vendor: update buildkit to v0.19.0-rc1

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/controller_ref.go

@@ -18,6 +18,7 @@ package v1
 
 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/utils/ptr"
 )
 
 // IsControlledBy checks if the  object has a controllerRef set to the given owner
@@ -36,10 +37,14 @@ func GetControllerOf(controllee Object) *OwnerReference {
 		return nil
 	}
 	cp := *ref
+	cp.Controller = ptr.To(*ref.Controller)
+	if ref.BlockOwnerDeletion != nil {
+		cp.BlockOwnerDeletion = ptr.To(*ref.BlockOwnerDeletion)
+	}
 	return &cp
 }
 
-// GetControllerOf returns a pointer to the controllerRef if controllee has a controller
+// GetControllerOfNoCopy returns a pointer to the controllerRef if controllee has a controller
 func GetControllerOfNoCopy(controllee Object) *OwnerReference {
 	refs := controllee.GetOwnerReferences()
 	for i := range refs {
@@ -52,14 +57,12 @@ func GetControllerOfNoCopy(controllee Object) *OwnerReference {
 
 // NewControllerRef creates an OwnerReference pointing to the given owner.
 func NewControllerRef(owner Object, gvk schema.GroupVersionKind) *OwnerReference {
-	blockOwnerDeletion := true
-	isController := true
 	return &OwnerReference{
 		APIVersion:         gvk.GroupVersion().String(),
 		Kind:               gvk.Kind,
 		Name:               owner.GetName(),
 		UID:                owner.GetUID(),
-		BlockOwnerDeletion: &blockOwnerDeletion,
-		Controller:         &isController,
+		BlockOwnerDeletion: ptr.To(true),
+		Controller:         ptr.To(true),
 	}
 }

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto

@@ -34,6 +34,7 @@ message APIGroup {
   optional string name = 1;
 
   // versions are the versions supported in this group.
+  // +listType=atomic
   repeated GroupVersionForDiscovery versions = 2;
 
   // preferredVersion is the version preferred by the API server, which
@@ -49,6 +50,7 @@ message APIGroup {
   // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP.
   // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.
   // +optional
+  // +listType=atomic
   repeated ServerAddressByClientCIDR serverAddressByClientCIDRs = 4;
 }
 
@@ -56,6 +58,7 @@ message APIGroup {
 // /apis.
 message APIGroupList {
   // groups is a list of APIGroup.
+  // +listType=atomic
   repeated APIGroup groups = 1;
 }
 
@@ -88,9 +91,11 @@ message APIResource {
   optional Verbs verbs = 4;
 
   // shortNames is a list of suggested short names of the resource.
+  // +listType=atomic
   repeated string shortNames = 5;
 
   // categories is a list of the grouped resources this resource belongs to (e.g. 'all')
+  // +listType=atomic
   repeated string categories = 7;
 
   // The hash value of the storage version, the version this resource is
@@ -112,6 +117,7 @@ message APIResourceList {
   optional string groupVersion = 1;
 
   // resources contains the name of the resources and if they are namespaced.
+  // +listType=atomic
   repeated APIResource resources = 2;
 }
 
@@ -122,6 +128,7 @@ message APIResourceList {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 message APIVersions {
   // versions are the api versions that are available.
+  // +listType=atomic
   repeated string versions = 1;
 
   // a map of client CIDR to server address that is serving this group.
@@ -131,6 +138,7 @@ message APIVersions {
   // The server returns only those CIDRs that it thinks that the client can match.
   // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP.
   // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.
+  // +listType=atomic
   repeated ServerAddressByClientCIDR serverAddressByClientCIDRs = 2;
 }
 
@@ -145,6 +153,7 @@ message ApplyOptions {
   // request. Valid values are:
   // - All: all dry run stages will be processed
   // +optional
+  // +listType=atomic
   repeated string dryRun = 1;
 
   // Force is going to "force" Apply requests. It means user will
@@ -235,6 +244,7 @@ message CreateOptions {
   // request. Valid values are:
   // - All: all dry run stages will be processed
   // +optional
+  // +listType=atomic
   repeated string dryRun = 1;
 
