy represents the dual-stack-ness requested or required by a Service
 // +enum
 #IPFamilyPolicy: string // #enumIPFamilyPolicy
 #enumIPFamilyPolicy:
 	#IPFamilyPolicySingleStack |
 	#IPFamilyPolicyPreferDualStack |
 	#IPFamilyPolicyRequireDualStack
 // IPFamilyPolicySingleStack indicates that this service is required to have a single IPFamily.
 // The IPFamily assigned is based on the default IPFamily used by the cluster
 // or as identified by service.spec.ipFamilies field
 #IPFamilyPolicySingleStack: #IPFamilyPolicy & "SingleStack"
 // IPFamilyPolicyPreferDualStack indicates that this service prefers dual-stack when
 // the cluster is configured for dual-stack. If the cluster is not configured
 // for dual-stack the service will be assigned a single IPFamily. If the IPFamily is not
 // set in service.spec.ipFamilies then the service will be assigned the default IPFamily
 // configured on the cluster
 #IPFamilyPolicyPreferDualStack: #IPFamilyPolicy & "PreferDualStack"
 // IPFamilyPolicyRequireDualStack indicates that this service requires dual-stack. Using
 // IPFamilyPolicyRequireDualStack on a single stack cluster will result in validation errors. The
 // IPFamilies (and their order) assigned  to this service is based on service.spec.ipFamilies. If
 // service.spec.ipFamilies was not provided then it will be assigned according to how they are
 // configured on the cluster. If service.spec.ipFamilies has only one entry then the alternative
 // IPFamily will be added by apiserver
 #IPFamilyPolicyRequireDualStack: #IPFamilyPolicy & "RequireDualStack"
 // for backwards compat
 // +enum
 #IPFamilyPolicyType: #IPFamilyPolicy // #enumIPFamilyPolicyType
 #enumIPFamilyPolicyType:
 	#IPFamilyPolicySingleStack |
 	#IPFamilyPolicyPreferDualStack |
 	#IPFamilyPolicyRequireDualStack
 // ServiceSpec describes the attributes that a user creates on a service.
 #ServiceSpec: {
 	// The list of ports that are exposed by this service.
 	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
 	// +patchMergeKey=port
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=port
 	// +listMapKey=protocol
 	ports?: [...#ServicePort] @go(Ports,[]ServicePort) @protobuf(1,bytes,rep)
 	// Route service traffic to pods with label keys and values matching this
 	// selector. If empty or not present, the service is assumed to have an
 	// external process managing its endpoints, which Kubernetes will not
 	// modify. Only applies to types ClusterIP, NodePort, and LoadBalancer.
 	// Ignored if type is ExternalName.
 	// More info: https://kubernetes.io/docs/concepts/services-networking/service/
 	// +optional
 	// +mapType=atomic
 	selector?: {[string]: string} @go(Selector,map[string]string) @protobuf(2,bytes,rep)
 	// clusterIP is the IP address of the service and is usually assigned
 	// randomly. If an address is specified manually, is in-range (as per
 	// system configuration), and is not in use, it will be allocated to the
 	// service; otherwise creation of the service will fail. This field may not
 	// be changed through updates unless the type field is also being changed
 	// to ExternalName (which requires this field to be blank) or the type
 	// field is being changed from ExternalName (in which case this field may
 	// optionally be specified, as describe above).  Valid values are "None",
 	// empty string (""), or a valid IP address. Setting this to "None" makes a
 	// "headless service" (no virtual IP), which is useful when direct endpoint
 	// connections are preferred and proxying is not required.  Only applies to
 	// types ClusterIP, NodePort, and LoadBalancer. If this field is specified
 	// when creating a Service of type ExternalName, creation will fail. This
 	// field will be wiped when updating a Service to type ExternalName.
 	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
 	// +optional
 	clusterIP?: string @go(ClusterIP) @protobuf(3,bytes,opt)
 	// ClusterIPs is a list of IP addresses assigned to this service, and are
 	// usually assigned randomly.  If an address is specified manually, is
 	// in-range (as per system configuration), and is not in use, it will be
 	// allocated to the service; otherwise creation of the service will fail.
 	// This field may not be changed through updates unless the type field is
 	// also being changed to ExternalName (which requires this field to be
 	// empty) or the type field is being changed from ExternalName (in which
 	// case this field may optionally be specified, as describe above).  Valid
 	// values are "None", empty string (""), or a valid IP address.  Setting
 	// this to "None" makes a "headless service" (no virtual IP), which is
 	// useful when direct endpoint connections are preferred and proxying is
 	// not required.  Only applies to types ClusterIP, NodePort, and
 	// LoadBalancer. If this field is specified when creating a Service of type
 	// ExternalName, creation will fail. This field will be wiped when updating
 	// a Service to type ExternalName.  If this field is not specified, it will
 	// be initialized from the clusterIP field.  If this field is specified,
 	// clients must ensure that clusterIPs[0] and clusterIP have the same
 	// value.
 	//
 	// This field may hold a maximum of two entries (dual-stack IPs, in either order).
 	// These IPs must correspond to the values of the ipFamilies field. Both
 	// clusterIPs and ipFamilies are governed by the ipFamilyPolicy field.
 	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
 	// +listType=atomic
 	// +optional
 	clusterIPs?: [...string] @go(ClusterIPs,[]string) @protobuf(18,bytes,opt)
 	// type determines how the Service is exposed. Defaults to ClusterIP. Valid
 	// options are ExternalName, ClusterIP, NodePort, and LoadBalancer.
 	// "ClusterIP" allocates a cluster-internal IP address for load-balancing
 	// to endpoints. Endpoints are determined by the selector or if that is not
 	// specified, by manual construction of an Endpoints object or
 	// EndpointSlice objects. If clusterIP is "None", no virtual IP is
 	// allocated and the endpoints are published as a set of endpoints rather
 	// than a virtual IP.
 	// "NodePort" builds on ClusterIP and allocates a port on every node which
 	// routes to the same endpoints as the clusterIP.
 	// "LoadBalancer" builds on NodePort and creates an external load-balancer
 	// (if supported in the current cloud) which routes to the same endpoints
 	// as the clusterIP.
 	// "ExternalName" aliases this service to the specified externalName.
 	// Several other fields do not apply to ExternalName services.
 	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
 	// +optional
 	type?: #ServiceType @go(Type) @protobuf(4,bytes,opt,casttype=ServiceType)
 	// externalIPs is a list of IP addresses for which nodes in the cluster
 	// will also accept traffic for this service.  These IPs are not managed by
 	// Kubernetes.  The user is responsible for ensuring that traffic arrives
 	// at a node with this IP.  A common example is external load-balancers
 	// that are not part of the Kubernetes system.
 	// +optional
 	externalIPs?: [...string] @go(ExternalIPs,[]string) @protobuf(5,bytes,rep)
 	// Supports "ClientIP" and "None". Used to maintain session affinity.
 	// Enable client IP based session affinity.
 	// Must be ClientIP or None.
 	// Defaults to None.
 	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
 	// +optional
 	sessionAffinity?: #ServiceAffinity @go(SessionAffinity) @protobuf(7,bytes,opt,casttype=ServiceAffinity)
 	// Only applies to Service Type: LoadBalancer.
 	// This feature depends on whether the underlying cloud-provider supports specifying
 	// the loadBalancerIP when a load balancer is created.
 	// This field will be ignored if the cloud-provider does not support the feature.
 	// Deprecated: This field was under-specified and its meaning varies across implementations.
 	// Using it is non-portable and it may not support dual-stack.
 	// Users are encouraged to use implementation-specific annotations when available.
 	// +optional
 	loadBalancerIP?: string @go(LoadBalancerIP) @protobuf(8,bytes,opt)
 	// If specified and supported by the platform, this will restrict traffic through the cloud-provider
 	// load-balancer will be restricted to the specified client IPs. This field will be ignored if the
 	// cloud-provider does not support the feature."
 	// More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/
 	// +optional
 	loadBalancerSourceRanges?: [...string] @go(LoadBalancerSourceRanges,[]string) @protobuf(9,bytes,opt)
 	// externalName is the external reference that discovery mechanisms will
 	// return as an alias for this service (e.g. a DNS CNAME record). No
 	// proxying will be involved.  Must be a lowercase RFC-1123 hostname
 	// (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName".
 	// +optional
 	externalName?: string @go(ExternalName) @protobuf(10,bytes,opt)
 	// externalTrafficPolicy describes how nodes distribute service traffic they
 	// receive on one of the Service's "externally-facing" addresses (NodePorts,
 	// ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure
 	// the service in a way that assumes that external load balancers will take care
 	// of balancing the service traffic between nodes, and so each node will deliver
 	// traffic only to the node-local endpoints of the service, without masquerading
 	// the client source IP. (Traffic mistakenly sent to a node with no endpoints will
 	// be dropped.) The default value, "Cluster", uses the standard behavior of
 	// routing to all endpoints evenly (possibly modified by topology and other
 	// features). Note that traffic sent to an External IP or LoadBalancer IP from
 	// within the cluster will always get "Cluster" semantics, but clients sending to
 	// a NodePort from within the cluster may need to take traffic policy into account
 	// when picking a node.
 	// +optional
 	externalTrafficPolicy?: #ServiceExternalTrafficPolicy @go(ExternalTrafficPolicy) @protobuf(11,bytes,opt)
 	// healthCheckNodePort specifies the healthcheck nodePort for the service.
 	// This only applies when type is set to LoadBalancer and
 	// externalTrafficPolicy is set to Local. If a value is specified, is
 	// in-range, and is not in use, it will be used.  If not specified, a value
 	// will be automatically allocated.  External systems (e.g. load-balancers)
 	// can use this port to determine if a given node holds endpoints for this
 	// service or not.  If this field is specified when creating a Service
 	// which does not need it, creation will fail. This field will be wiped
 	// when updating a Service to no longer need it (e.g. changing type).
 	// This field cannot be updated once set.
 	// +optional
 	healthCheckNodePort?: int32 @go(HealthCheckNodePort) @protobuf(12,bytes,opt)
 	// publishNotReadyAddresses indicates that any agent which deals with endpoints for this
 	// Service should disregard any indications of ready/not-ready.
 	// The primary use case for setting this field is for a StatefulSet's Headless Service to
 	// propagate SRV DNS records for its Pods for the purpose of peer discovery.
 	// The Kubernetes controllers that generate Endpoints and EndpointSlice resources for
 	// Services interpret this to mean that all endpoints are considered "ready" even if the
 	// Pods themselves are not. Agents which consume only Kubernetes generated endpoints
 	// through the Endpoints or EndpointSlice resources can safely assume this behavior.
 	// +optional
 	publishNotReadyAddresses?: bool @go(PublishNotReadyAddresses) @protobuf(13,varint,opt)
 	// sessionAffinityConfig contains the configurations of session affinity.
 	// +optional
 	sessionAffinityConfig?: null | #SessionAffinityConfig @go(SessionAffinityConfig,*SessionAffinityConfig) @protobuf(14,bytes,opt)
 	// IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this
 	// service. This field is usually assigned automatically based on cluster
 	// configuration and the ipFamilyPolicy field. If this field is specified
 	// manually, the requested family is available in the cluster,
 	// and ipFamilyPolicy allows it, it will be used; otherwise creation of
 	// the service will fail. This field is conditionally mutable: it allows
 	// for adding or removing a secondary IP family, but it does not allow
 	// changing the primary IP family of the Service. Valid values are "IPv4"
 	// and "IPv6".  This field only applies to Services of types ClusterIP,
 	// NodePort, and LoadBalancer, and does apply to "headless" services.
 	// This field will be wiped when updating a Service to type ExternalName.
 	//
 	// This field may hold a maximum of two entries (dual-stack families, in
 	// either order).  These families must correspond to the values of the
 	// clusterIPs field, if specified. Both clusterIPs and ipFamilies are
 	// governed by the ipFamilyPolicy field.
 	// +listType=atomic
 	// +optional
 	ipFamilies?: [...#IPFamily] @go(IPFamilies,[]IPFamily) @protobuf(19,bytes,opt,casttype=IPFamily)
 	// IPFamilyPolicy represents the dual-stack-ness requested or required by
 	// this Service. If there is no value provided, then this field will be set
 	// to SingleStack. Services can be "SingleStack" (a single IP family),
 	// "PreferDualStack" (two IP families on dual-stack configured clusters or
 	// a single IP family on single-stack clusters), or "RequireDualStack"
 	// (two IP families on dual-stack configured clusters, otherwise fail). The
 	// ipFamilies and clusterIPs fields depend on the value of this field. This
 	// field will be wiped when updating a service to type ExternalName.
 	// +optional
 	ipFamilyPolicy?: null | #IPFamilyPolicy @go(IPFamilyPolicy,*IPFamilyPolicy) @protobuf(17,bytes,opt,casttype=IPFamilyPolicy)
 	// allocateLoadBalancerNodePorts defines if NodePorts will be automatically
 	// allocated for services with type LoadBalancer.  Default is "true". It
 	// may be set to "false" if the cluster load-balancer does not rely on
 	// NodePorts.  If the caller requests specific NodePorts (by specifying a
 	// value), those requests will be respected, regardless of this field.
 	// This field may only be set for services with type LoadBalancer and will
 	// be cleared if the type is changed to any other type.
 	// +optional
 	allocateLoadBalancerNodePorts?: null | bool @go(AllocateLoadBalancerNodePorts,*bool) @protobuf(20,bytes,opt)
 	// loadBalancerClass is the class of the load balancer implementation this Service belongs to.
 	// If specified, the value of this field must be a label-style identifier, with an optional prefix,
 	// e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users.
 	// This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load
 	// balancer implementation is used, today this is typically done through the cloud provider integration,
 	// but should apply for any default implementation. If set, it is assumed that a load balancer
 	// implementation is watching for Services with a matching class. Any default load balancer
 	// implementation (e.g. cloud providers) should ignore Services that set this field.
 	// This field can only be set when creating or updating a Service to type 'LoadBalancer'.
 	// Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
 	// +optional
 	loadBalancerClass?: null | string @go(LoadBalancerClass,*string) @protobuf(21,bytes,opt)
 	// InternalTrafficPolicy describes how nodes distribute service traffic they
 	// receive on the ClusterIP. If set to "Local", the proxy will assume that pods
 	// only want to talk to endpoints of the service on the same node as the pod,
 	// dropping the traffic if there are no local endpoints. The default value,
 	// "Cluster", uses the standard behavior of routing to all endpoints evenly
 	// (possibly modified by topology and other features).
 	// +optional
 	internalTrafficPolicy?: null | #ServiceInternalTrafficPolicy @go(InternalTrafficPolicy,*ServiceInternalTrafficPolicy) @protobuf(22,bytes,opt)
 }
 // ServicePort contains information on service's port.
 #ServicePort: {
 	// The name of this port within the service. This must be a DNS_LABEL.
 	// All ports within a ServiceSpec must have unique names. When considering
 	// the endpoints for a Service, this must match the 'name' field in the
 	// EndpointPort.
 	// Optional if only one ServicePort is defined on this service.
 	// +optional
 	name?: string @go(Name) @protobuf(1,bytes,opt)
 	// The IP protocol for this port. Supports "TCP", "UDP", and "SCTP".
 	// Default is TCP.
 	// +default="TCP"
 	// +optional
 	protocol?: #Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol)
 	// The application protocol for this port.
 	// This is used as a hint for implementations to offer richer behavior for protocols that they understand.
 	// This field follows standard Kubernetes label syntax.
 	// Valid values are either:
 	//
 	// * Un-prefixed protocol names - reserved for IANA standard service names (as per
 	// RFC-6335 and https://www.iana.org/assignments/service-names).
 	//
 	// * Kubernetes-defined prefixed names:
 	//   * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540
 	//   * 'kubernetes.io/ws'  - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455
 	//   * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455
 	//
 	// * Other protocols should use implementation-defined prefixed names such as
 	// mycompany.com/my-custom-protocol.
 	// +optional
 	appProtocol?: null | string @go(AppProtocol,*string) @protobuf(6,bytes,opt)
 	// The port that will be exposed by this service.
 	port: int32 @go(Port) @protobuf(3,varint,opt)
 	// Number or name of the port to access on the pods targeted by the service.
 	// Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
 	// If this is a string, it will be looked up as a named port in the
 	// target Pod's container ports. If this is not specified, the value
 	// of the 'port' field is used (an identity map).
 	// This field is ignored for services with clusterIP=None, and should be
 	// omitted or set equal to the 'port' field.
 	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
 	// +optional
 	targetPort?: intstr.#IntOrString @go(TargetPort) @protobuf(4,bytes,opt)
 	// The port on each node on which this service is exposed when type is
 	// NodePort or LoadBalancer.  Usually assigned by the system. If a value is
 	// specified, in-range, and not in use it will be used, otherwise the
 	// operation will fail.  If not specified, a port will be allocated if this
 	// Service requires one.  If this field is specified when creating a
 	// Service which does not need it, creation will fail. This field will be
 	// wiped when updating a Service to no longer need it (e.g. changing type
 	// from NodePort to ClusterIP).
 	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
 	// +optional
 	nodePort?: int32 @go(NodePort) @protobuf(5,varint,opt)
 }
 // Service is a named abstraction of software service (for example, mysql) consisting of local port
 // (for example 3306) that the proxy listens on, and the selector that determines which pods
 // will answer requests sent through the proxy.
 #Service: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec defines the behavior of a service.
 	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #ServiceSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Most recently observed status of the service.
 	// Populated by the system.
 	// Read-only.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: #ServiceStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // ClusterIPNone - do not assign a cluster IP
 // no proxying required and no environment variables should be created for pods
 #ClusterIPNone: "None"
 // ServiceList holds a list of services.
 #ServiceList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of services
 	items: [...#Service] @go(Items,[]Service) @protobuf(2,bytes,rep)
 }
 // ServiceAccount binds together:
 // * a name, understood by users, and perhaps by peripheral systems, for an identity
 // * a principal that can be authenticated and authorized
 // * a set of secrets
 #ServiceAccount: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use.
 	// Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true".
 	// This field should not be used to find auto-generated service account token secrets for use outside of pods.
 	// Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created.
 	// More info: https://kubernetes.io/docs/concepts/configuration/secret
 	// +optional
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	secrets?: [...#ObjectReference] @go(Secrets,[]ObjectReference) @protobuf(2,bytes,rep)
 	// ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images
 	// in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets
 	// can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet.
 	// More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
 	// +optional
 	imagePullSecrets?: [...#LocalObjectReference] @go(ImagePullSecrets,[]LocalObjectReference) @protobuf(3,bytes,rep)
 	// AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted.
 	// Can be overridden at the pod level.
 	// +optional
 	automountServiceAccountToken?: null | bool @go(AutomountServiceAccountToken,*bool) @protobuf(4,varint,opt)
 }
 // ServiceAccountList is a list of ServiceAccount objects
 #ServiceAccountList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of ServiceAccounts.
 	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
 	items: [...#ServiceAccount] @go(Items,[]ServiceAccount) @protobuf(2,bytes,rep)
 }
 // Endpoints is a collection of endpoints that implement the actual service. Example:
 //
 //	 Name: "mysvc",
 //	 Subsets: [
 //	   {
 //	     Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
 //	     Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
 //	   },
 //	   {
 //	     Addresses: [{"ip": "10.10.3.3"}],
 //	     Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}]
 //	   },
 //	]
 #Endpoints: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// The set of all endpoints is the union of all subsets. Addresses are placed into
 	// subsets according to the IPs they share. A single address with multiple ports,
 	// some of which are ready and some of which are not (because they come from
 	// different containers) will result in the address being displayed in different
 	// subsets for the different ports. No address will appear in both Addresses and
 	// NotReadyAddresses in the same subset.
 	// Sets of addresses and ports that comprise a service.
 	// +optional
 	subsets?: [...#EndpointSubset] @go(Subsets,[]EndpointSubset) @protobuf(2,bytes,rep)
 }
 // EndpointSubset is a group of addresses with a common set of ports. The
 // expanded set of endpoints is the Cartesian product of Addresses x Ports.
 // For example, given:
 //
 //	{
 //	  Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
 //	  Ports:     [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
 //	}
 //
 // The resulting set of endpoints can be viewed as:
 //
 //	a: [ 10.10.1.1:8675, 10.10.2.2:8675 ],
 //	b: [ 10.10.1.1:309, 10.10.2.2:309 ]
 #EndpointSubset: {
 	// IP addresses which offer the related ports that are marked as ready. These endpoints
 	// should be considered safe for load balancers and clients to utilize.
 	// +optional
 	addresses?: [...#EndpointAddress] @go(Addresses,[]EndpointAddress) @protobuf(1,bytes,rep)
 	// IP addresses which offer the related ports but are not currently marked as ready
 	// because they have not yet finished starting, have recently failed a readiness check,
 	// or have recently failed a liveness check.
 	// +optional
 	notReadyAddresses?: [...#EndpointAddress] @go(NotReadyAddresses,[]EndpointAddress) @protobuf(2,bytes,rep)
 	// Port numbers available on the related IP addresses.
 	// +optional
 	ports?: [...#EndpointPort] @go(Ports,[]EndpointPort) @protobuf(3,bytes,rep)
 }
 // EndpointAddress is a tuple that describes single IP address.
 // +structType=atomic
 #EndpointAddress: {
 	// The IP of this endpoint.
 	// May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10),
 	// or link-local multicast (224.0.0.0/24 or ff02::/16).
 	ip: string @go(IP) @protobuf(1,bytes,opt)
 	// The Hostname of this endpoint
 	// +optional
 	hostname?: string @go(Hostname) @protobuf(3,bytes,opt)
 	// Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node.
 	// +optional
 	nodeName?: null | string @go(NodeName,*string) @protobuf(4,bytes,opt)
 	// Reference to object providing the endpoint.
 	// +optional
 	targetRef?: null | #ObjectReference @go(TargetRef,*ObjectReference) @protobuf(2,bytes,opt)
 }
 // EndpointPort is a tuple that describes a single port.
 // +structType=atomic
 #EndpointPort: {
 	// The name of this port.  This must match the 'name' field in the
 	// corresponding ServicePort.
 	// Must be a DNS_LABEL.
 	// Optional only if one port is defined.
 	// +optional
 	name?: string @go(Name) @protobuf(1,bytes,opt)
 	// The port number of the endpoint.
 	port: int32 @go(Port) @protobuf(2,varint,opt)
 	// The IP protocol for this port.
 	// Must be UDP, TCP, or SCTP.
 	// Default is TCP.
 	// +optional
 	protocol?: #Protocol @go(Protocol) @protobuf(3,bytes,opt,casttype=Protocol)
 	// The application protocol for this port.
 	// This is used as a hint for implementations to offer richer behavior for protocols that they understand.
 	// This field follows standard Kubernetes label syntax.
 	// Valid values are either:
 	//
 	// * Un-prefixed protocol names - reserved for IANA standard service names (as per
 	// RFC-6335 and https://www.iana.org/assignments/service-names).
 	//
 	// * Kubernetes-defined prefixed names:
 	//   * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540
 	//   * 'kubernetes.io/ws'  - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455
 	//   * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455
 	//
 	// * Other protocols should use implementation-defined prefixed names such as
 	// mycompany.com/my-custom-protocol.
 	// +optional
 	appProtocol?: null | string @go(AppProtocol,*string) @protobuf(4,bytes,opt)
 }
 // EndpointsList is a list of endpoints.
 #EndpointsList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of endpoints.
 	items: [...#Endpoints] @go(Items,[]Endpoints) @protobuf(2,bytes,rep)
 }
 // NodeSpec describes the attributes that a node is created with.
 #NodeSpec: {
 	// PodCIDR represents the pod IP range assigned to the node.
 	// +optional
 	podCIDR?: string @go(PodCIDR) @protobuf(1,bytes,opt)
 	// podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this
 	// field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for
 	// each of IPv4 and IPv6.
 	// +optional
 	// +patchStrategy=merge
 	podCIDRs?: [...string] @go(PodCIDRs,[]string) @protobuf(7,bytes,opt)
 	// ID of the node assigned by the cloud provider in the format: <ProviderName>://<ProviderSpecificNodeID>
 	// +optional
 	providerID?: string @go(ProviderID) @protobuf(3,bytes,opt)
 	// Unschedulable controls node schedulability of new pods. By default, node is schedulable.
 	// More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration
 	// +optional
 	unschedulable?: bool @go(Unschedulable) @protobuf(4,varint,opt)
 	// If specified, the node's taints.
 	// +optional
 	taints?: [...#Taint] @go(Taints,[]Taint) @protobuf(5,bytes,opt)
 	// Deprecated: Previously used to specify the source of the node's configuration for the DynamicKubeletConfig feature. This feature is removed.
 	// +optional
 	configSource?: null | #NodeConfigSource @go(ConfigSource,*NodeConfigSource) @protobuf(6,bytes,opt)
 	// Deprecated. Not all kubelets will set this field. Remove field after 1.13.
 	// see: https://issues.k8s.io/61966
 	// +optional
 	externalID?: string @go(DoNotUseExternalID) @protobuf(2,bytes,opt)
 }
 // NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil.
 // This API is deprecated since 1.22
 #NodeConfigSource: {
 	// ConfigMap is a reference to a Node's ConfigMap
 	configMap?: null | #ConfigMapNodeConfigSource @go(ConfigMap,*ConfigMapNodeConfigSource) @protobuf(2,bytes,opt)
 }
 // ConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node.
 // This API is deprecated since 1.22: https://git.k8s.io/enhancements/keps/sig-node/281-dynamic-kubelet-configuration
 #ConfigMapNodeConfigSource: {
 	// Namespace is the metadata.namespace of the referenced ConfigMap.
 	// This field is required in all cases.
 	namespace: string @go(Namespace) @protobuf(1,bytes,opt)
 	// Name is the metadata.name of the referenced ConfigMap.
 	// This field is required in all cases.
 	name: string @go(Name) @protobuf(2,bytes,opt)
 	// UID is the metadata.UID of the referenced ConfigMap.
 	// This field is forbidden in Node.Spec, and required in Node.Status.
 	// +optional
 	uid?: types.#UID @go(UID) @protobuf(3,bytes,opt)
 	// ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap.
 	// This field is forbidden in Node.Spec, and required in Node.Status.
 	// +optional
 	resourceVersion?: string @go(ResourceVersion) @protobuf(4,bytes,opt)
 	// KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure
 	// This field is required in all cases.
 	kubeletConfigKey: string @go(KubeletConfigKey) @protobuf(5,bytes,opt)
 }
 // DaemonEndpoint contains information about a single Daemon endpoint.
 #DaemonEndpoint: {
 	// Port number of the given endpoint.
 	Port: int32 @protobuf(1,varint,opt)
 }
 // NodeDaemonEndpoints lists ports opened by daemons running on the Node.
 #NodeDaemonEndpoints: {
 	// Endpoint on which Kubelet is listening.
 	// +optional
 	kubeletEndpoint?: #DaemonEndpoint @go(KubeletEndpoint) @protobuf(1,bytes,opt)
 }
 // NodeSystemInfo is a set of ids/uuids to uniquely identify the node.
 #NodeSystemInfo: {
 	// MachineID reported by the node. For unique machine identification
 	// in the cluster this field is preferred. Learn more from man(5)
 	// machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html
 	machineID: string @go(MachineID) @protobuf(1,bytes,opt)
 	// SystemUUID reported by the node. For unique machine identification
 	// MachineID is preferred. This field is specific to Red Hat hosts
 	// https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid
 	systemUUID: string @go(SystemUUID) @protobuf(2,bytes,opt)
 	// Boot ID reported by the node.
 	bootID: string @go(BootID) @protobuf(3,bytes,opt)
 	// Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64).
 	kernelVersion: string @go(KernelVersion) @protobuf(4,bytes,opt)
 	// OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)).
 	osImage: string @go(OSImage) @protobuf(5,bytes,opt)
 	// ContainerRuntime Version reported by the node through runtime remote API (e.g. containerd://1.4.2).
 	containerRuntimeVersion: string @go(ContainerRuntimeVersion) @protobuf(6,bytes,opt)
 	// Kubelet Version reported by the node.
 	kubeletVersion: string @go(KubeletVersion) @protobuf(7,bytes,opt)
 	// KubeProxy Version reported by the node.
 	kubeProxyVersion: string @go(KubeProxyVersion) @protobuf(8,bytes,opt)
 	// The Operating System reported by the node
 	operatingSystem: string @go(OperatingSystem) @protobuf(9,bytes,opt)
 	// The Architecture reported by the node
 	architecture: string @go(Architecture) @protobuf(10,bytes,opt)
 }
 // NodeConfigStatus describes the status of the config assigned by Node.Spec.ConfigSource.
 #NodeConfigStatus: {
 	// Assigned reports the checkpointed config the node will try to use.
 	// When Node.Spec.ConfigSource is updated, the node checkpoints the associated
 	// config payload to local disk, along with a record indicating intended
 	// config. The node refers to this record to choose its config checkpoint, and
 	// reports this record in Assigned. Assigned only updates in the status after
 	// the record has been checkpointed to disk. When the Kubelet is restarted,
 	// it tries to make the Assigned config the Active config by loading and
 	// validating the checkpointed payload identified by Assigned.
 	// +optional
 	assigned?: null | #NodeConfigSource @go(Assigned,*NodeConfigSource) @protobuf(1,bytes,opt)
 	// Active reports the checkpointed config the node is actively using.
 	// Active will represent either the current version of the Assigned config,
 	// or the current LastKnownGood config, depending on whether attempting to use the
 	// Assigned config results in an error.
 	// +optional
 	active?: null | #NodeConfigSource @go(Active,*NodeConfigSource) @protobuf(2,bytes,opt)
 	// LastKnownGood reports the checkpointed config the node will fall back to
 	// when it encounters an error attempting to use the Assigned config.
 	// The Assigned config becomes the LastKnownGood config when the node determines
 	// that the Assigned config is stable and correct.
 	// This is currently implemented as a 10-minute soak period starting when the local
 	// record of Assigned config is updated. If the Assigned config is Active at the end
 	// of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is
 	// reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil,
 	// because the local default config is always assumed good.
 	// You should not make assumptions about the node's method of determining config stability
 	// and correctness, as this may change or become configurable in the future.
 	// +optional
 	lastKnownGood?: null | #NodeConfigSource @go(LastKnownGood,*NodeConfigSource) @protobuf(3,bytes,opt)
 	// Error describes any problems reconciling the Spec.ConfigSource to the Active config.
 	// Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned
 	// record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting
 	// to load or validate the Assigned config, etc.
 	// Errors may occur at different points while syncing config. Earlier errors (e.g. download or
 	// checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across
 	// Kubelet retries. Later errors (e.g. loading or validating a checkpointed config) will result in
 	// a rollback to LastKnownGood. In the latter case, it is usually possible to resolve the error
 	// by fixing the config assigned in Spec.ConfigSource.
 	// You can find additional information for debugging by searching the error message in the Kubelet log.
 	// Error is a human-readable description of the error state; machines can check whether or not Error
 	// is empty, but should not rely on the stability of the Error text across Kubelet versions.
 	// +optional
 	error?: string @go(Error) @protobuf(4,bytes,opt)
 }
 // NodeStatus is information about the current status of a node.
 #NodeStatus: {
 	// Capacity represents the total resources of a node.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity
 	// +optional
 	capacity?: #ResourceList @go(Capacity) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// Allocatable represents the resources of a node that are available for scheduling.
 	// Defaults to Capacity.
 	// +optional
 	allocatable?: #ResourceList @go(Allocatable) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// NodePhase is the recently observed lifecycle phase of the node.
 	// More info: https://kubernetes.io/docs/concepts/nodes/node/#phase
 	// The field is never populated, and now is deprecated.
 	// +optional
 	phase?: #NodePhase @go(Phase) @protobuf(3,bytes,opt,casttype=NodePhase)
 	// Conditions is an array of current observed node conditions.
 	// More info: https://kubernetes.io/docs/concepts/nodes/node/#condition
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	conditions?: [...#NodeCondition] @go(Conditions,[]NodeCondition) @protobuf(4,bytes,rep)
 	// List of addresses reachable to the node.
 	// Queried from cloud provider, if available.
 	// More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses
 	// Note: This field is declared as mergeable, but the merge key is not sufficiently
 	// unique, which can cause data corruption when it is merged. Callers should instead
 	// use a full-replacement patch. See https://pr.k8s.io/79391 for an example.
 	// Consumers should assume that addresses can change during the
 	// lifetime of a Node. However, there are some exceptions where this may not
 	// be possible, such as Pods that inherit a Node's address in its own status or
 	// consumers of the downward API (status.hostIP).
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	addresses?: [...#NodeAddress] @go(Addresses,[]NodeAddress) @protobuf(5,bytes,rep)
 	// Endpoints of daemons running on the Node.
 	// +optional
 	daemonEndpoints?: #NodeDaemonEndpoints @go(DaemonEndpoints) @protobuf(6,bytes,opt)
 	// Set of ids/uuids to uniquely identify the node.
 	// More info: https://kubernetes.io/docs/concepts/nodes/node/#info
 	// +optional
 	nodeInfo?: #NodeSystemInfo @go(NodeInfo) @protobuf(7,bytes,opt)
 	// List of container images on this node
 	// +optional
 	images?: [...#ContainerImage] @go(Images,[]ContainerImage) @protobuf(8,bytes,rep)
 	// List of attachable volumes in use (mounted) by the node.
 	// +optional
 	volumesInUse?: [...#UniqueVolumeName] @go(VolumesInUse,[]UniqueVolumeName) @protobuf(9,bytes,rep)
 	// List of volumes that are attached to the node.
 	// +optional
 	volumesAttached?: [...#AttachedVolume] @go(VolumesAttached,[]AttachedVolume) @protobuf(10,bytes,rep)
 	// Status of the config assigned to the node via the dynamic Kubelet config feature.
 	// +optional
 	config?: null | #NodeConfigStatus @go(Config,*NodeConfigStatus) @protobuf(11,bytes,opt)
 }
 #UniqueVolumeName: string
 // AttachedVolume describes a volume attached to a node
 #AttachedVolume: {
 	// Name of the attached volume
 	name: #UniqueVolumeName @go(Name) @protobuf(1,bytes,rep)
 	// DevicePath represents the device path where the volume should be available
 	devicePath: string @go(DevicePath) @protobuf(2,bytes,rep)
 }
 // AvoidPods describes pods that should avoid this node. This is the value for a
 // Node annotation with key scheduler.alpha.kubernetes.io/preferAvoidPods and
 // will eventually become a field of NodeStatus.
 #AvoidPods: {
 	// Bounded-sized list of signatures of pods that should avoid this node, sorted
 	// in timestamp order from oldest to newest. Size of the slice is unspecified.
 	// +optional
 	preferAvoidPods?: [...#PreferAvoidPodsEntry] @go(PreferAvoidPods,[]PreferAvoidPodsEntry) @protobuf(1,bytes,rep)
 }
 // Describes a class of pods that should avoid this node.
 #PreferAvoidPodsEntry: {
 	// The class of pods.
 	podSignature: #PodSignature @go(PodSignature) @protobuf(1,bytes,opt)
 	// Time at which this entry was added to the list.
 	// +optional
 	evictionTime?: metav1.#Time @go(EvictionTime) @protobuf(2,bytes,opt)
 	// (brief) reason why this entry was added to the list.
 	// +optional
 	reason?: string @go(Reason) @protobuf(3,bytes,opt)
 	// Human readable message indicating why this entry was added to the list.
 	// +optional
 	message?: string @go(Message) @protobuf(4,bytes,opt)
 }
 // Describes the class of pods that should avoid this node.
 // Exactly one field should be set.
 #PodSignature: {
 	// Reference to controller whose pods should avoid this node.
 	// +optional
 	podController?: null | metav1.#OwnerReference @go(PodController,*metav1.OwnerReference) @protobuf(1,bytes,opt)
 }
 // Describe a container image
 #ContainerImage: {
 	// Names by which this image is known.
 	// e.g. ["kubernetes.example/hyperkube:v1.0.7", "cloud-vendor.registry.example/cloud-vendor/hyperkube:v1.0.7"]
 	// +optional
 	names: [...string] @go(Names,[]string) @protobuf(1,bytes,rep)
 	// The size of the image in bytes.
 	// +optional
 	sizeBytes?: int64 @go(SizeBytes) @protobuf(2,varint,opt)
 }
 // +enum
 #NodePhase: string // #enumNodePhase
 #enumNodePhase:
 	#NodePending |
 	#NodeRunning |
 	#NodeTerminated
 // NodePending means the node has been created/added by the system, but not configured.
 #NodePending: #NodePhase & "Pending"
 // NodeRunning means the node has been configured and has Kubernetes components running.
 #NodeRunning: #NodePhase & "Running"
 // NodeTerminated means the node has been removed from the cluster.
 #NodeTerminated: #NodePhase & "Terminated"
 #NodeConditionType: string // #enumNodeConditionType
 #enumNodeConditionType:
 	#NodeReady |
 	#NodeMemoryPressure |
 	#NodeDiskPressure |
 	#NodePIDPressure |
 	#NodeNetworkUnavailable
 // NodeReady means kubelet is healthy and ready to accept pods.
 #NodeReady: #NodeConditionType & "Ready"
 // NodeMemoryPressure means the kubelet is under pressure due to insufficient available memory.
 #NodeMemoryPressure: #NodeConditionType & "MemoryPressure"
 // NodeDiskPressure means the kubelet is under pressure due to insufficient available disk.
 #NodeDiskPressure: #NodeConditionType & "DiskPressure"
 // NodePIDPressure means the kubelet is under pressure due to insufficient available PID.
 #NodePIDPressure: #NodeConditionType & "PIDPressure"
 // NodeNetworkUnavailable means that network for the node is not correctly configured.
 #NodeNetworkUnavailable: #NodeConditionType & "NetworkUnavailable"
 // NodeCondition contains condition information for a node.
 #NodeCondition: {
 	// Type of node condition.
 	type: #NodeConditionType @go(Type) @protobuf(1,bytes,opt,casttype=NodeConditionType)
 	// Status of the condition, one of True, False, Unknown.
 	status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus)
 	// Last time we got an update on a given condition.
 	// +optional
 	lastHeartbeatTime?: metav1.#Time @go(LastHeartbeatTime) @protobuf(3,bytes,opt)
 	// Last time the condition transit from one status to another.
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt)
 	// (brief) reason for the condition's last transition.
 	// +optional
 	reason?: string @go(Reason) @protobuf(5,bytes,opt)
 	// Human readable message indicating details about last transition.
 	// +optional
 	message?: string @go(Message) @protobuf(6,bytes,opt)
 }
 #NodeAddressType: string // #enumNodeAddressType
 #enumNodeAddressType:
 	#NodeHostName |
 	#NodeInternalIP |
 	#NodeExternalIP |
 	#NodeInternalDNS |
 	#NodeExternalDNS
 // NodeHostName identifies a name of the node. Although every node can be assumed
 // to have a NodeAddress of this type, its exact syntax and semantics are not
 // defined, and are not consistent between different clusters.
 #NodeHostName: #NodeAddressType & "Hostname"
 // NodeInternalIP identifies an IP address which is assigned to one of the node's
 // network interfaces. Every node should have at least one address of this type.
 //
 // An internal IP is normally expected to be reachable from every other node, but
 // may not be visible to hosts outside the cluster. By default it is assumed that
 // kube-apiserver can reach node internal IPs, though it is possible to configure
 // clusters where this is not the case.
 //
 // NodeInternalIP is the default type of node IP, and does not necessarily imply
 // that the IP is ONLY reachable internally. If a node has multiple internal IPs,
 // no specific semantics are assigned to the additional IPs.
 #NodeInternalIP: #NodeAddressType & "InternalIP"
 // NodeExternalIP identifies an IP address which is, in some way, intended to be
 // more usable from outside the cluster then an internal IP, though no specific
 // semantics are defined. It may be a globally routable IP, though it is not
 // required to be.
 //
 // External IPs may be assigned directly to an interface on the node, like a
 // NodeInternalIP, or alternatively, packets sent to the external IP may be NAT'ed
 // to an internal node IP rather than being delivered directly (making the IP less
 // efficient for node-to-node traffic than a NodeInternalIP).
 #NodeExternalIP: #NodeAddressType & "ExternalIP"
 // NodeInternalDNS identifies a DNS name which resolves to an IP address which has
 // the characteristics of a NodeInternalIP. The IP it resolves to may or may not
 // be a listed NodeInternalIP address.
 #NodeInternalDNS: #NodeAddressType & "InternalDNS"
 // NodeExternalDNS identifies a DNS name which resolves to an IP address which has
 // the characteristics of a NodeExternalIP. The IP it resolves to may or may not
 // be a listed NodeExternalIP address.
 #NodeExternalDNS: #NodeAddressType & "ExternalDNS"
 // NodeAddress contains information for the node's address.
 #NodeAddress: {
 	// Node address type, one of Hostname, ExternalIP or InternalIP.
 	type: #NodeAddressType @go(Type) @protobuf(1,bytes,opt,casttype=NodeAddressType)
 	// The node address.
 	address: string @go(Address) @protobuf(2,bytes,opt)
 }
 // ResourceName is the name identifying various resources in a ResourceList.
 #ResourceName: string // #enumResourceName
 #enumResourceName:
 	#ResourceCPU |
 	#ResourceMemory |
 	#ResourceStorage |
 	#ResourceEphemeralStorage |
 	#ResourcePods |
 	#ResourceServices |
 	#ResourceReplicationControllers |
 	#ResourceQuotas |
 	#ResourceSecrets |
 	#ResourceConfigMaps |
 	#ResourcePersistentVolumeClaims |
 	#ResourceServicesNodePorts |
 	#ResourceServicesLoadBalancers |
 	#ResourceRequestsCPU |
 	#ResourceRequestsMemory |
 	#ResourceRequestsStorage |
 	#ResourceRequestsEphemeralStorage |
 	#ResourceLimitsCPU |
 	#ResourceLimitsMemory |
 	#ResourceLimitsEphemeralStorage
 // CPU, in cores. (500m = .5 cores)
 #ResourceCPU: #ResourceName & "cpu"
 // Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
 #ResourceMemory: #ResourceName & "memory"
 // Volume size, in bytes (e,g. 5Gi = 5GiB = 5 * 1024 * 1024 * 1024)
 #ResourceStorage: #ResourceName & "storage"
 // Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
 // The resource name for ResourceEphemeralStorage is alpha and it can change across releases.
 #ResourceEphemeralStorage: #ResourceName & "ephemeral-storage"
 // Default namespace prefix.
 #ResourceDefaultNamespacePrefix: "kubernetes.io/"
 // Name prefix for huge page resources (alpha).
 #ResourceHugePagesPrefix: "hugepages-"
 // Name prefix for storage resource limits
 #ResourceAttachableVolumesPrefix: "attachable-volumes-"
 // ResourceList is a set of (resource name, quantity) pairs.
 #ResourceList: {[string]: resource.#Quantity}
 // Node is a worker node in Kubernetes.
 // Each node will have a unique identifier in the cache (i.e. in etcd).
 #Node: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec defines the behavior of a node.
 	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #NodeSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Most recently observed status of the node.
 	// Populated by the system.
 	// Read-only.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: #NodeStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // NodeList is the whole list of all Nodes which have been registered with master.
 #NodeList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of nodes
 	items: [...#Node] @go(Items,[]Node) @protobuf(2,bytes,rep)
 }
 // FinalizerName is the name identifying a finalizer during namespace lifecycle.
 #FinalizerName: string // #enumFinalizerName
 #enumFinalizerName:
 	#FinalizerKubernetes
 #FinalizerKubernetes: #FinalizerName & "kubernetes"
 // NamespaceSpec describes the attributes on a Namespace.
 #NamespaceSpec: {
 	// Finalizers is an opaque list of values that must be empty to permanently remove object from storage.
 	// More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/
 	// +optional
 	finalizers?: [...#FinalizerName] @go(Finalizers,[]FinalizerName) @protobuf(1,bytes,rep,casttype=FinalizerName)
 }
 // NamespaceStatus is information about the current status of a Namespace.
 #NamespaceStatus: {
 	// Phase is the current lifecycle phase of the namespace.
 	// More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/
 	// +optional
 	phase?: #NamespacePhase @go(Phase) @protobuf(1,bytes,opt,casttype=NamespacePhase)
 	// Represents the latest available observations of a namespace's current state.
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	conditions?: [...#NamespaceCondition] @go(Conditions,[]NamespaceCondition) @protobuf(2,bytes,rep)
 }
 // +enum
 #NamespacePhase: string // #enumNamespacePhase
 #enumNamespacePhase:
 	#NamespaceActive |
 	#NamespaceTerminating
 // NamespaceActive means the namespace is available for use in the system
 #NamespaceActive: #NamespacePhase & "Active"
 // NamespaceTerminating means the namespace is undergoing graceful termination
 #NamespaceTerminating: #NamespacePhase & "Terminating"
 // NamespaceTerminatingCause is returned as a defaults.cause item when a change is
 // forbidden due to the namespace being terminated.
 #NamespaceTerminatingCause: metav1.#CauseType & "NamespaceTerminating"
 #NamespaceConditionType: string // #enumNamespaceConditionType
 #enumNamespaceConditionType:
 	#NamespaceDeletionDiscoveryFailure |
 	#NamespaceDeletionContentFailure |
 	#NamespaceDeletionGVParsingFailure |
 	#NamespaceContentRemaining |
 	#NamespaceFinalizersRemaining
 // NamespaceDeletionDiscoveryFailure contains information about namespace deleter errors during resource discovery.
 #NamespaceDeletionDiscoveryFailure: #NamespaceConditionType & "NamespaceDeletionDiscoveryFailure"
 // NamespaceDeletionContentFailure contains information about namespace deleter errors during deletion of resources.
 #NamespaceDeletionContentFailure: #NamespaceConditionType & "NamespaceDeletionContentFailure"
 // NamespaceDeletionGVParsingFailure contains information about namespace deleter errors parsing GV for legacy types.
 #NamespaceDeletionGVParsingFailure: #NamespaceConditionType & "NamespaceDeletionGroupVersionParsingFailure"
 // NamespaceContentRemaining contains information about resources remaining in a namespace.
 #NamespaceContentRemaining: #NamespaceConditionType & "NamespaceContentRemaining"
 // NamespaceFinalizersRemaining contains information about which finalizers are on resources remaining in a namespace.
 #NamespaceFinalizersRemaining: #NamespaceConditionType & "NamespaceFinalizersRemaining"
 // NamespaceCondition contains details about state of namespace.
 #NamespaceCondition: {
 	// Type of namespace controller condition.
 	type: #NamespaceConditionType @go(Type) @protobuf(1,bytes,opt,casttype=NamespaceConditionType)
 	// Status of the condition, one of True, False, Unknown.
 	status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus)
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt)
 	// +optional
 	reason?: string @go(Reason) @protobuf(5,bytes,opt)
 	// +optional
 	message?: string @go(Message) @protobuf(6,bytes,opt)
 }
 // Namespace provides a scope for Names.
 // Use of multiple namespaces is optional.
 #Namespace: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec defines the behavior of the Namespace.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #NamespaceSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Status describes the current status of a Namespace.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: #NamespaceStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // NamespaceList is a list of Namespaces.
 #NamespaceList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is the list of Namespace objects in the list.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
 	items: [...#Namespace] @go(Items,[]Namespace) @protobuf(2,bytes,rep)
 }
 // Binding ties one object to another; for example, a pod is bound to a node by a scheduler.
 // Deprecated in 1.7, please use the bindings subresource of pods instead.
 #Binding: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// The target object that you want to bind to the standard object.
 	target: #ObjectReference @go(Target) @protobuf(2,bytes,opt)
 }
 // Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.
 // +k8s:openapi-gen=false
 #Preconditions: {
 	// Specifies the target UID.
 	// +optional
 	uid?: null | types.#UID @go(UID,*types.UID) @protobuf(1,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID)
 }
 // PodLogOptions is the query options for a Pod's logs REST call.
 #PodLogOptions: {
 	metav1.#TypeMeta
 	// The container for which to stream logs. Defaults to only container if there is one container in the pod.
 	// +optional
 	container?: string @go(Container) @protobuf(1,bytes,opt)
 	// Follow the log stream of the pod. Defaults to false.
 	// +optional
 	follow?: bool @go(Follow) @protobuf(2,varint,opt)
 	// Return previous terminated container logs. Defaults to false.
 	// +optional
 	previous?: bool @go(Previous) @protobuf(3,varint,opt)
 	// A relative time in seconds before the current time from which to show logs. If this value
 	// precedes the time a pod was started, only logs since the pod start will be returned.
 	// If this value is in the future, no logs will be returned.
 	// Only one of sinceSeconds or sinceTime may be specified.
 	// +optional
 	sinceSeconds?: null | int64 @go(SinceSeconds,*int64) @protobuf(4,varint,opt)
 	// An RFC3339 timestamp from which to show logs. If this value
 	// precedes the time a pod was started, only logs since the pod start will be returned.
 	// If this value is in the future, no logs will be returned.
 	// Only one of sinceSeconds or sinceTime may be specified.
 	// +optional
 	sinceTime?: null | metav1.#Time @go(SinceTime,*metav1.Time) @protobuf(5,bytes,opt)
 	// If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line
 	// of log output. Defaults to false.
 	// +optional
 	timestamps?: bool @go(Timestamps) @protobuf(6,varint,opt)
 	// If set, the number of lines from the end of the logs to show. If not specified,
 	// logs are shown from the creation of the container or sinceSeconds or sinceTime
 	// +optional
 	tailLines?: null | int64 @go(TailLines,*int64) @protobuf(7,varint,opt)
 	// If set, the number of bytes to read from the server before terminating the
 	// log output. This may not display a complete final line of logging, and may return
 	// slightly more or slightly less than the specified limit.
 	// +optional
 	limitBytes?: null | int64 @go(LimitBytes,*int64) @protobuf(8,varint,opt)
 	// insecureSkipTLSVerifyBackend indicates that the apiserver should not confirm the validity of the
 	// serving certificate of the backend it is connecting to.  This will make the HTTPS connection between the apiserver
 	// and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real
 	// kubelet.  If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the
 	// connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept
 	// the actual log data coming from the real kubelet).
 	// +optional
 	insecureSkipTLSVerifyBackend?: bool @go(InsecureSkipTLSVerifyBackend) @protobuf(9,varint,opt)
 }
 // PodAttachOptions is the query options to a Pod's remote attach call.
 // ---
 // TODO: merge w/ PodExecOptions below for stdin, stdout, etc
 // and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY
 #PodAttachOptions: {
 	metav1.#TypeMeta
 	// Stdin if true, redirects the standard input stream of the pod for this call.
 	// Defaults to false.
 	// +optional
 	stdin?: bool @go(Stdin) @protobuf(1,varint,opt)
 	// Stdout if true indicates that stdout is to be redirected for the attach call.
 	// Defaults to true.
 	// +optional
 	stdout?: bool @go(Stdout) @protobuf(2,varint,opt)
 	// Stderr if true indicates that stderr is to be redirected for the attach call.
 	// Defaults to true.
 	// +optional
 	stderr?: bool @go(Stderr) @protobuf(3,varint,opt)
 	// TTY if true indicates that a tty will be allocated for the attach call.
 	// This is passed through the container runtime so the tty
 	// is allocated on the worker node by the container runtime.
 	// Defaults to false.
 	// +optional
 	tty?: bool @go(TTY) @protobuf(4,varint,opt)
 	// The container in which to execute the command.
 	// Defaults to only container if there is only one container in the pod.
 	// +optional
 	container?: string @go(Container) @protobuf(5,bytes,opt)
 }
 // PodExecOptions is the query options to a Pod's remote exec call.
 // ---
 // TODO: This is largely identical to PodAttachOptions above, make sure they stay in sync and see about merging
 // and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY
 #PodExecOptions: {
 	metav1.#TypeMeta
 	// Redirect the standard input stream of the pod for this call.
 	// Defaults to false.
 	// +optional
 	stdin?: bool @go(Stdin) @protobuf(1,varint,opt)
 	// Redirect the standard output stream of the pod for this call.
 	// +optional
 	stdout?: bool @go(Stdout) @protobuf(2,varint,opt)
 	// Redirect the standard error stream of the pod for this call.
 	// +optional
 	stderr?: bool @go(Stderr) @protobuf(3,varint,opt)
 	// TTY if true indicates that a tty will be allocated for the exec call.
 	// Defaults to false.
 	// +optional
 	tty?: bool @go(TTY) @protobuf(4,varint,opt)
 	// Container in which to execute the command.
 	// Defaults to only container if there is only one container in the pod.
 	// +optional
 	container?: string @go(Container) @protobuf(5,bytes,opt)
 	// Command is the remote command to execute. argv array. Not executed within a shell.
 	command: [...string] @go(Command,[]string) @protobuf(6,bytes,rep)
 }
 // PodPortForwardOptions is the query options to a Pod's port forward call
 // when using WebSockets.
 // The `port` query parameter must specify the port or
 // ports (comma separated) to forward over.
 // Port forwarding over SPDY does not use these options. It requires the port
 // to be passed in the `port` header as part of request.
 #PodPortForwardOptions: {
 	metav1.#TypeMeta
 	// List of ports to forward
 	// Required when using WebSockets
 	// +optional
 	ports?: [...int32] @go(Ports,[]int32) @protobuf(1,varint,rep)
 }
 // PodProxyOptions is the query options to a Pod's proxy call.
 #PodProxyOptions: {
 	metav1.#TypeMeta
 	// Path is the URL path to use for the current proxy request to pod.
 	// +optional
 	path?: string @go(Path) @protobuf(1,bytes,opt)
 }
 // NodeProxyOptions is the query options to a Node's proxy call.
 #NodeProxyOptions: {
 	metav1.#TypeMeta
 	// Path is the URL path to use for the current proxy request to node.
 	// +optional
 	path?: string @go(Path) @protobuf(1,bytes,opt)
 }
 // ServiceProxyOptions is the query options to a Service's proxy call.
 #ServiceProxyOptions: {
 	metav1.#TypeMeta
 	// Path is the part of URLs that include service endpoints, suffixes,
 	// and parameters to use for the current proxy request to service.
 	// For example, the whole request URL is
 	// http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy.
 	// Path is _search?q=user:kimchy.
 	// +optional
 	path?: string @go(Path) @protobuf(1,bytes,opt)
 }
 // ObjectReference contains enough information to let you inspect or modify the referred object.
 // ---
 // New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
 //  1. Ignored fields.  It includes many fields which are not generally honored.  For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
 //  2. Invalid usage help.  It is impossible to add specific help for individual usage.  In most embedded usages, there are particular
 //     restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
 //     Those cannot be well described when embedded.
 //  3. Inconsistent validation.  Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
 //  4. The fields are both imprecise and overly precise.  Kind is not a precise mapping to a URL. This can produce ambiguity
 //     during interpretation and require a REST mapping.  In most cases, the dependency is on the group,resource tuple
 //     and the version of the actual struct is irrelevant.
 //  5. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
 //     will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.
 //
 // Instead of using this type, create a locally provided and used type that is well-focused on your reference.
 // For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +structType=atomic
 #ObjectReference: {
 	// Kind of the referent.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	kind?: string @go(Kind) @protobuf(1,bytes,opt)
 	// Namespace of the referent.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
 	// +optional
 	namespace?: string @go(Namespace) @protobuf(2,bytes,opt)
 	// Name of the referent.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 	// +optional
 	name?: string @go(Name) @protobuf(3,bytes,opt)
 	// UID of the referent.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
 	// +optional
 	uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID)
 	// API version of the referent.
 	// +optional
 	apiVersion?: string @go(APIVersion) @protobuf(5,bytes,opt)
 	// Specific resourceVersion to which this reference is made, if any.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
 	// +optional
 	resourceVersion?: string @go(ResourceVersion) @protobuf(6,bytes,opt)
 	// If referring to a piece of an object instead of an entire object, this string
 	// should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
 	// For example, if the object reference is to a container within a pod, this would take on a value like:
 	// "spec.containers{name}" (where "name" refers to the name of the container that triggered
 	// the event) or if no container name is specified "spec.containers[2]" (container with
 	// index 2 in this pod). This syntax is chosen only to have some well-defined way of
 	// referencing a part of an object.
 	// TODO: this design is not final and this field is subject to change in the future.
 	// +optional
 	fieldPath?: string @go(FieldPath) @protobuf(7,bytes,opt)
 }
 // LocalObjectReference contains enough information to let you locate the
 // referenced object inside the same namespace.
 // +structType=atomic
 #LocalObjectReference: {
 	// Name of the referent.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 	// TODO: Add other useful fields. apiVersion, kind, uid?
 	// +optional
 	name?: string @go(Name) @protobuf(1,bytes,opt)
 }
 // TypedLocalObjectReference contains enough information to let you locate the
 // typed referenced object inside the same namespace.
 // +structType=atomic
 #TypedLocalObjectReference: {
 	// APIGroup is the group for the resource being referenced.
 	// If APIGroup is not specified, the specified Kind must be in the core API group.
 	// For any other third-party types, APIGroup is required.
 	// +optional
 	apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt)
 	// Kind is the type of resource being referenced
 	kind: string @go(Kind) @protobuf(2,bytes,opt)
 	// Name is the name of resource being referenced
 	name: string @go(Name) @protobuf(3,bytes,opt)
 }
 // SerializedReference is a reference to serialized object.
 #SerializedReference: {
 	metav1.#TypeMeta
 	// The reference to an object in the system.
 	// +optional
 	reference?: #ObjectReference @go(Reference) @protobuf(1,bytes,opt)
 }
 // EventSource contains information for an event.
 #EventSource: {
 	// Component from which the event is generated.
 	// +optional
 	component?: string @go(Component) @protobuf(1,bytes,opt)
 	// Node name on which the event is generated.
 	// +optional
 	host?: string @go(Host) @protobuf(2,bytes,opt)
 }
 // Information only and will not cause any problems
 #EventTypeNormal: "Normal"
 // These events are to warn that something might go wrong
 #EventTypeWarning: "Warning"
 // Event is a report of an event somewhere in the cluster.  Events
 // have a limited retention time and triggers and messages may evolve
 // with time.  Event consumers should not rely on the timing of an event
 // with a given Reason reflecting a consistent underlying trigger, or the
 // continued existence of events with that Reason.  Events should be
 // treated as informative, best-effort, supplemental data.
 #Event: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	metadata: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// The object that this event is about.
 	involvedObject: #ObjectReference @go(InvolvedObject) @protobuf(2,bytes,opt)
 	// This should be a short, machine understandable string that gives the reason
 	// for the transition into the object's current status.
 	// TODO: provide exact specification for format.
 	// +optional
 	reason?: string @go(Reason) @protobuf(3,bytes,opt)
 	// A human-readable description of the status of this operation.
 	// TODO: decide on maximum length.
 	// +optional
 	message?: string @go(Message) @protobuf(4,bytes,opt)
 	// The component reporting this event. Should be a short machine understandable string.
 	// +optional
 	source?: #EventSource @go(Source) @protobuf(5,bytes,opt)
 	// The time at which the event was first recorded. (Time of server receipt is in TypeMeta.)
 	// +optional
 	firstTimestamp?: metav1.#Time @go(FirstTimestamp) @protobuf(6,bytes,opt)
 	// The time at which the most recent occurrence of this event was recorded.
 	// +optional
 	lastTimestamp?: metav1.#Time @go(LastTimestamp) @protobuf(7,bytes,opt)
 	// The number of times this event has occurred.
 	// +optional
 	count?: int32 @go(Count) @protobuf(8,varint,opt)
 	// Type of this event (Normal, Warning), new types could be added in the future
 	// +optional
 	type?: string @go(Type) @protobuf(9,bytes,opt)
 	// Time when this Event was first observed.
 	// +optional
 	eventTime?: metav1.#MicroTime @go(EventTime) @protobuf(10,bytes,opt)
 	// Data about the Event series this event represents or nil if it's a singleton Event.
 	// +optional
 	series?: null | #EventSeries @go(Series,*EventSeries) @protobuf(11,bytes,opt)
 	// What action was taken/failed regarding to the Regarding object.
 	// +optional
 	action?: string @go(Action) @protobuf(12,bytes,opt)
 	// Optional secondary object for more complex actions.
 	// +optional
 	related?: null | #ObjectReference @go(Related,*ObjectReference) @protobuf(13,bytes,opt)
 	// Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`.
 	// +optional
 	reportingComponent: string @go(ReportingController) @protobuf(14,bytes,opt)
 	// ID of the controller instance, e.g. `kubelet-xyzf`.
 	// +optional
 	reportingInstance: string @go(ReportingInstance) @protobuf(15,bytes,opt)
 }
 // EventSeries contain information on series of events, i.e. thing that was/is happening
 // continuously for some time.
 #EventSeries: {
 	// Number of occurrences in this series up to the last heartbeat time
 	count?: int32 @go(Count) @protobuf(1,varint)
 	// Time of the last occurrence observed
 	lastObservedTime?: metav1.#MicroTime @go(LastObservedTime) @protobuf(2,bytes)
 }
 // EventList is a list of events.
 #EventList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of events
 	items: [...#Event] @go(Items,[]Event) @protobuf(2,bytes,rep)
 }
 // List holds a list of objects, which may not be known by the server.
 #List: metav1.#List
 // LimitType is a type of object that is limited. It can be Pod, Container, PersistentVolumeClaim or
 // a fully qualified resource name.
 #LimitType: string // #enumLimitType
 #enumLimitType:
 	#LimitTypePod |
 	#LimitTypeContainer |
 	#LimitTypePersistentVolumeClaim
 // Limit that applies to all pods in a namespace
 #LimitTypePod: #LimitType & "Pod"
 // Limit that applies to all containers in a namespace
 #LimitTypeContainer: #LimitType & "Container"
 // Limit that applies to all persistent volume claims in a namespace
 #LimitTypePersistentVolumeClaim: #LimitType & "PersistentVolumeClaim"
 // LimitRangeItem defines a min/max usage limit for any resource that matches on kind.
 #LimitRangeItem: {
 	// Type of resource that this limit applies to.
 	type: #LimitType @go(Type) @protobuf(1,bytes,opt,casttype=LimitType)
 	// Max usage constraints on this kind by resource name.
 	// +optional
 	max?: #ResourceList @go(Max) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// Min usage constraints on this kind by resource name.
 	// +optional
 	min?: #ResourceList @go(Min) @protobuf(3,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// Default resource requirement limit value by resource name if resource limit is omitted.
 	// +optional
 	default?: #ResourceList @go(Default) @protobuf(4,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// DefaultRequest is the default resource requirement request value by resource name if resource request is omitted.
 	// +optional
 	defaultRequest?: #ResourceList @go(DefaultRequest) @protobuf(5,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.
 	// +optional
 	maxLimitRequestRatio?: #ResourceList @go(MaxLimitRequestRatio) @protobuf(6,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 }
 // LimitRangeSpec defines a min/max usage limit for resources that match on kind.
 #LimitRangeSpec: {
 	// Limits is the list of LimitRangeItem objects that are enforced.
 	limits: [...#LimitRangeItem] @go(Limits,[]LimitRangeItem) @protobuf(1,bytes,rep)
 }
 // LimitRange sets resource usage limits for each kind of resource in a Namespace.
 #LimitRange: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec defines the limits enforced.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #LimitRangeSpec @go(Spec) @protobuf(2,bytes,opt)
 }
 // LimitRangeList is a list of LimitRange items.
 #LimitRangeList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is a list of LimitRange objects.
 	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 	items: [...#LimitRange] @go(Items,[]LimitRange) @protobuf(2,bytes,rep)
 }
 // Pods, number
 #ResourcePods: #ResourceName & "pods"
 // Services, number
 #ResourceServices: #ResourceName & "services"
 // ReplicationControllers, number
 #ResourceReplicationControllers: #ResourceName & "replicationcontrollers"
 // ResourceQuotas, number
 #ResourceQuotas: #ResourceName & "resourcequotas"
 // ResourceSecrets, number
 #ResourceSecrets: #ResourceName & "secrets"
 // ResourceConfigMaps, number
 #ResourceConfigMaps: #ResourceName & "configmaps"
 // ResourcePersistentVolumeClaims, number
 #ResourcePersistentVolumeClaims: #ResourceName & "persistentvolumeclaims"
 // ResourceServicesNodePorts, number
 #ResourceServicesNodePorts: #ResourceName & "services.nodeports"
 // ResourceServicesLoadBalancers, number
 #ResourceServicesLoadBalancers: #ResourceName & "services.loadbalancers"
 // CPU request, in cores. (500m = .5 cores)
 #ResourceRequestsCPU: #ResourceName & "requests.cpu"
 // Memory request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
 #ResourceRequestsMemory: #ResourceName & "requests.memory"
 // Storage request, in bytes
 #ResourceRequestsStorage: #ResourceName & "requests.storage"
 // Local ephemeral storage request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
 #ResourceRequestsEphemeralStorage: #ResourceName & "requests.ephemeral-storage"
 // CPU limit, in cores. (500m = .5 cores)
 #ResourceLimitsCPU: #ResourceName & "limits.cpu"
 // Memory limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
 #ResourceLimitsMemory: #ResourceName & "limits.memory"
 // Local ephemeral storage limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
 #ResourceLimitsEphemeralStorage: #ResourceName & "limits.ephemeral-storage"
 // HugePages request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
 // As burst is not supported for HugePages, we would only quota its request, and ignore the limit.
 #ResourceRequestsHugePagesPrefix: "requests.hugepages-"
 // Default resource requests prefix
 #DefaultResourceRequestsPrefix: "requests."
 // A ResourceQuotaScope defines a filter that must match each object tracked by a quota
 // +enum
 #ResourceQuotaScope: string // #enumResourceQuotaScope
 #enumResourceQuotaScope:
 	#ResourceQuotaScopeTerminating |
 	#ResourceQuotaScopeNotTerminating |
 	#ResourceQuotaScopeBestEffort |
 	#ResourceQuotaScopeNotBestEffort |
 	#ResourceQuotaScopePriorityClass |
 	#ResourceQuotaScopeCrossNamespacePodAffinity
 // Match all pod objects where spec.activeDeadlineSeconds >=0
 #ResourceQuotaScopeTerminating: #ResourceQuotaScope & "Terminating"
 // Match all pod objects where spec.activeDeadlineSeconds is nil
 #ResourceQuotaScopeNotTerminating: #ResourceQuotaScope & "NotTerminating"
 // Match all pod objects that have best effort quality of service
 #ResourceQuotaScopeBestEffort: #ResourceQuotaScope & "BestEffort"
 // Match all pod objects that do not have best effort quality of service
 #ResourceQuotaScopeNotBestEffort: #ResourceQuotaScope & "NotBestEffort"
 // Match all pod objects that have priority class mentioned
 #ResourceQuotaScopePriorityClass: #ResourceQuotaScope & "PriorityClass"
 // Match all pod objects that have cross-namespace pod (anti)affinity mentioned.
 #ResourceQuotaScopeCrossNamespacePodAffinity: #ResourceQuotaScope & "CrossNamespacePodAffinity"
 // ResourceQuotaSpec defines the desired hard limits to enforce for Quota.
 #ResourceQuotaSpec: {
 	// hard is the set of desired hard limits for each named resource.
 	// More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
 	// +optional
 	hard?: #ResourceList @go(Hard) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// A collection of filters that must match each object tracked by a quota.
 	// If not specified, the quota matches all objects.
 	// +optional
 	scopes?: [...#ResourceQuotaScope] @go(Scopes,[]ResourceQuotaScope) @protobuf(2,bytes,rep,casttype=ResourceQuotaScope)
 	// scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota
 	// but expressed using ScopeSelectorOperator in combination with possible values.
 	// For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.
 	// +optional
 	scopeSelector?: null | #ScopeSelector @go(ScopeSelector,*ScopeSelector) @protobuf(3,bytes,opt)
 }
 // A scope selector represents the AND of the selectors represented
 // by the scoped-resource selector requirements.
 // +structType=atomic
 #ScopeSelector: {
 	// A list of scope selector requirements by scope of the resources.
 	// +optional
 	matchExpressions?: [...#ScopedResourceSelectorRequirement] @go(MatchExpressions,[]ScopedResourceSelectorRequirement) @protobuf(1,bytes,rep)
 }
 // A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator
 // that relates the scope name and values.
 #ScopedResourceSelectorRequirement: {
 	// The name of the scope that the selector applies to.
 	scopeName: #ResourceQuotaScope @go(ScopeName) @protobuf(1,bytes,opt)
 	// Represents a scope's relationship to a set of values.
 	// Valid operators are In, NotIn, Exists, DoesNotExist.
 	operator: #ScopeSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=ScopedResourceSelectorOperator)
 	// An array of string values. If the operator is In or NotIn,
 	// the values array must be non-empty. If the operator is Exists or DoesNotExist,
 	// the values array must be empty.
 	// This array is replaced during a strategic merge patch.
 	// +optional
 	values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep)
 }
 // A scope selector operator is the set of operators that can be used in
 // a scope selector requirement.
 // +enum
 #ScopeSelectorOperator: string // #enumScopeSelectorOperator
 #enumScopeSelectorOperator:
 	#ScopeSelectorOpIn |
 	#ScopeSelectorOpNotIn |
 	#ScopeSelectorOpExists |
 	#ScopeSelectorOpDoesNotExist
 #ScopeSelectorOpIn:           #ScopeSelectorOperator & "In"
 #ScopeSelectorOpNotIn:        #ScopeSelectorOperator & "NotIn"
 #ScopeSelectorOpExists:       #ScopeSelectorOperator & "Exists"
 #ScopeSelectorOpDoesNotExist: #ScopeSelectorOperator & "DoesNotExist"
 // ResourceQuotaStatus defines the enforced hard limits and observed use.
 #ResourceQuotaStatus: {
 	// Hard is the set of enforced hard limits for each named resource.
 	// More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
 	// +optional
 	hard?: #ResourceList @go(Hard) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 	// Used is the current observed total usage of the resource in the namespace.
 	// +optional
 	used?: #ResourceList @go(Used) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName)
 }
 // ResourceQuota sets aggregate quota restrictions enforced per namespace
 #ResourceQuota: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Spec defines the desired quota.
 	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #ResourceQuotaSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Status defines the actual enforced quota and its current usage.
 	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: #ResourceQuotaStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // ResourceQuotaList is a list of ResourceQuota items.
 #ResourceQuotaList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is a list of ResourceQuota objects.
 	// More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
 	items: [...#ResourceQuota] @go(Items,[]ResourceQuota) @protobuf(2,bytes,rep)
 }
 // Secret holds secret data of a certain type. The total bytes of the values in
 // the Data field must be less than MaxSecretSize bytes.
 #Secret: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Immutable, if set to true, ensures that data stored in the Secret cannot
 	// be updated (only object metadata can be modified).
 	// If not set to true, the field can be modified at any time.
 	// Defaulted to nil.
 	// +optional
 	immutable?: null | bool @go(Immutable,*bool) @protobuf(5,varint,opt)
 	// Data contains the secret data. Each key must consist of alphanumeric
 	// characters, '-', '_' or '.'. The serialized form of the secret data is a
 	// base64 encoded string, representing the arbitrary (possibly non-string)
 	// data value here. Described in https://tools.ietf.org/html/rfc4648#section-4
 	// +optional
 	data?: {[string]: bytes} @go(Data,map[string][]byte) @protobuf(2,bytes,rep)
 	// stringData allows specifying non-binary secret data in string form.
 	// It is provided as a write-only input field for convenience.
 	// All keys and values are merged into the data field on write, overwriting any existing values.
 	// The stringData field is never output when reading from the API.
 	// +k8s:conversion-gen=false
 	// +optional
 	stringData?: {[string]: string} @go(StringData,map[string]string) @protobuf(4,bytes,rep)
 	// Used to facilitate programmatic handling of secret data.
 	// More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
 	// +optional
 	type?: #SecretType @go(Type) @protobuf(3,bytes,opt,casttype=SecretType)
 }
 #MaxSecretSize: 1048576
 #SecretType: string // #enumSecretType
 #enumSecretType:
 	#SecretTypeOpaque |
 	#SecretTypeServiceAccountToken |
 	#SecretTypeDockercfg |
 	#SecretTypeDockerConfigJson |
 	#SecretTypeBasicAuth |
 	#SecretTypeSSHAuth |
 	#SecretTypeTLS |
 	#SecretTypeBootstrapToken
 // SecretTypeOpaque is the default. Arbitrary user-defined data
 #SecretTypeOpaque: #SecretType & "Opaque"
 // SecretTypeServiceAccountToken contains a token that identifies a service account to the API
 //
 // Required fields:
 // - Secret.Annotations["kubernetes.io/service-account.name"] - the name of the ServiceAccount the token identifies
 // - Secret.Annotations["kubernetes.io/service-account.uid"] - the UID of the ServiceAccount the token identifies
 // - Secret.Data["token"] - a token that identifies the service account to the API
 #SecretTypeServiceAccountToken: #SecretType & "kubernetes.io/service-account-token"
 // ServiceAccountNameKey is the key of the required annotation for SecretTypeServiceAccountToken secrets
 #ServiceAccountNameKey: "kubernetes.io/service-account.name"
 // ServiceAccountUIDKey is the key of the required annotation for SecretTypeServiceAccountToken secrets
 #ServiceAccountUIDKey: "kubernetes.io/service-account.uid"
 // ServiceAccountTokenKey is the key of the required data for SecretTypeServiceAccountToken secrets
 #ServiceAccountTokenKey: "token"
 // ServiceAccountKubeconfigKey is the key of the optional kubeconfig data for SecretTypeServiceAccountToken secrets
 #ServiceAccountKubeconfigKey: "kubernetes.kubeconfig"
 // ServiceAccountRootCAKey is the key of the optional root certificate authority for SecretTypeServiceAccountToken secrets
 #ServiceAccountRootCAKey: "ca.crt"
 // ServiceAccountNamespaceKey is the key of the optional namespace to use as the default for namespaced API calls
 #ServiceAccountNamespaceKey: "namespace"
 // SecretTypeDockercfg contains a dockercfg file that follows the same format rules as ~/.dockercfg
 //
 // Required fields:
 // - Secret.Data[".dockercfg"] - a serialized ~/.dockercfg file
 #SecretTypeDockercfg: #SecretType & "kubernetes.io/dockercfg"
 // DockerConfigKey is the key of the required data for SecretTypeDockercfg secrets
 #DockerConfigKey: ".dockercfg"
 // SecretTypeDockerConfigJson contains a dockercfg file that follows the same format rules as ~/.docker/config.json
 //
 // Required fields:
 // - Secret.Data[".dockerconfigjson"] - a serialized ~/.docker/config.json file
 #SecretTypeDockerConfigJson: #SecretType & "kubernetes.io/dockerconfigjson"
 // DockerConfigJsonKey is the key of the required data for SecretTypeDockerConfigJson secrets
 #DockerConfigJsonKey: ".dockerconfigjson"
 // SecretTypeBasicAuth contains data needed for basic authentication.
 //
 // Required at least one of fields:
 // - Secret.Data["username"] - username used for authentication
 // - Secret.Data["password"] - password or token needed for authentication
 #SecretTypeBasicAuth: #SecretType & "kubernetes.io/basic-auth"
 // BasicAuthUsernameKey is the key of the username for SecretTypeBasicAuth secrets
 #BasicAuthUsernameKey: "username"
 // BasicAuthPasswordKey is the key of the password or token for SecretTypeBasicAuth secrets
 #BasicAuthPasswordKey: "password"
 // SecretTypeSSHAuth contains data needed for SSH authetication.
 //
 // Required field:
 // - Secret.Data["ssh-privatekey"] - private SSH key needed for authentication
 #SecretTypeSSHAuth: #SecretType & "kubernetes.io/ssh-auth"
 // SSHAuthPrivateKey is the key of the required SSH private key for SecretTypeSSHAuth secrets
 #SSHAuthPrivateKey: "ssh-privatekey"
 // SecretTypeTLS contains information about a TLS client or server secret. It
 // is primarily used with TLS termination of the Ingress resource, but may be
 // used in other types.
 //
 // Required fields:
 // - Secret.Data["tls.key"] - TLS private key.
 //   Secret.Data["tls.crt"] - TLS certificate.
 // TODO: Consider supporting different formats, specifying CA/destinationCA.
 #SecretTypeTLS: #SecretType & "kubernetes.io/tls"
 // TLSCertKey is the key for tls certificates in a TLS secret.
 #TLSCertKey: "tls.crt"
 // TLSPrivateKeyKey is the key for the private key field in a TLS secret.
 #TLSPrivateKeyKey: "tls.key"
 // SecretTypeBootstrapToken is used during the automated bootstrap process (first
 // implemented by kubeadm). It stores tokens that are used to sign well known
 // ConfigMaps. They are used for authn.
 #SecretTypeBootstrapToken: #SecretType & "bootstrap.kubernetes.io/token"
 // SecretList is a list of Secret.
 #SecretList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is a list of secret objects.
 	// More info: https://kubernetes.io/docs/concepts/configuration/secret
 	items: [...#Secret] @go(Items,[]Secret) @protobuf(2,bytes,rep)
 }
 // ConfigMap holds configuration data for pods to consume.
 #ConfigMap: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Immutable, if set to true, ensures that data stored in the ConfigMap cannot
 	// be updated (only object metadata can be modified).
 	// If not set to true, the field can be modified at any time.
 	// Defaulted to nil.
 	// +optional
 	immutable?: null | bool @go(Immutable,*bool) @protobuf(4,varint,opt)
 	// Data contains the configuration data.
 	// Each key must consist of alphanumeric characters, '-', '_' or '.'.
 	// Values with non-UTF-8 byte sequences must use the BinaryData field.
 	// The keys stored in Data must not overlap with the keys in
 	// the BinaryData field, this is enforced during validation process.
 	// +optional
 	data?: {[string]: string} @go(Data,map[string]string) @protobuf(2,bytes,rep)
 	// BinaryData contains the binary data.
 	// Each key must consist of alphanumeric characters, '-', '_' or '.'.
 	// BinaryData can contain byte sequences that are not in the UTF-8 range.
 	// The keys stored in BinaryData must not overlap with the ones in
 	// the Data field, this is enforced during validation process.
 	// Using this field will require 1.10+ apiserver and
 	// kubelet.
 	// +optional
 	binaryData?: {[string]: bytes} @go(BinaryData,map[string][]byte) @protobuf(3,bytes,rep)
 }
 // ConfigMapList is a resource containing a list of ConfigMap objects.
 #ConfigMapList: {
 	metav1.#TypeMeta
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is the list of ConfigMaps.
 	items: [...#ConfigMap] @go(Items,[]ConfigMap) @protobuf(2,bytes,rep)
 }
 // Type and constants for component health validation.
 #ComponentConditionType: string // #enumComponentConditionType
 #enumComponentConditionType:
 	#ComponentHealthy
 #ComponentHealthy: #ComponentConditionType & "Healthy"
 // Information about the condition of a component.
 #ComponentCondition: {
 	// Type of condition for a component.
 	// Valid value: "Healthy"
 	type: #ComponentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ComponentConditionType)
 	// Status of the condition for a component.
 	// Valid values for "Healthy": "True", "False", or "Unknown".
 	status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus)
 	// Message about the condition for a component.
 	// For example, information about a health check.
 	// +optional
 	message?: string @go(Message) @protobuf(3,bytes,opt)
 	// Condition error code for a component.
 	// For example, a health check error code.
 	// +optional
 	error?: string @go(Error) @protobuf(4,bytes,opt)
 }
 // ComponentStatus (and ComponentStatusList) holds the cluster validation info.
 // Deprecated: This API is deprecated in v1.19+
 #ComponentStatus: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// List of component conditions observed
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	conditions?: [...#ComponentCondition] @go(Conditions,[]ComponentCondition) @protobuf(2,bytes,rep)
 }
 // Status of all the conditions for the component as a list of ComponentStatus objects.
 // Deprecated: This API is deprecated in v1.19+
 #ComponentStatusList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of ComponentStatus objects.
 	items: [...#ComponentStatus] @go(Items,[]ComponentStatus) @protobuf(2,bytes,rep)
 }
 // DownwardAPIVolumeSource represents a volume containing downward API info.
 // Downward API volumes support ownership management and SELinux relabeling.
 #DownwardAPIVolumeSource: {
 	// Items is a list of downward API volume file
 	// +optional
 	items?: [...#DownwardAPIVolumeFile] @go(Items,[]DownwardAPIVolumeFile) @protobuf(1,bytes,rep)
 	// Optional: mode bits to use on created files by default. Must be a
 	// Optional: mode bits used to set permissions on created files by default.
 	// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
 	// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
 	// Defaults to 0644.
 	// Directories within the path are not affected by this setting.
 	// This might be in conflict with other options that affect the file
 	// mode, like fsGroup, and the result can be other mode bits set.
 	// +optional
 	defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(2,varint,opt)
 }
 #DownwardAPIVolumeSourceDefaultMode: int32 & 0o644
 // DownwardAPIVolumeFile represents information to create the file containing the pod field
 #DownwardAPIVolumeFile: {
 	// Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'
 	path: string @go(Path) @protobuf(1,bytes,opt)
 	// Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.
 	// +optional
 	fieldRef?: null | #ObjectFieldSelector @go(FieldRef,*ObjectFieldSelector) @protobuf(2,bytes,opt)
 	// Selects a resource of the container: only resources limits and requests
 	// (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
 	// +optional
 	resourceFieldRef?: null | #ResourceFieldSelector @go(ResourceFieldRef,*ResourceFieldSelector) @protobuf(3,bytes,opt)
 	// Optional: mode bits used to set permissions on this file, must be an octal value
 	// between 0000 and 0777 or a decimal value between 0 and 511.
 	// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
 	// If not specified, the volume defaultMode will be used.
 	// This might be in conflict with other options that affect the file
 	// mode, like fsGroup, and the result can be other mode bits set.
 	// +optional
 	mode?: null | int32 @go(Mode,*int32) @protobuf(4,varint,opt)
 }
 // Represents downward API info for projecting into a projected volume.
 // Note that this is identical to a downwardAPI volume source without the default
 // mode.
 #DownwardAPIProjection: {
 	// Items is a list of DownwardAPIVolume file
 	// +optional
 	items?: [...#DownwardAPIVolumeFile] @go(Items,[]DownwardAPIVolumeFile) @protobuf(1,bytes,rep)
 }
 // SecurityContext holds security configuration that will be applied to a container.
 // Some fields are present in both SecurityContext and PodSecurityContext.  When both
 // are set, the values in SecurityContext take precedence.
 #SecurityContext: {
 	// The capabilities to add/drop when running containers.
 	// Defaults to the default set of capabilities granted by the container runtime.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	capabilities?: null | #Capabilities @go(Capabilities,*Capabilities) @protobuf(1,bytes,opt)
 	// Run container in privileged mode.
 	// Processes in privileged containers are essentially equivalent to root on the host.
 	// Defaults to false.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	privileged?: null | bool @go(Privileged,*bool) @protobuf(2,varint,opt)
 	// The SELinux context to be applied to the container.
 	// If unspecified, the container runtime will allocate a random SELinux context for each
 	// container.  May also be set in PodSecurityContext.  If set in both SecurityContext and
 	// PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	seLinuxOptions?: null | #SELinuxOptions @go(SELinuxOptions,*SELinuxOptions) @protobuf(3,bytes,opt)
 	// The Windows specific settings applied to all containers.
 	// If unspecified, the options from the PodSecurityContext will be used.
 	// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// Note that this field cannot be set when spec.os.name is linux.
 	// +optional
 	windowsOptions?: null | #WindowsSecurityContextOptions @go(WindowsOptions,*WindowsSecurityContextOptions) @protobuf(10,bytes,opt)
 	// The UID to run the entrypoint of the container process.
 	// Defaults to user specified in image metadata if unspecified.
 	// May also be set in PodSecurityContext.  If set in both SecurityContext and
 	// PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	runAsUser?: null | int64 @go(RunAsUser,*int64) @protobuf(4,varint,opt)
 	// The GID to run the entrypoint of the container process.
 	// Uses runtime default if unset.
 	// May also be set in PodSecurityContext.  If set in both SecurityContext and
 	// PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	runAsGroup?: null | int64 @go(RunAsGroup,*int64) @protobuf(8,varint,opt)
 	// Indicates that the container must run as a non-root user.
 	// If true, the Kubelet will validate the image at runtime to ensure that it
 	// does not run as UID 0 (root) and fail to start the container if it does.
 	// If unset or false, no such validation will be performed.
 	// May also be set in PodSecurityContext.  If set in both SecurityContext and
 	// PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// +optional
 	runAsNonRoot?: null | bool @go(RunAsNonRoot,*bool) @protobuf(5,varint,opt)
 	// Whether this container has a read-only root filesystem.
 	// Default is false.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	readOnlyRootFilesystem?: null | bool @go(ReadOnlyRootFilesystem,*bool) @protobuf(6,varint,opt)
 	// AllowPrivilegeEscalation controls whether a process can gain more
 	// privileges than its parent process. This bool directly controls if
 	// the no_new_privs flag will be set on the container process.
 	// AllowPrivilegeEscalation is true always when the container is:
 	// 1) run as Privileged
 	// 2) has CAP_SYS_ADMIN
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	allowPrivilegeEscalation?: null | bool @go(AllowPrivilegeEscalation,*bool) @protobuf(7,varint,opt)
 	// procMount denotes the type of proc mount to use for the containers.
 	// The default is DefaultProcMount which uses the container runtime defaults for
 	// readonly paths and masked paths.
 	// This requires the ProcMountType feature flag to be enabled.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	procMount?: null | #ProcMountType @go(ProcMount,*ProcMountType) @protobuf(9,bytes,opt)
 	// The seccomp options to use by this container. If seccomp options are
 	// provided at both the pod & container level, the container options
 	// override the pod options.
 	// Note that this field cannot be set when spec.os.name is windows.
 	// +optional
 	seccompProfile?: null | #SeccompProfile @go(SeccompProfile,*SeccompProfile) @protobuf(11,bytes,opt)
 }
 // +enum
 #ProcMountType: string // #enumProcMountType
 #enumProcMountType:
 	#DefaultProcMount |
 	#UnmaskedProcMount
 // DefaultProcMount uses the container runtime defaults for readonly and masked
 // paths for /proc.  Most container runtimes mask certain paths in /proc to avoid
 // accidental security exposure of special devices or information.
 #DefaultProcMount: #ProcMountType & "Default"
 // UnmaskedProcMount bypasses the default masking behavior of the container
 // runtime and ensures the newly created /proc the container stays in tact with
 // no modifications.
 #UnmaskedProcMount: #ProcMountType & "Unmasked"
 // SELinuxOptions are the labels to be applied to the container
 #SELinuxOptions: {
 	// User is a SELinux user label that applies to the container.
 	// +optional
 	user?: string @go(User) @protobuf(1,bytes,opt)
 	// Role is a SELinux role label that applies to the container.
 	// +optional
 	role?: string @go(Role) @protobuf(2,bytes,opt)
 	// Type is a SELinux type label that applies to the container.
 	// +optional
 	type?: string @go(Type) @protobuf(3,bytes,opt)
 	// Level is SELinux level label that applies to the container.
 	// +optional
 	level?: string @go(Level) @protobuf(4,bytes,opt)
 }
 // WindowsSecurityContextOptions contain Windows-specific options and credentials.
 #WindowsSecurityContextOptions: {
 	// GMSACredentialSpecName is the name of the GMSA credential spec to use.
 	// +optional
 	gmsaCredentialSpecName?: null | string @go(GMSACredentialSpecName,*string) @protobuf(1,bytes,opt)
 	// GMSACredentialSpec is where the GMSA admission webhook
 	// (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
 	// GMSA credential spec named by the GMSACredentialSpecName field.
 	// +optional
 	gmsaCredentialSpec?: null | string @go(GMSACredentialSpec,*string) @protobuf(2,bytes,opt)
 	// The UserName in Windows to run the entrypoint of the container process.
 	// Defaults to the user specified in image metadata if unspecified.
 	// May also be set in PodSecurityContext. If set in both SecurityContext and
 	// PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// +optional
 	runAsUserName?: null | string @go(RunAsUserName,*string) @protobuf(3,bytes,opt)
 	// HostProcess determines if a container should be run as a 'Host Process' container.
 	// All of a Pod's containers must have the same effective HostProcess value
 	// (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
 	// In addition, if HostProcess is true then HostNetwork must also be set to true.
 	// +optional
 	hostProcess?: null | bool @go(HostProcess,*bool) @protobuf(4,bytes,opt)
 }
 // RangeAllocation is not a public type.
 #RangeAllocation: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Range is string that identifies the range represented by 'data'.
 	range: string @go(Range) @protobuf(2,bytes,opt)
 	// Data is a bit array containing all allocated addresses in the previous segment.
 	data: bytes @go(Data,[]byte) @protobuf(3,bytes,opt)
 }
 // DefaultSchedulerName defines the name of default scheduler.
 #DefaultSchedulerName: "default-scheduler"
 // RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule
 // corresponding to every RequiredDuringScheduling affinity rule.
 // When the --hard-pod-affinity-weight scheduler flag is not specified,
 // DefaultHardPodAffinityWeight defines the weight of the implicit PreferredDuringScheduling affinity rule.
 #DefaultHardPodAffinitySymmetricWeight: int32 & 1
 // Sysctl defines a kernel parameter to be set
 #Sysctl: {
 	// Name of a property to set
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// Value of a property to set
 	value: string @go(Value) @protobuf(2,bytes,opt)
 }
 // NodeResources is an object for conveying resource information about a node.
 // see https://kubernetes.io/docs/concepts/architecture/nodes/#capacity for more details.
 #NodeResources: {
 	// Capacity represents the available resources of a node
 	Capacity: #ResourceList @protobuf(1,bytes,rep,name=capacity,casttype=ResourceList,castkey=ResourceName)
 }
 // Enable stdin for remote command execution
 #ExecStdinParam: "input"
 // Enable stdout for remote command execution
 #ExecStdoutParam: "output"
 // Enable stderr for remote command execution
 #ExecStderrParam: "error"
 // Enable TTY for remote command execution
 #ExecTTYParam: "tty"
 // Command to run for remote command execution
 #ExecCommandParam: "command"
 // Name of header that specifies stream type
 #StreamType: "streamType"
 // Value for streamType header for stdin stream
 #StreamTypeStdin: "stdin"
 // Value for streamType header for stdout stream
 #StreamTypeStdout: "stdout"
 // Value for streamType header for stderr stream
 #StreamTypeStderr: "stderr"
 // Value for streamType header for data stream
 #StreamTypeData: "data"
 // Value for streamType header for error stream
 #StreamTypeError: "error"
 // Value for streamType header for terminal resize stream
 #StreamTypeResize: "resize"
 // Name of header that specifies the port being forwarded
 #PortHeader: "port"
 // Name of header that specifies a request ID used to associate the error
 // and data streams for a single forwarded connection
 #PortForwardRequestIDHeader: "requestID"
 // MixedProtocolNotSupported error in PortStatus means that the cloud provider
 // can't publish the port on the load balancer because mixed values of protocols
 // on the same LoadBalancer type of Service are not supported by the cloud provider.
 #MixedProtocolNotSupported: "MixedProtocolNotSupported"
 #PortStatus: {
 	// Port is the port number of the service port of which status is recorded here
 	port: int32 @go(Port) @protobuf(1,varint,opt)
 	// Protocol is the protocol of the service port of which status is recorded here
 	// The supported values are: "TCP", "UDP", "SCTP"
 	protocol: #Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol)
 	// Error is to record the problem with the service port
 	// The format of the error shall comply with the following rules:
 	// - built-in error values shall be specified in this file and those shall use
 	//   CamelCase names
 	// - cloud provider specific error values must have names that comply with the
 	//   format foo.example.com/CamelCase.
 	// ---
 	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
 	// +optional
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
 	// +kubebuilder:validation:MaxLength=316
 	error?: null | string @go(Error,*string) @protobuf(3,bytes,opt)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue

@@ -0,0 +1,59 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/core/v1
 package v1
 #LabelHostname: "kubernetes.io/hostname"
 // Label value is the network location of kube-apiserver stored as <ip:port>
 // Stored in APIServer Identity lease objects to view what address is used for peer proxy
 #AnnotationPeerAdvertiseAddress: "kubernetes.io/peer-advertise-address"
 #LabelTopologyZone:              "topology.kubernetes.io/zone"
 #LabelTopologyRegion:            "topology.kubernetes.io/region"
 // These label have been deprecated since 1.17, but will be supported for
 // the foreseeable future, to accommodate things like long-lived PVs that
 // use them.  New users should prefer the "topology.kubernetes.io/*"
 // equivalents.
 #LabelFailureDomainBetaZone:   "failure-domain.beta.kubernetes.io/zone"
 #LabelFailureDomainBetaRegion: "failure-domain.beta.kubernetes.io/region"
 // Retained for compat when vendored.  Do not use these consts in new code.
 #LabelZoneFailureDomain:       "failure-domain.beta.kubernetes.io/zone"
 #LabelZoneRegion:              "failure-domain.beta.kubernetes.io/region"
 #LabelZoneFailureDomainStable: "topology.kubernetes.io/zone"
 #LabelZoneRegionStable:        "topology.kubernetes.io/region"
 #LabelInstanceType:            "beta.kubernetes.io/instance-type"
 #LabelInstanceTypeStable:      "node.kubernetes.io/instance-type"
 #LabelOSStable:                "kubernetes.io/os"
 #LabelArchStable:              "kubernetes.io/arch"
 // LabelWindowsBuild is used on Windows nodes to specify the Windows build number starting with v1.17.0.
 // It's in the format MajorVersion.MinorVersion.BuildNumber (for ex: 10.0.17763)
 #LabelWindowsBuild: "node.kubernetes.io/windows-build"
 // LabelNamespaceSuffixKubelet is an allowed label namespace suffix kubelets can self-set ([*.]kubelet.kubernetes.io/*)
 #LabelNamespaceSuffixKubelet: "kubelet.kubernetes.io"
 // LabelNamespaceSuffixNode is an allowed label namespace suffix kubelets can self-set ([*.]node.kubernetes.io/*)
 #LabelNamespaceSuffixNode: "node.kubernetes.io"
 // LabelNamespaceNodeRestriction is a forbidden label namespace that kubelets may not self-set when the NodeRestriction admission plugin is enabled
 #LabelNamespaceNodeRestriction: "node-restriction.kubernetes.io"
 // IsHeadlessService is added by Controller to an Endpoint denoting if its parent
 // Service is Headless. The existence of this label can be used further by other
 // controllers and kube-proxy to check if the Endpoint objects should be replicated when
 // using Headless Services
 #IsHeadlessService: "service.kubernetes.io/headless"
 // LabelNodeExcludeBalancers specifies that the node should not be considered as a target
 // for external load-balancers which use nodes as a second hop (e.g. many cloud LBs which only
 // understand nodes). For services that use externalTrafficPolicy=Local, this may mean that
 // any backends on excluded nodes are not reachable by those external load-balancers.
 // Implementations of this exclusion may vary based on provider.
 #LabelNodeExcludeBalancers: "node.kubernetes.io/exclude-from-external-load-balancers"
 // LabelMetadataName is the label name which, in-tree, is used to automatically label namespaces, so they can be selected easily by tools which require definitive labels
 #LabelMetadataName: "kubernetes.io/metadata.name"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue

@@ -0,0 +1,38 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/core/v1
 package v1
 // TaintNodeNotReady will be added when node is not ready
 // and removed when node becomes ready.
 #TaintNodeNotReady: "node.kubernetes.io/not-ready"
 // TaintNodeUnreachable will be added when node becomes unreachable
 // (corresponding to NodeReady status ConditionUnknown)
 // and removed when node becomes reachable (NodeReady status ConditionTrue).
 #TaintNodeUnreachable: "node.kubernetes.io/unreachable"
 // TaintNodeUnschedulable will be added when node becomes unschedulable
 // and removed when node becomes schedulable.
 #TaintNodeUnschedulable: "node.kubernetes.io/unschedulable"
 // TaintNodeMemoryPressure will be added when node has memory pressure
 // and removed when node has enough memory.
 #TaintNodeMemoryPressure: "node.kubernetes.io/memory-pressure"
 // TaintNodeDiskPressure will be added when node has disk pressure
 // and removed when node has enough disk.
 #TaintNodeDiskPressure: "node.kubernetes.io/disk-pressure"
 // TaintNodeNetworkUnavailable will be added when node's network is unavailable
 // and removed when network becomes ready.
 #TaintNodeNetworkUnavailable: "node.kubernetes.io/network-unavailable"
 // TaintNodePIDPressure will be added when node has pid pressure
 // and removed when node has enough pid.
 #TaintNodePIDPressure: "node.kubernetes.io/pid-pressure"
 // TaintNodeOutOfService can be added when node is out of service in case of
 // a non-graceful shutdown
 #TaintNodeOutOfService: "node.kubernetes.io/out-of-service"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/discovery/v1
 package v1
 #GroupName: "discovery.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue

@@ -0,0 +1,206 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/discovery/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/api/core/v1"
 )
 // EndpointSlice represents a subset of the endpoints that implement a service.
 // For a given service there may be multiple EndpointSlice objects, selected by
 // labels, which must be joined to produce the full set of endpoints.
 #EndpointSlice: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// addressType specifies the type of address carried by this EndpointSlice.
 	// All addresses in this slice must be the same type. This field is
 	// immutable after creation. The following address types are currently
 	// supported:
 	// * IPv4: Represents an IPv4 Address.
 	// * IPv6: Represents an IPv6 Address.
 	// * FQDN: Represents a Fully Qualified Domain Name.
 	addressType: #AddressType @go(AddressType) @protobuf(4,bytes,rep)
 	// endpoints is a list of unique endpoints in this slice. Each slice may
 	// include a maximum of 1000 endpoints.
 	// +listType=atomic
 	endpoints: [...#Endpoint] @go(Endpoints,[]Endpoint) @protobuf(2,bytes,rep)
 	// ports specifies the list of network ports exposed by each endpoint in
 	// this slice. Each port must have a unique name. When ports is empty, it
 	// indicates that there are no defined ports. When a port is defined with a
 	// nil port value, it indicates "all ports". Each slice may include a
 	// maximum of 100 ports.
 	// +optional
 	// +listType=atomic
 	ports: [...#EndpointPort] @go(Ports,[]EndpointPort) @protobuf(3,bytes,rep)
 }
 // AddressType represents the type of address referred to by an endpoint.
 // +enum
 #AddressType: string // #enumAddressType
 #enumAddressType:
 	#AddressTypeIPv4 |
 	#AddressTypeIPv6 |
 	#AddressTypeFQDN
 // AddressTypeIPv4 represents an IPv4 Address.
 #AddressTypeIPv4: #AddressType & "IPv4"
 // AddressTypeIPv6 represents an IPv6 Address.
 #AddressTypeIPv6: #AddressType & "IPv6"
 // AddressTypeFQDN represents a FQDN.
 #AddressTypeFQDN: #AddressType & "FQDN"
 // Endpoint represents a single logical "backend" implementing a service.
 #Endpoint: {
 	// addresses of this endpoint. The contents of this field are interpreted
 	// according to the corresponding EndpointSlice addressType field. Consumers
 	// must handle different types of addresses in the context of their own
 	// capabilities. This must contain at least one address but no more than
 	// 100. These are all assumed to be fungible and clients may choose to only
 	// use the first element. Refer to: https://issue.k8s.io/106267
 	// +listType=set
 	addresses: [...string] @go(Addresses,[]string) @protobuf(1,bytes,rep)
 	// conditions contains information about the current status of the endpoint.
 	conditions?: #EndpointConditions @go(Conditions) @protobuf(2,bytes,opt)
 	// hostname of this endpoint. This field may be used by consumers of
 	// endpoints to distinguish endpoints from each other (e.g. in DNS names).
 	// Multiple endpoints which use the same hostname should be considered
 	// fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS
 	// Label (RFC 1123) validation.
 	// +optional
 	hostname?: null | string @go(Hostname,*string) @protobuf(3,bytes,opt)
 	// targetRef is a reference to a Kubernetes object that represents this
 	// endpoint.
 	// +optional
 	targetRef?: null | v1.#ObjectReference @go(TargetRef,*v1.ObjectReference) @protobuf(4,bytes,opt)
 	// deprecatedTopology contains topology information part of the v1beta1
 	// API. This field is deprecated, and will be removed when the v1beta1
 	// API is removed (no sooner than kubernetes v1.24).  While this field can
 	// hold values, it is not writable through the v1 API, and any attempts to
 	// write to it will be silently ignored. Topology information can be found
 	// in the zone and nodeName fields instead.
 	// +optional
 	deprecatedTopology?: {[string]: string} @go(DeprecatedTopology,map[string]string) @protobuf(5,bytes,opt)
 	// nodeName represents the name of the Node hosting this endpoint. This can
 	// be used to determine endpoints local to a Node.
 	// +optional
 	nodeName?: null | string @go(NodeName,*string) @protobuf(6,bytes,opt)
 	// zone is the name of the Zone this endpoint exists in.
 	// +optional
 	zone?: null | string @go(Zone,*string) @protobuf(7,bytes,opt)
 	// hints contains information associated with how an endpoint should be
 	// consumed.
 	// +optional
 	hints?: null | #EndpointHints @go(Hints,*EndpointHints) @protobuf(8,bytes,opt)
 }
 // EndpointConditions represents the current condition of an endpoint.
 #EndpointConditions: {
 	// ready indicates that this endpoint is prepared to receive traffic,
 	// according to whatever system is managing the endpoint. A nil value
 	// indicates an unknown state. In most cases consumers should interpret this
 	// unknown state as ready. For compatibility reasons, ready should never be
 	// "true" for terminating endpoints, except when the normal readiness
 	// behavior is being explicitly overridden, for example when the associated
 	// Service has set the publishNotReadyAddresses flag.
 	// +optional
 	ready?: null | bool @go(Ready,*bool) @protobuf(1,bytes)
 	// serving is identical to ready except that it is set regardless of the
 	// terminating state of endpoints. This condition should be set to true for
 	// a ready endpoint that is terminating. If nil, consumers should defer to
 	// the ready condition.
 	// +optional
 	serving?: null | bool @go(Serving,*bool) @protobuf(2,bytes)
 	// terminating indicates that this endpoint is terminating. A nil value
 	// indicates an unknown state. Consumers should interpret this unknown state
 	// to mean that the endpoint is not terminating.
 	// +optional
 	terminating?: null | bool @go(Terminating,*bool) @protobuf(3,bytes)
 }
 // EndpointHints provides hints describing how an endpoint should be consumed.
 #EndpointHints: {
 	// forZones indicates the zone(s) this endpoint should be consumed by to
 	// enable topology aware routing.
 	// +listType=atomic
 	forZones?: [...#ForZone] @go(ForZones,[]ForZone) @protobuf(1,bytes)
 }
 // ForZone provides information about which zones should consume this endpoint.
 #ForZone: {
 	// name represents the name of the zone.
 	name: string @go(Name) @protobuf(1,bytes)
 }
 // EndpointPort represents a Port used by an EndpointSlice
 // +structType=atomic
 #EndpointPort: {
 	// name represents the name of this port. All ports in an EndpointSlice must have a unique name.
 	// If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name.
 	// Name must either be an empty string or pass DNS_LABEL validation:
 	// * must be no more than 63 characters long.
 	// * must consist of lower case alphanumeric characters or '-'.
 	// * must start and end with an alphanumeric character.
 	// Default is empty string.
 	name?: null | string @go(Name,*string) @protobuf(1,bytes)
 	// protocol represents the IP protocol for this port.
 	// Must be UDP, TCP, or SCTP.
 	// Default is TCP.
 	protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(2,bytes)
 	// port represents the port number of the endpoint.
 	// If this is not specified, ports are not restricted and must be
 	// interpreted in the context of the specific consumer.
 	port?: null | int32 @go(Port,*int32) @protobuf(3,bytes,opt)
 	// The application protocol for this port.
 	// This is used as a hint for implementations to offer richer behavior for protocols that they understand.
 	// This field follows standard Kubernetes label syntax.
 	// Valid values are either:
 	//
 	// * Un-prefixed protocol names - reserved for IANA standard service names (as per
 	// RFC-6335 and https://www.iana.org/assignments/service-names).
 	//
 	// * Kubernetes-defined prefixed names:
 	//   * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540
 	//   * 'kubernetes.io/ws'  - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455
 	//   * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455
 	//
 	// * Other protocols should use implementation-defined prefixed names such as
 	// mycompany.com/my-custom-protocol.
 	// +optional
 	appProtocol?: null | string @go(AppProtocol,*string) @protobuf(4,bytes)
 }
 // EndpointSliceList represents a list of endpoint slices
 #EndpointSliceList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of endpoint slices
 	items: [...#EndpointSlice] @go(Items,[]EndpointSlice) @protobuf(2,bytes,rep)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue

@@ -0,0 +1,20 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/discovery/v1
 package v1
 // LabelServiceName is used to indicate the name of a Kubernetes service.
 #LabelServiceName: "kubernetes.io/service-name"
 // LabelManagedBy is used to indicate the controller or entity that manages
 // an EndpointSlice. This label aims to enable different EndpointSlice
 // objects to be managed by different controllers or entities within the
 // same cluster. It is highly recommended to configure this label for all
 // EndpointSlices.
 #LabelManagedBy: "endpointslice.kubernetes.io/managed-by"
 // LabelSkipMirror can be set to true on an Endpoints resource to indicate
 // that the EndpointSliceMirroring controller should not mirror this
 // resource with EndpointSlices.
 #LabelSkipMirror: "endpointslice.kubernetes.io/skip-mirror"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/events/v1
 package v1
 #GroupName: "events.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue

@@ -0,0 +1,111 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/events/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	corev1 "k8s.io/api/core/v1"
 )
 // Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system.
 // Events have a limited retention time and triggers and messages may evolve
 // with time.  Event consumers should not rely on the timing of an event
 // with a given Reason reflecting a consistent underlying trigger, or the
 // continued existence of events with that Reason.  Events should be
 // treated as informative, best-effort, supplemental data.
 #Event: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// eventTime is the time when this Event was first observed. It is required.
 	eventTime: metav1.#MicroTime @go(EventTime) @protobuf(2,bytes,opt)
 	// series is data about the Event series this event represents or nil if it's a singleton Event.
 	// +optional
 	series?: null | #EventSeries @go(Series,*EventSeries) @protobuf(3,bytes,opt)
 	// reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`.
 	// This field cannot be empty for new Events.
 	reportingController?: string @go(ReportingController) @protobuf(4,bytes,opt)
 	// reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`.
 	// This field cannot be empty for new Events and it can have at most 128 characters.
 	reportingInstance?: string @go(ReportingInstance) @protobuf(5,bytes,opt)
 	// action is what action was taken/failed regarding to the regarding object. It is machine-readable.
 	// This field cannot be empty for new Events and it can have at most 128 characters.
 	action?: string @go(Action) @protobuf(6,bytes)
 	// reason is why the action was taken. It is human-readable.
 	// This field cannot be empty for new Events and it can have at most 128 characters.
 	reason?: string @go(Reason) @protobuf(7,bytes)
 	// regarding contains the object this Event is about. In most cases it's an Object reporting controller
 	// implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because
 	// it acts on some changes in a ReplicaSet object.
 	// +optional
 	regarding?: corev1.#ObjectReference @go(Regarding) @protobuf(8,bytes,opt)
 	// related is the optional secondary object for more complex actions. E.g. when regarding object triggers
 	// a creation or deletion of related object.
 	// +optional
 	related?: null | corev1.#ObjectReference @go(Related,*corev1.ObjectReference) @protobuf(9,bytes,opt)
 	// note is a human-readable description of the status of this operation.
 	// Maximal length of the note is 1kB, but libraries should be prepared to
 	// handle values up to 64kB.
 	// +optional
 	note?: string @go(Note) @protobuf(10,bytes,opt)
 	// type is the type of this event (Normal, Warning), new types could be added in the future.
 	// It is machine-readable.
 	// This field cannot be empty for new Events.
 	type?: string @go(Type) @protobuf(11,bytes,opt)
 	// deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type.
 	// +optional
 	deprecatedSource?: corev1.#EventSource @go(DeprecatedSource) @protobuf(12,bytes,opt)
 	// deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
 	// +optional
 	deprecatedFirstTimestamp?: metav1.#Time @go(DeprecatedFirstTimestamp) @protobuf(13,bytes,opt)
 	// deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
 	// +optional
 	deprecatedLastTimestamp?: metav1.#Time @go(DeprecatedLastTimestamp) @protobuf(14,bytes,opt)
 	// deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type.
 	// +optional
 	deprecatedCount?: int32 @go(DeprecatedCount) @protobuf(15,varint,opt)
 }
 // EventSeries contain information on series of events, i.e. thing that was/is happening
 // continuously for some time. How often to update the EventSeries is up to the event reporters.
 // The default event reporter in "k8s.io/client-go/tools/events/event_broadcaster.go" shows
 // how this struct is updated on heartbeats and can guide customized reporter implementations.
 #EventSeries: {
 	// count is the number of occurrences in this series up to the last heartbeat time.
 	count: int32 @go(Count) @protobuf(1,varint,opt)
 	// lastObservedTime is the time when last Event from the series was seen before last heartbeat.
 	lastObservedTime: metav1.#MicroTime @go(LastObservedTime) @protobuf(2,bytes,opt)
 }
 // EventList is a list of Event objects.
 #EventList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is a list of schema objects.
 	items: [...#Event] @go(Items,[]Event) @protobuf(2,bytes,rep)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/networking/v1
 package v1
 #GroupName: "networking.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue

@@ -0,0 +1,588 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/networking/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 // NetworkPolicy describes what network traffic is allowed for a set of Pods
 #NetworkPolicy: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec represents the specification of the desired behavior for this NetworkPolicy.
 	// +optional
 	spec?: #NetworkPolicySpec @go(Spec) @protobuf(2,bytes,opt)
 }
 // PolicyType string describes the NetworkPolicy type
 // This type is beta-level in 1.8
 // +enum
 #PolicyType: string // #enumPolicyType
 #enumPolicyType:
 	#PolicyTypeIngress |
 	#PolicyTypeEgress
 // PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods
 #PolicyTypeIngress: #PolicyType & "Ingress"
 // PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods
 #PolicyTypeEgress: #PolicyType & "Egress"
 // NetworkPolicySpec provides the specification of a NetworkPolicy
 #NetworkPolicySpec: {
 	// podSelector selects the pods to which this NetworkPolicy object applies.
 	// The array of ingress rules is applied to any pods selected by this field.
 	// Multiple network policies can select the same set of pods. In this case,
 	// the ingress rules for each are combined additively.
 	// This field is NOT optional and follows standard label selector semantics.
 	// An empty podSelector matches all pods in this namespace.
 	podSelector: metav1.#LabelSelector @go(PodSelector) @protobuf(1,bytes,opt)
 	// ingress is a list of ingress rules to be applied to the selected pods.
 	// Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
 	// (and cluster policy otherwise allows the traffic), OR if the traffic source is
 	// the pod's local node, OR if the traffic matches at least one ingress rule
 	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
 	// this field is empty then this NetworkPolicy does not allow any traffic (and serves
 	// solely to ensure that the pods it selects are isolated by default)
 	// +optional
 	ingress?: [...#NetworkPolicyIngressRule] @go(Ingress,[]NetworkPolicyIngressRule) @protobuf(2,bytes,rep)
 	// egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
 	// is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
 	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
 	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
 	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
 	// solely to ensure that the pods it selects are isolated by default).
 	// This field is beta-level in 1.8
 	// +optional
 	egress?: [...#NetworkPolicyEgressRule] @go(Egress,[]NetworkPolicyEgressRule) @protobuf(3,bytes,rep)
 	// policyTypes is a list of rule types that the NetworkPolicy relates to.
 	// Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"].
 	// If this field is not specified, it will default based on the existence of ingress or egress rules;
 	// policies that contain an egress section are assumed to affect egress, and all policies
 	// (whether or not they contain an ingress section) are assumed to affect ingress.
 	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
 	// Likewise, if you want to write a policy that specifies that no egress is allowed,
 	// you must specify a policyTypes value that include "Egress" (since such a policy would not include
 	// an egress section and would otherwise default to just [ "Ingress" ]).
 	// This field is beta-level in 1.8
 	// +optional
 	policyTypes?: [...#PolicyType] @go(PolicyTypes,[]PolicyType) @protobuf(4,bytes,rep,casttype=PolicyType)
 }
 // NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
 // matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
 #NetworkPolicyIngressRule: {
 	// ports is a list of ports which should be made accessible on the pods selected for
 	// this rule. Each item in this list is combined using a logical OR. If this field is
 	// empty or missing, this rule matches all ports (traffic not restricted by port).
 	// If this field is present and contains at least one item, then this rule allows
 	// traffic only if the traffic matches at least one port in the list.
 	// +optional
 	ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep)
 	// from is a list of sources which should be able to access the pods selected for this rule.
 	// Items in this list are combined using a logical OR operation. If this field is
 	// empty or missing, this rule matches all sources (traffic not restricted by
 	// source). If this field is present and contains at least one item, this rule
 	// allows traffic only if the traffic matches at least one item in the from list.
 	// +optional
 	from?: [...#NetworkPolicyPeer] @go(From,[]NetworkPolicyPeer) @protobuf(2,bytes,rep)
 }
 // NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
 // matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
 // This type is beta-level in 1.8
 #NetworkPolicyEgressRule: {
 	// ports is a list of destination ports for outgoing traffic.
 	// Each item in this list is combined using a logical OR. If this field is
 	// empty or missing, this rule matches all ports (traffic not restricted by port).
 	// If this field is present and contains at least one item, then this rule allows
 	// traffic only if the traffic matches at least one port in the list.
 	// +optional
 	ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep)
 	// to is a list of destinations for outgoing traffic of pods selected for this rule.
 	// Items in this list are combined using a logical OR operation. If this field is
 	// empty or missing, this rule matches all destinations (traffic not restricted by
 	// destination). If this field is present and contains at least one item, this rule
 	// allows traffic only if the traffic matches at least one item in the to list.
 	// +optional
 	to?: [...#NetworkPolicyPeer] @go(To,[]NetworkPolicyPeer) @protobuf(2,bytes,rep)
 }
 // NetworkPolicyPort describes a port to allow traffic on
 #NetworkPolicyPort: {
 	// protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
 	// If not specified, this field defaults to TCP.
 	// +optional
 	protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.Protocol)
 	// port represents the port on the given protocol. This can either be a numerical or named
 	// port on a pod. If this field is not provided, this matches all port names and
 	// numbers.
 	// If present, only traffic on the specified protocol AND port will be matched.
 	// +optional
 	port?: null | intstr.#IntOrString @go(Port,*intstr.IntOrString) @protobuf(2,bytes,opt)
 	// endPort indicates that the range of ports from port to endPort if set, inclusive,
 	// should be allowed by the policy. This field cannot be defined if the port field
 	// is not defined or if the port field is defined as a named (string) port.
 	// The endPort must be equal or greater than port.
 	// +optional
 	endPort?: null | int32 @go(EndPort,*int32) @protobuf(3,bytes,opt)
 }
 // IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed
 // to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
 // that should not be included within this rule.
 #IPBlock: {
 	// cidr is a string representing the IPBlock
 	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
 	cidr: string @go(CIDR) @protobuf(1,bytes)
 	// except is a slice of CIDRs that should not be included within an IPBlock
 	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
 	// Except values will be rejected if they are outside the cidr range
 	// +optional
 	except?: [...string] @go(Except,[]string) @protobuf(2,bytes,rep)
 }
 // NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
 // fields are allowed
 #NetworkPolicyPeer: {
 	// podSelector is a label selector which selects pods. This field follows standard label
 	// selector semantics; if present but empty, it selects all pods.
 	//
 	// If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
 	// the pods matching podSelector in the Namespaces selected by NamespaceSelector.
 	// Otherwise it selects the pods matching podSelector in the policy's own namespace.
 	// +optional
 	podSelector?: null | metav1.#LabelSelector @go(PodSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
 	// namespaceSelector selects namespaces using cluster-scoped labels. This field follows
 	// standard label selector semantics; if present but empty, it selects all namespaces.
 	//
 	// If podSelector is also set, then the NetworkPolicyPeer as a whole selects
 	// the pods matching podSelector in the namespaces selected by namespaceSelector.
 	// Otherwise it selects all pods in the namespaces selected by namespaceSelector.
 	// +optional
 	namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
 	// ipBlock defines policy on a particular IPBlock. If this field is set then
 	// neither of the other fields can be.
 	// +optional
 	ipBlock?: null | #IPBlock @go(IPBlock,*IPBlock) @protobuf(3,bytes,rep)
 }
 // NetworkPolicyList is a list of NetworkPolicy objects.
 #NetworkPolicyList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is a list of schema objects.
 	items: [...#NetworkPolicy] @go(Items,[]NetworkPolicy) @protobuf(2,bytes,rep)
 }
 // Ingress is a collection of rules that allow inbound connections to reach the
 // endpoints defined by a backend. An Ingress can be configured to give services
 // externally-reachable urls, load balance traffic, terminate SSL, offer name
 // based virtual hosting etc.
 #Ingress: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec is the desired state of the Ingress.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #IngressSpec @go(Spec) @protobuf(2,bytes,opt)
 	// status is the current state of the Ingress.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: #IngressStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // IngressList is a collection of Ingress.
 #IngressList: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of Ingress.
 	items: [...#Ingress] @go(Items,[]Ingress) @protobuf(2,bytes,rep)
 }
 // IngressSpec describes the Ingress the user wishes to exist.
 #IngressSpec: {
 	// ingressClassName is the name of an IngressClass cluster resource. Ingress
 	// controller implementations use this field to know whether they should be
 	// serving this Ingress resource, by a transitive connection
 	// (controller -> IngressClass -> Ingress resource). Although the
 	// `kubernetes.io/ingress.class` annotation (simple constant name) was never
 	// formally defined, it was widely supported by Ingress controllers to create
 	// a direct binding between Ingress controller and Ingress resources. Newly
 	// created Ingress resources should prefer using the field. However, even
 	// though the annotation is officially deprecated, for backwards compatibility
 	// reasons, ingress controllers should still honor that annotation if present.
 	// +optional
 	ingressClassName?: null | string @go(IngressClassName,*string) @protobuf(4,bytes,opt)
 	// defaultBackend is the backend that should handle requests that don't
 	// match any rule. If Rules are not specified, DefaultBackend must be specified.
 	// If DefaultBackend is not set, the handling of requests that do not match any
 	// of the rules will be up to the Ingress controller.
 	// +optional
 	defaultBackend?: null | #IngressBackend @go(DefaultBackend,*IngressBackend) @protobuf(1,bytes,opt)
 	// tls represents the TLS configuration. Currently the Ingress only supports a
 	// single TLS port, 443. If multiple members of this list specify different hosts,
 	// they will be multiplexed on the same port according to the hostname specified
 	// through the SNI TLS extension, if the ingress controller fulfilling the
 	// ingress supports SNI.
 	// +listType=atomic
 	// +optional
 	tls?: [...#IngressTLS] @go(TLS,[]IngressTLS) @protobuf(2,bytes,rep)
 	// rules is a list of host rules used to configure the Ingress. If unspecified,
 	// or no rule matches, all traffic is sent to the default backend.
 	// +listType=atomic
 	// +optional
 	rules?: [...#IngressRule] @go(Rules,[]IngressRule) @protobuf(3,bytes,rep)
 }
 // IngressTLS describes the transport layer security associated with an ingress.
 #IngressTLS: {
 	// hosts is a list of hosts included in the TLS certificate. The values in
 	// this list must match the name/s used in the tlsSecret. Defaults to the
 	// wildcard host setting for the loadbalancer controller fulfilling this
 	// Ingress, if left unspecified.
 	// +listType=atomic
 	// +optional
 	hosts?: [...string] @go(Hosts,[]string) @protobuf(1,bytes,rep)
 	// secretName is the name of the secret used to terminate TLS traffic on
 	// port 443. Field is left optional to allow TLS routing based on SNI
 	// hostname alone. If the SNI host in a listener conflicts with the "Host"
 	// header field used by an IngressRule, the SNI host is used for termination
 	// and value of the "Host" header is used for routing.
 	// +optional
 	secretName?: string @go(SecretName) @protobuf(2,bytes,opt)
 }
 // IngressStatus describe the current state of the Ingress.
 #IngressStatus: {
 	// loadBalancer contains the current status of the load-balancer.
 	// +optional
 	loadBalancer?: #IngressLoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt)
 }
 // IngressLoadBalancerStatus represents the status of a load-balancer.
 #IngressLoadBalancerStatus: {
 	// ingress is a list containing ingress points for the load-balancer.
 	// +optional
 	ingress?: [...#IngressLoadBalancerIngress] @go(Ingress,[]IngressLoadBalancerIngress) @protobuf(1,bytes,rep)
 }
 // IngressLoadBalancerIngress represents the status of a load-balancer ingress point.
 #IngressLoadBalancerIngress: {
 	// ip is set for load-balancer ingress points that are IP based.
 	// +optional
 	ip?: string @go(IP) @protobuf(1,bytes,opt)
 	// hostname is set for load-balancer ingress points that are DNS based.
 	// +optional
 	hostname?: string @go(Hostname) @protobuf(2,bytes,opt)
 	// ports provides information about the ports exposed by this LoadBalancer.
 	// +listType=atomic
 	// +optional
 	ports?: [...#IngressPortStatus] @go(Ports,[]IngressPortStatus) @protobuf(4,bytes,rep)
 }
 // IngressPortStatus represents the error condition of a service port
 #IngressPortStatus: {
 	// port is the port number of the ingress port.
 	port: int32 @go(Port) @protobuf(1,varint,opt)
 	// protocol is the protocol of the ingress port.
 	// The supported values are: "TCP", "UDP", "SCTP"
 	protocol: v1.#Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol)
 	// error is to record the problem with the service port
 	// The format of the error shall comply with the following rules:
 	// - built-in error values shall be specified in this file and those shall use
 	//   CamelCase names
 	// - cloud provider specific error values must have names that comply with the
 	//   format foo.example.com/CamelCase.
 	// ---
 	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
 	// +optional
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
 	// +kubebuilder:validation:MaxLength=316
 	error?: null | string @go(Error,*string) @protobuf(3,bytes,opt)
 }
 // IngressRule represents the rules mapping the paths under a specified host to
 // the related backend services. Incoming requests are first evaluated for a host
 // match, then routed to the backend associated with the matching IngressRuleValue.
 #IngressRule: {
 	// host is the fully qualified domain name of a network host, as defined by RFC 3986.
 	// Note the following deviations from the "host" part of the
 	// URI as defined in RFC 3986:
 	// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
 	//    the IP in the Spec of the parent Ingress.
 	// 2. The `:` delimiter is not respected because ports are not allowed.
 	//	  Currently the port of an Ingress is implicitly :80 for http and
 	//	  :443 for https.
 	// Both these may change in the future.
 	// Incoming requests are matched against the host before the
 	// IngressRuleValue. If the host is unspecified, the Ingress routes all
 	// traffic based on the specified IngressRuleValue.
 	//
 	// host can be "precise" which is a domain name without the terminating dot of
 	// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
 	// prefixed with a single wildcard label (e.g. "*.foo.com").
 	// The wildcard character '*' must appear by itself as the first DNS label and
 	// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
 	// Requests will be matched against the Host field in the following way:
 	// 1. If host is precise, the request matches this rule if the http host header is equal to Host.
 	// 2. If host is a wildcard, then the request matches this rule if the http host header
 	// is to equal to the suffix (removing the first label) of the wildcard rule.
 	// +optional
 	host?: string @go(Host) @protobuf(1,bytes,opt)
 	#IngressRuleValue
 }
 // IngressRuleValue represents a rule to apply against incoming requests. If the
 // rule is satisfied, the request is routed to the specified backend. Currently
 // mixing different types of rules in a single Ingress is disallowed, so exactly
 // one of the following must be set.
 #IngressRuleValue: {
 	// +optional
 	http?: null | #HTTPIngressRuleValue @go(HTTP,*HTTPIngressRuleValue) @protobuf(1,bytes,opt)
 }
 // HTTPIngressRuleValue is a list of http selectors pointing to backends.
 // In the example: http://<host>/<path>?<searchpart> -> backend where
 // where parts of the url correspond to RFC 3986, this resource will be used
 // to match against everything after the last '/' and before the first '?'
 // or '#'.
 #HTTPIngressRuleValue: {
 	// paths is a collection of paths that map requests to backends.
 	// +listType=atomic
 	paths: [...#HTTPIngressPath] @go(Paths,[]HTTPIngressPath) @protobuf(1,bytes,rep)
 }
 // PathType represents the type of path referred to by a HTTPIngressPath.
 // +enum
 #PathType: string // #enumPathType
 #enumPathType:
 	#PathTypeExact |
 	#PathTypePrefix |
 	#PathTypeImplementationSpecific
 // PathTypeExact matches the URL path exactly and with case sensitivity.
 #PathTypeExact: #PathType & "Exact"
 // PathTypePrefix matches based on a URL path prefix split by '/'. Matching
 // is case sensitive and done on a path element by element basis. A path
 // element refers to the list of labels in the path split by the '/'
 // separator. A request is a match for path p if every p is an element-wise
 // prefix of p of the request path. Note that if the last element of the
 // path is a substring of the last element in request path, it is not a
 // match (e.g. /foo/bar matches /foo/bar/baz, but does not match
 // /foo/barbaz). If multiple matching paths exist in an Ingress spec, the
 // longest matching path is given priority.
 // Examples:
 // - /foo/bar does not match requests to /foo/barbaz
 // - /foo/bar matches request to /foo/bar and /foo/bar/baz
 // - /foo and /foo/ both match requests to /foo and /foo/. If both paths are
 //   present in an Ingress spec, the longest matching path (/foo/) is given
 //   priority.
 #PathTypePrefix: #PathType & "Prefix"
 // PathTypeImplementationSpecific matching is up to the IngressClass.
 // Implementations can treat this as a separate PathType or treat it
 // identically to Prefix or Exact path types.
 #PathTypeImplementationSpecific: #PathType & "ImplementationSpecific"
 // HTTPIngressPath associates a path with a backend. Incoming urls matching the
 // path are forwarded to the backend.
 #HTTPIngressPath: {
 	// path is matched against the path of an incoming request. Currently it can
 	// contain characters disallowed from the conventional "path" part of a URL
 	// as defined by RFC 3986. Paths must begin with a '/' and must be present
 	// when using PathType with value "Exact" or "Prefix".
 	// +optional
 	path?: string @go(Path) @protobuf(1,bytes,opt)
 	// pathType determines the interpretation of the path matching. PathType can
 	// be one of the following values:
 	// * Exact: Matches the URL path exactly.
 	// * Prefix: Matches based on a URL path prefix split by '/'. Matching is
 	//   done on a path element by element basis. A path element refers is the
 	//   list of labels in the path split by the '/' separator. A request is a
 	//   match for path p if every p is an element-wise prefix of p of the
 	//   request path. Note that if the last element of the path is a substring
 	//   of the last element in request path, it is not a match (e.g. /foo/bar
 	//   matches /foo/bar/baz, but does not match /foo/barbaz).
 	// * ImplementationSpecific: Interpretation of the Path matching is up to
 	//   the IngressClass. Implementations can treat this as a separate PathType
 	//   or treat it identically to Prefix or Exact path types.
 	// Implementations are required to support all path types.
 	pathType?: null | #PathType @go(PathType,*PathType) @protobuf(3,bytes,opt)
 	// backend defines the referenced service endpoint to which the traffic
 	// will be forwarded to.
 	backend: #IngressBackend @go(Backend) @protobuf(2,bytes,opt)
 }
 // IngressBackend describes all endpoints for a given service and port.
 #IngressBackend: {
 	// service references a service as a backend.
 	// This is a mutually exclusive setting with "Resource".
 	// +optional
 	service?: null | #IngressServiceBackend @go(Service,*IngressServiceBackend) @protobuf(4,bytes,opt)
 	// resource is an ObjectRef to another Kubernetes resource in the namespace
 	// of the Ingress object. If resource is specified, a service.Name and
 	// service.Port must not be specified.
 	// This is a mutually exclusive setting with "Service".
 	// +optional
 	resource?: null | v1.#TypedLocalObjectReference @go(Resource,*v1.TypedLocalObjectReference) @protobuf(3,bytes,opt)
 }
 // IngressServiceBackend references a Kubernetes Service as a Backend.
 #IngressServiceBackend: {
 	// name is the referenced service. The service must exist in
 	// the same namespace as the Ingress object.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// port of the referenced service. A port name or port number
 	// is required for a IngressServiceBackend.
 	port?: #ServiceBackendPort @go(Port) @protobuf(2,bytes,opt)
 }
 // ServiceBackendPort is the service port being referenced.
 #ServiceBackendPort: {
 	// name is the name of the port on the Service.
 	// This is a mutually exclusive setting with "Number".
 	// +optional
 	name?: string @go(Name) @protobuf(1,bytes,opt)
 	// number is the numerical port number (e.g. 80) on the Service.
 	// This is a mutually exclusive setting with "Name".
 	// +optional
 	number?: int32 @go(Number) @protobuf(2,bytes,opt)
 }
 // IngressClass represents the class of the Ingress, referenced by the Ingress
 // Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be
 // used to indicate that an IngressClass should be considered default. When a
 // single IngressClass resource has this annotation set to true, new Ingress
 // resources without a class specified will be assigned this default class.
 #IngressClass: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec is the desired state of the IngressClass.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	spec?: #IngressClassSpec @go(Spec) @protobuf(2,bytes,opt)
 }
 // IngressClassSpec provides information about the class of an Ingress.
 #IngressClassSpec: {
 	// controller refers to the name of the controller that should handle this
 	// class. This allows for different "flavors" that are controlled by the
 	// same controller. For example, you may have different parameters for the
 	// same implementing controller. This should be specified as a
 	// domain-prefixed path no more than 250 characters in length, e.g.
 	// "acme.io/ingress-controller". This field is immutable.
 	controller?: string @go(Controller) @protobuf(1,bytes,opt)
 	// parameters is a link to a custom resource containing additional
 	// configuration for the controller. This is optional if the controller does
 	// not require extra parameters.
 	// +optional
 	parameters?: null | #IngressClassParametersReference @go(Parameters,*IngressClassParametersReference) @protobuf(2,bytes,opt)
 }
 // IngressClassParametersReferenceScopeNamespace indicates that the
 // referenced Parameters resource is namespace-scoped.
 #IngressClassParametersReferenceScopeNamespace: "Namespace"
 // IngressClassParametersReferenceScopeCluster indicates that the
 // referenced Parameters resource is cluster-scoped.
 #IngressClassParametersReferenceScopeCluster: "Cluster"
 // IngressClassParametersReference identifies an API object. This can be used
 // to specify a cluster or namespace-scoped resource.
 #IngressClassParametersReference: {
 	// apiGroup is the group for the resource being referenced. If APIGroup is
 	// not specified, the specified Kind must be in the core API group. For any
 	// other third-party types, APIGroup is required.
 	// +optional
 	apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt,name=aPIGroup)
 	// kind is the type of resource being referenced.
 	kind: string @go(Kind) @protobuf(2,bytes,opt)
 	// name is the name of resource being referenced.
 	name: string @go(Name) @protobuf(3,bytes,opt)
 	// scope represents if this refers to a cluster or namespace scoped resource.
 	// This may be set to "Cluster" (default) or "Namespace".
 	// +optional
 	scope?: null | string @go(Scope,*string) @protobuf(4,bytes,opt)
 	// namespace is the namespace of the resource being referenced. This field is
 	// required when scope is set to "Namespace" and must be unset when scope is set to
 	// "Cluster".
 	// +optional
 	namespace?: null | string @go(Namespace,*string) @protobuf(5,bytes,opt)
 }
 // IngressClassList is a collection of IngressClasses.
 #IngressClassList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of IngressClasses.
 	items: [...#IngressClass] @go(Items,[]IngressClass) @protobuf(2,bytes,rep)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue

@@ -0,0 +1,11 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/networking/v1
 package v1
 // AnnotationIsDefaultIngressClass can be used to indicate that an
 // IngressClass should be considered default. When a single IngressClass
 // resource has this annotation set to true, new Ingress resources without a
 // class specified will be assigned this default class.
 #AnnotationIsDefaultIngressClass: "ingressclass.kubernetes.io/is-default-class"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/node/v1
 package v1
 #GroupName: "node.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue

@@ -0,0 +1,90 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/node/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	corev1 "k8s.io/api/core/v1"
 )
 // RuntimeClass defines a class of container runtime supported in the cluster.
 // The RuntimeClass is used to determine which container runtime is used to run
 // all containers in a pod. RuntimeClasses are manually defined by a
 // user or cluster provisioner, and referenced in the PodSpec. The Kubelet is
 // responsible for resolving the RuntimeClassName reference before running the
 // pod.  For more details, see
 // https://kubernetes.io/docs/concepts/containers/runtime-class/
 #RuntimeClass: {
 	metav1.#TypeMeta
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// handler specifies the underlying runtime and configuration that the CRI
 	// implementation will use to handle pods of this class. The possible values
 	// are specific to the node & CRI configuration.  It is assumed that all
 	// handlers are available on every node, and handlers of the same name are
 	// equivalent on every node.
 	// For example, a handler called "runc" might specify that the runc OCI
 	// runtime (using native Linux containers) will be used to run the containers
 	// in a pod.
 	// The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements,
 	// and is immutable.
 	handler: string @go(Handler) @protobuf(2,bytes,opt)
 	// overhead represents the resource overhead associated with running a pod for a
 	// given RuntimeClass. For more details, see
 	//  https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/
 	// +optional
 	overhead?: null | #Overhead @go(Overhead,*Overhead) @protobuf(3,bytes,opt)
 	// scheduling holds the scheduling constraints to ensure that pods running
 	// with this RuntimeClass are scheduled to nodes that support it.
 	// If scheduling is nil, this RuntimeClass is assumed to be supported by all
 	// nodes.
 	// +optional
 	scheduling?: null | #Scheduling @go(Scheduling,*Scheduling) @protobuf(4,bytes,opt)
 }
 // Overhead structure represents the resource overhead associated with running a pod.
 #Overhead: {
 	// podFixed represents the fixed resource overhead associated with running a pod.
 	// +optional
 	podFixed?: corev1.#ResourceList @go(PodFixed) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.ResourceList,castkey=k8s.io/api/core/v1.ResourceName,castvalue=k8s.io/apimachinery/pkg/api/resource.Quantity)
 }
 // Scheduling specifies the scheduling constraints for nodes supporting a
 // RuntimeClass.
 #Scheduling: {
 	// nodeSelector lists labels that must be present on nodes that support this
 	// RuntimeClass. Pods using this RuntimeClass can only be scheduled to a
 	// node matched by this selector. The RuntimeClass nodeSelector is merged
 	// with a pod's existing nodeSelector. Any conflicts will cause the pod to
 	// be rejected in admission.
 	// +optional
 	// +mapType=atomic
 	nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) @protobuf(1,bytes,opt)
 	// tolerations are appended (excluding duplicates) to pods running with this
 	// RuntimeClass during admission, effectively unioning the set of nodes
 	// tolerated by the pod and the RuntimeClass.
 	// +optional
 	// +listType=atomic
 	tolerations?: [...corev1.#Toleration] @go(Tolerations,[]corev1.Toleration) @protobuf(2,bytes,rep)
 }
 // RuntimeClassList is a list of RuntimeClass objects.
 #RuntimeClassList: {
 	metav1.#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is a list of schema objects.
 	items: [...#RuntimeClass] @go(Items,[]RuntimeClass) @protobuf(2,bytes,rep)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue

@@ -0,0 +1,8 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/policy/v1
 // Package policy is for any kind of policy object.  Suitable examples, even if
 // they aren't all here, are PodDisruptionBudget, PodSecurityPolicy,
 // NetworkPolicy, etc.
 package v1

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/policy/v1
 package v1
 #GroupName: "policy"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue

@@ -0,0 +1,204 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/policy/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 #DisruptionBudgetCause: metav1.#CauseType & "DisruptionBudget"
 // PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
 #PodDisruptionBudgetSpec: {
 	// An eviction is allowed if at least "minAvailable" pods selected by
 	// "selector" will still be available after the eviction, i.e. even in the
 	// absence of the evicted pod.  So for example you can prevent all voluntary
 	// evictions by specifying "100%".
 	// +optional
 	minAvailable?: null | intstr.#IntOrString @go(MinAvailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
 	// Label query over pods whose evictions are managed by the disruption
 	// budget.
 	// A null selector will match no pods, while an empty ({}) selector will select
 	// all pods within the namespace.
 	// +patchStrategy=replace
 	// +optional
 	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
 	// An eviction is allowed if at most "maxUnavailable" pods selected by
 	// "selector" are unavailable after the eviction, i.e. even in absence of
 	// the evicted pod. For example, one can prevent all voluntary evictions
 	// by specifying 0. This is a mutually exclusive setting with "minAvailable".
 	// +optional
 	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(3,bytes,opt)
 	// UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods
 	// should be considered for eviction. Current implementation considers healthy pods,
 	// as pods that have status.conditions item with type="Ready",status="True".
 	//
 	// Valid policies are IfHealthyBudget and AlwaysAllow.
 	// If no policy is specified, the default behavior will be used,
 	// which corresponds to the IfHealthyBudget policy.
 	//
 	// IfHealthyBudget policy means that running pods (status.phase="Running"),
 	// but not yet healthy can be evicted only if the guarded application is not
 	// disrupted (status.currentHealthy is at least equal to status.desiredHealthy).
 	// Healthy pods will be subject to the PDB for eviction.
 	//
 	// AlwaysAllow policy means that all running pods (status.phase="Running"),
 	// but not yet healthy are considered disrupted and can be evicted regardless
 	// of whether the criteria in a PDB is met. This means perspective running
 	// pods of a disrupted application might not get a chance to become healthy.
 	// Healthy pods will be subject to the PDB for eviction.
 	//
 	// Additional policies may be added in the future.
 	// Clients making eviction decisions should disallow eviction of unhealthy pods
 	// if they encounter an unrecognized policy in this field.
 	//
 	// This field is beta-level. The eviction API uses this field when
 	// the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).
 	// +optional
 	unhealthyPodEvictionPolicy?: null | #UnhealthyPodEvictionPolicyType @go(UnhealthyPodEvictionPolicy,*UnhealthyPodEvictionPolicyType) @protobuf(4,bytes,opt)
 }
 // UnhealthyPodEvictionPolicyType defines the criteria for when unhealthy pods
 // should be considered for eviction.
 // +enum
 #UnhealthyPodEvictionPolicyType: string // #enumUnhealthyPodEvictionPolicyType
 #enumUnhealthyPodEvictionPolicyType:
 	#IfHealthyBudget |
 	#AlwaysAllow
 // IfHealthyBudget policy means that running pods (status.phase="Running"),
 // but not yet healthy can be evicted only if the guarded application is not
 // disrupted (status.currentHealthy is at least equal to status.desiredHealthy).
 // Healthy pods will be subject to the PDB for eviction.
 #IfHealthyBudget: #UnhealthyPodEvictionPolicyType & "IfHealthyBudget"
 // AlwaysAllow policy means that all running pods (status.phase="Running"),
 // but not yet healthy are considered disrupted and can be evicted regardless
 // of whether the criteria in a PDB is met. This means perspective running
 // pods of a disrupted application might not get a chance to become healthy.
 // Healthy pods will be subject to the PDB for eviction.
 #AlwaysAllow: #UnhealthyPodEvictionPolicyType & "AlwaysAllow"
 // PodDisruptionBudgetStatus represents information about the status of a
 // PodDisruptionBudget. Status may trail the actual state of a system.
 #PodDisruptionBudgetStatus: {
 	// Most recent generation observed when updating this PDB status. DisruptionsAllowed and other
 	// status information is valid only if observedGeneration equals to PDB's object generation.
 	// +optional
 	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
 	// DisruptedPods contains information about pods whose eviction was
 	// processed by the API server eviction subresource handler but has not
 	// yet been observed by the PodDisruptionBudget controller.
 	// A pod will be in this map from the time when the API server processed the
 	// eviction request to the time when the pod is seen by PDB controller
 	// as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
 	// and the value is the time when the API server processed the eviction request. If
 	// the deletion didn't occur and a pod is still there it will be removed from
 	// the list automatically by PodDisruptionBudget controller after some time.
 	// If everything goes smooth this map should be empty for the most of the time.
 	// Large number of entries in the map may indicate problems with pod deletions.
 	// +optional
 	disruptedPods?: {[string]: metav1.#Time} @go(DisruptedPods,map[string]metav1.Time) @protobuf(2,bytes,rep)
 	// Number of pod disruptions that are currently allowed.
 	disruptionsAllowed: int32 @go(DisruptionsAllowed) @protobuf(3,varint,opt)
 	// current number of healthy pods
 	currentHealthy: int32 @go(CurrentHealthy) @protobuf(4,varint,opt)
 	// minimum desired number of healthy pods
 	desiredHealthy: int32 @go(DesiredHealthy) @protobuf(5,varint,opt)
 	// total number of pods counted by this disruption budget
 	expectedPods: int32 @go(ExpectedPods) @protobuf(6,varint,opt)
 	// Conditions contain conditions for PDB. The disruption controller sets the
 	// DisruptionAllowed condition. The following are known values for the reason field
 	// (additional reasons could be added in the future):
 	// - SyncFailed: The controller encountered an error and wasn't able to compute
 	//               the number of allowed disruptions. Therefore no disruptions are
 	//               allowed and the status of the condition will be False.
 	// - InsufficientPods: The number of pods are either at or below the number
 	//                     required by the PodDisruptionBudget. No disruptions are
 	//                     allowed and the status of the condition will be False.
 	// - SufficientPods: There are more pods than required by the PodDisruptionBudget.
 	//                   The condition will be True, and the number of allowed
 	//                   disruptions are provided by the disruptionsAllowed property.
 	//
 	// +optional
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=type
 	conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) @protobuf(7,bytes,rep)
 }
 // DisruptionAllowedCondition is a condition set by the disruption controller
 // that signal whether any of the pods covered by the PDB can be disrupted.
 #DisruptionAllowedCondition: "DisruptionAllowed"
 // SyncFailedReason is set on the DisruptionAllowed condition if reconcile
 // of the PDB failed and therefore disruption of pods are not allowed.
 #SyncFailedReason: "SyncFailed"
 // SufficientPodsReason is set on the DisruptionAllowed condition if there are
 // more pods covered by the PDB than required and at least one can be disrupted.
 #SufficientPodsReason: "SufficientPods"
 // InsufficientPodsReason is set on the DisruptionAllowed condition if the number
 // of pods are equal to or fewer than required by the PDB.
 #InsufficientPodsReason: "InsufficientPods"
 // PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
 #PodDisruptionBudget: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Specification of the desired behavior of the PodDisruptionBudget.
 	// +optional
 	spec?: #PodDisruptionBudgetSpec @go(Spec) @protobuf(2,bytes,opt)
 	// Most recently observed status of the PodDisruptionBudget.
 	// +optional
 	status?: #PodDisruptionBudgetStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // PodDisruptionBudgetList is a collection of PodDisruptionBudgets.
 #PodDisruptionBudgetList: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is a list of PodDisruptionBudgets
 	items: [...#PodDisruptionBudget] @go(Items,[]PodDisruptionBudget) @protobuf(2,bytes,rep)
 }
 // Eviction evicts a pod from its node subject to certain policies and safety constraints.
 // This is a subresource of Pod.  A request to cause such an eviction is
 // created by POSTing to .../pods/<pod name>/evictions.
 #Eviction: {
 	metav1.#TypeMeta
 	// ObjectMeta describes the pod that is being evicted.
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// DeleteOptions may be provided
 	// +optional
 	deleteOptions?: null | metav1.#DeleteOptions @go(DeleteOptions,*metav1.DeleteOptions) @protobuf(2,bytes,opt)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/rbac/v1
 package v1
 #GroupName: "rbac.authorization.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue

@@ -0,0 +1,207 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/rbac/v1
 package v1
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 #APIGroupAll:        "*"
 #ResourceAll:        "*"
 #VerbAll:            "*"
 #NonResourceAll:     "*"
 #GroupKind:          "Group"
 #ServiceAccountKind: "ServiceAccount"
 #UserKind:           "User"
 // AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false"
 #AutoUpdateAnnotationKey: "rbac.authorization.kubernetes.io/autoupdate"
 // PolicyRule holds information that describes a policy rule, but does not contain information
 // about who the rule applies to or which namespace the rule applies to.
 #PolicyRule: {
 	// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
 	verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep)
 	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
 	// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
 	// +optional
 	apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep)
 	// Resources is a list of resources this rule applies to. '*' represents all resources.
 	// +optional
 	resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep)
 	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
 	// +optional
 	resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep)
 	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
 	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
 	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
 	// +optional
 	nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(5,bytes,rep)
 }
 // Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
 // or a value for non-objects such as user and group names.
 // +structType=atomic
 #Subject: {
 	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
 	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
 	kind: string @go(Kind) @protobuf(1,bytes,opt)
 	// APIGroup holds the API group of the referenced subject.
 	// Defaults to "" for ServiceAccount subjects.
 	// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
 	// +optional
 	apiGroup?: string @go(APIGroup) @protobuf(2,bytes,opt.name=apiGroup)
 	// Name of the object being referenced.
 	name: string @go(Name) @protobuf(3,bytes,opt)
 	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
 	// the Authorizer should report an error.
 	// +optional
 	namespace?: string @go(Namespace) @protobuf(4,bytes,opt)
 }
 // RoleRef contains information that points to the role being used
 // +structType=atomic
 #RoleRef: {
 	// APIGroup is the group for the resource being referenced
 	apiGroup: string @go(APIGroup) @protobuf(1,bytes,opt)
 	// Kind is the type of resource being referenced
 	kind: string @go(Kind) @protobuf(2,bytes,opt)
 	// Name is the name of resource being referenced
 	name: string @go(Name) @protobuf(3,bytes,opt)
 }
 // Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
 #Role: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Rules holds all the PolicyRules for this Role
 	// +optional
 	rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep)
 }
 // RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
 // It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
 // namespace only have effect in that namespace.
 #RoleBinding: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Subjects holds references to the objects the role applies to.
 	// +optional
 	subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep)
 	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
 	// If the RoleRef cannot be resolved, the Authorizer must return an error.
 	// This field is immutable.
 	roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt)
 }
 // RoleBindingList is a collection of RoleBindings
 #RoleBindingList: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is a list of RoleBindings
 	items: [...#RoleBinding] @go(Items,[]RoleBinding) @protobuf(2,bytes,rep)
 }
 // RoleList is a collection of Roles
 #RoleList: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is a list of Roles
 	items: [...#Role] @go(Items,[]Role) @protobuf(2,bytes,rep)
 }
 // ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
 #ClusterRole: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Rules holds all the PolicyRules for this ClusterRole
 	// +optional
 	rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep)
 	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
 	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
 	// stomped by the controller.
 	// +optional
 	aggregationRule?: null | #AggregationRule @go(AggregationRule,*AggregationRule) @protobuf(3,bytes,opt)
 }
 // AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
 #AggregationRule: {
 	// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
 	// If any of the selectors match, then the ClusterRole's permissions will be added
 	// +optional
 	clusterRoleSelectors?: [...metav1.#LabelSelector] @go(ClusterRoleSelectors,[]metav1.LabelSelector) @protobuf(1,bytes,rep)
 }
 // ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
 // and adds who information via Subject.
 #ClusterRoleBinding: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// Subjects holds references to the objects the role applies to.
 	// +optional
 	subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep)
 	// RoleRef can only reference a ClusterRole in the global namespace.
 	// If the RoleRef cannot be resolved, the Authorizer must return an error.
 	// This field is immutable.
 	roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt)
 }
 // ClusterRoleBindingList is a collection of ClusterRoleBindings
 #ClusterRoleBindingList: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is a list of ClusterRoleBindings
 	items: [...#ClusterRoleBinding] @go(Items,[]ClusterRoleBinding) @protobuf(2,bytes,rep)
 }
 // ClusterRoleList is a collection of ClusterRoles
 #ClusterRoleList: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Items is a list of ClusterRoles
 	items: [...#ClusterRole] @go(Items,[]ClusterRole) @protobuf(2,bytes,rep)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/scheduling/v1
 package v1
 #GroupName: "scheduling.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue

@@ -0,0 +1,57 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/scheduling/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	apiv1 "k8s.io/api/core/v1"
 )
 // PriorityClass defines mapping from a priority class name to the priority
 // integer value. The value can be any valid integer.
 #PriorityClass: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// value represents the integer value of this priority class. This is the actual priority that pods
 	// receive when they have the name of this class in their pod spec.
 	value: int32 @go(Value) @protobuf(2,bytes,opt)
 	// globalDefault specifies whether this PriorityClass should be considered as
 	// the default priority for pods that do not have any priority class.
 	// Only one PriorityClass can be marked as `globalDefault`. However, if more than
 	// one PriorityClasses exists with their `globalDefault` field set to true,
 	// the smallest value of such global default PriorityClasses will be used as the default priority.
 	// +optional
 	globalDefault?: bool @go(GlobalDefault) @protobuf(3,bytes,opt)
 	// description is an arbitrary string that usually provides guidelines on
 	// when this priority class should be used.
 	// +optional
 	description?: string @go(Description) @protobuf(4,bytes,opt)
 	// preemptionPolicy is the Policy for preempting pods with lower priority.
 	// One of Never, PreemptLowerPriority.
 	// Defaults to PreemptLowerPriority if unset.
 	// +optional
 	preemptionPolicy?: null | apiv1.#PreemptionPolicy @go(PreemptionPolicy,*apiv1.PreemptionPolicy) @protobuf(5,bytes,opt)
 }
 // PriorityClassList is a collection of priority classes.
 #PriorityClassList: {
 	metav1.#TypeMeta
 	// Standard list metadata
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of PriorityClasses
 	items: [...#PriorityClass] @go(Items,[]PriorityClass) @protobuf(2,bytes,rep)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/storage/v1
 package v1
 #GroupName: "storage.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue

@@ -0,0 +1,652 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/api/storage/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 )
 // StorageClass describes the parameters for a class of storage for
 // which PersistentVolumes can be dynamically provisioned.
 //
 // StorageClasses are non-namespaced; the name of the storage class
 // according to etcd is in ObjectMeta.Name.
 #StorageClass: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// provisioner indicates the type of the provisioner.
 	provisioner: string @go(Provisioner) @protobuf(2,bytes,opt)
 	// parameters holds the parameters for the provisioner that should
 	// create volumes of this storage class.
 	// +optional
 	parameters?: {[string]: string} @go(Parameters,map[string]string) @protobuf(3,bytes,rep)
 	// reclaimPolicy controls the reclaimPolicy for dynamically provisioned PersistentVolumes of this storage class.
 	// Defaults to Delete.
 	// +optional
 	reclaimPolicy?: null | v1.#PersistentVolumeReclaimPolicy @go(ReclaimPolicy,*v1.PersistentVolumeReclaimPolicy) @protobuf(4,bytes,opt,casttype=k8s.io/api/core/v1.PersistentVolumeReclaimPolicy)
 	// mountOptions controls the mountOptions for dynamically provisioned PersistentVolumes of this storage class.
 	// e.g. ["ro", "soft"]. Not validated -
 	// mount of the PVs will simply fail if one is invalid.
 	// +optional
 	mountOptions?: [...string] @go(MountOptions,[]string) @protobuf(5,bytes,opt)
 	// allowVolumeExpansion shows whether the storage class allow volume expand.
 	// +optional
 	allowVolumeExpansion?: null | bool @go(AllowVolumeExpansion,*bool) @protobuf(6,varint,opt)
 	// volumeBindingMode indicates how PersistentVolumeClaims should be
 	// provisioned and bound.  When unset, VolumeBindingImmediate is used.
 	// This field is only honored by servers that enable the VolumeScheduling feature.
 	// +optional
 	volumeBindingMode?: null | #VolumeBindingMode @go(VolumeBindingMode,*VolumeBindingMode) @protobuf(7,bytes,opt)
 	// allowedTopologies restrict the node topologies where volumes can be dynamically provisioned.
 	// Each volume plugin defines its own supported topology specifications.
 	// An empty TopologySelectorTerm list means there is no topology restriction.
 	// This field is only honored by servers that enable the VolumeScheduling feature.
 	// +optional
 	// +listType=atomic
 	allowedTopologies?: [...v1.#TopologySelectorTerm] @go(AllowedTopologies,[]v1.TopologySelectorTerm) @protobuf(8,bytes,rep)
 }
 // StorageClassList is a collection of storage classes.
 #StorageClassList: {
 	metav1.#TypeMeta
 	// Standard list metadata
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of StorageClasses
 	items: [...#StorageClass] @go(Items,[]StorageClass) @protobuf(2,bytes,rep)
 }
 // VolumeBindingMode indicates how PersistentVolumeClaims should be bound.
 // +enum
 #VolumeBindingMode: string // #enumVolumeBindingMode
 #enumVolumeBindingMode:
 	#VolumeBindingImmediate |
 	#VolumeBindingWaitForFirstConsumer
 // VolumeBindingImmediate indicates that PersistentVolumeClaims should be
 // immediately provisioned and bound.  This is the default mode.
 #VolumeBindingImmediate: #VolumeBindingMode & "Immediate"
 // VolumeBindingWaitForFirstConsumer indicates that PersistentVolumeClaims
 // should not be provisioned and bound until the first Pod is created that
 // references the PeristentVolumeClaim.  The volume provisioning and
 // binding will occur during Pod scheduing.
 #VolumeBindingWaitForFirstConsumer: #VolumeBindingMode & "WaitForFirstConsumer"
 // VolumeAttachment captures the intent to attach or detach the specified volume
 // to/from the specified node.
 //
 // VolumeAttachment objects are non-namespaced.
 #VolumeAttachment: {
 	metav1.#TypeMeta
 	// Standard object metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec represents specification of the desired attach/detach volume behavior.
 	// Populated by the Kubernetes system.
 	spec: #VolumeAttachmentSpec @go(Spec) @protobuf(2,bytes,opt)
 	// status represents status of the VolumeAttachment request.
 	// Populated by the entity completing the attach or detach
 	// operation, i.e. the external-attacher.
 	// +optional
 	status?: #VolumeAttachmentStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // VolumeAttachmentList is a collection of VolumeAttachment objects.
 #VolumeAttachmentList: {
 	metav1.#TypeMeta
 	// Standard list metadata
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of VolumeAttachments
 	items: [...#VolumeAttachment] @go(Items,[]VolumeAttachment) @protobuf(2,bytes,rep)
 }
 // VolumeAttachmentSpec is the specification of a VolumeAttachment request.
 #VolumeAttachmentSpec: {
 	// attacher indicates the name of the volume driver that MUST handle this
 	// request. This is the name returned by GetPluginName().
 	attacher: string @go(Attacher) @protobuf(1,bytes,opt)
 	// source represents the volume that should be attached.
 	source: #VolumeAttachmentSource @go(Source) @protobuf(2,bytes,opt)
 	// nodeName represents the node that the volume should be attached to.
 	nodeName: string @go(NodeName) @protobuf(3,bytes,opt)
 }
 // VolumeAttachmentSource represents a volume that should be attached.
 // Right now only PersistenVolumes can be attached via external attacher,
 // in future we may allow also inline volumes in pods.
 // Exactly one member can be set.
 #VolumeAttachmentSource: {
 	// persistentVolumeName represents the name of the persistent volume to attach.
 	// +optional
 	persistentVolumeName?: null | string @go(PersistentVolumeName,*string) @protobuf(1,bytes,opt)
 	// inlineVolumeSpec contains all the information necessary to attach
 	// a persistent volume defined by a pod's inline VolumeSource. This field
 	// is populated only for the CSIMigration feature. It contains
 	// translated fields from a pod's inline VolumeSource to a
 	// PersistentVolumeSpec. This field is beta-level and is only
 	// honored by servers that enabled the CSIMigration feature.
 	// +optional
 	inlineVolumeSpec?: null | v1.#PersistentVolumeSpec @go(InlineVolumeSpec,*v1.PersistentVolumeSpec) @protobuf(2,bytes,opt)
 }
 // VolumeAttachmentStatus is the status of a VolumeAttachment request.
 #VolumeAttachmentStatus: {
 	// attached indicates the volume is successfully attached.
 	// This field must only be set by the entity completing the attach
 	// operation, i.e. the external-attacher.
 	attached: bool @go(Attached) @protobuf(1,varint,opt)
 	// attachmentMetadata is populated with any
 	// information returned by the attach operation, upon successful attach, that must be passed
 	// into subsequent WaitForAttach or Mount calls.
 	// This field must only be set by the entity completing the attach
 	// operation, i.e. the external-attacher.
 	// +optional
 	attachmentMetadata?: {[string]: string} @go(AttachmentMetadata,map[string]string) @protobuf(2,bytes,rep)
 	// attachError represents the last error encountered during attach operation, if any.
 	// This field must only be set by the entity completing the attach
 	// operation, i.e. the external-attacher.
 	// +optional
 	attachError?: null | #VolumeError @go(AttachError,*VolumeError) @protobuf(3,bytes,opt,casttype=VolumeError)
 	// detachError represents the last error encountered during detach operation, if any.
 	// This field must only be set by the entity completing the detach
 	// operation, i.e. the external-attacher.
 	// +optional
 	detachError?: null | #VolumeError @go(DetachError,*VolumeError) @protobuf(4,bytes,opt,casttype=VolumeError)
 }
 // VolumeError captures an error encountered during a volume operation.
 #VolumeError: {
 	// time represents the time the error was encountered.
 	// +optional
 	time?: metav1.#Time @go(Time) @protobuf(1,bytes,opt)
 	// message represents the error encountered during Attach or Detach operation.
 	// This string may be logged, so it should not contain sensitive
 	// information.
 	// +optional
 	message?: string @go(Message) @protobuf(2,bytes,opt)
 }
 // CSIDriver captures information about a Container Storage Interface (CSI)
 // volume driver deployed on the cluster.
 // Kubernetes attach detach controller uses this object to determine whether attach is required.
 // Kubelet uses this object to determine whether pod information needs to be passed on mount.
 // CSIDriver objects are non-namespaced.
 #CSIDriver: {
 	metav1.#TypeMeta
 	// Standard object metadata.
 	// metadata.Name indicates the name of the CSI driver that this object
 	// refers to; it MUST be the same name returned by the CSI GetPluginName()
 	// call for that driver.
 	// The driver name must be 63 characters or less, beginning and ending with
 	// an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and
 	// alphanumerics between.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec represents the specification of the CSI Driver.
 	spec: #CSIDriverSpec @go(Spec) @protobuf(2,bytes,opt)
 }
 // CSIDriverList is a collection of CSIDriver objects.
 #CSIDriverList: {
 	metav1.#TypeMeta
 	// Standard list metadata
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of CSIDriver
 	items: [...#CSIDriver] @go(Items,[]CSIDriver) @protobuf(2,bytes,rep)
 }
 // CSIDriverSpec is the specification of a CSIDriver.
 #CSIDriverSpec: {
 	// attachRequired indicates this CSI volume driver requires an attach
 	// operation (because it implements the CSI ControllerPublishVolume()
 	// method), and that the Kubernetes attach detach controller should call
 	// the attach volume interface which checks the volumeattachment status
 	// and waits until the volume is attached before proceeding to mounting.
 	// The CSI external-attacher coordinates with CSI volume driver and updates
 	// the volumeattachment status when the attach operation is complete.
 	// If the CSIDriverRegistry feature gate is enabled and the value is
 	// specified to false, the attach operation will be skipped.
 	// Otherwise the attach operation will be called.
 	//
 	// This field is immutable.
 	//
 	// +optional
 	attachRequired?: null | bool @go(AttachRequired,*bool) @protobuf(1,varint,opt)
 	// podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.)
 	// during mount operations, if set to true.
 	// If set to false, pod information will not be passed on mount.
 	// Default is false.
 	//
 	// The CSI driver specifies podInfoOnMount as part of driver deployment.
 	// If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls.
 	// The CSI driver is responsible for parsing and validating the information passed in as VolumeContext.
 	//
 	// The following VolumeConext will be passed if podInfoOnMount is set to true.
 	// This list might grow, but the prefix will be used.
 	// "csi.storage.k8s.io/pod.name": pod.Name
 	// "csi.storage.k8s.io/pod.namespace": pod.Namespace
 	// "csi.storage.k8s.io/pod.uid": string(pod.UID)
 	// "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume
 	//                                 defined by a CSIVolumeSource, otherwise "false"
 	//
 	// "csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only
 	// required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode.
 	// Other drivers can leave pod info disabled and/or ignore this field.
 	// As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when
 	// deployed on such a cluster and the deployment determines which mode that is, for example
 	// via a command line parameter of the driver.
 	//
 	// This field is immutable.
 	//
 	// +optional
 	podInfoOnMount?: null | bool @go(PodInfoOnMount,*bool) @protobuf(2,bytes,opt)
 	// volumeLifecycleModes defines what kind of volumes this CSI volume driver supports.
 	// The default if the list is empty is "Persistent", which is the usage defined by the
 	// CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism.
 	//
 	// The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec
 	// with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod.
 	// A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume.
 	//
 	// For more information about implementing this mode, see
 	// https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html
 	// A driver can support one or more of these modes and more modes may be added in the future.
 	//
 	// This field is beta.
 	// This field is immutable.
 	//
 	// +optional
 	// +listType=set
 	volumeLifecycleModes?: [...#VolumeLifecycleMode] @go(VolumeLifecycleModes,[]VolumeLifecycleMode) @protobuf(3,bytes,opt)
 	// storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage
 	// capacity that the driver deployment will report by creating
 	// CSIStorageCapacity objects with capacity information, if set to true.
 	//
 	// The check can be enabled immediately when deploying a driver.
 	// In that case, provisioning new volumes with late binding
 	// will pause until the driver deployment has published
 	// some suitable CSIStorageCapacity object.
 	//
 	// Alternatively, the driver can be deployed with the field
 	// unset or false and it can be flipped later when storage
 	// capacity information has been published.
 	//
 	// This field was immutable in Kubernetes <= 1.22 and now is mutable.
 	//
 	// +optional
 	// +featureGate=CSIStorageCapacity
 	storageCapacity?: null | bool @go(StorageCapacity,*bool) @protobuf(4,bytes,opt)
 	// fsGroupPolicy defines if the underlying volume supports changing ownership and
 	// permission of the volume before being mounted.
 	// Refer to the specific FSGroupPolicy values for additional details.
 	//
 	// This field is immutable.
 	//
 	// Defaults to ReadWriteOnceWithFSType, which will examine each volume
 	// to determine if Kubernetes should modify ownership and permissions of the volume.
 	// With the default policy the defined fsGroup will only be applied
 	// if a fstype is defined and the volume's access mode contains ReadWriteOnce.
 	//
 	// +optional
 	fsGroupPolicy?: null | #FSGroupPolicy @go(FSGroupPolicy,*FSGroupPolicy) @protobuf(5,bytes,opt)
 	// tokenRequests indicates the CSI driver needs pods' service account
 	// tokens it is mounting volume for to do necessary authentication. Kubelet
 	// will pass the tokens in VolumeContext in the CSI NodePublishVolume calls.
 	// The CSI driver should parse and validate the following VolumeContext:
 	// "csi.storage.k8s.io/serviceAccount.tokens": {
 	//   "<audience>": {
 	//     "token": <token>,
 	//     "expirationTimestamp": <expiration timestamp in RFC3339>,
 	//   },
 	//   ...
 	// }
 	//
 	// Note: Audience in each TokenRequest should be different and at
 	// most one token is empty string. To receive a new token after expiry,
 	// RequiresRepublish can be used to trigger NodePublishVolume periodically.
 	//
 	// +optional
 	// +listType=atomic
 	tokenRequests?: [...#TokenRequest] @go(TokenRequests,[]TokenRequest) @protobuf(6,bytes,opt)
 	// requiresRepublish indicates the CSI driver wants `NodePublishVolume`
 	// being periodically called to reflect any possible change in the mounted
 	// volume. This field defaults to false.
 	//
 	// Note: After a successful initial NodePublishVolume call, subsequent calls
 	// to NodePublishVolume should only update the contents of the volume. New
 	// mount points will not be seen by a running container.
 	//
 	// +optional
 	requiresRepublish?: null | bool @go(RequiresRepublish,*bool) @protobuf(7,varint,opt)
 	// seLinuxMount specifies if the CSI driver supports "-o context"
 	// mount option.
 	//
 	// When "true", the CSI driver must ensure that all volumes provided by this CSI
 	// driver can be mounted separately with different `-o context` options. This is
 	// typical for storage backends that provide volumes as filesystems on block
 	// devices or as independent shared volumes.
 	// Kubernetes will call NodeStage / NodePublish with "-o context=xyz" mount
 	// option when mounting a ReadWriteOncePod volume used in Pod that has
 	// explicitly set SELinux context. In the future, it may be expanded to other
 	// volume AccessModes. In any case, Kubernetes will ensure that the volume is
 	// mounted only with a single SELinux context.
 	//
 	// When "false", Kubernetes won't pass any special SELinux mount options to the driver.
 	// This is typical for volumes that represent subdirectories of a bigger shared filesystem.
 	//
 	// Default is "false".
 	//
 	// +featureGate=SELinuxMountReadWriteOncePod
 	// +optional
 	seLinuxMount?: null | bool @go(SELinuxMount,*bool) @protobuf(8,varint,opt)
 }
 // FSGroupPolicy specifies if a CSI Driver supports modifying
 // volume ownership and permissions of the volume to be mounted.
 // More modes may be added in the future.
 #FSGroupPolicy: string // #enumFSGroupPolicy
 #enumFSGroupPolicy:
 	#ReadWriteOnceWithFSTypeFSGroupPolicy |
 	#FileFSGroupPolicy |
 	#NoneFSGroupPolicy
 // ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined
 // to determine if the volume ownership and permissions
 // should be modified. If a fstype is defined and the volume's access mode
 // contains ReadWriteOnce, then the defined fsGroup will be applied.
 // This mode should be defined if it's expected that the
 // fsGroup may need to be modified depending on the pod's SecurityPolicy.
 // This is the default behavior if no other FSGroupPolicy is defined.
 #ReadWriteOnceWithFSTypeFSGroupPolicy: #FSGroupPolicy & "ReadWriteOnceWithFSType"
 // FileFSGroupPolicy indicates that CSI driver supports volume ownership
 // and permission change via fsGroup, and Kubernetes will change the permissions
 // and ownership of every file in the volume to match the user requested fsGroup in
 // the pod's SecurityPolicy regardless of fstype or access mode.
 // Use this mode if Kubernetes should modify the permissions and ownership
 // of the volume.
 #FileFSGroupPolicy: #FSGroupPolicy & "File"
 // NoneFSGroupPolicy indicates that volumes will be mounted without performing
 // any ownership or permission modifications, as the CSIDriver does not support
 // these operations.
 // This mode should be selected if the CSIDriver does not support fsGroup modifications,
 // for example when Kubernetes cannot change ownership and permissions on a volume due
 // to root-squash settings on a NFS volume.
 #NoneFSGroupPolicy: #FSGroupPolicy & "None"
 // VolumeLifecycleMode is an enumeration of possible usage modes for a volume
 // provided by a CSI driver. More modes may be added in the future.
 #VolumeLifecycleMode: string // #enumVolumeLifecycleMode
 #enumVolumeLifecycleMode:
 	#VolumeLifecyclePersistent |
 	#VolumeLifecycleEphemeral
 // TokenRequest contains parameters of a service account token.
 #TokenRequest: {
 	// audience is the intended audience of the token in "TokenRequestSpec".
 	// It will default to the audiences of kube apiserver.
 	audience: string @go(Audience) @protobuf(1,bytes,opt)
 	// expirationSeconds is the duration of validity of the token in "TokenRequestSpec".
 	// It has the same default value of "ExpirationSeconds" in "TokenRequestSpec".
 	//
 	// +optional
 	expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(2,varint,opt)
 }
 // VolumeLifecyclePersistent explicitly confirms that the driver implements
 // the full CSI spec. It is the default when CSIDriverSpec.VolumeLifecycleModes is not
 // set. Such volumes are managed in Kubernetes via the persistent volume
 // claim mechanism and have a lifecycle that is independent of the pods which
 // use them.
 #VolumeLifecyclePersistent: #VolumeLifecycleMode & "Persistent"
 // VolumeLifecycleEphemeral indicates that the driver can be used for
 // ephemeral inline volumes. Such volumes are specified inside the pod
 // spec with a CSIVolumeSource and, as far as Kubernetes is concerned, have
 // a lifecycle that is tied to the lifecycle of the pod. For example, such
 // a volume might contain data that gets created specifically for that pod,
 // like secrets.
 // But how the volume actually gets created and managed is entirely up to
 // the driver. It might also use reference counting to share the same volume
 // instance among different pods if the CSIVolumeSource of those pods is
 // identical.
 #VolumeLifecycleEphemeral: #VolumeLifecycleMode & "Ephemeral"
 // CSINode holds information about all CSI drivers installed on a node.
 // CSI drivers do not need to create the CSINode object directly. As long as
 // they use the node-driver-registrar sidecar container, the kubelet will
 // automatically populate the CSINode object for the CSI driver as part of
 // kubelet plugin registration.
 // CSINode has the same name as a node. If the object is missing, it means either
 // there are no CSI Drivers available on the node, or the Kubelet version is low
 // enough that it doesn't create this object.
 // CSINode has an OwnerReference that points to the corresponding node object.
 #CSINode: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// metadata.name must be the Kubernetes node name.
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec is the specification of CSINode
 	spec: #CSINodeSpec @go(Spec) @protobuf(2,bytes,opt)
 }
 // CSINodeSpec holds information about the specification of all CSI drivers installed on a node
 #CSINodeSpec: {
 	// drivers is a list of information of all CSI Drivers existing on a node.
 	// If all drivers in the list are uninstalled, this can become empty.
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	drivers: [...#CSINodeDriver] @go(Drivers,[]CSINodeDriver) @protobuf(1,bytes,rep)
 }
 // CSINodeDriver holds information about the specification of one CSI driver installed on a node
 #CSINodeDriver: {
 	// name represents the name of the CSI driver that this object refers to.
 	// This MUST be the same name returned by the CSI GetPluginName() call for
 	// that driver.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// nodeID of the node from the driver point of view.
 	// This field enables Kubernetes to communicate with storage systems that do
 	// not share the same nomenclature for nodes. For example, Kubernetes may
 	// refer to a given node as "node1", but the storage system may refer to
 	// the same node as "nodeA". When Kubernetes issues a command to the storage
 	// system to attach a volume to a specific node, it can use this field to
 	// refer to the node name using the ID that the storage system will
 	// understand, e.g. "nodeA" instead of "node1". This field is required.
 	nodeID: string @go(NodeID) @protobuf(2,bytes,opt)
 	// topologyKeys is the list of keys supported by the driver.
 	// When a driver is initialized on a cluster, it provides a set of topology
 	// keys that it understands (e.g. "company.com/zone", "company.com/region").
 	// When a driver is initialized on a node, it provides the same topology keys
 	// along with values. Kubelet will expose these topology keys as labels
 	// on its own node object.
 	// When Kubernetes does topology aware provisioning, it can use this list to
 	// determine which labels it should retrieve from the node object and pass
 	// back to the driver.
 	// It is possible for different nodes to use different topology keys.
 	// This can be empty if driver does not support topology.
 	// +optional
 	topologyKeys: [...string] @go(TopologyKeys,[]string) @protobuf(3,bytes,rep)
 	// allocatable represents the volume resources of a node that are available for scheduling.
 	// This field is beta.
 	// +optional
 	allocatable?: null | #VolumeNodeResources @go(Allocatable,*VolumeNodeResources) @protobuf(4,bytes,opt)
 }
 // VolumeNodeResources is a set of resource limits for scheduling of volumes.
 #VolumeNodeResources: {
 	// count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node.
 	// A volume that is both attached and mounted on a node is considered to be used once, not twice.
 	// The same rule applies for a unique volume that is shared among multiple pods on the same node.
 	// If this field is not specified, then the supported number of volumes on this node is unbounded.
 	// +optional
 	count?: null | int32 @go(Count,*int32) @protobuf(1,varint,opt)
 }
 // CSINodeList is a collection of CSINode objects.
 #CSINodeList: {
 	metav1.#TypeMeta
 	// Standard list metadata
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of CSINode
 	items: [...#CSINode] @go(Items,[]CSINode) @protobuf(2,bytes,rep)
 }
 // CSIStorageCapacity stores the result of one CSI GetCapacity call.
 // For a given StorageClass, this describes the available capacity in a
 // particular topology segment.  This can be used when considering where to
 // instantiate new PersistentVolumes.
 //
 // For example this can express things like:
 // - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1"
 // - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123"
 //
 // The following three cases all imply that no capacity is available for
 // a certain combination:
 // - no object exists with suitable topology and storage class name
 // - such an object exists, but the capacity is unset
 // - such an object exists, but the capacity is zero
 //
 // The producer of these objects can decide which approach is more suitable.
 //
 // They are consumed by the kube-scheduler when a CSI driver opts into
 // capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler
 // compares the MaximumVolumeSize against the requested size of pending volumes
 // to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back
 // to a comparison against the less precise Capacity. If that is also unset,
 // the scheduler assumes that capacity is insufficient and tries some other
 // node.
 #CSIStorageCapacity: {
 	metav1.#TypeMeta
 	// Standard object's metadata.
 	// The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters).
 	// To ensure that there are no conflicts with other CSI drivers on the cluster,
 	// the recommendation is to use csisc-<uuid>, a generated name, or a reverse-domain name
 	// which ends with the unique CSI driver name.
 	//
 	// Objects are namespaced.
 	//
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// nodeTopology defines which nodes have access to the storage
 	// for which capacity was reported. If not set, the storage is
 	// not accessible from any node in the cluster. If empty, the
 	// storage is accessible from all nodes. This field is
 	// immutable.
 	//
 	// +optional
 	nodeTopology?: null | metav1.#LabelSelector @go(NodeTopology,*metav1.LabelSelector) @protobuf(2,bytes,opt)
 	// storageClassName represents the name of the StorageClass that the reported capacity applies to.
 	// It must meet the same requirements as the name of a StorageClass
 	// object (non-empty, DNS subdomain). If that object no longer exists,
 	// the CSIStorageCapacity object is obsolete and should be removed by its
 	// creator.
 	// This field is immutable.
 	storageClassName: string @go(StorageClassName) @protobuf(3,bytes)
 	// capacity is the value reported by the CSI driver in its GetCapacityResponse
 	// for a GetCapacityRequest with topology and parameters that match the
 	// previous fields.
 	//
 	// The semantic is currently (CSI spec 1.2) defined as:
 	// The available capacity, in bytes, of the storage that can be used
 	// to provision volumes. If not set, that information is currently
 	// unavailable.
 	//
 	// +optional
 	capacity?: null | resource.#Quantity @go(Capacity,*resource.Quantity) @protobuf(4,bytes,opt)
 	// maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse
 	// for a GetCapacityRequest with topology and parameters that match the
 	// previous fields.
 	//
 	// This is defined since CSI spec 1.4.0 as the largest size
 	// that may be used in a
 	// CreateVolumeRequest.capacity_range.required_bytes field to
 	// create a volume with the same parameters as those in
 	// GetCapacityRequest. The corresponding value in the Kubernetes
 	// API is ResourceRequirements.Requests in a volume claim.
 	//
 	// +optional
 	maximumVolumeSize?: null | resource.#Quantity @go(MaximumVolumeSize,*resource.Quantity) @protobuf(5,bytes,opt)
 }
 // CSIStorageCapacityList is a collection of CSIStorageCapacity objects.
 #CSIStorageCapacityList: {
 	metav1.#TypeMeta
 	// Standard list metadata
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items is the list of CSIStorageCapacity objects.
 	// +listType=map
 	// +listMapKey=name
 	items: [...#CSIStorageCapacity] @go(Items,[]CSIStorageCapacity) @protobuf(2,bytes,rep)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
 // Package v1 is the v1 version of the API.
 package v1

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
 package v1
 #GroupName: "apiextensions.k8s.io"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue

@@ -0,0 +1,513 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
 package v1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 // ConversionStrategyType describes different conversion types.
 #ConversionStrategyType: string // #enumConversionStrategyType
 #enumConversionStrategyType:
 	#NoneConverter |
 	#WebhookConverter
 // KubeAPIApprovedAnnotation is an annotation that must be set to create a CRD for the k8s.io, *.k8s.io, kubernetes.io, or *.kubernetes.io namespaces.
 // The value should be a link to a URL where the current spec was approved, so updates to the spec should also update the URL.
 // If the API is unapproved, you may set the annotation to a string starting with `"unapproved"`.  For instance, `"unapproved, temporarily squatting"` or `"unapproved, experimental-only"`.  This is discouraged.
 #KubeAPIApprovedAnnotation: "api-approved.kubernetes.io"
 // NoneConverter is a converter that only sets apiversion of the CR and leave everything else unchanged.
 #NoneConverter: #ConversionStrategyType & "None"
 // WebhookConverter is a converter that calls to an external webhook to convert the CR.
 #WebhookConverter: #ConversionStrategyType & "Webhook"
 // CustomResourceDefinitionSpec describes how a user wants their resource to appear
 #CustomResourceDefinitionSpec: {
 	// group is the API group of the defined custom resource.
 	// The custom resources are served under `/apis/<group>/...`.
 	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
 	group: string @go(Group) @protobuf(1,bytes,opt)
 	// names specify the resource and kind names for the custom resource.
 	names: #CustomResourceDefinitionNames @go(Names) @protobuf(3,bytes,opt)
 	// scope indicates whether the defined custom resource is cluster- or namespace-scoped.
 	// Allowed values are `Cluster` and `Namespaced`.
 	scope: #ResourceScope @go(Scope) @protobuf(4,bytes,opt,casttype=ResourceScope)
 	// versions is the list of all API versions of the defined custom resource.
 	// Version names are used to compute the order in which served versions are listed in API discovery.
 	// If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered
 	// lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version),
 	// then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first
 	// by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing
 	// major version, then minor version. An example sorted list of versions:
 	// v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.
 	versions: [...#CustomResourceDefinitionVersion] @go(Versions,[]CustomResourceDefinitionVersion) @protobuf(7,bytes,rep)
 	// conversion defines conversion settings for the CRD.
 	// +optional
 	conversion?: null | #CustomResourceConversion @go(Conversion,*CustomResourceConversion) @protobuf(9,bytes,opt)
 	// preserveUnknownFields indicates that object fields which are not specified
 	// in the OpenAPI schema should be preserved when persisting to storage.
 	// apiVersion, kind, metadata and known fields inside metadata are always preserved.
 	// This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`.
 	// See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details.
 	// +optional
 	preserveUnknownFields?: bool @go(PreserveUnknownFields) @protobuf(10,varint,opt)
 }
 // CustomResourceConversion describes how to convert different versions of a CR.
 #CustomResourceConversion: {
 	// strategy specifies how custom resources are converted between versions. Allowed values are:
 	// - `"None"`: The converter only change the apiVersion and would not touch any other field in the custom resource.
 	// - `"Webhook"`: API Server will call to an external webhook to do the conversion. Additional information
 	//   is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.
 	strategy: #ConversionStrategyType @go(Strategy) @protobuf(1,bytes)
 	// webhook describes how to call the conversion webhook. Required when `strategy` is set to `"Webhook"`.
 	// +optional
 	webhook?: null | #WebhookConversion @go(Webhook,*WebhookConversion) @protobuf(2,bytes,opt)
 }
 // WebhookConversion describes how to call a conversion webhook
 #WebhookConversion: {
 	// clientConfig is the instructions for how to call the webhook if strategy is `Webhook`.
 	// +optional
 	clientConfig?: null | #WebhookClientConfig @go(ClientConfig,*WebhookClientConfig) @protobuf(2,bytes)
 	// conversionReviewVersions is an ordered list of preferred `ConversionReview`
 	// versions the Webhook expects. The API server will use the first version in
 	// the list which it supports. If none of the versions specified in this list
 	// are supported by API server, conversion will fail for the custom resource.
 	// If a persisted Webhook configuration specifies allowed versions and does not
 	// include any versions known to the API Server, calls to the webhook will fail.
 	conversionReviewVersions: [...string] @go(ConversionReviewVersions,[]string) @protobuf(3,bytes,rep)
 }
 // WebhookClientConfig contains the information to make a TLS connection with the webhook.
 #WebhookClientConfig: {
 	// url gives the location of the webhook, in standard URL form
 	// (`scheme://host:port/path`). Exactly one of `url` or `service`
 	// must be specified.
 	//
 	// The `host` should not refer to a service running in the cluster; use
 	// the `service` field instead. The host might be resolved via external
 	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
 	// in-cluster DNS as that would be a layering violation). `host` may
 	// also be an IP address.
 	//
 	// Please note that using `localhost` or `127.0.0.1` as a `host` is
 	// risky unless you take great care to run this webhook on all hosts
 	// which run an apiserver which might need to make calls to this
 	// webhook. Such installs are likely to be non-portable, i.e., not easy
 	// to turn up in a new cluster.
 	//
 	// The scheme must be "https"; the URL must begin with "https://".
 	//
 	// A path is optional, and if present may be any string permissible in
 	// a URL. You may use the path to pass an arbitrary string to the
 	// webhook, for example, a cluster identifier.
 	//
 	// Attempting to use a user or basic auth e.g. "user:password@" is not
 	// allowed. Fragments ("#...") and query parameters ("?...") are not
 	// allowed, either.
 	//
 	// +optional
 	url?: null | string @go(URL,*string) @protobuf(3,bytes,opt)
 	// service is a reference to the service for this webhook. Either
 	// service or url must be specified.
 	//
 	// If the webhook is running within the cluster, then you should use `service`.
 	//
 	// +optional
 	service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt)
 	// caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
 	// If unspecified, system trust roots on the apiserver are used.
 	// +optional
 	caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt)
 }
 // ServiceReference holds a reference to Service.legacy.k8s.io
 #ServiceReference: {
 	// namespace is the namespace of the service.
 	// Required
 	namespace: string @go(Namespace) @protobuf(1,bytes,opt)
 	// name is the name of the service.
 	// Required
 	name: string @go(Name) @protobuf(2,bytes,opt)
 	// path is an optional URL path at which the webhook will be contacted.
 	// +optional
 	path?: null | string @go(Path,*string) @protobuf(3,bytes,opt)
 	// port is an optional service port at which the webhook will be contacted.
 	// `port` should be a valid port number (1-65535, inclusive).
 	// Defaults to 443 for backward compatibility.
 	// +optional
 	port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt)
 }
 // CustomResourceDefinitionVersion describes a version for CRD.
 #CustomResourceDefinitionVersion: {
 	// name is the version name, e.g. “v1”, “v2beta1”, etc.
 	// The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// served is a flag enabling/disabling this version from being served via REST APIs
 	served: bool @go(Served) @protobuf(2,varint,opt)
 	// storage indicates this version should be used when persisting custom resources to storage.
 	// There must be exactly one version with storage=true.
 	storage: bool @go(Storage) @protobuf(3,varint,opt)
 	// deprecated indicates this version of the custom resource API is deprecated.
 	// When set to true, API requests to this version receive a warning header in the server response.
 	// Defaults to false.
 	// +optional
 	deprecated?: bool @go(Deprecated) @protobuf(7,varint,opt)
 	// deprecationWarning overrides the default warning returned to API clients.
 	// May only be set when `deprecated` is true.
 	// The default warning indicates this version is deprecated and recommends use
 	// of the newest served version of equal or greater stability, if one exists.
 	// +optional
 	deprecationWarning?: null | string @go(DeprecationWarning,*string) @protobuf(8,bytes,opt)
 	// schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.
 	// +optional
 	schema?: null | #CustomResourceValidation @go(Schema,*CustomResourceValidation) @protobuf(4,bytes,opt)
 	// subresources specify what subresources this version of the defined custom resource have.
 	// +optional
 	subresources?: null | #CustomResourceSubresources @go(Subresources,*CustomResourceSubresources) @protobuf(5,bytes,opt)
 	// additionalPrinterColumns specifies additional columns returned in Table output.
 	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
 	// If no columns are specified, a single column displaying the age of the custom resource is used.
 	// +optional
 	additionalPrinterColumns?: [...#CustomResourceColumnDefinition] @go(AdditionalPrinterColumns,[]CustomResourceColumnDefinition) @protobuf(6,bytes,rep)
 }
 // CustomResourceColumnDefinition specifies a column for server side printing.
 #CustomResourceColumnDefinition: {
 	// name is a human readable name for the column.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// type is an OpenAPI type definition for this column.
 	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
 	type: string @go(Type) @protobuf(2,bytes,opt)
 	// format is an optional OpenAPI type definition for this column. The 'name' format is applied
 	// to the primary identifier column to assist in clients identifying column is the resource name.
 	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
 	// +optional
 	format?: string @go(Format) @protobuf(3,bytes,opt)
 	// description is a human readable description of this column.
 	// +optional
 	description?: string @go(Description) @protobuf(4,bytes,opt)
 	// priority is an integer defining the relative importance of this column compared to others. Lower
 	// numbers are considered higher priority. Columns that may be omitted in limited space scenarios
 	// should be given a priority greater than 0.
 	// +optional
 	priority?: int32 @go(Priority) @protobuf(5,bytes,opt)
 	// jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against
 	// each custom resource to produce the value for this column.
 	jsonPath: string @go(JSONPath) @protobuf(6,bytes,opt)
 }
 // CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition
 #CustomResourceDefinitionNames: {
 	// plural is the plural name of the resource to serve.
 	// The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
 	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
 	// Must be all lowercase.
 	plural: string @go(Plural) @protobuf(1,bytes,opt)
 	// singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.
 	// +optional
 	singular?: string @go(Singular) @protobuf(2,bytes,opt)
 	// shortNames are short names for the resource, exposed in API discovery documents,
 	// and used by clients to support invocations like `kubectl get <shortname>`.
 	// It must be all lowercase.
 	// +optional
 	shortNames?: [...string] @go(ShortNames,[]string) @protobuf(3,bytes,opt)
 	// kind is the serialized kind of the resource. It is normally CamelCase and singular.
 	// Custom resource instances will use this value as the `kind` attribute in API calls.
 	kind: string @go(Kind) @protobuf(4,bytes,opt)
 	// listKind is the serialized kind of the list for this resource. Defaults to "`kind`List".
 	// +optional
 	listKind?: string @go(ListKind) @protobuf(5,bytes,opt)
 	// categories is a list of grouped resources this custom resource belongs to (e.g. 'all').
 	// This is published in API discovery documents, and used by clients to support invocations like
 	// `kubectl get all`.
 	// +optional
 	categories?: [...string] @go(Categories,[]string) @protobuf(6,bytes,rep)
 }
 // ResourceScope is an enum defining the different scopes available to a custom resource
 #ResourceScope: string // #enumResourceScope
 #enumResourceScope:
 	#ClusterScoped |
 	#NamespaceScoped
 #ClusterScoped:   #ResourceScope & "Cluster"
 #NamespaceScoped: #ResourceScope & "Namespaced"
 #ConditionStatus: string // #enumConditionStatus
 #enumConditionStatus:
 	#ConditionTrue |
 	#ConditionFalse |
 	#ConditionUnknown
 #ConditionTrue:    #ConditionStatus & "True"
 #ConditionFalse:   #ConditionStatus & "False"
 #ConditionUnknown: #ConditionStatus & "Unknown"
 // CustomResourceDefinitionConditionType is a valid value for CustomResourceDefinitionCondition.Type
 #CustomResourceDefinitionConditionType: string // #enumCustomResourceDefinitionConditionType
 #enumCustomResourceDefinitionConditionType:
 	#Established |
 	#NamesAccepted |
 	#NonStructuralSchema |
 	#Terminating |
 	#KubernetesAPIApprovalPolicyConformant
 // Established means that the resource has become active. A resource is established when all names are
 // accepted without a conflict for the first time. A resource stays established until deleted, even during
 // a later NamesAccepted due to changed names. Note that not all names can be changed.
 #Established: #CustomResourceDefinitionConditionType & "Established"
 // NamesAccepted means the names chosen for this CustomResourceDefinition do not conflict with others in
 // the group and are therefore accepted.
 #NamesAccepted: #CustomResourceDefinitionConditionType & "NamesAccepted"
 // NonStructuralSchema means that one or more OpenAPI schema is not structural.
 //
 // A schema is structural if it specifies types for all values, with the only exceptions of those with
 // - x-kubernetes-int-or-string: true — for fields which can be integer or string
 // - x-kubernetes-preserve-unknown-fields: true — for raw, unspecified JSON values
 // and there is no type, additionalProperties, default, nullable or x-kubernetes-* vendor extenions
 // specified under allOf, anyOf, oneOf or not.
 //
 // Non-structural schemas will not be allowed anymore in v1 API groups. Moreover, new features will not be
 // available for non-structural CRDs:
 // - pruning
 // - defaulting
 // - read-only
 // - OpenAPI publishing
 // - webhook conversion
 #NonStructuralSchema: #CustomResourceDefinitionConditionType & "NonStructuralSchema"
 // Terminating means that the CustomResourceDefinition has been deleted and is cleaning up.
 #Terminating: #CustomResourceDefinitionConditionType & "Terminating"
 // KubernetesAPIApprovalPolicyConformant indicates that an API in *.k8s.io or *.kubernetes.io is or is not approved.  For CRDs
 // outside those groups, this condition will not be set.  For CRDs inside those groups, the condition will
 // be true if .metadata.annotations["api-approved.kubernetes.io"] is set to a URL, otherwise it will be false.
 // See https://github.com/kubernetes/enhancements/pull/1111 for more details.
 #KubernetesAPIApprovalPolicyConformant: #CustomResourceDefinitionConditionType & "KubernetesAPIApprovalPolicyConformant"
 // CustomResourceDefinitionCondition contains details for the current condition of this pod.
 #CustomResourceDefinitionCondition: {
 	// type is the type of the condition. Types include Established, NamesAccepted and Terminating.
 	type: #CustomResourceDefinitionConditionType @go(Type) @protobuf(1,bytes,opt,casttype=CustomResourceDefinitionConditionType)
 	// status is the status of the condition.
 	// Can be True, False, Unknown.
 	status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus)
 	// lastTransitionTime last time the condition transitioned from one status to another.
 	// +optional
 	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
 	// reason is a unique, one-word, CamelCase reason for the condition's last transition.
 	// +optional
 	reason?: string @go(Reason) @protobuf(4,bytes,opt)
 	// message is a human-readable message indicating details about last transition.
 	// +optional
 	message?: string @go(Message) @protobuf(5,bytes,opt)
 }
 // CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition
 #CustomResourceDefinitionStatus: {
 	// conditions indicate state for particular aspects of a CustomResourceDefinition
 	// +optional
 	// +listType=map
 	// +listMapKey=type
 	conditions: [...#CustomResourceDefinitionCondition] @go(Conditions,[]CustomResourceDefinitionCondition) @protobuf(1,bytes,opt)
 	// acceptedNames are the names that are actually being used to serve discovery.
 	// They may be different than the names in spec.
 	// +optional
 	acceptedNames: #CustomResourceDefinitionNames @go(AcceptedNames) @protobuf(2,bytes,opt)
 	// storedVersions lists all versions of CustomResources that were ever persisted. Tracking these
 	// versions allows a migration path for stored versions in etcd. The field is mutable
 	// so a migration controller can finish a migration to another version (ensuring
 	// no old objects are left in storage), and then remove the rest of the
 	// versions from this list.
 	// Versions may not be removed from `spec.versions` while they exist in this list.
 	// +optional
 	storedVersions: [...string] @go(StoredVersions,[]string) @protobuf(3,bytes,rep)
 }
 #CustomResourceCleanupFinalizer: "customresourcecleanup.apiextensions.k8s.io"
 // CustomResourceDefinition represents a resource that should be exposed on the API server.  Its name MUST be in the format
 // <.spec.name>.<.spec.group>.
 #CustomResourceDefinition: {
 	metav1.#TypeMeta
 	// Standard object's metadata
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 	// spec describes how the user wants the resources to appear
 	spec: #CustomResourceDefinitionSpec @go(Spec) @protobuf(2,bytes,opt)
 	// status indicates the actual state of the CustomResourceDefinition
 	// +optional
 	status?: #CustomResourceDefinitionStatus @go(Status) @protobuf(3,bytes,opt)
 }
 // CustomResourceDefinitionList is a list of CustomResourceDefinition objects.
 #CustomResourceDefinitionList: {
 	metav1.#TypeMeta
 	// Standard object's metadata
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items list individual CustomResourceDefinition objects
 	items: [...#CustomResourceDefinition] @go(Items,[]CustomResourceDefinition) @protobuf(2,bytes,rep)
 }
 // CustomResourceValidation is a list of validation methods for CustomResources.
 #CustomResourceValidation: {
 	// openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.
 	// +optional
 	openAPIV3Schema?: null | #JSONSchemaProps @go(OpenAPIV3Schema,*JSONSchemaProps) @protobuf(1,bytes,opt)
 }
 // CustomResourceSubresources defines the status and scale subresources for CustomResources.
 #CustomResourceSubresources: {
 	// status indicates the custom resource should serve a `/status` subresource.
 	// When enabled:
 	// 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object.
 	// 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.
 	// +optional
 	status?: null | #CustomResourceSubresourceStatus @go(Status,*CustomResourceSubresourceStatus) @protobuf(1,bytes,opt)
 	// scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.
 	// +optional
 	scale?: null | #CustomResourceSubresourceScale @go(Scale,*CustomResourceSubresourceScale) @protobuf(2,bytes,opt)
 }
 // CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources.
 // Status is represented by the `.status` JSON path inside of a CustomResource. When set,
 // * exposes a /status subresource for the custom resource
 // * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza
 // * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza
 #CustomResourceSubresourceStatus: {
 }
 // CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.
 #CustomResourceSubresourceScale: {
 	// specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`.
 	// Only JSON paths without the array notation are allowed.
 	// Must be a JSON Path under `.spec`.
 	// If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.
 	specReplicasPath: string @go(SpecReplicasPath) @protobuf(1,bytes)
 	// statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`.
 	// Only JSON paths without the array notation are allowed.
 	// Must be a JSON Path under `.status`.
 	// If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource
 	// will default to 0.
 	statusReplicasPath: string @go(StatusReplicasPath) @protobuf(2,bytes,opt)
 	// labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`.
 	// Only JSON paths without the array notation are allowed.
 	// Must be a JSON Path under `.status` or `.spec`.
 	// Must be set to work with HorizontalPodAutoscaler.
 	// The field pointed by this JSON path must be a string field (not a complex selector struct)
 	// which contains a serialized label selector in string form.
 	// More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource
 	// If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale`
 	// subresource will default to the empty string.
 	// +optional
 	labelSelectorPath?: null | string @go(LabelSelectorPath,*string) @protobuf(3,bytes,opt)
 }
 // ConversionReview describes a conversion request/response.
 #ConversionReview: {
 	metav1.#TypeMeta
 	// request describes the attributes for the conversion request.
 	// +optional
 	request?: null | #ConversionRequest @go(Request,*ConversionRequest) @protobuf(1,bytes,opt)
 	// response describes the attributes for the conversion response.
 	// +optional
 	response?: null | #ConversionResponse @go(Response,*ConversionResponse) @protobuf(2,bytes,opt)
 }
 // ConversionRequest describes the conversion request parameters.
 #ConversionRequest: {
 	// uid is an identifier for the individual request/response. It allows distinguishing instances of requests which are
 	// otherwise identical (parallel requests, etc).
 	// The UID is meant to track the round trip (request/response) between the Kubernetes API server and the webhook, not the user request.
 	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
 	uid: types.#UID @go(UID) @protobuf(1,bytes)
 	// desiredAPIVersion is the version to convert given objects to. e.g. "myapi.example.com/v1"
 	desiredAPIVersion: string @go(DesiredAPIVersion) @protobuf(2,bytes)
 	// objects is the list of custom resource objects to be converted.
 	objects: [...runtime.#RawExtension] @go(Objects,[]runtime.RawExtension) @protobuf(3,bytes,rep)
 }
 // ConversionResponse describes a conversion response.
 #ConversionResponse: {
 	// uid is an identifier for the individual request/response.
 	// This should be copied over from the corresponding `request.uid`.
 	uid: types.#UID @go(UID) @protobuf(1,bytes)
 	// convertedObjects is the list of converted version of `request.objects` if the `result` is successful, otherwise empty.
 	// The webhook is expected to set `apiVersion` of these objects to the `request.desiredAPIVersion`. The list
 	// must also have the same size as the input list with the same objects in the same order (equal kind, metadata.uid, metadata.name and metadata.namespace).
 	// The webhook is allowed to mutate labels and annotations. Any other change to the metadata is silently ignored.
 	convertedObjects: [...runtime.#RawExtension] @go(ConvertedObjects,[]runtime.RawExtension) @protobuf(2,bytes,rep)
 	// result contains the result of conversion with extra details if the conversion failed. `result.status` determines if
 	// the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the
 	// conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set
 	// `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message`
 	// will be used to construct an error message for the end user.
 	result: metav1.#Status @go(Result) @protobuf(3,bytes)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue

@@ -0,0 +1,317 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
 package v1
 // FieldValueErrorReason is a machine-readable value providing more detail about why a field failed the validation.
 // +enum
 #FieldValueErrorReason: string // #enumFieldValueErrorReason
 #enumFieldValueErrorReason:
 	#FieldValueRequired |
 	#FieldValueDuplicate |
 	#FieldValueInvalid |
 	#FieldValueForbidden
 // FieldValueRequired is used to report required values that are not
 // provided (e.g. empty strings, null values, or empty arrays).
 #FieldValueRequired: #FieldValueErrorReason & "FieldValueRequired"
 // FieldValueDuplicate is used to report collisions of values that must be
 // unique (e.g. unique IDs).
 #FieldValueDuplicate: #FieldValueErrorReason & "FieldValueDuplicate"
 // FieldValueInvalid is used to report malformed values (e.g. failed regex
 // match, too long, out of bounds).
 #FieldValueInvalid: #FieldValueErrorReason & "FieldValueInvalid"
 // FieldValueForbidden is used to report valid (as per formatting rules)
 // values which would be accepted under some conditions, but which are not
 // permitted by the current conditions (such as security policy).
 #FieldValueForbidden: #FieldValueErrorReason & "FieldValueForbidden"
 // JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).
 #JSONSchemaProps: {
 	id?:          string         @go(ID) @protobuf(1,bytes,opt)
 	$schema?:     #JSONSchemaURL @go(Schema) @protobuf(2,bytes,opt,name=schema)
 	$ref?:        null | string  @go(Ref,*string) @protobuf(3,bytes,opt,name=ref)
 	description?: string         @go(Description) @protobuf(4,bytes,opt)
 	type?:        string         @go(Type) @protobuf(5,bytes,opt)
 	// format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:
 	//
 	// - bsonobjectid: a bson object ID, i.e. a 24 characters hex string
 	// - uri: an URI as parsed by Golang net/url.ParseRequestURI
 	// - email: an email address as parsed by Golang net/mail.ParseAddress
 	// - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034].
 	// - ipv4: an IPv4 IP as parsed by Golang net.ParseIP
 	// - ipv6: an IPv6 IP as parsed by Golang net.ParseIP
 	// - cidr: a CIDR as parsed by Golang net.ParseCIDR
 	// - mac: a MAC address as parsed by Golang net.ParseMAC
 	// - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$
 	// - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$
 	// - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
 	// - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
 	// - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041"
 	// - isbn10: an ISBN10 number string like "0321751043"
 	// - isbn13: an ISBN13 number string like "978-0321751041"
 	// - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in
 	// - ssn: a U.S. social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$
 	// - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$
 	// - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559"
 	// - byte: base64 encoded binary data
 	// - password: any kind of string
 	// - date: a date string like "2006-01-02" as defined by full-date in RFC3339
 	// - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format
 	// - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.
 	format?: string @go(Format) @protobuf(6,bytes,opt)
 	title?:  string @go(Title) @protobuf(7,bytes,opt)
 	// default is a default value for undefined object fields.
 	// Defaulting is a beta feature under the CustomResourceDefaulting feature gate.
 	// Defaulting requires spec.preserveUnknownFields to be false.
 	default?:          null | #JSON   @go(Default,*JSON) @protobuf(8,bytes,opt)
 	maximum?:          null | float64 @go(Maximum,*float64) @protobuf(9,bytes,opt)
 	exclusiveMaximum?: bool           @go(ExclusiveMaximum) @protobuf(10,bytes,opt)
 	minimum?:          null | float64 @go(Minimum,*float64) @protobuf(11,bytes,opt)
 	exclusiveMinimum?: bool           @go(ExclusiveMinimum) @protobuf(12,bytes,opt)
 	maxLength?:        null | int64   @go(MaxLength,*int64) @protobuf(13,bytes,opt)
 	minLength?:        null | int64   @go(MinLength,*int64) @protobuf(14,bytes,opt)
 	pattern?:          string         @go(Pattern) @protobuf(15,bytes,opt)
 	maxItems?:         null | int64   @go(MaxItems,*int64) @protobuf(16,bytes,opt)
 	minItems?:         null | int64   @go(MinItems,*int64) @protobuf(17,bytes,opt)
 	uniqueItems?:      bool           @go(UniqueItems) @protobuf(18,bytes,opt)
 	multipleOf?:       null | float64 @go(MultipleOf,*float64) @protobuf(19,bytes,opt)
 	enum?: [...#JSON] @go(Enum,[]JSON) @protobuf(20,bytes,rep)
 	maxProperties?: null | int64 @go(MaxProperties,*int64) @protobuf(21,bytes,opt)
 	minProperties?: null | int64 @go(MinProperties,*int64) @protobuf(22,bytes,opt)
 	required?: [...string] @go(Required,[]string) @protobuf(23,bytes,rep)
 	items?: null | #JSONSchemaPropsOrArray @go(Items,*JSONSchemaPropsOrArray) @protobuf(24,bytes,opt)
 	allOf?: [...#JSONSchemaProps] @go(AllOf,[]JSONSchemaProps) @protobuf(25,bytes,rep)
 	oneOf?: [...#JSONSchemaProps] @go(OneOf,[]JSONSchemaProps) @protobuf(26,bytes,rep)
 	anyOf?: [...#JSONSchemaProps] @go(AnyOf,[]JSONSchemaProps) @protobuf(27,bytes,rep)
 	not?: null | #JSONSchemaProps @go(Not,*JSONSchemaProps) @protobuf(28,bytes,opt)
 	properties?: {[string]: #JSONSchemaProps} @go(Properties,map[string]JSONSchemaProps) @protobuf(29,bytes,rep)
 	additionalProperties?: null | #JSONSchemaPropsOrBool @go(AdditionalProperties,*JSONSchemaPropsOrBool) @protobuf(30,bytes,opt)
 	patternProperties?: {[string]: #JSONSchemaProps} @go(PatternProperties,map[string]JSONSchemaProps) @protobuf(31,bytes,rep)
 	dependencies?:    #JSONSchemaDependencies       @go(Dependencies) @protobuf(32,bytes,opt)
 	additionalItems?: null | #JSONSchemaPropsOrBool @go(AdditionalItems,*JSONSchemaPropsOrBool) @protobuf(33,bytes,opt)
 	definitions?:     #JSONSchemaDefinitions        @go(Definitions) @protobuf(34,bytes,opt)
 	externalDocs?:    null | #ExternalDocumentation @go(ExternalDocs,*ExternalDocumentation) @protobuf(35,bytes,opt)
 	example?:         null | #JSON                  @go(Example,*JSON) @protobuf(36,bytes,opt)
 	nullable?:        bool                          @go(Nullable) @protobuf(37,bytes,opt)
 	// x-kubernetes-preserve-unknown-fields stops the API server
 	// decoding step from pruning fields which are not specified
 	// in the validation schema. This affects fields recursively,
 	// but switches back to normal pruning behaviour if nested
 	// properties or additionalProperties are specified in the schema.
 	// This can either be true or undefined. False is forbidden.
 	"x-kubernetes-preserve-unknown-fields"?: null | bool @go(XPreserveUnknownFields,*bool) @protobuf(38,bytes,opt,name=xKubernetesPreserveUnknownFields)
 	// x-kubernetes-embedded-resource defines that the value is an
 	// embedded Kubernetes runtime.Object, with TypeMeta and
 	// ObjectMeta. The type must be object. It is allowed to further
 	// restrict the embedded object. kind, apiVersion and metadata
 	// are validated automatically. x-kubernetes-preserve-unknown-fields
 	// is allowed to be true, but does not have to be if the object
 	// is fully specified (up to kind, apiVersion, metadata).
 	"x-kubernetes-embedded-resource"?: bool @go(XEmbeddedResource) @protobuf(39,bytes,opt,name=xKubernetesEmbeddedResource)
 	// x-kubernetes-int-or-string specifies that this value is
 	// either an integer or a string. If this is true, an empty
 	// type is allowed and type as child of anyOf is permitted
 	// if following one of the following patterns:
 	//
 	// 1) anyOf:
 	//    - type: integer
 	//    - type: string
 	// 2) allOf:
 	//    - anyOf:
 	//      - type: integer
 	//      - type: string
 	//    - ... zero or more
 	"x-kubernetes-int-or-string"?: bool @go(XIntOrString) @protobuf(40,bytes,opt,name=xKubernetesIntOrString)
 	// x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used
 	// as the index of the map.
 	//
 	// This tag MUST only be used on lists that have the "x-kubernetes-list-type"
 	// extension set to "map". Also, the values specified for this attribute must
 	// be a scalar typed field of the child structure (no nesting is supported).
 	//
 	// The properties specified must either be required or have a default value,
 	// to ensure those properties are present for all list items.
 	//
 	// +optional
 	"x-kubernetes-list-map-keys"?: [...string] @go(XListMapKeys,[]string) @protobuf(41,bytes,rep,name=xKubernetesListMapKeys)
 	// x-kubernetes-list-type annotates an array to further describe its topology.
 	// This extension must only be used on lists and may have 3 possible values:
 	//
 	// 1) `atomic`: the list is treated as a single entity, like a scalar.
 	//      Atomic lists will be entirely replaced when updated. This extension
 	//      may be used on any type of list (struct, scalar, ...).
 	// 2) `set`:
 	//      Sets are lists that must not have multiple items with the same value. Each
 	//      value must be a scalar, an object with x-kubernetes-map-type `atomic` or an
 	//      array with x-kubernetes-list-type `atomic`.
 	// 3) `map`:
 	//      These lists are like maps in that their elements have a non-index key
 	//      used to identify them. Order is preserved upon merge. The map tag
 	//      must only be used on a list with elements of type object.
 	// Defaults to atomic for arrays.
 	// +optional
 	"x-kubernetes-list-type"?: null | string @go(XListType,*string) @protobuf(42,bytes,opt,name=xKubernetesListType)
 	// x-kubernetes-map-type annotates an object to further describe its topology.
 	// This extension must only be used when type is object and may have 2 possible values:
 	//
 	// 1) `granular`:
 	//      These maps are actual maps (key-value pairs) and each fields are independent
 	//      from each other (they can each be manipulated by separate actors). This is
 	//      the default behaviour for all maps.
 	// 2) `atomic`: the list is treated as a single entity, like a scalar.
 	//      Atomic maps will be entirely replaced when updated.
 	// +optional
 	"x-kubernetes-map-type"?: null | string @go(XMapType,*string) @protobuf(43,bytes,opt,name=xKubernetesMapType)
 	// x-kubernetes-validations describes a list of validation rules written in the CEL expression language.
 	// This field is an alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled.
 	// +patchMergeKey=rule
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=rule
 	"x-kubernetes-validations"?: #ValidationRules @go(XValidations) @protobuf(44,bytes,rep,name=xKubernetesValidations)
 }
 // ValidationRules describes a list of validation rules written in the CEL expression language.
 #ValidationRules: [...#ValidationRule]
 // ValidationRule describes a validation rule written in the CEL expression language.
 #ValidationRule: {
 	// Rule represents the expression which will be evaluated by CEL.
 	// ref: https://github.com/google/cel-spec
 	// The Rule is scoped to the location of the x-kubernetes-validations extension in the schema.
 	// The `self` variable in the CEL expression is bound to the scoped value.
 	// Example:
 	// - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"}
 	//
 	// If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable
 	// via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as
 	// absent fields in CEL expressions.
 	// If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map
 	// are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map
 	// are accessible via CEL macros and functions such as `self.all(...)`.
 	// If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and
 	// functions.
 	// If the Rule is scoped to a scalar, `self` is bound to the scalar value.
 	// Examples:
 	// - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"}
 	// - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"}
 	// - Rule scoped to a string value: {"rule": "self.startsWith('kube')"}
 	//
 	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
 	// object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.
 	//
 	// Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL
 	// expressions. This includes:
 	// - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields.
 	// - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as:
 	//   - A schema with no type and x-kubernetes-preserve-unknown-fields set to true
 	//   - An array where the items schema is of an "unknown type"
 	//   - An object where the additionalProperties schema is of an "unknown type"
 	//
 	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
 	// Accessible property names are escaped according to the following rules when accessed in the expression:
 	// - '__' escapes to '__underscores__'
 	// - '.' escapes to '__dot__'
 	// - '-' escapes to '__dash__'
 	// - '/' escapes to '__slash__'
 	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
 	//	  "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
 	//	  "import", "let", "loop", "package", "namespace", "return".
 	// Examples:
 	//   - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"}
 	//   - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"}
 	//   - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"}
 	//
 	// Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
 	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
 	//   - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
 	//     non-intersecting elements in `Y` are appended, retaining their partial order.
 	//   - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
 	//     are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
 	//     non-intersecting keys are appended, retaining their partial order.
 	rule: string @go(Rule) @protobuf(1,bytes,opt)
 	// Message represents the message displayed when validation fails. The message is required if the Rule contains
 	// line breaks. The message must not contain line breaks.
 	// If unset, the message is "failed rule: {Rule}".
 	// e.g. "must be a URL with the host matching spec.host"
 	message?: string @go(Message) @protobuf(2,bytes,opt)
 	// MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
 	// Since messageExpression is used as a failure message, it must evaluate to a string.
 	// If both message and messageExpression are present on a rule, then messageExpression will be used if validation
 	// fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
 	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
 	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
 	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
 	// messageExpression has access to all the same variables as the rule; the only difference is the return type.
 	// Example:
 	// "x must be less than max ("+string(self.max)+")"
 	// +optional
 	messageExpression?: string @go(MessageExpression) @protobuf(3,bytes,opt)
 	// reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule.
 	// The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule.
 	// The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate".
 	// If not set, default to use "FieldValueInvalid".
 	// All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid.
 	// +optional
 	reason?: null | #FieldValueErrorReason @go(Reason,*FieldValueErrorReason) @protobuf(4,bytes,opt)
 	// fieldPath represents the field path returned when the validation fails.
 	// It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field.
 	// e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo`
 	// If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList`
 	// It does not support list numeric index.
 	// It supports child operation to refer to an existing field currently. Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info.
 	// Numeric index of array is not supported.
 	// For field name which contains special characters, use `['specialName']` to refer the field name.
 	// e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']`
 	// +optional
 	fieldPath?: string @go(FieldPath) @protobuf(5,bytes,opt)
 }
 // JSON represents any valid JSON value.
 // These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.
 #JSON: _
 // JSONSchemaURL represents a schema url.
 #JSONSchemaURL: string
 // JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps
 // or an array of JSONSchemaProps. Mainly here for serialization purposes.
 #JSONSchemaPropsOrArray: _
 // JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value.
 // Defaults to true for the boolean property.
 #JSONSchemaPropsOrBool: _
 // JSONSchemaDependencies represent a dependencies property.
 #JSONSchemaDependencies: {[string]: #JSONSchemaPropsOrStringArray}
 // JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.
 #JSONSchemaPropsOrStringArray: _
 // JSONSchemaDefinitions contains the models explicitly defined in this spec.
 #JSONSchemaDefinitions: {[string]: #JSONSchemaProps}
 // ExternalDocumentation allows referencing an external resource for extended documentation.
 #ExternalDocumentation: {
 	description?: string @go(Description) @protobuf(1,bytes,opt)
 	url?:         string @go(URL) @protobuf(2,bytes,opt)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue

@@ -0,0 +1,47 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
 package resource
 // Scale is used for getting and setting the base-10 scaled value.
 // Base-2 scales are omitted for mathematical simplicity.
 // See Quantity.ScaledValue for more details.
 #Scale: int32 // #enumScale
 #enumScale:
 	#Nano |
 	#Micro |
 	#Milli |
 	#Kilo |
 	#Mega |
 	#Giga |
 	#Tera |
 	#Peta |
 	#Exa
 #values_Scale: {
 	Nano:  #Nano
 	Micro: #Micro
 	Milli: #Milli
 	Kilo:  #Kilo
 	Mega:  #Mega
 	Giga:  #Giga
 	Tera:  #Tera
 	Peta:  #Peta
 	Exa:   #Exa
 }
 #Nano:  #Scale & -9
 #Micro: #Scale & -6
 #Milli: #Scale & -3
 #Kilo:  #Scale & 3
 #Mega:  #Scale & 6
 #Giga:  #Scale & 9
 #Tera:  #Scale & 12
 #Peta:  #Scale & 15
 #Exa:   #Scale & 18
 // infDecAmount implements common operations over an inf.Dec that are specific to the quantity
 // representation.
 _#infDecAmount: string

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue

@@ -0,0 +1,13 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
 package resource
 // maxInt64Factors is the highest value that will be checked when removing factors of 10 from an int64.
 // It is also the maximum decimal digits that can be represented with an int64.
 _#maxInt64Factors: 18
 _#mostNegative: -9223372036854775808
 _#mostPositive: 9223372036854775807

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue

@@ -0,0 +1,107 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
 package resource
 // Quantity is a fixed-point representation of a number.
 // It provides convenient marshaling/unmarshaling in JSON and YAML,
 // in addition to String() and AsInt64() accessors.
 //
 // The serialization format is:
 //
 // ```
 // <quantity>        ::= <signedNumber><suffix>
 //
 //	(Note that <suffix> may be empty, from the "" case in <decimalSI>.)
 //
 // <digit>           ::= 0 | 1 | ... | 9
 // <digits>          ::= <digit> | <digit><digits>
 // <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits>
 // <sign>            ::= "+" | "-"
 // <signedNumber>    ::= <number> | <sign><number>
 // <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI>
 // <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei
 //
 //	(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
 //
 // <decimalSI>       ::= m | "" | k | M | G | T | P | E
 //
 //	(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
 //
 // <decimalExponent> ::= "e" <signedNumber> | "E" <signedNumber>
 // ```
 //
 // No matter which of the three exponent forms is used, no quantity may represent
 // a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal
 // places. Numbers larger or more precise will be capped or rounded up.
 // (E.g.: 0.1m will rounded up to 1m.)
 // This may be extended in the future if we require larger or smaller quantities.
 //
 // When a Quantity is parsed from a string, it will remember the type of suffix
 // it had, and will use the same type again when it is serialized.
 //
 // Before serializing, Quantity will be put in "canonical form".
 // This means that Exponent/suffix will be adjusted up or down (with a
 // corresponding increase or decrease in Mantissa) such that:
 //
 // - No precision is lost
 // - No fractional digits will be emitted
 // - The exponent (or suffix) is as large as possible.
 //
 // The sign will be omitted unless the number is negative.
 //
 // Examples:
 //
 // - 1.5 will be serialized as "1500m"
 // - 1.5Gi will be serialized as "1536Mi"
 //
 // Note that the quantity will NEVER be internally represented by a
 // floating point number. That is the whole point of this exercise.
 //
 // Non-canonical values will still parse as long as they are well formed,
 // but will be re-emitted in their canonical form. (So always use canonical
 // form, or don't diff.)
 //
 // This format is intended to make it difficult to use these numbers without
 // writing some sort of special handling code in the hopes that that will
 // cause implementors to also use a fixed point implementation.
 //
 // +protobuf=true
 // +protobuf.embed=string
 // +protobuf.options.marshal=false
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 // +k8s:deepcopy-gen=true
 // +k8s:openapi-gen=true
 #Quantity: _
 // CanonicalValue allows a quantity amount to be converted to a string.
 #CanonicalValue: _
 // Format lists the three possible formattings of a quantity.
 #Format: string // #enumFormat
 #enumFormat:
 	#DecimalExponent |
 	#BinarySI |
 	#DecimalSI
 #DecimalExponent: #Format & "DecimalExponent"
 #BinarySI:        #Format & "BinarySI"
 #DecimalSI:       #Format & "DecimalSI"
 // splitREString is used to separate a number from its suffix; as such,
 // this is overly permissive, but that's OK-- it will be checked later.
 _#splitREString: "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
 _#int64QuantityExpectedBytes: 18
 // QuantityValue makes it possible to use a Quantity as value for a command
 // line parameter.
 //
 // +protobuf=true
 // +protobuf.embed=string
 // +protobuf.options.marshal=false
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 // +k8s:deepcopy-gen=true
 #QuantityValue: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue

@@ -0,0 +1,10 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
 package resource
 _#suffix: string
 // suffixer can interpret and construct suffixes.
 _#suffixer: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue

@@ -0,0 +1,10 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
 package v1
 // Duration is a wrapper around time.Duration which supports correct
 // marshaling to YAML and JSON. In particular, it marshals into strings, which
 // can be used as map keys in json.
 #Duration: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue

@@ -0,0 +1,48 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
 package v1
 // GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying
 // concepts during lookup stages without having partially valid types
 //
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 #GroupResource: {
 	group:    string @go(Group) @protobuf(1,bytes,opt)
 	resource: string @go(Resource) @protobuf(2,bytes,opt)
 }
 // GroupVersionResource unambiguously identifies a resource.  It doesn't anonymously include GroupVersion
 // to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
 //
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 #GroupVersionResource: {
 	group:    string @go(Group) @protobuf(1,bytes,opt)
 	version:  string @go(Version) @protobuf(2,bytes,opt)
 	resource: string @go(Resource) @protobuf(3,bytes,opt)
 }
 // GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying
 // concepts during lookup stages without having partially valid types
 //
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 #GroupKind: {
 	group: string @go(Group) @protobuf(1,bytes,opt)
 	kind:  string @go(Kind) @protobuf(2,bytes,opt)
 }
 // GroupVersionKind unambiguously identifies a kind.  It doesn't anonymously include GroupVersion
 // to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
 //
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 #GroupVersionKind: {
 	group:   string @go(Group) @protobuf(1,bytes,opt)
 	version: string @go(Version) @protobuf(2,bytes,opt)
 	kind:    string @go(Kind) @protobuf(3,bytes,opt)
 }
 // GroupVersion contains the "group" and the "version", which uniquely identifies the API.
 //
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 #GroupVersion: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue

@@ -0,0 +1,33 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
 package v1
 // TODO: move this, Object, List, and Type to a different package
 #ObjectMetaAccessor: _
 // Object lets you work with object metadata from any of the versioned or
 // internal API objects. Attempting to set or retrieve a field on an object that does
 // not support that field (Name, UID, Namespace on lists) will be a no-op and return
 // a default value.
 #Object: _
 // ListMetaAccessor retrieves the list interface from an object
 #ListMetaAccessor: _
 // Common lets you work with core metadata from any of the versioned or
 // internal API objects. Attempting to set or retrieve a field on an object that does
 // not support that field will be a no-op and return a default value.
 // TODO: move this, and TypeMeta and ListMeta, to a different package
 #Common: _
 // ListInterface lets you work with list metadata from any of the versioned or
 // internal API objects. Attempting to set or retrieve a field on an object that does
 // not support that field will be a no-op and return a default value.
 // TODO: move this, and TypeMeta and ListMeta, to a different package
 #ListInterface: _
 // Type exposes the type and APIVersion of versioned or internal API objects.
 // TODO: move this, and TypeMeta and ListMeta, to a different package
 #Type: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue

@@ -0,0 +1,14 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
 package v1
 #RFC3339Micro: "2006-01-02T15:04:05.000000Z07:00"
 // MicroTime is version of Time with microsecond level precision.
 //
 // +protobuf.options.marshal=false
 // +protobuf.as=Timestamp
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 #MicroTime: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue

@@ -0,0 +1,9 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
 package v1
 #GroupName: "meta.k8s.io"
 #WatchEventKind: "WatchEvent"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue

@@ -0,0 +1,14 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
 package v1
 // Time is a wrapper around time.Time which supports correct
 // marshaling to YAML and JSON.  Wrappers are provided for many
 // of the factory methods that the time package offers.
 //
 // +protobuf.options.marshal=false
 // +protobuf.as=Timestamp
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 #Time: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue

@@ -0,0 +1,21 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
 package v1
 // Timestamp is a struct that is equivalent to Time, but intended for
 // protobuf marshalling/unmarshalling. It is generated into a serialization
 // that matches Time. Do not use in Go structs.
 #Timestamp: {
 	// Represents seconds of UTC time since Unix epoch
 	// 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
 	// 9999-12-31T23:59:59Z inclusive.
 	seconds: int64 @go(Seconds) @protobuf(1,varint,opt)
 	// Non-negative fractions of a second at nanosecond resolution. Negative
 	// second values with fractions must still have non-negative nanos values
 	// that count forward in time. Must be from 0 to 999,999,999
 	// inclusive. This field may be limited in precision depending on context.
 	nanos: int32 @go(Nanos) @protobuf(2,varint,opt)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue

@@ -0,0 +1,1561 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
 // Package v1 contains API types that are common to all versions.
 //
 // The package contains two categories of types:
 //   - external (serialized) types that lack their own version (e.g TypeMeta)
 //   - internal (never-serialized) types that are needed by several different
 //     api groups, and so live here, to avoid duplication and/or import loops
 //     (e.g. LabelSelector).
 //
 // In the future, we will probably move these categories of objects into
 // separate packages.
 package v1
 import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 // TypeMeta describes an individual object in an API response or request
 // with strings representing the type of the object and its API schema version.
 // Structures that are versioned or persisted should inline TypeMeta.
 //
 // +k8s:deepcopy-gen=false
 #TypeMeta: {
 	// Kind is a string value representing the REST resource this object represents.
 	// Servers may infer this from the endpoint the client submits requests to.
 	// Cannot be updated.
 	// In CamelCase.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	kind?: string @go(Kind) @protobuf(1,bytes,opt)
 	// APIVersion defines the versioned schema of this representation of an object.
 	// Servers should convert recognized schemas to the latest internal value, and
 	// may reject unrecognized values.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 	// +optional
 	apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt)
 }
 // ListMeta describes metadata that synthetic resources must have, including lists and
 // various status objects. A resource may have only one of {ObjectMeta, ListMeta}.
 #ListMeta: {
 	// Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
 	// +optional
 	selfLink?: string @go(SelfLink) @protobuf(1,bytes,opt)
 	// String that identifies the server's internal version of this object that
 	// can be used by clients to determine when objects have changed.
 	// Value must be treated as opaque by clients and passed unmodified back to the server.
 	// Populated by the system.
 	// Read-only.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
 	// +optional
 	resourceVersion?: string @go(ResourceVersion) @protobuf(2,bytes,opt)
 	// continue may be set if the user set a limit on the number of items returned, and indicates that
 	// the server has more data available. The value is opaque and may be used to issue another request
 	// to the endpoint that served this list to retrieve the next set of available objects. Continuing a
 	// consistent list may not be possible if the server configuration has changed or more than a few
 	// minutes have passed. The resourceVersion field returned when using this continue value will be
 	// identical to the value in the first response, unless you have received this token from an error
 	// message.
 	continue?: string @go(Continue) @protobuf(3,bytes,opt)
 	// remainingItemCount is the number of subsequent items in the list which are not included in this
 	// list response. If the list request contained label or field selectors, then the number of
 	// remaining items is unknown and the field will be left unset and omitted during serialization.
 	// If the list is complete (either because it is not chunking or because this is the last chunk),
 	// then there are no more remaining items and this field will be left unset and omitted during
 	// serialization.
 	// Servers older than v1.15 do not set this field.
 	// The intended use of the remainingItemCount is *estimating* the size of a collection. Clients
 	// should not rely on the remainingItemCount to be set or to be exact.
 	// +optional
 	remainingItemCount?: null | int64 @go(RemainingItemCount,*int64) @protobuf(4,bytes,opt)
 }
 #ObjectNameField: "metadata.name"
 #FinalizerOrphanDependents: "orphan"
 #FinalizerDeleteDependents: "foregroundDeletion"
 // ObjectMeta is metadata that all persisted resources must have, which includes all objects
 // users must create.
 #ObjectMeta: {
 	// Name must be unique within a namespace. Is required when creating resources, although
 	// some resources may allow a client to request the generation of an appropriate name
 	// automatically. Name is primarily intended for creation idempotence and configuration
 	// definition.
 	// Cannot be updated.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
 	// +optional
 	name?: string @go(Name) @protobuf(1,bytes,opt)
 	// GenerateName is an optional prefix, used by the server, to generate a unique
 	// name ONLY IF the Name field has not been provided.
 	// If this field is used, the name returned to the client will be different
 	// than the name passed. This value will also be combined with a unique suffix.
 	// The provided value has the same validation rules as the Name field,
 	// and may be truncated by the length of the suffix required to make the value
 	// unique on the server.
 	//
 	// If this field is specified and the generated name exists, the server will return a 409.
 	//
 	// Applied only if Name is not specified.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
 	// +optional
 	generateName?: string @go(GenerateName) @protobuf(2,bytes,opt)
 	// Namespace defines the space within which each name must be unique. An empty namespace is
 	// equivalent to the "default" namespace, but "default" is the canonical representation.
 	// Not all objects are required to be scoped to a namespace - the value of this field for
 	// those objects will be empty.
 	//
 	// Must be a DNS_LABEL.
 	// Cannot be updated.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
 	// +optional
 	namespace?: string @go(Namespace) @protobuf(3,bytes,opt)
 	// Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
 	// +optional
 	selfLink?: string @go(SelfLink) @protobuf(4,bytes,opt)
 	// UID is the unique in time and space value for this object. It is typically generated by
 	// the server on successful creation of a resource and is not allowed to change on PUT
 	// operations.
 	//
 	// Populated by the system.
 	// Read-only.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
 	// +optional
 	uid?: types.#UID @go(UID) @protobuf(5,bytes,opt,casttype=k8s.io/kubernetes/pkg/types.UID)
 	// An opaque value that represents the internal version of this object that can
 	// be used by clients to determine when objects have changed. May be used for optimistic
 	// concurrency, change detection, and the watch operation on a resource or set of resources.
 	// Clients must treat these values as opaque and passed unmodified back to the server.
 	// They may only be valid for a particular resource or set of resources.
 	//
 	// Populated by the system.
 	// Read-only.
 	// Value must be treated as opaque by clients and .
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
 	// +optional
 	resourceVersion?: string @go(ResourceVersion) @protobuf(6,bytes,opt)
 	// A sequence number representing a specific generation of the desired state.
 	// Populated by the system. Read-only.
 	// +optional
 	generation?: int64 @go(Generation) @protobuf(7,varint,opt)
 	// CreationTimestamp is a timestamp representing the server time when this object was
 	// created. It is not guaranteed to be set in happens-before order across separate operations.
 	// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
 	//
 	// Populated by the system.
 	// Read-only.
 	// Null for lists.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	creationTimestamp?: #Time @go(CreationTimestamp) @protobuf(8,bytes,opt)
 	// DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This
 	// field is set by the server when a graceful deletion is requested by the user, and is not
 	// directly settable by a client. The resource is expected to be deleted (no longer visible
 	// from resource lists, and not reachable by name) after the time in this field, once the
 	// finalizers list is empty. As long as the finalizers list contains items, deletion is blocked.
 	// Once the deletionTimestamp is set, this value may not be unset or be set further into the
 	// future, although it may be shortened or the resource may be deleted prior to this time.
 	// For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react
 	// by sending a graceful termination signal to the containers in the pod. After that 30 seconds,
 	// the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup,
 	// remove the pod from the API. In the presence of network partitions, this object may still
 	// exist after this timestamp, until an administrator or automated process can determine the
 	// resource is fully terminated.
 	// If not set, graceful deletion of the object has not been requested.
 	//
 	// Populated by the system when a graceful deletion is requested.
 	// Read-only.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	deletionTimestamp?: null | #Time @go(DeletionTimestamp,*Time) @protobuf(9,bytes,opt)
 	// Number of seconds allowed for this object to gracefully terminate before
 	// it will be removed from the system. Only set when deletionTimestamp is also set.
 	// May only be shortened.
 	// Read-only.
 	// +optional
 	deletionGracePeriodSeconds?: null | int64 @go(DeletionGracePeriodSeconds,*int64) @protobuf(10,varint,opt)
 	// Map of string keys and values that can be used to organize and categorize
 	// (scope and select) objects. May match selectors of replication controllers
 	// and services.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
 	// +optional
 	labels?: {[string]: string} @go(Labels,map[string]string) @protobuf(11,bytes,rep)
 	// Annotations is an unstructured key value map stored with a resource that may be
 	// set by external tools to store and retrieve arbitrary metadata. They are not
 	// queryable and should be preserved when modifying objects.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
 	// +optional
 	annotations?: {[string]: string} @go(Annotations,map[string]string) @protobuf(12,bytes,rep)
 	// List of objects depended by this object. If ALL objects in the list have
 	// been deleted, this object will be garbage collected. If this object is managed by a controller,
 	// then an entry in this list will point to this controller, with the controller field set to true.
 	// There cannot be more than one managing controller.
 	// +optional
 	// +patchMergeKey=uid
 	// +patchStrategy=merge
 	ownerReferences?: [...#OwnerReference] @go(OwnerReferences,[]OwnerReference) @protobuf(13,bytes,rep)
 	// Must be empty before the object is deleted from the registry. Each entry
 	// is an identifier for the responsible component that will remove the entry
 	// from the list. If the deletionTimestamp of the object is non-nil, entries
 	// in this list can only be removed.
 	// Finalizers may be processed and removed in any order.  Order is NOT enforced
 	// because it introduces significant risk of stuck finalizers.
 	// finalizers is a shared field, any actor with permission can reorder it.
 	// If the finalizer list is processed in order, then this can lead to a situation
 	// in which the component responsible for the first finalizer in the list is
 	// waiting for a signal (field value, external system, or other) produced by a
 	// component responsible for a finalizer later in the list, resulting in a deadlock.
 	// Without enforced ordering finalizers are free to order amongst themselves and
 	// are not vulnerable to ordering changes in the list.
 	// +optional
 	// +patchStrategy=merge
 	finalizers?: [...string] @go(Finalizers,[]string) @protobuf(14,bytes,rep)
 	// ManagedFields maps workflow-id and version to the set of fields
 	// that are managed by that workflow. This is mostly for internal
 	// housekeeping, and users typically shouldn't need to set or
 	// understand this field. A workflow can be the user's name, a
 	// controller's name, or the name of a specific apply path like
 	// "ci-cd". The set of fields is always in the version that the
 	// workflow used when modifying the object.
 	//
 	// +optional
 	managedFields?: [...#ManagedFieldsEntry] @go(ManagedFields,[]ManagedFieldsEntry) @protobuf(17,bytes,rep)
 }
 // NamespaceDefault means the object is in the default namespace which is applied when not specified by clients
 #NamespaceDefault: "default"
 // NamespaceAll is the default argument to specify on a context when you want to list or filter resources across all namespaces
 #NamespaceAll: ""
 // NamespaceNone is the argument for a context when there is no namespace.
 #NamespaceNone: ""
 // NamespaceSystem is the system namespace where we place system components.
 #NamespaceSystem: "kube-system"
 // NamespacePublic is the namespace where we place public info (ConfigMaps)
 #NamespacePublic: "kube-public"
 // OwnerReference contains enough information to let you identify an owning
 // object. An owning object must be in the same namespace as the dependent, or
 // be cluster-scoped, so there is no namespace field.
 // +structType=atomic
 #OwnerReference: {
 	// API version of the referent.
 	apiVersion: string @go(APIVersion) @protobuf(5,bytes,opt)
 	// Kind of the referent.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	kind: string @go(Kind) @protobuf(1,bytes,opt)
 	// Name of the referent.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
 	name: string @go(Name) @protobuf(3,bytes,opt)
 	// UID of the referent.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
 	uid: types.#UID @go(UID) @protobuf(4,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID)
 	// If true, this reference points to the managing controller.
 	// +optional
 	controller?: null | bool @go(Controller,*bool) @protobuf(6,varint,opt)
 	// If true, AND if the owner has the "foregroundDeletion" finalizer, then
 	// the owner cannot be deleted from the key-value store until this
 	// reference is removed.
 	// See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
 	// for how the garbage collector interacts with this field and enforces the foreground deletion.
 	// Defaults to false.
 	// To set this field, a user needs "delete" permission of the owner,
 	// otherwise 422 (Unprocessable Entity) will be returned.
 	// +optional
 	blockOwnerDeletion?: null | bool @go(BlockOwnerDeletion,*bool) @protobuf(7,varint,opt)
 }
 // ListOptions is the query options to a standard REST list call.
 #ListOptions: {
 	#TypeMeta
 	// A selector to restrict the list of returned objects by their labels.
 	// Defaults to everything.
 	// +optional
 	labelSelector?: string @go(LabelSelector) @protobuf(1,bytes,opt)
 	// A selector to restrict the list of returned objects by their fields.
 	// Defaults to everything.
 	// +optional
 	fieldSelector?: string @go(FieldSelector) @protobuf(2,bytes,opt)
 	// Watch for changes to the described resources and return them as a stream of
 	// add, update, and remove notifications. Specify resourceVersion.
 	// +optional
 	watch?: bool @go(Watch) @protobuf(3,varint,opt)
 	// allowWatchBookmarks requests watch events with type "BOOKMARK".
 	// Servers that do not implement bookmarks may ignore this flag and
 	// bookmarks are sent at the server's discretion. Clients should not
 	// assume bookmarks are returned at any specific interval, nor may they
 	// assume the server will send any BOOKMARK event during a session.
 	// If this is not a watch, this field is ignored.
 	// +optional
 	allowWatchBookmarks?: bool @go(AllowWatchBookmarks) @protobuf(9,varint,opt)
 	// resourceVersion sets a constraint on what resource versions a request may be served from.
 	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for
 	// details.
 	//
 	// Defaults to unset
 	// +optional
 	resourceVersion?: string @go(ResourceVersion) @protobuf(4,bytes,opt)
 	// resourceVersionMatch determines how resourceVersion is applied to list calls.
 	// It is highly recommended that resourceVersionMatch be set for list calls where
 	// resourceVersion is set
 	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for
 	// details.
 	//
 	// Defaults to unset
 	// +optional
 	resourceVersionMatch?: #ResourceVersionMatch @go(ResourceVersionMatch) @protobuf(10,bytes,opt,casttype=ResourceVersionMatch)
 	// Timeout for the list/watch call.
 	// This limits the duration of the call, regardless of any activity or inactivity.
 	// +optional
 	timeoutSeconds?: null | int64 @go(TimeoutSeconds,*int64) @protobuf(5,varint,opt)
 	// limit is a maximum number of responses to return for a list call. If more items exist, the
 	// server will set the `continue` field on the list metadata to a value that can be used with the
 	// same initial query to retrieve the next set of results. Setting a limit may return fewer than
 	// the requested amount of items (up to zero items) in the event all requested objects are
 	// filtered out and clients should only use the presence of the continue field to determine whether
 	// more results are available. Servers may choose not to support the limit argument and will return
 	// all of the available results. If limit is specified and the continue field is empty, clients may
 	// assume that no more results are available. This field is not supported if watch is true.
 	//
 	// The server guarantees that the objects returned when using continue will be identical to issuing
 	// a single list call without a limit - that is, no objects created, modified, or deleted after the
 	// first request is issued will be included in any subsequent continued requests. This is sometimes
 	// referred to as a consistent snapshot, and ensures that a client that is using limit to receive
 	// smaller chunks of a very large result can ensure they see all possible objects. If objects are
 	// updated during a chunked list the version of the object that was present at the time the first list
 	// result was calculated is returned.
 	limit?: int64 @go(Limit) @protobuf(7,varint,opt)
 	// The continue option should be set when retrieving more results from the server. Since this value is
 	// server defined, clients may only use the continue value from a previous query result with identical
 	// query parameters (except for the value of continue) and the server may reject a continue value it
 	// does not recognize. If the specified continue value is no longer valid whether due to expiration
 	// (generally five to fifteen minutes) or a configuration change on the server, the server will
 	// respond with a 410 ResourceExpired error together with a continue token. If the client needs a
 	// consistent list, it must restart their list without the continue field. Otherwise, the client may
 	// send another list request with the token received with the 410 error, the server will respond with
 	// a list starting from the next key, but from the latest snapshot, which is inconsistent from the
 	// previous list results - objects that are created, modified, or deleted after the first list request
 	// will be included in the response, as long as their keys are after the "next key".
 	//
 	// This field is not supported when watch is true. Clients may start a watch from the last
 	// resourceVersion value returned by the server and not miss any modifications.
 	continue?: string @go(Continue) @protobuf(8,bytes,opt)
 	// `sendInitialEvents=true` may be set together with `watch=true`.
 	// In that case, the watch stream will begin with synthetic events to
 	// produce the current state of objects in the collection. Once all such
 	// events have been sent, a synthetic "Bookmark" event  will be sent.
 	// The bookmark will report the ResourceVersion (RV) corresponding to the
 	// set of objects, and be marked with `"k8s.io/initial-events-end": "true"` annotation.
 	// Afterwards, the watch stream will proceed as usual, sending watch events
 	// corresponding to changes (subsequent to the RV) to objects watched.
 	//
 	// When `sendInitialEvents` option is set, we require `resourceVersionMatch`
 	// option to also be set. The semantic of the watch request is as following:
 	// - `resourceVersionMatch` = NotOlderThan
 	//   is interpreted as "data at least as new as the provided `resourceVersion`"
 	//   and the bookmark event is send when the state is synced
 	//   to a `resourceVersion` at least as fresh as the one provided by the ListOptions.
 	//   If `resourceVersion` is unset, this is interpreted as "consistent read" and the
 	//   bookmark event is send when the state is synced at least to the moment
 	//   when request started being processed.
 	// - `resourceVersionMatch` set to any other value or unset
 	//   Invalid error is returned.
 	//
 	// Defaults to true if `resourceVersion=""` or `resourceVersion="0"` (for backward
 	// compatibility reasons) and to false otherwise.
 	// +optional
 	sendInitialEvents?: null | bool @go(SendInitialEvents,*bool) @protobuf(11,varint,opt)
 }
 // resourceVersionMatch specifies how the resourceVersion parameter is applied. resourceVersionMatch
 // may only be set if resourceVersion is also set.
 //
 // "NotOlderThan" matches data at least as new as the provided resourceVersion.
 // "Exact" matches data at the exact resourceVersion provided.
 //
 // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for
 // details.
 #ResourceVersionMatch: string // #enumResourceVersionMatch
 #enumResourceVersionMatch:
 	#ResourceVersionMatchNotOlderThan |
 	#ResourceVersionMatchExact
 // ResourceVersionMatchNotOlderThan matches data at least as new as the provided
 // resourceVersion.
 #ResourceVersionMatchNotOlderThan: #ResourceVersionMatch & "NotOlderThan"
 // ResourceVersionMatchExact matches data at the exact resourceVersion
 // provided.
 #ResourceVersionMatchExact: #ResourceVersionMatch & "Exact"
 // GetOptions is the standard query options to the standard REST get call.
 #GetOptions: {
 	#TypeMeta
 	// resourceVersion sets a constraint on what resource versions a request may be served from.
 	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for
 	// details.
 	//
 	// Defaults to unset
 	// +optional
 	resourceVersion?: string @go(ResourceVersion) @protobuf(1,bytes,opt)
 }
 // DeletionPropagation decides if a deletion will propagate to the dependents of
 // the object, and how the garbage collector will handle the propagation.
 #DeletionPropagation: string // #enumDeletionPropagation
 #enumDeletionPropagation:
 	#DeletePropagationOrphan |
 	#DeletePropagationBackground |
 	#DeletePropagationForeground
 // Orphans the dependents.
 #DeletePropagationOrphan: #DeletionPropagation & "Orphan"
 // Deletes the object from the key-value store, the garbage collector will
 // delete the dependents in the background.
 #DeletePropagationBackground: #DeletionPropagation & "Background"
 // The object exists in the key-value store until the garbage collector
 // deletes all the dependents whose ownerReference.blockOwnerDeletion=true
 // from the key-value store.  API sever will put the "foregroundDeletion"
 // finalizer on the object, and sets its deletionTimestamp.  This policy is
 // cascading, i.e., the dependents will be deleted with Foreground.
 #DeletePropagationForeground: #DeletionPropagation & "Foreground"
 // DryRunAll means to complete all processing stages, but don't
 // persist changes to storage.
 #DryRunAll: "All"
 // DeleteOptions may be provided when deleting an API object.
 #DeleteOptions: {
 	#TypeMeta
 	// The duration in seconds before the object should be deleted. Value must be non-negative integer.
 	// The value zero indicates delete immediately. If this value is nil, the default grace period for the
 	// specified type will be used.
 	// Defaults to a per object value if not specified. zero means delete immediately.
 	// +optional
 	gracePeriodSeconds?: null | int64 @go(GracePeriodSeconds,*int64) @protobuf(1,varint,opt)
 	// Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be
 	// returned.
 	// +k8s:conversion-gen=false
 	// +optional
 	preconditions?: null | #Preconditions @go(Preconditions,*Preconditions) @protobuf(2,bytes,opt)
 	// Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7.
 	// Should the dependent objects be orphaned. If true/false, the "orphan"
 	// finalizer will be added to/removed from the object's finalizers list.
 	// Either this field or PropagationPolicy may be set, but not both.
 	// +optional
 	orphanDependents?: null | bool @go(OrphanDependents,*bool) @protobuf(3,varint,opt)
 	// Whether and how garbage collection will be performed.
 	// Either this field or OrphanDependents may be set, but not both.
 	// The default policy is decided by the existing finalizer set in the
 	// metadata.finalizers and the resource-specific default policy.
 	// Acceptable values are: 'Orphan' - orphan the dependents; 'Background' -
 	// allow the garbage collector to delete the dependents in the background;
 	// 'Foreground' - a cascading policy that deletes all dependents in the
 	// foreground.
 	// +optional
 	propagationPolicy?: null | #DeletionPropagation @go(PropagationPolicy,*DeletionPropagation) @protobuf(4,varint,opt)
 	// When present, indicates that modifications should not be
 	// persisted. An invalid or unrecognized dryRun directive will
 	// result in an error response and no further processing of the
 	// request. Valid values are:
 	// - All: all dry run stages will be processed
 	// +optional
 	dryRun?: [...string] @go(DryRun,[]string) @protobuf(5,bytes,rep)
 }
 // FieldValidationIgnore ignores unknown/duplicate fields
 #FieldValidationIgnore: "Ignore"
 // FieldValidationWarn responds with a warning, but successfully serve the request
 #FieldValidationWarn: "Warn"
 // FieldValidationStrict fails the request on unknown/duplicate fields
 #FieldValidationStrict: "Strict"
 // CreateOptions may be provided when creating an API object.
 #CreateOptions: {
 	#TypeMeta
 	// When present, indicates that modifications should not be
 	// persisted. An invalid or unrecognized dryRun directive will
 	// result in an error response and no further processing of the
 	// request. Valid values are:
 	// - All: all dry run stages will be processed
 	// +optional
 	dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep)
 	// fieldManager is a name associated with the actor or entity
 	// that is making these changes. The value must be less than or
 	// 128 characters long, and only contain printable characters,
 	// as defined by https://golang.org/pkg/unicode/#IsPrint.
 	// +optional
 	fieldManager?: string @go(FieldManager) @protobuf(3,bytes)
 	// fieldValidation instructs the server on how to handle
 	// objects in the request (POST/PUT/PATCH) containing unknown
 	// or duplicate fields. Valid values are:
 	// - Ignore: This will ignore any unknown fields that are silently
 	// dropped from the object, and will ignore all but the last duplicate
 	// field that the decoder encounters. This is the default behavior
 	// prior to v1.23.
 	// - Warn: This will send a warning via the standard warning response
 	// header for each unknown field that is dropped from the object, and
 	// for each duplicate field that is encountered. The request will
 	// still succeed if there are no other errors, and will only persist
 	// the last of any duplicate fields. This is the default in v1.23+
 	// - Strict: This will fail the request with a BadRequest error if
 	// any unknown fields would be dropped from the object, or if any
 	// duplicate fields are present. The error returned from the server
 	// will contain all unknown and duplicate fields encountered.
 	// +optional
 	fieldValidation?: string @go(FieldValidation) @protobuf(4,bytes)
 }
 // PatchOptions may be provided when patching an API object.
 // PatchOptions is meant to be a superset of UpdateOptions.
 #PatchOptions: {
 	#TypeMeta
 	// When present, indicates that modifications should not be
 	// persisted. An invalid or unrecognized dryRun directive will
 	// result in an error response and no further processing of the
 	// request. Valid values are:
 	// - All: all dry run stages will be processed
 	// +optional
 	dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep)
 	// Force is going to "force" Apply requests. It means user will
 	// re-acquire conflicting fields owned by other people. Force
 	// flag must be unset for non-apply patch requests.
 	// +optional
 	force?: null | bool @go(Force,*bool) @protobuf(2,varint,opt)
 	// fieldManager is a name associated with the actor or entity
 	// that is making these changes. The value must be less than or
 	// 128 characters long, and only contain printable characters,
 	// as defined by https://golang.org/pkg/unicode/#IsPrint. This
 	// field is required for apply requests
 	// (application/apply-patch) but optional for non-apply patch
 	// types (JsonPatch, MergePatch, StrategicMergePatch).
 	// +optional
 	fieldManager?: string @go(FieldManager) @protobuf(3,bytes)
 	// fieldValidation instructs the server on how to handle
 	// objects in the request (POST/PUT/PATCH) containing unknown
 	// or duplicate fields. Valid values are:
 	// - Ignore: This will ignore any unknown fields that are silently
 	// dropped from the object, and will ignore all but the last duplicate
 	// field that the decoder encounters. This is the default behavior
 	// prior to v1.23.
 	// - Warn: This will send a warning via the standard warning response
 	// header for each unknown field that is dropped from the object, and
 	// for each duplicate field that is encountered. The request will
 	// still succeed if there are no other errors, and will only persist
 	// the last of any duplicate fields. This is the default in v1.23+
 	// - Strict: This will fail the request with a BadRequest error if
 	// any unknown fields would be dropped from the object, or if any
 	// duplicate fields are present. The error returned from the server
 	// will contain all unknown and duplicate fields encountered.
 	// +optional
 	fieldValidation?: string @go(FieldValidation) @protobuf(4,bytes)
 }
 // ApplyOptions may be provided when applying an API object.
 // FieldManager is required for apply requests.
 // ApplyOptions is equivalent to PatchOptions. It is provided as a convenience with documentation
 // that speaks specifically to how the options fields relate to apply.
 #ApplyOptions: {
 	#TypeMeta
 	// When present, indicates that modifications should not be
 	// persisted. An invalid or unrecognized dryRun directive will
 	// result in an error response and no further processing of the
 	// request. Valid values are:
 	// - All: all dry run stages will be processed
 	// +optional
 	dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep)
 	// Force is going to "force" Apply requests. It means user will
 	// re-acquire conflicting fields owned by other people.
 	force: bool @go(Force) @protobuf(2,varint,opt)
 	// fieldManager is a name associated with the actor or entity
 	// that is making these changes. The value must be less than or
 	// 128 characters long, and only contain printable characters,
 	// as defined by https://golang.org/pkg/unicode/#IsPrint. This
 	// field is required.
 	fieldManager: string @go(FieldManager) @protobuf(3,bytes)
 }
 // UpdateOptions may be provided when updating an API object.
 // All fields in UpdateOptions should also be present in PatchOptions.
 #UpdateOptions: {
 	#TypeMeta
 	// When present, indicates that modifications should not be
 	// persisted. An invalid or unrecognized dryRun directive will
 	// result in an error response and no further processing of the
 	// request. Valid values are:
 	// - All: all dry run stages will be processed
 	// +optional
 	dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep)
 	// fieldManager is a name associated with the actor or entity
 	// that is making these changes. The value must be less than or
 	// 128 characters long, and only contain printable characters,
 	// as defined by https://golang.org/pkg/unicode/#IsPrint.
 	// +optional
 	fieldManager?: string @go(FieldManager) @protobuf(2,bytes)
 	// fieldValidation instructs the server on how to handle
 	// objects in the request (POST/PUT/PATCH) containing unknown
 	// or duplicate fields. Valid values are:
 	// - Ignore: This will ignore any unknown fields that are silently
 	// dropped from the object, and will ignore all but the last duplicate
 	// field that the decoder encounters. This is the default behavior
 	// prior to v1.23.
 	// - Warn: This will send a warning via the standard warning response
 	// header for each unknown field that is dropped from the object, and
 	// for each duplicate field that is encountered. The request will
 	// still succeed if there are no other errors, and will only persist
 	// the last of any duplicate fields. This is the default in v1.23+
 	// - Strict: This will fail the request with a BadRequest error if
 	// any unknown fields would be dropped from the object, or if any
 	// duplicate fields are present. The error returned from the server
 	// will contain all unknown and duplicate fields encountered.
 	// +optional
 	fieldValidation?: string @go(FieldValidation) @protobuf(3,bytes)
 }
 // Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.
 #Preconditions: {
 	// Specifies the target UID.
 	// +optional
 	uid?: null | types.#UID @go(UID,*types.UID) @protobuf(1,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID)
 	// Specifies the target ResourceVersion
 	// +optional
 	resourceVersion?: null | string @go(ResourceVersion,*string) @protobuf(2,bytes,opt)
 }
 // Status is a return value for calls that don't return other objects.
 #Status: {
 	#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// Status of the operation.
 	// One of: "Success" or "Failure".
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 	// +optional
 	status?: string @go(Status) @protobuf(2,bytes,opt)
 	// A human-readable description of the status of this operation.
 	// +optional
 	message?: string @go(Message) @protobuf(3,bytes,opt)
 	// A machine-readable description of why this operation is in the
 	// "Failure" status. If this value is empty there
 	// is no information available. A Reason clarifies an HTTP status
 	// code but does not override it.
 	// +optional
 	reason?: #StatusReason @go(Reason) @protobuf(4,bytes,opt,casttype=StatusReason)
 	// Extended data associated with the reason.  Each reason may define its
 	// own extended details. This field is optional and the data returned
 	// is not guaranteed to conform to any schema except that defined by
 	// the reason type.
 	// +optional
 	details?: null | #StatusDetails @go(Details,*StatusDetails) @protobuf(5,bytes,opt)
 	// Suggested HTTP return code for this status, 0 if not set.
 	// +optional
 	code?: int32 @go(Code) @protobuf(6,varint,opt)
 }
 // StatusDetails is a set of additional properties that MAY be set by the
 // server to provide additional information about a response. The Reason
 // field of a Status object defines what attributes will be set. Clients
 // must ignore fields that do not match the defined type of each attribute,
 // and should assume that any attribute may be empty, invalid, or under
 // defined.
 #StatusDetails: {
 	// The name attribute of the resource associated with the status StatusReason
 	// (when there is a single name which can be described).
 	// +optional
 	name?: string @go(Name) @protobuf(1,bytes,opt)
 	// The group attribute of the resource associated with the status StatusReason.
 	// +optional
 	group?: string @go(Group) @protobuf(2,bytes,opt)
 	// The kind attribute of the resource associated with the status StatusReason.
 	// On some operations may differ from the requested resource Kind.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	kind?: string @go(Kind) @protobuf(3,bytes,opt)
 	// UID of the resource.
 	// (when there is a single resource which can be described).
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
 	// +optional
 	uid?: types.#UID @go(UID) @protobuf(6,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID)
 	// The Causes array includes more details associated with the StatusReason
 	// failure. Not all StatusReasons may provide detailed causes.
 	// +optional
 	causes?: [...#StatusCause] @go(Causes,[]StatusCause) @protobuf(4,bytes,rep)
 	// If specified, the time in seconds before the operation should be retried. Some errors may indicate
 	// the client must take an alternate action - for those errors this field may indicate how long to wait
 	// before taking the alternate action.
 	// +optional
 	retryAfterSeconds?: int32 @go(RetryAfterSeconds) @protobuf(5,varint,opt)
 }
 #StatusSuccess: "Success"
 #StatusFailure: "Failure"
 // StatusReason is an enumeration of possible failure causes.  Each StatusReason
 // must map to a single HTTP status code, but multiple reasons may map
 // to the same HTTP status code.
 // TODO: move to apiserver
 #StatusReason: string // #enumStatusReason
 #enumStatusReason:
 	#StatusReasonUnknown |
 	#StatusReasonUnauthorized |
 	#StatusReasonForbidden |
 	#StatusReasonNotFound |
 	#StatusReasonAlreadyExists |
 	#StatusReasonConflict |
 	#StatusReasonGone |
 	#StatusReasonInvalid |
 	#StatusReasonServerTimeout |
 	#StatusReasonTimeout |
 	#StatusReasonTooManyRequests |
 	#StatusReasonBadRequest |
 	#StatusReasonMethodNotAllowed |
 	#StatusReasonNotAcceptable |
 	#StatusReasonRequestEntityTooLarge |
 	#StatusReasonUnsupportedMediaType |
 	#StatusReasonInternalError |
 	#StatusReasonExpired |
 	#StatusReasonServiceUnavailable
 // StatusReasonUnknown means the server has declined to indicate a specific reason.
 // The details field may contain other information about this error.
 // Status code 500.
 #StatusReasonUnknown: #StatusReason & ""
 // StatusReasonUnauthorized means the server can be reached and understood the request, but requires
 // the user to present appropriate authorization credentials (identified by the WWW-Authenticate header)
 // in order for the action to be completed. If the user has specified credentials on the request, the
 // server considers them insufficient.
 // Status code 401
 #StatusReasonUnauthorized: #StatusReason & "Unauthorized"
 // StatusReasonForbidden means the server can be reached and understood the request, but refuses
 // to take any further action.  It is the result of the server being configured to deny access for some reason
 // to the requested resource by the client.
 // Details (optional):
 //   "kind" string - the kind attribute of the forbidden resource
 //                   on some operations may differ from the requested
 //                   resource.
 //   "id"   string - the identifier of the forbidden resource
 // Status code 403
 #StatusReasonForbidden: #StatusReason & "Forbidden"
 // StatusReasonNotFound means one or more resources required for this operation
 // could not be found.
 // Details (optional):
 //   "kind" string - the kind attribute of the missing resource
 //                   on some operations may differ from the requested
 //                   resource.
 //   "id"   string - the identifier of the missing resource
 // Status code 404
 #StatusReasonNotFound: #StatusReason & "NotFound"
 // StatusReasonAlreadyExists means the resource you are creating already exists.
 // Details (optional):
 //   "kind" string - the kind attribute of the conflicting resource
 //   "id"   string - the identifier of the conflicting resource
 // Status code 409
 #StatusReasonAlreadyExists: #StatusReason & "AlreadyExists"
 // StatusReasonConflict means the requested operation cannot be completed
 // due to a conflict in the operation. The client may need to alter the
 // request. Each resource may define custom details that indicate the
 // nature of the conflict.
 // Status code 409
 #StatusReasonConflict: #StatusReason & "Conflict"
 // StatusReasonGone means the item is no longer available at the server and no
 // forwarding address is known.
 // Status code 410
 #StatusReasonGone: #StatusReason & "Gone"
 // StatusReasonInvalid means the requested create or update operation cannot be
 // completed due to invalid data provided as part of the request. The client may
 // need to alter the request. When set, the client may use the StatusDetails
 // message field as a summary of the issues encountered.
 // Details (optional):
 //   "kind" string - the kind attribute of the invalid resource
 //   "id"   string - the identifier of the invalid resource
 //   "causes"      - one or more StatusCause entries indicating the data in the
 //                   provided resource that was invalid.  The code, message, and
 //                   field attributes will be set.
 // Status code 422
 #StatusReasonInvalid: #StatusReason & "Invalid"
 // StatusReasonServerTimeout means the server can be reached and understood the request,
 // but cannot complete the action in a reasonable time. The client should retry the request.
 // This is may be due to temporary server load or a transient communication issue with
 // another server. Status code 500 is used because the HTTP spec provides no suitable
 // server-requested client retry and the 5xx class represents actionable errors.
 // Details (optional):
 //   "kind" string - the kind attribute of the resource being acted on.
 //   "id"   string - the operation that is being attempted.
 //   "retryAfterSeconds" int32 - the number of seconds before the operation should be retried
 // Status code 500
 #StatusReasonServerTimeout: #StatusReason & "ServerTimeout"
 // StatusReasonTimeout means that the request could not be completed within the given time.
 // Clients can get this response only when they specified a timeout param in the request,
 // or if the server cannot complete the operation within a reasonable amount of time.
 // The request might succeed with an increased value of timeout param. The client *should*
 // wait at least the number of seconds specified by the retryAfterSeconds field.
 // Details (optional):
 //   "retryAfterSeconds" int32 - the number of seconds before the operation should be retried
 // Status code 504
 #StatusReasonTimeout: #StatusReason & "Timeout"
 // StatusReasonTooManyRequests means the server experienced too many requests within a
 // given window and that the client must wait to perform the action again. A client may
 // always retry the request that led to this error, although the client should wait at least
 // the number of seconds specified by the retryAfterSeconds field.
 // Details (optional):
 //   "retryAfterSeconds" int32 - the number of seconds before the operation should be retried
 // Status code 429
 #StatusReasonTooManyRequests: #StatusReason & "TooManyRequests"
 // StatusReasonBadRequest means that the request itself was invalid, because the request
 // doesn't make any sense, for example deleting a read-only object.  This is different than
 // StatusReasonInvalid above which indicates that the API call could possibly succeed, but the
 // data was invalid.  API calls that return BadRequest can never succeed.
 // Status code 400
 #StatusReasonBadRequest: #StatusReason & "BadRequest"
 // StatusReasonMethodNotAllowed means that the action the client attempted to perform on the
 // resource was not supported by the code - for instance, attempting to delete a resource that
 // can only be created. API calls that return MethodNotAllowed can never succeed.
 // Status code 405
 #StatusReasonMethodNotAllowed: #StatusReason & "MethodNotAllowed"
 // StatusReasonNotAcceptable means that the accept types indicated by the client were not acceptable
 // to the server - for instance, attempting to receive protobuf for a resource that supports only json and yaml.
 // API calls that return NotAcceptable can never succeed.
 // Status code 406
 #StatusReasonNotAcceptable: #StatusReason & "NotAcceptable"
 // StatusReasonRequestEntityTooLarge means that the request entity is too large.
 // Status code 413
 #StatusReasonRequestEntityTooLarge: #StatusReason & "RequestEntityTooLarge"
 // StatusReasonUnsupportedMediaType means that the content type sent by the client is not acceptable
 // to the server - for instance, attempting to send protobuf for a resource that supports only json and yaml.
 // API calls that return UnsupportedMediaType can never succeed.
 // Status code 415
 #StatusReasonUnsupportedMediaType: #StatusReason & "UnsupportedMediaType"
 // StatusReasonInternalError indicates that an internal error occurred, it is unexpected
 // and the outcome of the call is unknown.
 // Details (optional):
 //   "causes" - The original error
 // Status code 500
 #StatusReasonInternalError: #StatusReason & "InternalError"
 // StatusReasonExpired indicates that the request is invalid because the content you are requesting
 // has expired and is no longer available. It is typically associated with watches that can't be
 // serviced.
 // Status code 410 (gone)
 #StatusReasonExpired: #StatusReason & "Expired"
 // StatusReasonServiceUnavailable means that the request itself was valid,
 // but the requested service is unavailable at this time.
 // Retrying the request after some time might succeed.
 // Status code 503
 #StatusReasonServiceUnavailable: #StatusReason & "ServiceUnavailable"
 // StatusCause provides more information about an api.Status failure, including
 // cases when multiple errors are encountered.
 #StatusCause: {
 	// A machine-readable description of the cause of the error. If this value is
 	// empty there is no information available.
 	// +optional
 	reason?: #CauseType @go(Type) @protobuf(1,bytes,opt,casttype=CauseType)
 	// A human-readable description of the cause of the error.  This field may be
 	// presented as-is to a reader.
 	// +optional
 	message?: string @go(Message) @protobuf(2,bytes,opt)
 	// The field of the resource that has caused this error, as named by its JSON
 	// serialization. May include dot and postfix notation for nested attributes.
 	// Arrays are zero-indexed.  Fields may appear more than once in an array of
 	// causes due to fields having multiple errors.
 	// Optional.
 	//
 	// Examples:
 	//   "name" - the field "name" on the current resource
 	//   "items[0].name" - the field "name" on the first array entry in "items"
 	// +optional
 	field?: string @go(Field) @protobuf(3,bytes,opt)
 }
 // CauseType is a machine readable value providing more detail about what
 // occurred in a status response. An operation may have multiple causes for a
 // status (whether Failure or Success).
 #CauseType: string // #enumCauseType
 #enumCauseType:
 	#CauseTypeFieldValueNotFound |
 	#CauseTypeFieldValueRequired |
 	#CauseTypeFieldValueDuplicate |
 	#CauseTypeFieldValueInvalid |
 	#CauseTypeFieldValueNotSupported |
 	#CauseTypeForbidden |
 	#CauseTypeTooLong |
 	#CauseTypeTooMany |
 	#CauseTypeInternal |
 	#CauseTypeTypeInvalid |
 	#CauseTypeUnexpectedServerResponse |
 	#CauseTypeFieldManagerConflict |
 	#CauseTypeResourceVersionTooLarge
 // CauseTypeFieldValueNotFound is used to report failure to find a requested value
 // (e.g. looking up an ID).
 #CauseTypeFieldValueNotFound: #CauseType & "FieldValueNotFound"
 // CauseTypeFieldValueRequired is used to report required values that are not
 // provided (e.g. empty strings, null values, or empty arrays).
 #CauseTypeFieldValueRequired: #CauseType & "FieldValueRequired"
 // CauseTypeFieldValueDuplicate is used to report collisions of values that must be
 // unique (e.g. unique IDs).
 #CauseTypeFieldValueDuplicate: #CauseType & "FieldValueDuplicate"
 // CauseTypeFieldValueInvalid is used to report malformed values (e.g. failed regex
 // match).
 #CauseTypeFieldValueInvalid: #CauseType & "FieldValueInvalid"
 // CauseTypeFieldValueNotSupported is used to report valid (as per formatting rules)
 // values that can not be handled (e.g. an enumerated string).
 #CauseTypeFieldValueNotSupported: #CauseType & "FieldValueNotSupported"
 // CauseTypeForbidden is used to report valid (as per formatting rules)
 // values which would be accepted under some conditions, but which are not
 // permitted by the current conditions (such as security policy).  See
 // Forbidden().
 #CauseTypeForbidden: #CauseType & "FieldValueForbidden"
 // CauseTypeTooLong is used to report that the given value is too long.
 // This is similar to ErrorTypeInvalid, but the error will not include the
 // too-long value.  See TooLong().
 #CauseTypeTooLong: #CauseType & "FieldValueTooLong"
 // CauseTypeTooMany is used to report "too many". This is used to
 // report that a given list has too many items. This is similar to FieldValueTooLong,
 // but the error indicates quantity instead of length.
 #CauseTypeTooMany: #CauseType & "FieldValueTooMany"
 // CauseTypeInternal is used to report other errors that are not related
 // to user input.  See InternalError().
 #CauseTypeInternal: #CauseType & "InternalError"
 // CauseTypeTypeInvalid is for the value did not match the schema type for that field
 #CauseTypeTypeInvalid: #CauseType & "FieldValueTypeInvalid"
 // CauseTypeUnexpectedServerResponse is used to report when the server responded to the client
 // without the expected return type. The presence of this cause indicates the error may be
 // due to an intervening proxy or the server software malfunctioning.
 #CauseTypeUnexpectedServerResponse: #CauseType & "UnexpectedServerResponse"
 // FieldManagerConflict is used to report when another client claims to manage this field,
 // It should only be returned for a request using server-side apply.
 #CauseTypeFieldManagerConflict: #CauseType & "FieldManagerConflict"
 // CauseTypeResourceVersionTooLarge is used to report that the requested resource version
 // is newer than the data observed by the API server, so the request cannot be served.
 #CauseTypeResourceVersionTooLarge: #CauseType & "ResourceVersionTooLarge"
 // List holds a list of objects, which may not be known by the server.
 #List: {
 	#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// List of objects
 	items: [...runtime.#RawExtension] @go(Items,[]runtime.RawExtension) @protobuf(2,bytes,rep)
 }
 // APIVersions lists the versions that are available, to allow clients to
 // discover the API at /api, which is the root path of the legacy v1 API.
 //
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 #APIVersions: {
 	#TypeMeta
 	// versions are the api versions that are available.
 	versions: [...string] @go(Versions,[]string) @protobuf(1,bytes,rep)
 	// a map of client CIDR to server address that is serving this group.
 	// This is to help clients reach servers in the most network-efficient way possible.
 	// Clients can use the appropriate server address as per the CIDR that they match.
 	// In case of multiple matches, clients should use the longest matching CIDR.
 	// The server returns only those CIDRs that it thinks that the client can match.
 	// For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP.
 	// Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.
 	serverAddressByClientCIDRs: [...#ServerAddressByClientCIDR] @go(ServerAddressByClientCIDRs,[]ServerAddressByClientCIDR) @protobuf(2,bytes,rep)
 }
 // APIGroupList is a list of APIGroup, to allow clients to discover the API at
 // /apis.
 #APIGroupList: {
 	#TypeMeta
 	// groups is a list of APIGroup.
 	groups: [...#APIGroup] @go(Groups,[]APIGroup) @protobuf(1,bytes,rep)
 }
 // APIGroup contains the name, the supported versions, and the preferred version
 // of a group.
 #APIGroup: {
 	#TypeMeta
 	// name is the name of the group.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// versions are the versions supported in this group.
 	versions: [...#GroupVersionForDiscovery] @go(Versions,[]GroupVersionForDiscovery) @protobuf(2,bytes,rep)
 	// preferredVersion is the version preferred by the API server, which
 	// probably is the storage version.
 	// +optional
 	preferredVersion?: #GroupVersionForDiscovery @go(PreferredVersion) @protobuf(3,bytes,opt)
 	// a map of client CIDR to server address that is serving this group.
 	// This is to help clients reach servers in the most network-efficient way possible.
 	// Clients can use the appropriate server address as per the CIDR that they match.
 	// In case of multiple matches, clients should use the longest matching CIDR.
 	// The server returns only those CIDRs that it thinks that the client can match.
 	// For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP.
 	// Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.
 	// +optional
 	serverAddressByClientCIDRs?: [...#ServerAddressByClientCIDR] @go(ServerAddressByClientCIDRs,[]ServerAddressByClientCIDR) @protobuf(4,bytes,rep)
 }
 // ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match.
 #ServerAddressByClientCIDR: {
 	// The CIDR with which clients can match their IP to figure out the server address that they should use.
 	clientCIDR: string @go(ClientCIDR) @protobuf(1,bytes,opt)
 	// Address of this server, suitable for a client that matches the above CIDR.
 	// This can be a hostname, hostname:port, IP or IP:port.
 	serverAddress: string @go(ServerAddress) @protobuf(2,bytes,opt)
 }
 // GroupVersion contains the "group/version" and "version" string of a version.
 // It is made a struct to keep extensibility.
 #GroupVersionForDiscovery: {
 	// groupVersion specifies the API group and version in the form "group/version"
 	groupVersion: string @go(GroupVersion) @protobuf(1,bytes,opt)
 	// version specifies the version in the form of "version". This is to save
 	// the clients the trouble of splitting the GroupVersion.
 	version: string @go(Version) @protobuf(2,bytes,opt)
 }
 // APIResource specifies the name of a resource and whether it is namespaced.
 #APIResource: {
 	// name is the plural name of the resource.
 	name: string @go(Name) @protobuf(1,bytes,opt)
 	// singularName is the singular name of the resource.  This allows clients to handle plural and singular opaquely.
 	// The singularName is more correct for reporting status on a single item and both singular and plural are allowed
 	// from the kubectl CLI interface.
 	singularName: string @go(SingularName) @protobuf(6,bytes,opt)
 	// namespaced indicates if a resource is namespaced or not.
 	namespaced: bool @go(Namespaced) @protobuf(2,varint,opt)
 	// group is the preferred group of the resource.  Empty implies the group of the containing resource list.
 	// For subresources, this may have a different value, for example: Scale".
 	group?: string @go(Group) @protobuf(8,bytes,opt)
 	// version is the preferred version of the resource.  Empty implies the version of the containing resource list
 	// For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
 	version?: string @go(Version) @protobuf(9,bytes,opt)
 	// kind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')
 	kind: string @go(Kind) @protobuf(3,bytes,opt)
 	// verbs is a list of supported kube verbs (this includes get, list, watch, create,
 	// update, patch, delete, deletecollection, and proxy)
 	verbs: #Verbs @go(Verbs) @protobuf(4,bytes,opt)
 	// shortNames is a list of suggested short names of the resource.
 	shortNames?: [...string] @go(ShortNames,[]string) @protobuf(5,bytes,rep)
 	// categories is a list of the grouped resources this resource belongs to (e.g. 'all')
 	categories?: [...string] @go(Categories,[]string) @protobuf(7,bytes,rep)
 	// The hash value of the storage version, the version this resource is
 	// converted to when written to the data store. Value must be treated
 	// as opaque by clients. Only equality comparison on the value is valid.
 	// This is an alpha feature and may change or be removed in the future.
 	// The field is populated by the apiserver only if the
 	// StorageVersionHash feature gate is enabled.
 	// This field will remain optional even if it graduates.
 	// +optional
 	storageVersionHash?: string @go(StorageVersionHash) @protobuf(10,bytes,opt)
 }
 // Verbs masks the value so protobuf can generate
 //
 // +protobuf.nullable=true
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 #Verbs: [...string]
 // APIResourceList is a list of APIResource, it is used to expose the name of the
 // resources supported in a specific group and version, and if the resource
 // is namespaced.
 #APIResourceList: {
 	#TypeMeta
 	// groupVersion is the group and version this APIResourceList is for.
 	groupVersion: string @go(GroupVersion) @protobuf(1,bytes,opt)
 	// resources contains the name of the resources and if they are namespaced.
 	resources: [...#APIResource] @go(APIResources,[]APIResource) @protobuf(2,bytes,rep)
 }
 // RootPaths lists the paths available at root.
 // For example: "/healthz", "/apis".
 #RootPaths: {
 	// paths are the paths available at root.
 	paths: [...string] @go(Paths,[]string) @protobuf(1,bytes,rep)
 }
 // Patch is provided to give a concrete name and type to the Kubernetes PATCH request body.
 #Patch: {
 }
 // A label selector is a label query over a set of resources. The result of matchLabels and
 // matchExpressions are ANDed. An empty label selector matches all objects. A null
 // label selector matches no objects.
 // +structType=atomic
 #LabelSelector: {
 	// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
 	// map is equivalent to an element of matchExpressions, whose key field is "key", the
 	// operator is "In", and the values array contains only "value". The requirements are ANDed.
 	// +optional
 	matchLabels?: {[string]: string} @go(MatchLabels,map[string]string) @protobuf(1,bytes,rep)
 	// matchExpressions is a list of label selector requirements. The requirements are ANDed.
 	// +optional
 	matchExpressions?: [...#LabelSelectorRequirement] @go(MatchExpressions,[]LabelSelectorRequirement) @protobuf(2,bytes,rep)
 }
 // A label selector requirement is a selector that contains values, a key, and an operator that
 // relates the key and values.
 #LabelSelectorRequirement: {
 	// key is the label key that the selector applies to.
 	key: string @go(Key) @protobuf(1,bytes,opt)
 	// operator represents a key's relationship to a set of values.
 	// Valid operators are In, NotIn, Exists and DoesNotExist.
 	operator: #LabelSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=LabelSelectorOperator)
 	// values is an array of string values. If the operator is In or NotIn,
 	// the values array must be non-empty. If the operator is Exists or DoesNotExist,
 	// the values array must be empty. This array is replaced during a strategic
 	// merge patch.
 	// +optional
 	values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep)
 }
 // A label selector operator is the set of operators that can be used in a selector requirement.
 #LabelSelectorOperator: string // #enumLabelSelectorOperator
 #enumLabelSelectorOperator:
 	#LabelSelectorOpIn |
 	#LabelSelectorOpNotIn |
 	#LabelSelectorOpExists |
 	#LabelSelectorOpDoesNotExist
 #LabelSelectorOpIn:           #LabelSelectorOperator & "In"
 #LabelSelectorOpNotIn:        #LabelSelectorOperator & "NotIn"
 #LabelSelectorOpExists:       #LabelSelectorOperator & "Exists"
 #LabelSelectorOpDoesNotExist: #LabelSelectorOperator & "DoesNotExist"
 // ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource
 // that the fieldset applies to.
 #ManagedFieldsEntry: {
 	// Manager is an identifier of the workflow managing these fields.
 	manager?: string @go(Manager) @protobuf(1,bytes,opt)
 	// Operation is the type of operation which lead to this ManagedFieldsEntry being created.
 	// The only valid values for this field are 'Apply' and 'Update'.
 	operation?: #ManagedFieldsOperationType @go(Operation) @protobuf(2,bytes,opt,casttype=ManagedFieldsOperationType)
 	// APIVersion defines the version of this resource that this field set
 	// applies to. The format is "group/version" just like the top-level
 	// APIVersion field. It is necessary to track the version of a field
 	// set because it cannot be automatically converted.
 	apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt)
 	// Time is the timestamp of when the ManagedFields entry was added. The
 	// timestamp will also be updated if a field is added, the manager
 	// changes any of the owned fields value or removes a field. The
 	// timestamp does not update when a field is removed from the entry
 	// because another manager took it over.
 	// +optional
 	time?: null | #Time @go(Time,*Time) @protobuf(4,bytes,opt)
 	// FieldsType is the discriminator for the different fields format and version.
 	// There is currently only one possible value: "FieldsV1"
 	fieldsType?: string @go(FieldsType) @protobuf(6,bytes,opt)
 	// FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
 	// +optional
 	fieldsV1?: null | #FieldsV1 @go(FieldsV1,*FieldsV1) @protobuf(7,bytes,opt)
 	// Subresource is the name of the subresource used to update that object, or
 	// empty string if the object was updated through the main resource. The
 	// value of this field is used to distinguish between managers, even if they
 	// share the same name. For example, a status update will be distinct from a
 	// regular update using the same manager name.
 	// Note that the APIVersion field is not related to the Subresource field and
 	// it always corresponds to the version of the main resource.
 	subresource?: string @go(Subresource) @protobuf(8,bytes,opt)
 }
 // ManagedFieldsOperationType is the type of operation which lead to a ManagedFieldsEntry being created.
 #ManagedFieldsOperationType: string // #enumManagedFieldsOperationType
 #enumManagedFieldsOperationType:
 	#ManagedFieldsOperationApply |
 	#ManagedFieldsOperationUpdate
 #ManagedFieldsOperationApply:  #ManagedFieldsOperationType & "Apply"
 #ManagedFieldsOperationUpdate: #ManagedFieldsOperationType & "Update"
 // FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.
 //
 // Each key is either a '.' representing the field itself, and will always map to an empty set,
 // or a string representing a sub-field or item. The string will follow one of these four formats:
 // 'f:<name>', where <name> is the name of a field in a struct, or key in a map
 // 'v:<value>', where <value> is the exact json formatted value of a list item
 // 'i:<index>', where <index> is position of a item in a list
 // 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values
 // If a key maps to an empty Fields value, the field that key represents is part of the set.
 //
 // The exact format is defined in sigs.k8s.io/structured-merge-diff
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 #FieldsV1: _
 // Table is a tabular representation of a set of API resources. The server transforms the
 // object into a set of preferred columns for quickly reviewing the objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +protobuf=false
 #Table: {
 	#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: #ListMeta @go(ListMeta)
 	// columnDefinitions describes each column in the returned items array. The number of cells per row
 	// will always match the number of column definitions.
 	columnDefinitions: [...#TableColumnDefinition] @go(ColumnDefinitions,[]TableColumnDefinition)
 	// rows is the list of items in the table.
 	rows: [...#TableRow] @go(Rows,[]TableRow)
 }
 // TableColumnDefinition contains information about a column returned in the Table.
 // +protobuf=false
 #TableColumnDefinition: {
 	// name is a human readable name for the column.
 	name: string @go(Name)
 	// type is an OpenAPI type definition for this column, such as number, integer, string, or
 	// array.
 	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more.
 	type: string @go(Type)
 	// format is an optional OpenAPI type modifier for this column. A format modifies the type and
 	// imposes additional rules, like date or time formatting for a string. The 'name' format is applied
 	// to the primary identifier column which has type 'string' to assist in clients identifying column
 	// is the resource name.
 	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more.
 	format: string @go(Format)
 	// description is a human readable description of this column.
 	description: string @go(Description)
 	// priority is an integer defining the relative importance of this column compared to others. Lower
 	// numbers are considered higher priority. Columns that may be omitted in limited space scenarios
 	// should be given a higher priority.
 	priority: int32 @go(Priority)
 }
 // TableRow is an individual row in a table.
 // +protobuf=false
 #TableRow: {
 	// cells will be as wide as the column definitions array and may contain strings, numbers (float64 or
 	// int64), booleans, simple maps, lists, or null. See the type field of the column definition for a
 	// more detailed description.
 	cells: [...] @go(Cells,[]interface{})
 	// conditions describe additional status of a row that are relevant for a human user. These conditions
 	// apply to the row, not to the object, and will be specific to table output. The only defined
 	// condition type is 'Completed', for a row that indicates a resource that has run to completion and
 	// can be given less visual priority.
 	// +optional
 	conditions?: [...#TableRowCondition] @go(Conditions,[]TableRowCondition)
 	// This field contains the requested additional information about each object based on the includeObject
 	// policy when requesting the Table. If "None", this field is empty, if "Object" this will be the
 	// default serialization of the object for the current API version, and if "Metadata" (the default) will
 	// contain the object metadata. Check the returned kind and apiVersion of the object before parsing.
 	// The media type of the object will always match the enclosing list - if this as a JSON table, these
 	// will be JSON encoded objects.
 	// +optional
 	object?: runtime.#RawExtension @go(Object)
 }
 // TableRowCondition allows a row to be marked with additional information.
 // +protobuf=false
 #TableRowCondition: {
 	// Type of row condition. The only defined value is 'Completed' indicating that the
 	// object this row represents has reached a completed state and may be given less visual
 	// priority than other rows. Clients are not required to honor any conditions but should
 	// be consistent where possible about handling the conditions.
 	type: #RowConditionType @go(Type)
 	// Status of the condition, one of True, False, Unknown.
 	status: #ConditionStatus @go(Status)
 	// (brief) machine readable reason for the condition's last transition.
 	// +optional
 	reason?: string @go(Reason)
 	// Human readable message indicating details about last transition.
 	// +optional
 	message?: string @go(Message)
 }
 #RowConditionType: string // #enumRowConditionType
 #enumRowConditionType:
 	#RowCompleted
 // RowCompleted means the underlying resource has reached completion and may be given less
 // visual priority than other resources.
 #RowCompleted: #RowConditionType & "Completed"
 #ConditionStatus: string // #enumConditionStatus
 #enumConditionStatus:
 	#ConditionTrue |
 	#ConditionFalse |
 	#ConditionUnknown
 #ConditionTrue:    #ConditionStatus & "True"
 #ConditionFalse:   #ConditionStatus & "False"
 #ConditionUnknown: #ConditionStatus & "Unknown"
 // IncludeObjectPolicy controls which portion of the object is returned with a Table.
 #IncludeObjectPolicy: string // #enumIncludeObjectPolicy
 #enumIncludeObjectPolicy:
 	#IncludeNone |
 	#IncludeMetadata |
 	#IncludeObject
 // IncludeNone returns no object.
 #IncludeNone: #IncludeObjectPolicy & "None"
 // IncludeMetadata serializes the object containing only its metadata field.
 #IncludeMetadata: #IncludeObjectPolicy & "Metadata"
 // IncludeObject contains the full object.
 #IncludeObject: #IncludeObjectPolicy & "Object"
 // TableOptions are used when a Table is requested by the caller.
 // +k8s:conversion-gen:explicit-from=net/url.Values
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 #TableOptions: {
 	#TypeMeta
 	// includeObject decides whether to include each object along with its columnar information.
 	// Specifying "None" will return no object, specifying "Object" will return the full object contents, and
 	// specifying "Metadata" (the default) will return the object's metadata in the PartialObjectMetadata kind
 	// in version v1beta1 of the meta.k8s.io API group.
 	includeObject?: #IncludeObjectPolicy @go(IncludeObject) @protobuf(1,bytes,opt,casttype=IncludeObjectPolicy)
 }
 // PartialObjectMetadata is a generic representation of any object with ObjectMeta. It allows clients
 // to get access to a particular ObjectMeta schema without knowing the details of the version.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 #PartialObjectMetadata: {
 	#TypeMeta
 	// Standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
 	metadata?: #ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
 }
 // PartialObjectMetadataList contains a list of objects containing only their metadata
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 #PartialObjectMetadataList: {
 	#TypeMeta
 	// Standard list metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 	// +optional
 	metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
 	// items contains each of the included items.
 	items: [...#PartialObjectMetadata] @go(Items,[]PartialObjectMetadata) @protobuf(2,bytes,rep)
 }
 // Condition contains details for one aspect of the current state of this API Resource.
 // ---
 // This struct is intended for direct use as an array at the field path .status.conditions.  For example,
 //
 //	type FooStatus struct{
 //	    // Represents the observations of a foo's current state.
 //	    // Known .status.conditions.type are: "Available", "Progressing", and "Degraded"
 //	    // +patchMergeKey=type
 //	    // +patchStrategy=merge
 //	    // +listType=map
 //	    // +listMapKey=type
 //	    Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
 //
 //	    // other fields
 //	}
 #Condition: {
 	// type of condition in CamelCase or in foo.example.com/CamelCase.
 	// ---
 	// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
 	// useful (see .node.status.conditions), the ability to deconflict is important.
 	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
 	// +required
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
 	// +kubebuilder:validation:MaxLength=316
 	type: string @go(Type) @protobuf(1,bytes,opt)
 	// status of the condition, one of True, False, Unknown.
 	// +required
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:Enum=True;False;Unknown
 	status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt)
 	// observedGeneration represents the .metadata.generation that the condition was set based upon.
 	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
 	// with respect to the current state of the instance.
 	// +optional
 	// +kubebuilder:validation:Minimum=0
 	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt)
 	// lastTransitionTime is the last time the condition transitioned from one status to another.
 	// This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
 	// +required
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Format=date-time
 	lastTransitionTime: #Time @go(LastTransitionTime) @protobuf(4,bytes,opt)
 	// reason contains a programmatic identifier indicating the reason for the condition's last transition.
 	// Producers of specific condition types may define expected values and meanings for this field,
 	// and whether the values are considered a guaranteed API.
 	// The value should be a CamelCase string.
 	// This field may not be empty.
 	// +required
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MaxLength=1024
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
 	reason: string @go(Reason) @protobuf(5,bytes,opt)
 	// message is a human readable message indicating details about the transition.
 	// This may be an empty string.
 	// +required
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MaxLength=32768
 	message: string @go(Message) @protobuf(6,bytes,opt)
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue

@@ -0,0 +1,30 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
 package v1
 import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
 )
 // Event represents a single event to a watched resource.
 //
 // +protobuf=true
 // +k8s:deepcopy-gen=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 #WatchEvent: {
 	type: string @go(Type) @protobuf(1,bytes,opt)
 	// Object is:
 	//  * If Type is Added or Modified: the new state of the object.
 	//  * If Type is Deleted: the state of the object immediately before deletion.
 	//  * If Type is Error: *Status is recommended; other types may make sense
 	//    depending on context.
 	object: runtime.#RawExtension @go(Object) @protobuf(2,bytes,opt)
 }
 // InternalEvent makes watch.Event versioned
 // +protobuf=false
 #InternalEvent: watch.#Event

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue

@@ -0,0 +1,10 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 package runtime
 // SimpleAllocator a wrapper around make([]byte)
 // conforms to the MemoryAllocator interface
 #SimpleAllocator: {
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue

@@ -0,0 +1,37 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 package runtime
 // codec binds an encoder and decoder.
 _#codec: {
 	Encoder: #Encoder
 	Decoder: #Decoder
 }
 // NoopEncoder converts an Decoder to a Serializer or Codec for code that expects them but only uses decoding.
 #NoopEncoder: {
 	Decoder: #Decoder
 }
 _#noopEncoderIdentifier: #Identifier & "noop"
 // NoopDecoder converts an Encoder to a Serializer or Codec for code that expects them but only uses encoding.
 #NoopDecoder: {
 	Encoder: #Encoder
 }
 _#base64Serializer: {
 	Encoder: #Encoder
 	Decoder: #Decoder
 }
 _#internalGroupVersionerIdentifier: "internal"
 _#disabledGroupVersionerIdentifier: "disabled"
 _#internalGroupVersioner: {
 }
 _#disabledGroupVersioner: {
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 // Package runtime defines conversions between generic types and structs to map query strings
 // to struct objects.
 package runtime

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue

@@ -0,0 +1,9 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 package runtime
 // UnstructuredConverter is an interface for converting between interface{}
 // and map[string]interface representation.
 #UnstructuredConverter: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue

@@ -0,0 +1,39 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 // Package runtime includes helper functions for working with API objects
 // that follow the kubernetes API object conventions, which are:
 //
 // 0. Your API objects have a common metadata struct member, TypeMeta.
 //
 // 1. Your code refers to an internal set of API objects.
 //
 // 2. In a separate package, you have an external set of API objects.
 //
 // 3. The external set is considered to be versioned, and no breaking
 // changes are ever made to it (fields may be added but not changed
 // or removed).
 //
 // 4. As your api evolves, you'll make an additional versioned package
 // with every major change.
 //
 // 5. Versioned packages have conversion functions which convert to
 // and from the internal version.
 //
 // 6. You'll continue to support older versions according to your
 // deprecation policy, and you can easily provide a program/library
 // to update old versions into new versions because of 5.
 //
 // 7. All of your serializations and deserializations are handled in a
 // centralized place.
 //
 // Package runtime provides a conversion helper to make 5 easy, and the
 // Encode/Decode/DecodeInto trio to accomplish 7. You can also register
 // additional "codecs" which use a version of your choice. It's
 // recommended that you register your types with runtime in your
 // package's init function.
 //
 // As a bonus, a few common types useful from all api objects and versions
 // are provided in types.go.
 package runtime

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 package runtime
 _#encodable: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue

@@ -0,0 +1,23 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 package runtime
 // MultiObjectTyper returns the types of objects across multiple schemes in order.
 #MultiObjectTyper: [...#ObjectTyper]
 _#defaultFramer: {
 }
 // WithVersionEncoder serializes an object and ensures the GVK is set.
 #WithVersionEncoder: {
 	Version:     #GroupVersioner
 	Encoder:     #Encoder
 	ObjectTyper: #ObjectTyper
 }
 // WithoutVersionDecoder clears the group version kind of a deserialized object.
 #WithoutVersionDecoder: {
 	Decoder: #Decoder
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue

@@ -0,0 +1,165 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 package runtime
 // APIVersionInternal may be used if you are registering a type that should not
 // be considered stable or serialized - it is a convention only and has no
 // special behavior in this package.
 #APIVersionInternal: "__internal"
 // GroupVersioner refines a set of possible conversion targets into a single option.
 #GroupVersioner: _
 // Identifier represents an identifier.
 // Identitier of two different objects should be equal if and only if for every
 // input the output they produce is exactly the same.
 #Identifier: string // #enumIdentifier
 #enumIdentifier:
 	_#noopEncoderIdentifier
 // Encoder writes objects to a serialized form
 #Encoder: _
 // MemoryAllocator is responsible for allocating memory.
 // By encapsulating memory allocation into its own interface, we can reuse the memory
 // across many operations in places we know it can significantly improve the performance.
 #MemoryAllocator: _
 // EncoderWithAllocator  serializes objects in a way that allows callers to manage any additional memory allocations.
 #EncoderWithAllocator: _
 // Decoder attempts to load an object from data.
 #Decoder: _
 // Serializer is the core interface for transforming objects into a serialized format and back.
 // Implementations may choose to perform conversion of the object, but no assumptions should be made.
 #Serializer: _
 // Codec is a Serializer that deals with the details of versioning objects. It offers the same
 // interface as Serializer, so this is a marker to consumers that care about the version of the objects
 // they receive.
 #Codec: #Serializer
 // ParameterCodec defines methods for serializing and deserializing API objects to url.Values and
 // performing any necessary conversion. Unlike the normal Codec, query parameters are not self describing
 // and the desired version must be specified.
 #ParameterCodec: _
 // Framer is a factory for creating readers and writers that obey a particular framing pattern.
 #Framer: _
 // SerializerInfo contains information about a specific serialization format
 #SerializerInfo: {
 	// MediaType is the value that represents this serializer over the wire.
 	MediaType: string
 	// MediaTypeType is the first part of the MediaType ("application" in "application/json").
 	MediaTypeType: string
 	// MediaTypeSubType is the second part of the MediaType ("json" in "application/json").
 	MediaTypeSubType: string
 	// EncodesAsText indicates this serializer can be encoded to UTF-8 safely.
 	EncodesAsText: bool
 	// Serializer is the individual object serializer for this media type.
 	Serializer: #Serializer
 	// PrettySerializer, if set, can serialize this object in a form biased towards
 	// readability.
 	PrettySerializer: #Serializer
 	// StrictSerializer, if set, deserializes this object strictly,
 	// erring on unknown fields.
 	StrictSerializer: #Serializer
 	// StreamSerializer, if set, describes the streaming serialization format
 	// for this media type.
 	StreamSerializer?: null | #StreamSerializerInfo @go(,*StreamSerializerInfo)
 }
 // StreamSerializerInfo contains information about a specific stream serialization format
 #StreamSerializerInfo: {
 	// EncodesAsText indicates this serializer can be encoded to UTF-8 safely.
 	EncodesAsText: bool
 	// Serializer is the top level object serializer for this type when streaming
 	Serializer: #Serializer
 	// Framer is the factory for retrieving streams that separate objects on the wire
 	Framer: #Framer
 }
 // NegotiatedSerializer is an interface used for obtaining encoders, decoders, and serializers
 // for multiple supported media types. This would commonly be accepted by a server component
 // that performs HTTP content negotiation to accept multiple formats.
 #NegotiatedSerializer: _
 // ClientNegotiator handles turning an HTTP content type into the appropriate encoder.
 // Use NewClientNegotiator or NewVersionedClientNegotiator to create this interface from
 // a NegotiatedSerializer.
 #ClientNegotiator: _
 // StorageSerializer is an interface used for obtaining encoders, decoders, and serializers
 // that can read and write data at rest. This would commonly be used by client tools that must
 // read files, or server side storage interfaces that persist restful objects.
 #StorageSerializer: _
 // NestedObjectEncoder is an optional interface that objects may implement to be given
 // an opportunity to encode any nested Objects / RawExtensions during serialization.
 #NestedObjectEncoder: _
 // NestedObjectDecoder is an optional interface that objects may implement to be given
 // an opportunity to decode any nested Objects / RawExtensions during serialization.
 // It is possible for DecodeNestedObjects to return a non-nil error but for the decoding
 // to have succeeded in the case of strict decoding errors (e.g. unknown/duplicate fields).
 // As such it is important for callers of DecodeNestedObjects to check to confirm whether
 // an error is a runtime.StrictDecodingError before short circuiting.
 // Similarly, implementations of DecodeNestedObjects should ensure that a runtime.StrictDecodingError
 // is only returned when the rest of decoding has succeeded.
 #NestedObjectDecoder: _
 #ObjectDefaulter: _
 #ObjectVersioner: _
 // ObjectConvertor converts an object to a different version.
 #ObjectConvertor: _
 // ObjectTyper contains methods for extracting the APIVersion and Kind
 // of objects.
 #ObjectTyper: _
 // ObjectCreater contains methods for instantiating an object by kind and version.
 #ObjectCreater: _
 // EquivalentResourceMapper provides information about resources that address the same underlying data as a specified resource
 #EquivalentResourceMapper: _
 // EquivalentResourceRegistry provides an EquivalentResourceMapper interface,
 // and allows registering known resource[/subresource] -> kind
 #EquivalentResourceRegistry: _
 // ResourceVersioner provides methods for setting and retrieving
 // the resource version from an API object.
 #ResourceVersioner: _
 // Namer provides methods for retrieving name and namespace of an API object.
 #Namer: _
 // Object interface must be supported by all API types registered with Scheme. Since objects in a scheme are
 // expected to be serialized to the wire, the interface an Object must provide to the Scheme allows
 // serializers to set the kind, version, and group the object is represented as. An Object may choose
 // to return a no-op ObjectKindAccessor in cases where it is not expected to be serialized.
 #Object: _
 // CacheableObject allows an object to cache its different serializations
 // to avoid performing the same serialization multiple times.
 #CacheableObject: _
 // Unstructured objects store values as map[string]interface{}, with only values that can be serialized
 // to JSON allowed.
 #Unstructured: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue

@@ -0,0 +1,12 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 package runtime
 // NegotiateError is returned when a ClientNegotiator is unable to locate
 // a serializer for the requested operation.
 #NegotiateError: {
 	ContentType: string
 	Stream:      bool
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue

@@ -0,0 +1,12 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 package runtime
 // Splice is the interface that wraps the Splice method.
 //
 // Splice moves data from given slice without copying the underlying data for
 // efficiency purpose. Therefore, the caller should make sure the underlying
 // data is not changed later.
 #Splice: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue

@@ -0,0 +1,14 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 package runtime
 // Pair of strings. We keed the name of fields and the doc
 #Pair: {
 	Name: string
 	Doc:  string
 }
 // KubeTypes is an array to represent all available types in a parsed file. [0] is for the type itself
 #KubeTypes: [...#Pair]

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue

@@ -0,0 +1,97 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 package runtime
 // TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type,
 // like this:
 //
 //	type MyAwesomeAPIObject struct {
 //	     runtime.TypeMeta    `json:",inline"`
 //	     ... // other fields
 //	}
 //
 // func (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind
 //
 // TypeMeta is provided here for convenience. You may use it directly from this package or define
 // your own with the same fields.
 //
 // +k8s:deepcopy-gen=false
 // +protobuf=true
 // +k8s:openapi-gen=true
 #TypeMeta: {
 	// +optional
 	apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt)
 	// +optional
 	kind?: string @go(Kind) @protobuf(2,bytes,opt)
 }
 #ContentTypeJSON:     "application/json"
 #ContentTypeYAML:     "application/yaml"
 #ContentTypeProtobuf: "application/vnd.kubernetes.protobuf"
 // RawExtension is used to hold extensions in external versions.
 //
 // To use this, make a field which has RawExtension as its type in your external, versioned
 // struct, and Object in your internal struct. You also need to register your
 // various plugin types.
 //
 // // Internal package:
 //
 //	type MyAPIObject struct {
 //		runtime.TypeMeta `json:",inline"`
 //		MyPlugin runtime.Object `json:"myPlugin"`
 //	}
 //
 //	type PluginA struct {
 //		AOption string `json:"aOption"`
 //	}
 //
 // // External package:
 //
 //	type MyAPIObject struct {
 //		runtime.TypeMeta `json:",inline"`
 //		MyPlugin runtime.RawExtension `json:"myPlugin"`
 //	}
 //
 //	type PluginA struct {
 //		AOption string `json:"aOption"`
 //	}
 //
 // // On the wire, the JSON will look something like this:
 //
 //	{
 //		"kind":"MyAPIObject",
 //		"apiVersion":"v1",
 //		"myPlugin": {
 //			"kind":"PluginA",
 //			"aOption":"foo",
 //		},
 //	}
 //
 // So what happens? Decode first uses json or yaml to unmarshal the serialized data into
 // your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked.
 // The next step is to copy (using pkg/conversion) into the internal struct. The runtime
 // package's DefaultScheme has conversion functions installed which will unpack the
 // JSON stored in RawExtension, turning it into the correct object type, and storing it
 // in the Object. (TODO: In the case where the object is of an unknown type, a
 // runtime.Unknown object will be created and stored.)
 //
 // +k8s:deepcopy-gen=true
 // +protobuf=true
 // +k8s:openapi-gen=true
 #RawExtension: _
 // Unknown allows api objects with unknown types to be passed-through. This can be used
 // to deal with the API objects from a plug-in. Unknown objects still have functioning
 // TypeMeta features-- kind, version, etc.
 // TODO: Make this object have easy access to field based accessors and settors for
 // metadata and field mutatation.
 //
 // +k8s:deepcopy-gen=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +protobuf=true
 // +k8s:openapi-gen=true
 #Unknown: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue

@@ -0,0 +1,9 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/runtime
 package runtime
 #ProtobufMarshaller: _
 #ProtobufReverseMarshaller: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue

@@ -0,0 +1,6 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/types
 // Package types implements various generic types used throughout kubernetes.
 package types

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue

@@ -0,0 +1,12 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/types
 package types
 #NamespacedName: {
 	Namespace: string
 	Name:      string
 }
 #Separator: 47 // '/'

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue

@@ -0,0 +1,31 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/types
 package types
 // NodeName is a type that holds a api.Node's Name identifier.
 // Being a type captures intent and helps make sure that the node name
 // is not confused with similar concepts (the hostname, the cloud provider id,
 // the cloud provider name etc)
 //
 // To clarify the various types:
 //
 //   - Node.Name is the Name field of the Node in the API.  This should be stored in a NodeName.
 //     Unfortunately, because Name is part of ObjectMeta, we can't store it as a NodeName at the API level.
 //
 //   - Hostname is the hostname of the local machine (from uname -n).
 //     However, some components allow the user to pass in a --hostname-override flag,
 //     which will override this in most places. In the absence of anything more meaningful,
 //     kubelet will use Hostname as the Node.Name when it creates the Node.
 //
 // * The cloudproviders have the own names: GCE has InstanceName, AWS has InstanceId.
 //
 //	For GCE, InstanceName is the Name of an Instance object in the GCE API.  On GCE, Instance.Name becomes the
 //	Hostname, and thus it makes sense also to use it as the Node.Name.  But that is GCE specific, and it is up
 //	to the cloudprovider how to do this mapping.
 //
 //	For AWS, the InstanceID is not yet suitable for use as a Node.Name, so we actually use the
 //	PrivateDnsName for the Node.Name.  And this is _not_ always the same as the hostname: if
 //	we are using a custom DHCP domain it won't be.
 #NodeName: string

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue

@@ -0,0 +1,21 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/types
 package types
 // Similarly to above, these are constants to support HTTP PATCH utilized by
 // both the client and server that didn't make sense for a whole package to be
 // dedicated to.
 #PatchType: string // #enumPatchType
 #enumPatchType:
 	#JSONPatchType |
 	#MergePatchType |
 	#StrategicMergePatchType |
 	#ApplyPatchType
 #JSONPatchType:           #PatchType & "application/json-patch+json"
 #MergePatchType:          #PatchType & "application/merge-patch+json"
 #StrategicMergePatchType: #PatchType & "application/strategic-merge-patch+json"
 #ApplyPatchType:          #PatchType & "application/apply-patch+yaml"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue

@@ -0,0 +1,10 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/types
 package types
 // UID is a type that holds unique ID values, including UUIDs.  Because we
 // don't ONLY use UUIDs, this is an alias to string.  Being a type captures
 // intent and helps make sure that UIDs and names do not get conflated.
 #UID: string

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue

@@ -0,0 +1,31 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/util/intstr
 package intstr
 // IntOrString is a type that can hold an int32 or a string.  When used in
 // JSON or YAML marshalling and unmarshalling, it produces or consumes the
 // inner type.  This allows you to have, for example, a JSON field that can
 // accept a name or number.
 // TODO: Rename to Int32OrString
 //
 // +protobuf=true
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 // +k8s:openapi-gen=true
 #IntOrString: _
 // Type represents the stored type of IntOrString.
 #Type: int64 // #enumType
 #enumType:
 	#Int |
 	#String
 #values_Type: {
 	Int:    #Int
 	String: #String
 }
 #Int:    #Type & 0
 #String: #Type & 1

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue

@@ -0,0 +1,7 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/watch
 // Package watch contains a generic watchable interface, and a fake for
 // testing code that uses the watch interface.
 package watch

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue

@@ -0,0 +1,10 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/watch
 package watch
 // Recorder records all events that are sent from the watch until it is closed.
 #Recorder: {
 	Interface: #Interface
 }

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue

@@ -0,0 +1,25 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/watch
 package watch
 // FullChannelBehavior controls how the Broadcaster reacts if a watcher's watch
 // channel is full.
 #FullChannelBehavior: int // #enumFullChannelBehavior
 #enumFullChannelBehavior:
 	#WaitIfChannelFull |
 	#DropIfChannelFull
 #values_FullChannelBehavior: {
 	WaitIfChannelFull: #WaitIfChannelFull
 	DropIfChannelFull: #DropIfChannelFull
 }
 #WaitIfChannelFull: #FullChannelBehavior & 0
 #DropIfChannelFull: #FullChannelBehavior & 1
 _#incomingQueueLength: 25
 _#internalRunFunctionMarker: "internal-do-function"

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue

@@ -0,0 +1,12 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/watch
 package watch
 // Decoder allows StreamWatcher to watch any stream for which a Decoder can be written.
 #Decoder: _
 // Reporter hides the details of how an error is turned into a runtime.Object for
 // reporting on a watch stream since this package may not import a higher level report.
 #Reporter: _

added simulation/modules/radicle-node/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue

@@ -0,0 +1,48 @@

 // Code generated by cue get go. DO NOT EDIT.
 //cue:generate cue get go k8s.io/apimachinery/pkg/watch
 package watch
 import "k8s.io/apimachinery/pkg/runtime"
 // Interface can be implemented by anything that knows how to watch and report changes.
 #Interface: _
 // EventType defines the possible types of events.
 #EventType: string // #enumEventType
 #enumEventType:
 	#Added |
 	#Modified |
 	#Deleted |
 	#Bookmark |
 	#Error
 #Added:    #EventType & "ADDED"
 #Modified: #EventType & "MODIFIED"
 #Deleted:  #EventType & "DELETED"
 #Bookmark: #EventType & "BOOKMARK"
 #Error:    #EventType & "ERROR"
 // Event represents a single event to a watched resource.
 // +k8s:deepcopy-gen=true
 #Event: {
 	Type: #EventType
 	// Object is:
 	//  * If Type is Added or Modified: the new state of the object.
 	//  * If Type is Deleted: the state of the object immediately before deletion.
 	//  * If Type is Bookmark: the object (instance of a type being watched) where
 	//    only ResourceVersion field is set. On successful restart of watch from a
 	//    bookmark resourceVersion, client is guaranteed to not get repeat event
 	//    nor miss any events.
 	//  * If Type is Error: *api.Status is recommended; other types may make sense
 	//    depending on context.
 	Object: runtime.#Object
 }
 // RaceFreeFakeWatcher lets you test anything that consumes a watch.Interface; threadsafe.
 #RaceFreeFakeWatcher: {
 	Stopped: bool
 }

added simulation/modules/radicle-node/cue.mod/module.cue

@@ -0,0 +1,2 @@

+	`module: "timoni.sh/radicle-node"`
+	`language: version: "v0.15.0"`

added simulation/modules/radicle-node/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue

@@ -0,0 +1,26 @@

 // Copyright 2023 Stefan Prodan
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
 // Action holds the list of annotations for controlling
 // Timoni's apply behaviour of Kubernetes resources.
 Action: {
 	// Force annotation for recreating immutable resources such as Kubernetes Jobs.
 	Force: {
 		"action.timoni.sh/force": ActionStatus.Enabled
 	}
 	// One-off annotation for appling resources only if they don't exist on the cluster.
 	Oneoff: {
 		"action.timoni.sh/one-off": ActionStatus.Enabled
 	}
 	// Keep annotation for preventing Timoni's garbage collector from deleting resources.
 	Keep: {
 		"action.timoni.sh/prune": ActionStatus.Disabled
 	}
 }
 ActionStatus: {
 	Enabled:  "enabled"
 	Disabled: "disabled"
 }

added simulation/modules/radicle-node/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue

@@ -0,0 +1,50 @@

 // Copyright 2023 Stefan Prodan
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
 import (
 	"strings"
 )
 // Image defines the schema for OCI image reference used in Kubernetes PodSpec container image.
 #Image: {
 	// Repository is the address of a container registry repository.
 	// An image repository is made up of slash-separated name components, optionally
 	// prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH.
 	repository!: string
 	// Tag identifies an image in the repository.
 	// A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes.
 	// A tag name may not start with a period or a dash and may contain a maximum of 128 characters.
 	tag!: string & strings.MaxRunes(128)
 	// Digest uniquely and immutably identifies an image in the repository.
 	// Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests.
 	digest!: string
 	// PullPolicy defines the pull policy for the image.
 	// By default, it is set to IfNotPresent.
 	pullPolicy: *"IfNotPresent" | "Always" | "Never"
 	// Reference is the image address computed from repository, tag and digest
 	// in the format [REPOSITORY]:[TAG]@[DIGEST].
 	reference: string
 	if digest != "" && tag != "" {
 		reference: "\(repository):\(tag)@\(digest)"
 	}
 	if digest != "" && tag == "" {
 		reference: "\(repository)@\(digest)"
 	}
 	if digest == "" && tag != "" {
 		reference: "\(repository):\(tag)"
 	}
 	if digest == "" && tag == "" {
 		reference: "\(repository):latest"
 	}
 }

added simulation/modules/radicle-node/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue

@@ -0,0 +1,47 @@

 // Copyright 2024 Stefan Prodan
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
 import (
 	"encoding/base64"
 	"strings"
 )
 // ImagePullSecret is a generator for Kubernetes Secrets of type kubernetes.io/dockerconfigjson.
 // Spec: https://kubernetes.io/docs/concepts/configuration/secret/#docker-config-secrets.
 #ImagePullSecret: {
 	// Metadata is the Kubernetes object's metadata generated by Timoni.
 	#Meta!: #Metadata
 	// Registry is the hostname of the container registry in the format [HOST[:PORT_NUMBER]].
 	#Registry!: string
 	// Username is the username used to authenticate to the container registry.
 	#Username!: string
 	// Password is the password used to authenticate to the container registry.
 	#Password!: string
 	// Optional suffix used to generate the Secret name.
 	#Suffix: *"" | string & strings.MaxRunes(30)
 	let auth = base64.Encode(null, #Username+":"+#Password)
 	apiVersion: "v1"
 	kind:       "Secret"
 	type:       "kubernetes.io/dockerconfigjson"
 	metadata: {
 		name:      #Meta.name + #Suffix
 		namespace: #Meta.namespace
 		labels:    #Meta.labels
 		if #Meta.annotations != _|_ {
 			annotations: #Meta.annotations
 		}
 	}
 	stringData: {
 		".dockerconfigjson": """
 			{"auths": {"\(#Registry)": {"username": "\(#Username)","password": "\(#Password)","auth": "\(auth)"}}}
 			"""
 	}
 }

added simulation/modules/radicle-node/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue

@@ -0,0 +1,49 @@

 // Copyright 2024 Stefan Prodan
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
 import (
 	"encoding/json"
 	"strings"
 	"uuid"
 )
 #ConfigMapKind: "ConfigMap"
 #SecretKind:    "Secret"
 // ImmutableConfig is a generator for immutable Kubernetes ConfigMaps and Secrets.
 // The metadata.name of the generated object is suffixed with the hash of the input data.
 #ImmutableConfig: {
 	// Kind of the generated object.
 	#Kind: *#ConfigMapKind | #SecretKind
 	// Metadata of the generated object.
 	#Meta: #Metadata
 	// Optional suffix appended to the generate name.
 	#Suffix: *"" | string
 	// Data of the generated object.
 	#Data: {[string]: string}
 	let hash = strings.Split(uuid.SHA1(uuid.ns.DNS, json.Marshal(#Data)), "-")[0]
 	apiVersion: "v1"
 	kind:       #Kind
 	metadata: {
 		name:      #Meta.name + #Suffix + "-" + hash
 		namespace: #Meta.namespace
 		labels:    #Meta.labels
 		if #Meta.annotations != _|_ {
 			annotations: #Meta.annotations
 		}
 	}
 	immutable: true
 	if kind == #ConfigMapKind {
 		data: #Data
 	}
 	if kind == #SecretKind {
 		stringData: #Data
 	}
 }

added simulation/modules/radicle-node/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue

@@ -0,0 +1,27 @@

 // Copyright 2023 Stefan Prodan
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
 import "strings"
 // InstanceName defines the schema for the name of a Timoni instance.
 // The instance name is used as a Kubernetes label value and must be 63 characters or less.
 #InstanceName: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MinRunes(1) & strings.MaxRunes(63)
 // InstanceNamespace defines the schema for the namespace of a Timoni instance.
 // The instance namespace is used as a Kubernetes label value and must be 63 characters or less.
 #InstanceNamespace: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MinRunes(1) & strings.MaxRunes(63)
 // InstanceOwnerReference defines the schema for Kubernetes labels used to denote ownership.
 #InstanceOwnerReference: {
 	#Name:      "instance.timoni.sh/name"
 	#Namespace: "instance.timoni.sh/namespace"
 }
 // InstanceModule defines the schema for the Module of a Timoni instance.
 #InstanceModule: {
 	url:     string & =~"^((oci|file)://.*)$"
 	version: *"latest" | string
 	digest?: string
 }

added simulation/modules/radicle-node/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue

@@ -0,0 +1,120 @@

 // Copyright 2023 Stefan Prodan
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
 import "strings"
 // Annotations defines the schema for Kubernetes object metadata annotations.
 #Annotations: {[string & strings.MaxRunes(253)]: string}
 // Labels defines the schema for Kubernetes object metadata labels.
 #Labels: {[string & strings.MaxRunes(253)]: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MaxRunes(63)}
 #StdLabelName:      "app.kubernetes.io/name"
 #StdLabelVersion:   "app.kubernetes.io/version"
 #StdLabelPartOf:    "app.kubernetes.io/part-of"
 #StdLabelManagedBy: "app.kubernetes.io/managed-by"
 #StdLabelComponent: "app.kubernetes.io/component"
 #StdLabelInstance:  "app.kubernetes.io/instance"
 // Metadata defines the schema for Kubernetes object metadata.
 #Metadata: {
 	// Version should be in the strict semver format. Is required when creating resources.
 	#Version!: string & strings.MaxRunes(63)
 	// Name must be unique within a namespace. Is required when creating resources.
 	// Name is primarily intended for creation idempotence and configuration definition.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
 	name!: #InstanceName
 	// Namespace defines the space within which each name must be unique.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
 	namespace!: #InstanceNamespace
 	// Annotations is an unstructured key value map stored with a resource that may be
 	// set to store and retrieve arbitrary metadata.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
 	annotations?: #Annotations
 	// Map of string keys and values that can be used to organize and categorize (scope and select) objects.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
 	labels: #Labels
 	// Standard Kubernetes labels: app name, version and managed-by.
 	labels: {
 		(#StdLabelName):      name
 		(#StdLabelVersion):   #Version
 		(#StdLabelManagedBy): "timoni"
 	}
 	// LabelSelector selects Pods based on the app.kubernetes.io/name label.
 	#LabelSelector: #Labels & {
 		(#StdLabelName): name
 	}
 	// Finalizers are namespaced keys that tell Kubernetes to wait until specific conditions
 	// are met before it fully deletes resources marked for deletion.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/
 	finalizers?: [...string]
 }
 // MetaComponent generates the Kubernetes object metadata for a module namespaced component.
 // The metadata.name is composed of the instance name and the component name.
 // The metadata.labels contain the app.kubernetes.io/component label.
 #MetaComponent: {
 	// Meta is the Kubernetes object's metadata generated by Timoni.
 	#Meta!: #Metadata
 	// Component is the name of the component used
 	// as a suffix for the generate object name.
 	#Component!: string & strings.MaxRunes(30)
 	name:      #Meta.name + "-" + #Component
 	namespace: #Meta.namespace
 	labels: #Meta.labels
 	labels: (#StdLabelComponent): #Component
 	annotations?: #Annotations
 	if #Meta.annotations != _|_ {
 		annotations: #Meta.annotations
 	}
 	// LabelSelector selects Pods based on the app.kubernetes.io/name
 	// and app.kubernetes.io/component labels.
 	#LabelSelector: #Labels & {
 		(#StdLabelComponent): #Component
 		(#StdLabelName):      #Meta.name
 	}
 }
 // MetaClusterComponent generates the Kubernetes object metadata for a module non-namespaced component.
 // The metadata.name is composed of the instance name and the component name.
 // The metadata.namespace is unset.
 // The metadata.labels contain the app.kubernetes.io/component label.
 #MetaClusterComponent: {
 	// Meta is the Kubernetes object's metadata generated by Timoni.
 	#Meta!: #Metadata
 	// Component is the name of the component used
 	// as a suffix for the generate object name.
 	#Component!: string & strings.MaxRunes(30)
 	name: #Meta.name + "-" + #Component
 	labels: #Meta.labels
 	labels: (#StdLabelComponent): #Component
 	annotations?: #Annotations
 	if #Meta.annotations != _|_ {
 		annotations: #Meta.annotations
 	}
 	// LabelSelector selects Pods based on the app.kubernetes.io/name
 	// and app.kubernetes.io/component labels.
 	#LabelSelector: #Labels & {
 		(#StdLabelComponent): #Component
 		(#StdLabelName):      #Meta.name
 	}
 }

added simulation/modules/radicle-node/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue

@@ -0,0 +1,21 @@

 // Copyright 2023 Stefan Prodan
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
 import "strings"
 // ObjectReference is a reference to a Kubernetes object.
 #ObjectReference: {
 	// Name of the referent.
 	name!: string & strings.MaxRunes(256)
 	// Namespace of the referent.
 	namespace?: string & strings.MaxRunes(256)
 	// API version of the referent.
 	apiVersion?: string & strings.MaxRunes(256)
 	// Kind of the referent.
 	kind?: string & strings.MaxRunes(256)
 }

added simulation/modules/radicle-node/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue

@@ -0,0 +1,40 @@

 // Copyright 2023 Stefan Prodan
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
 import (
 	"strconv"
 	"strings"
 )
 // CPUQuantity is a string that is validated as a quantity of CPU, such as 100m or 2000m.
 #CPUQuantity: string & =~"^[1-9]\\d*m$"
 // MemoryQuantity is a string that is validated as a quantity of memory, such as 128Mi or 2Gi.
 #MemoryQuantity: string & =~"^[1-9]\\d*(Mi|Gi)$"
 // ResourceRequirement defines the schema for the CPU and Memory resource requirements.
 #ResourceRequirement: {
 	cpu?:    #CPUQuantity
 	memory?: #MemoryQuantity
 }
 // ResourceRequirements defines the schema for the compute resource requirements of a container.
 // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/.
 #ResourceRequirements: {
 	// Limits describes the maximum amount of compute resources allowed.
 	limits?: #ResourceRequirement
 	// Requests describes the minimum amount of compute resources required.
 	// Requests cannot exceed Limits.
 	requests?: #ResourceRequirement & {
 		if limits != _|_ {
 			if limits.cpu != _|_ {
 				_lc:  strconv.Atoi(strings.Split(limits.cpu, "m")[0])
 				_rc:  strconv.Atoi(strings.Split(requests.cpu, "m")[0])
 				#cpu: int & >=_rc & _lc
 			}
 		}
 	}
 }

added simulation/modules/radicle-node/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue

@@ -0,0 +1,19 @@

 // Copyright 2023 Stefan Prodan
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
 // Selector defines the schema for Kubernetes Pod label selector used in Deployments, Services, Jobs, etc.
 #Selector: {
 	// Name must be unique within a namespace. Is required when creating resources.
 	// Name is primarily intended for creation idempotence and configuration definition.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
 	#Name!: #InstanceName
 	// Map of string keys and values that can be used to organize and categorize (scope and select) objects.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
 	labels: #Labels
 	// Standard Kubernetes label: app name.
 	labels: (#StdLabelName): #Name
 }

added simulation/modules/radicle-node/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue

@@ -0,0 +1,29 @@

 // Copyright 2023 Stefan Prodan
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
 import (
 	"strconv"
 	"strings"
 )
 // SemVer validates the input version string and extracts the major and minor version numbers.
 // When Minimum is set, the major and minor parts must be greater or equal to the minimum
 // or a validation error is returned.
 #SemVer: {
 	// Input version string in strict semver format.
 	#Version!: string & =~"^\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?$"
 	// Minimum is the minimum allowed MAJOR.MINOR version.
 	#Minimum: *"0.0.0" | string & =~"^\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?$"
 	let minMajor = strconv.Atoi(strings.Split(#Minimum, ".")[0])
 	let minMinor = strconv.Atoi(strings.Split(#Minimum, ".")[1])
 	major: int & >=minMajor
 	major: strconv.Atoi(strings.Split(#Version, ".")[0])
 	minor: int & >=minMinor
 	minor: strconv.Atoi(strings.Split(#Version, ".")[1])
 }