   // fieldManager is a name associated with the actor or entity
@@ -303,6 +313,7 @@ message DeleteOptions {
   // request. Valid values are:
   // - All: all dry run stages will be processed
   // +optional
+  // +listType=atomic
   repeated string dryRun = 5;
 }
 
@@ -313,6 +324,25 @@ message Duration {
   optional int64 duration = 1;
 }
 
+// FieldSelectorRequirement is a selector that contains values, a key, and an operator that
+// relates the key and values.
+message FieldSelectorRequirement {
+  // key is the field selector key that the requirement applies to.
+  optional string key = 1;
+
+  // operator represents a key's relationship to a set of values.
+  // Valid operators are In, NotIn, Exists, DoesNotExist.
+  // The list of operators may grow in the future.
+  optional string operator = 2;
+
+  // values is an array of string values.
+  // If the operator is In or NotIn, the values array must be non-empty.
+  // If the operator is Exists or DoesNotExist, the values array must be empty.
+  // +optional
+  // +listType=atomic
+  repeated string values = 3;
+}
+
 // FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.
 //
 // Each key is either a '.' representing the field itself, and will always map to an empty set,
@@ -418,6 +448,7 @@ message LabelSelector {
 
   // matchExpressions is a list of label selector requirements. The requirements are ANDed.
   // +optional
+  // +listType=atomic
   repeated LabelSelectorRequirement matchExpressions = 2;
 }
 
@@ -436,6 +467,7 @@ message LabelSelectorRequirement {
   // the values array must be empty. This array is replaced during a strategic
   // merge patch.
   // +optional
+  // +listType=atomic
   repeated string values = 3;
 }
 
@@ -447,7 +479,7 @@ message List {
   optional ListMeta metadata = 1;
 
   // List of objects
-  repeated k8s.io.apimachinery.pkg.runtime.RawExtension items = 2;
+  repeated .k8s.io.apimachinery.pkg.runtime.RawExtension items = 2;
 }
 
 // ListMeta describes metadata that synthetic resources must have, including lists and
@@ -788,6 +820,8 @@ message ObjectMeta {
   // +optional
   // +patchMergeKey=uid
   // +patchStrategy=merge
+  // +listType=map
+  // +listMapKey=uid
   repeated OwnerReference ownerReferences = 13;
 
   // Must be empty before the object is deleted from the registry. Each entry
@@ -805,6 +839,7 @@ message ObjectMeta {
   // are not vulnerable to ordering changes in the list.
   // +optional
   // +patchStrategy=merge
+  // +listType=set
   repeated string finalizers = 14;
 
   // ManagedFields maps workflow-id and version to the set of fields
@@ -816,6 +851,7 @@ message ObjectMeta {
   // workflow used when modifying the object.
   //
   // +optional
+  // +listType=atomic
   repeated ManagedFieldsEntry managedFields = 17;
 }
 
@@ -890,6 +926,7 @@ message PatchOptions {
   // request. Valid values are:
   // - All: all dry run stages will be processed
   // +optional
+  // +listType=atomic
   repeated string dryRun = 1;
 
   // Force is going to "force" Apply requests. It means user will
@@ -943,6 +980,7 @@ message Preconditions {
 // For example: "/healthz", "/apis".
 message RootPaths {
   // paths are the paths available at root.
+  // +listType=atomic
   repeated string paths = 1;
 }
 
@@ -985,6 +1023,7 @@ message Status {
   // is not guaranteed to conform to any schema except that defined by
   // the reason type.
   // +optional
+  // +listType=atomic
   optional StatusDetails details = 5;
 
   // Suggested HTTP return code for this status, 0 if not set.
@@ -1049,6 +1088,7 @@ message StatusDetails {
   // The Causes array includes more details associated with the StatusReason
   // failure. Not all StatusReasons may provide detailed causes.
   // +optional
+  // +listType=atomic
   repeated StatusCause causes = 4;
 
   // If specified, the time in seconds before the operation should be retried. Some errors may indicate
@@ -1135,6 +1175,7 @@ message UpdateOptions {
   // request. Valid values are:
   // - All: all dry run stages will be processed
   // +optional
+  // +listType=atomic
   repeated string dryRun = 1;
 
   // fieldManager is a name associated with the actor or entity
@@ -1187,6 +1228,6 @@ message WatchEvent {
   //  * If Type is Deleted: the state of the object immediately before deletion.
   //  * If Type is Error: *Status is recommended; other types may make sense
   //    depending on context.
-  optional k8s.io.apimachinery.pkg.runtime.RawExtension object = 2;
+  optional .k8s.io.apimachinery.pkg.runtime.RawExtension object = 2;
 }
 

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/helpers.go

@@ -24,8 +24,10 @@ import (
 
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
+	cbor "k8s.io/apimachinery/pkg/runtime/serializer/cbor/direct"
 	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/apimachinery/pkg/types"
+	utiljson "k8s.io/apimachinery/pkg/util/json"
 )
 
 // LabelSelectorAsSelector converts the LabelSelector api type into a struct that implements
@@ -280,13 +282,20 @@ func (f FieldsV1) MarshalJSON() ([]byte, error) {
 	if f.Raw == nil {
 		return []byte("null"), nil
 	}
+	if f.getContentType() == fieldsV1InvalidOrValidCBORObject {
+		var u map[string]interface{}
+		if err := cbor.Unmarshal(f.Raw, &u); err != nil {
+			return nil, fmt.Errorf("metav1.FieldsV1 cbor invalid: %w", err)
+		}
+		return utiljson.Marshal(u)
+	}
 	return f.Raw, nil
 }
 
 // UnmarshalJSON implements json.Unmarshaler
 func (f *FieldsV1) UnmarshalJSON(b []byte) error {
 	if f == nil {
-		return errors.New("metav1.Fields: UnmarshalJSON on nil pointer")
+		return errors.New("metav1.FieldsV1: UnmarshalJSON on nil pointer")
 	}
 	if !bytes.Equal(b, []byte("null")) {
 		f.Raw = append(f.Raw[0:0], b...)
@@ -296,3 +305,75 @@ func (f *FieldsV1) UnmarshalJSON(b []byte) error {
 
 var _ json.Marshaler = FieldsV1{}
 var _ json.Unmarshaler = &FieldsV1{}
+
+func (f FieldsV1) MarshalCBOR() ([]byte, error) {
+	if f.Raw == nil {
+		return cbor.Marshal(nil)
+	}
+	if f.getContentType() == fieldsV1InvalidOrValidJSONObject {
+		var u map[string]interface{}
+		if err := utiljson.Unmarshal(f.Raw, &u); err != nil {
+			return nil, fmt.Errorf("metav1.FieldsV1 json invalid: %w", err)
+		}
+		return cbor.Marshal(u)
+	}
+	return f.Raw, nil
+}
+
+var cborNull = []byte{0xf6}
+
+func (f *FieldsV1) UnmarshalCBOR(b []byte) error {
+	if f == nil {
+		return errors.New("metav1.FieldsV1: UnmarshalCBOR on nil pointer")
+	}
+	if !bytes.Equal(b, cborNull) {
+		f.Raw = append(f.Raw[0:0], b...)
+	}
+	return nil
+}
+
+const (
+	// fieldsV1InvalidOrEmpty indicates that a FieldsV1 either contains no raw bytes or its raw
+	// bytes don't represent an allowable value in any supported encoding.
+	fieldsV1InvalidOrEmpty = iota
+
+	// fieldsV1InvalidOrValidJSONObject indicates that a FieldV1 either contains raw bytes that
+	// are a valid JSON encoding of an allowable value or don't represent an allowable value in
+	// any supported encoding.
+	fieldsV1InvalidOrValidJSONObject
+
+	// fieldsV1InvalidOrValidCBORObject indicates that a FieldV1 either contains raw bytes that
+	// are a valid CBOR encoding of an allowable value or don't represent an allowable value in
+	// any supported encoding.
+	fieldsV1InvalidOrValidCBORObject
+)
+
+// getContentType returns one of fieldsV1InvalidOrEmpty, fieldsV1InvalidOrValidJSONObject,
+// fieldsV1InvalidOrValidCBORObject based on the value of Raw.
+//
+// Raw can be encoded in JSON or CBOR and is only valid if it is empty, null, or an object (map)
+// value. It is invalid if it contains a JSON string, number, boolean, or array. If Raw is nonempty
+// and represents an allowable value, then the initial byte unambiguously distinguishes a
+// JSON-encoded value from a CBOR-encoded value.
+//
+// A valid JSON-encoded value can begin with any of the four JSON whitespace characters, the first
+// character 'n' of null, or '{' (0x09, 0x0a, 0x0d, 0x20, 0x6e, or 0x7b, respectively). A valid
+// CBOR-encoded value can begin with the null simple value, an initial byte with major type "map",
+// or, if a tag-enclosed map, an initial byte with major type "tag" (0xf6, 0xa0...0xbf, or
+// 0xc6...0xdb). The two sets of valid initial bytes don't intersect.
+func (f FieldsV1) getContentType() int {
+	if len(f.Raw) > 0 {
+		p := f.Raw[0]
+		switch p {
+		case 'n', '{', '\t', '\r', '\n', ' ':
+			return fieldsV1InvalidOrValidJSONObject
+		case 0xf6: // null
+			return fieldsV1InvalidOrValidCBORObject
+		default:
+			if p >= 0xa0 && p <= 0xbf /* map */ || p >= 0xc6 && p <= 0xdb /* tag */ {
+				return fieldsV1InvalidOrValidCBORObject
+			}
+		}
+	}
+	return fieldsV1InvalidOrEmpty
+}

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time.go

@@ -19,6 +19,8 @@ package v1
 import (
 	"encoding/json"
 	"time"
+
+	cbor "k8s.io/apimachinery/pkg/runtime/serializer/cbor/direct"
 )
 
 const RFC3339Micro = "2006-01-02T15:04:05.000000Z07:00"
@@ -129,6 +131,25 @@ func (t *MicroTime) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
+func (t *MicroTime) UnmarshalCBOR(b []byte) error {
+	var s *string
+	if err := cbor.Unmarshal(b, &s); err != nil {
+		return err
+	}
+	if s == nil {
+		t.Time = time.Time{}
+		return nil
+	}
+
+	parsed, err := time.Parse(RFC3339Micro, *s)
+	if err != nil {
+		return err
+	}
+
+	t.Time = parsed.Local()
+	return nil
+}
+
 // UnmarshalQueryParameter converts from a URL query parameter value to an object
 func (t *MicroTime) UnmarshalQueryParameter(str string) error {
 	if len(str) == 0 {
@@ -160,6 +181,13 @@ func (t MicroTime) MarshalJSON() ([]byte, error) {
 	return json.Marshal(t.UTC().Format(RFC3339Micro))
 }
 
+func (t MicroTime) MarshalCBOR() ([]byte, error) {
+	if t.IsZero() {
+		return cbor.Marshal(nil)
+	}
+	return cbor.Marshal(t.UTC().Format(RFC3339Micro))
+}
+
 // OpenAPISchemaType is used by the kube-openapi generator when constructing
 // the OpenAPI spec of this type.
 //

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/time.go

@@ -19,6 +19,8 @@ package v1
 import (
 	"encoding/json"
 	"time"
+
+	cbor "k8s.io/apimachinery/pkg/runtime/serializer/cbor/direct"
 )
 
 // Time is a wrapper around time.Time which supports correct
@@ -116,6 +118,25 @@ func (t *Time) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
+func (t *Time) UnmarshalCBOR(b []byte) error {
+	var s *string
+	if err := cbor.Unmarshal(b, &s); err != nil {
+		return err
+	}
+	if s == nil {
+		t.Time = time.Time{}
+		return nil
+	}
+
+	parsed, err := time.Parse(time.RFC3339, *s)
+	if err != nil {
+		return err
+	}
+
+	t.Time = parsed.Local()
+	return nil
+}
+
 // UnmarshalQueryParameter converts from a URL query parameter value to an object
 func (t *Time) UnmarshalQueryParameter(str string) error {
 	if len(str) == 0 {
@@ -151,6 +172,14 @@ func (t Time) MarshalJSON() ([]byte, error) {
 	return buf, nil
 }
 
+func (t Time) MarshalCBOR() ([]byte, error) {
+	if t.IsZero() {
+		return cbor.Marshal(nil)
+	}
+
+	return cbor.Marshal(t.UTC().Format(time.RFC3339))
+}
+
 // ToUnstructured implements the value.UnstructuredConverter interface.
 func (t Time) ToUnstructured() interface{} {
 	if t.IsZero() {

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go

@@ -236,6 +236,8 @@ type ObjectMeta struct {
 	// +optional
 	// +patchMergeKey=uid
 	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=uid
 	OwnerReferences []OwnerReference `json:"ownerReferences,omitempty" patchStrategy:"merge" patchMergeKey:"uid" protobuf:"bytes,13,rep,name=ownerReferences"`
 
 	// Must be empty before the object is deleted from the registry. Each entry
@@ -253,6 +255,7 @@ type ObjectMeta struct {
 	// are not vulnerable to ordering changes in the list.
 	// +optional
 	// +patchStrategy=merge
+	// +listType=set
 	Finalizers []string `json:"finalizers,omitempty" patchStrategy:"merge" protobuf:"bytes,14,rep,name=finalizers"`
 
 	// Tombstone: ClusterName was a legacy field that was always cleared by
@@ -268,6 +271,7 @@ type ObjectMeta struct {
 	// workflow used when modifying the object.
 	//
 	// +optional
+	// +listType=atomic
 	ManagedFields []ManagedFieldsEntry `json:"managedFields,omitempty" protobuf:"bytes,17,rep,name=managedFields"`
 }
 
@@ -428,6 +432,15 @@ type ListOptions struct {
 	SendInitialEvents *bool `json:"sendInitialEvents,omitempty" protobuf:"varint,11,opt,name=sendInitialEvents"`
 }
 
+const (
+	// InitialEventsAnnotationKey the name of the key
+	// under which an annotation marking the end of
+	// a watchlist stream is stored.
+	//
+	// The annotation is added to a "Bookmark" event.
+	InitialEventsAnnotationKey = "k8s.io/initial-events-end"
+)
+
 // resourceVersionMatch specifies how the resourceVersion parameter is applied. resourceVersionMatch
 // may only be set if resourceVersion is also set.
 //
@@ -531,6 +544,7 @@ type DeleteOptions struct {
 	// request. Valid values are:
 	// - All: all dry run stages will be processed
 	// +optional
+	// +listType=atomic
 	DryRun []string `json:"dryRun,omitempty" protobuf:"bytes,5,rep,name=dryRun"`
 }
 
@@ -556,6 +570,7 @@ type CreateOptions struct {
 	// request. Valid values are:
 	// - All: all dry run stages will be processed
 	// +optional
+	// +listType=atomic
 	DryRun []string `json:"dryRun,omitempty" protobuf:"bytes,1,rep,name=dryRun"`
 	// +k8s:deprecated=includeUninitialized,protobuf=2
 
@@ -600,6 +615,7 @@ type PatchOptions struct {
 	// request. Valid values are:
 	// - All: all dry run stages will be processed
 	// +optional
+	// +listType=atomic
 	DryRun []string `json:"dryRun,omitempty" protobuf:"bytes,1,rep,name=dryRun"`
 
 	// Force is going to "force" Apply requests. It means user will
@@ -651,6 +667,7 @@ type ApplyOptions struct {
 	// request. Valid values are:
 	// - All: all dry run stages will be processed
 	// +optional
+	// +listType=atomic
 	DryRun []string `json:"dryRun,omitempty" protobuf:"bytes,1,rep,name=dryRun"`
 
 	// Force is going to "force" Apply requests. It means user will
@@ -683,6 +700,7 @@ type UpdateOptions struct {
 	// request. Valid values are:
 	// - All: all dry run stages will be processed
 	// +optional
+	// +listType=atomic
 	DryRun []string `json:"dryRun,omitempty" protobuf:"bytes,1,rep,name=dryRun"`
 
 	// fieldManager is a name associated with the actor or entity
@@ -751,6 +769,7 @@ type Status struct {
 	// is not guaranteed to conform to any schema except that defined by
 	// the reason type.
 	// +optional
+	// +listType=atomic
 	Details *StatusDetails `json:"details,omitempty" protobuf:"bytes,5,opt,name=details"`
 	// Suggested HTTP return code for this status, 0 if not set.
 	// +optional
@@ -784,6 +803,7 @@ type StatusDetails struct {
 	// The Causes array includes more details associated with the StatusReason
 	// failure. Not all StatusReasons may provide detailed causes.
 	// +optional
+	// +listType=atomic
 	Causes []StatusCause `json:"causes,omitempty" protobuf:"bytes,4,rep,name=causes"`
 	// If specified, the time in seconds before the operation should be retried. Some errors may indicate
 	// the client must take an alternate action - for those errors this field may indicate how long to wait
@@ -1047,6 +1067,7 @@ type List struct {
 type APIVersions struct {
 	TypeMeta `json:",inline"`
 	// versions are the api versions that are available.
+	// +listType=atomic
 	Versions []string `json:"versions" protobuf:"bytes,1,rep,name=versions"`
 	// a map of client CIDR to server address that is serving this group.
 	// This is to help clients reach servers in the most network-efficient way possible.
@@ -1055,6 +1076,7 @@ type APIVersions struct {
 	// The server returns only those CIDRs that it thinks that the client can match.
 	// For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP.
 	// Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.
+	// +listType=atomic
 	ServerAddressByClientCIDRs []ServerAddressByClientCIDR `json:"serverAddressByClientCIDRs" protobuf:"bytes,2,rep,name=serverAddressByClientCIDRs"`
 }
 
@@ -1065,6 +1087,7 @@ type APIVersions struct {
 type APIGroupList struct {
 	TypeMeta `json:",inline"`
 	// groups is a list of APIGroup.
+	// +listType=atomic
 	Groups []APIGroup `json:"groups" protobuf:"bytes,1,rep,name=groups"`
 }
 
@@ -1077,6 +1100,7 @@ type APIGroup struct {
 	// name is the name of the group.
 	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
 	// versions are the versions supported in this group.
+	// +listType=atomic
 	Versions []GroupVersionForDiscovery `json:"versions" protobuf:"bytes,2,rep,name=versions"`
 	// preferredVersion is the version preferred by the API server, which
 	// probably is the storage version.
@@ -1090,6 +1114,7 @@ type APIGroup struct {
 	// For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP.
 	// Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.
 	// +optional
+	// +listType=atomic
 	ServerAddressByClientCIDRs []ServerAddressByClientCIDR `json:"serverAddressByClientCIDRs,omitempty" protobuf:"bytes,4,rep,name=serverAddressByClientCIDRs"`
 }
 
@@ -1134,8 +1159,10 @@ type APIResource struct {
 	// update, patch, delete, deletecollection, and proxy)
 	Verbs Verbs `json:"verbs" protobuf:"bytes,4,opt,name=verbs"`
 	// shortNames is a list of suggested short names of the resource.
+	// +listType=atomic
 	ShortNames []string `json:"shortNames,omitempty" protobuf:"bytes,5,rep,name=shortNames"`
 	// categories is a list of the grouped resources this resource belongs to (e.g. 'all')
+	// +listType=atomic
 	Categories []string `json:"categories,omitempty" protobuf:"bytes,7,rep,name=categories"`
 	// The hash value of the storage version, the version this resource is
 	// converted to when written to the data store. Value must be treated
@@ -1168,6 +1195,7 @@ type APIResourceList struct {
 	// groupVersion is the group and version this APIResourceList is for.
 	GroupVersion string `json:"groupVersion" protobuf:"bytes,1,opt,name=groupVersion"`
 	// resources contains the name of the resources and if they are namespaced.
+	// +listType=atomic
 	APIResources []APIResource `json:"resources" protobuf:"bytes,2,rep,name=resources"`
 }
 
@@ -1175,6 +1203,7 @@ type APIResourceList struct {
 // For example: "/healthz", "/apis".
 type RootPaths struct {
 	// paths are the paths available at root.
+	// +listType=atomic
 	Paths []string `json:"paths" protobuf:"bytes,1,rep,name=paths"`
 }
 
@@ -1218,6 +1247,7 @@ type LabelSelector struct {
 	MatchLabels map[string]string `json:"matchLabels,omitempty" protobuf:"bytes,1,rep,name=matchLabels"`
 	// matchExpressions is a list of label selector requirements. The requirements are ANDed.
 	// +optional
+	// +listType=atomic
 	MatchExpressions []LabelSelectorRequirement `json:"matchExpressions,omitempty" protobuf:"bytes,2,rep,name=matchExpressions"`
 }
 
@@ -1234,6 +1264,7 @@ type LabelSelectorRequirement struct {
 	// the values array must be empty. This array is replaced during a strategic
 	// merge patch.
 	// +optional
+	// +listType=atomic
 	Values []string `json:"values,omitempty" protobuf:"bytes,3,rep,name=values"`
 }
 
@@ -1247,6 +1278,33 @@ const (
 	LabelSelectorOpDoesNotExist LabelSelectorOperator = "DoesNotExist"
 )
 
+// FieldSelectorRequirement is a selector that contains values, a key, and an operator that
+// relates the key and values.
+type FieldSelectorRequirement struct {
+	// key is the field selector key that the requirement applies to.
+	Key string `json:"key" protobuf:"bytes,1,opt,name=key"`
+	// operator represents a key's relationship to a set of values.
+	// Valid operators are In, NotIn, Exists, DoesNotExist.
+	// The list of operators may grow in the future.
+	Operator FieldSelectorOperator `json:"operator" protobuf:"bytes,2,opt,name=operator,casttype=FieldSelectorOperator"`
+	// values is an array of string values.
+	// If the operator is In or NotIn, the values array must be non-empty.
+	// If the operator is Exists or DoesNotExist, the values array must be empty.
+	// +optional
+	// +listType=atomic
+	Values []string `json:"values,omitempty" protobuf:"bytes,3,rep,name=values"`
+}
+
+// A field selector operator is the set of operators that can be used in a selector requirement.
+type FieldSelectorOperator string
+
+const (
+	FieldSelectorOpIn           FieldSelectorOperator = "In"
+	FieldSelectorOpNotIn        FieldSelectorOperator = "NotIn"
+	FieldSelectorOpExists       FieldSelectorOperator = "Exists"
+	FieldSelectorOpDoesNotExist FieldSelectorOperator = "DoesNotExist"
+)
+
 // ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource
 // that the fieldset applies to.
 type ManagedFieldsEntry struct {
@@ -1335,8 +1393,10 @@ type Table struct {
 
 	// columnDefinitions describes each column in the returned items array. The number of cells per row
 	// will always match the number of column definitions.
+	// +listType=atomic
 	ColumnDefinitions []TableColumnDefinition `json:"columnDefinitions"`
 	// rows is the list of items in the table.
+	// +listType=atomic
 	Rows []TableRow `json:"rows"`
 }
 
@@ -1369,12 +1429,14 @@ type TableRow struct {
 	// cells will be as wide as the column definitions array and may contain strings, numbers (float64 or
 	// int64), booleans, simple maps, lists, or null. See the type field of the column definition for a
 	// more detailed description.
+	// +listType=atomic
 	Cells []interface{} `json:"cells"`
 	// conditions describe additional status of a row that are relevant for a human user. These conditions
 	// apply to the row, not to the object, and will be specific to table output. The only defined
 	// condition type is 'Completed', for a row that indicates a resource that has run to completion and
 	// can be given less visual priority.
 	// +optional
+	// +listType=atomic
 	Conditions []TableRowCondition `json:"conditions,omitempty"`
 	// This field contains the requested additional information about each object based on the includeObject
 	// policy when requesting the Table. If "None", this field is empty, if "Object" this will be the

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types_swagger_doc_generated.go

@@ -135,6 +135,17 @@ func (DeleteOptions) SwaggerDoc() map[string]string {
 	return map_DeleteOptions
 }
 
+var map_FieldSelectorRequirement = map[string]string{
+	"":         "FieldSelectorRequirement is a selector that contains values, a key, and an operator that relates the key and values.",
+	"key":      "key is the field selector key that the requirement applies to.",
+	"operator": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. The list of operators may grow in the future.",
+	"values":   "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
+}
+
+func (FieldSelectorRequirement) SwaggerDoc() map[string]string {
+	return map_FieldSelectorRequirement
+}
+
 var map_FieldsV1 = map[string]string{
 	"": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff",
 }

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/validation/validation.go

@@ -32,6 +32,10 @@ import (
 type LabelSelectorValidationOptions struct {
 	// Allow invalid label value in selector
 	AllowInvalidLabelValueInSelector bool
+
+	// Allows an operator that is not interpretable to pass validation.  This is useful for cases where a broader check
+	// can be performed, as in a *SubjectAccessReview
+	AllowUnknownOperatorInRequirement bool
 }
 
 // LabelSelectorHasInvalidLabelValue returns true if the given selector contains an invalid label value in a match expression.
@@ -79,7 +83,9 @@ func ValidateLabelSelectorRequirement(sr metav1.LabelSelectorRequirement, opts L
 			allErrs = append(allErrs, field.Forbidden(fldPath.Child("values"), "may not be specified when `operator` is 'Exists' or 'DoesNotExist'"))
 		}
 	default:
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("operator"), sr.Operator, "not a valid selector operator"))
+		if !opts.AllowUnknownOperatorInRequirement {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("operator"), sr.Operator, "not a valid selector operator"))
+		}
 	}
 	allErrs = append(allErrs, ValidateLabelName(sr.Key, fldPath.Child("key"))...)
 	if !opts.AllowInvalidLabelValueInSelector {
@@ -113,6 +119,39 @@ func ValidateLabels(labels map[string]string, fldPath *field.Path) field.ErrorLi
 	return allErrs
 }
 
+// FieldSelectorValidationOptions is a struct that can be passed to ValidateFieldSelectorRequirement to record the validate options
+type FieldSelectorValidationOptions struct {
+	// Allows an operator that is not interpretable to pass validation.  This is useful for cases where a broader check
+	// can be performed, as in a *SubjectAccessReview
+	AllowUnknownOperatorInRequirement bool
+}
+
+// ValidateLabelSelectorRequirement validates the requirement according to the opts and returns any validation errors.
+func ValidateFieldSelectorRequirement(requirement metav1.FieldSelectorRequirement, opts FieldSelectorValidationOptions, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if len(requirement.Key) == 0 {
+		allErrs = append(allErrs, field.Required(fldPath.Child("key"), "must be specified"))
+	}
+
+	switch requirement.Operator {
+	case metav1.FieldSelectorOpIn, metav1.FieldSelectorOpNotIn:
+		if len(requirement.Values) == 0 {
+			allErrs = append(allErrs, field.Required(fldPath.Child("values"), "must be specified when `operator` is 'In' or 'NotIn'"))
+		}
+	case metav1.FieldSelectorOpExists, metav1.FieldSelectorOpDoesNotExist:
+		if len(requirement.Values) > 0 {
+			allErrs = append(allErrs, field.Forbidden(fldPath.Child("values"), "may not be specified when `operator` is 'Exists' or 'DoesNotExist'"))
+		}
+	default:
+		if !opts.AllowUnknownOperatorInRequirement {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("operator"), requirement.Operator, "not a valid selector operator"))
+		}
+	}
+
+	return allErrs
+}
+
 func ValidateDeleteOptions(options *metav1.DeleteOptions) field.ErrorList {
 	allErrs := field.ErrorList{}
 	//lint:file-ignore SA1019 Keep validation for deprecated OrphanDependents option until it's being removed

vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.deepcopy.go

@@ -327,6 +327,27 @@ func (in *Duration) DeepCopy() *Duration {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FieldSelectorRequirement) DeepCopyInto(out *FieldSelectorRequirement) {
+	*out = *in
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FieldSelectorRequirement.
+func (in *FieldSelectorRequirement) DeepCopy() *FieldSelectorRequirement {
+	if in == nil {
+		return nil
+	}
+	out := new(FieldSelectorRequirement)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FieldsV1) DeepCopyInto(out *FieldsV1) {
 	*out = *in