kcl-lang
diff --git a/‎README.md
+2-2 b/‎README.md
+2-2
diff --git a/‎k8s/1.31/README.md
+1 b/‎k8s/1.31/README.md
+1
diff --git a/‎k8s/1.31/api/admissionregistration/v1/audit_annotation.k
+35 b/‎k8s/1.31/api/admissionregistration/v1/audit_annotation.k
+35
diff --git a/‎k8s/1.31/api/admissionregistration/v1/expression_warning.k
+25 b/‎k8s/1.31/api/admissionregistration/v1/expression_warning.k
+25
diff --git a/‎k8s/1.31/api/admissionregistration/v1/match_condition.k
+35 b/‎k8s/1.31/api/admissionregistration/v1/match_condition.k
+35
diff --git a/‎k8s/1.31/api/admissionregistration/v1/match_resources.k
+74 b/‎k8s/1.31/api/admissionregistration/v1/match_resources.k
+74
diff --git a/‎k8s/1.31/api/admissionregistration/v1/mutating_webhook.k
+115 b/‎k8s/1.31/api/admissionregistration/v1/mutating_webhook.k
+115
@@ -147,6 +147,6 @@ For example
 ./scripts/crd_to_kcl.sh github.com/kubernetes-sigs/cluster-api-provider-vsphere
 ```
 
-
 ## License
-[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkcl-lang%2Fmodules.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkcl-lang%2Fmodules?ref=badge_large)
+
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkcl-lang%2Fmodules.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkcl-lang%2Fmodules?ref=badge_large)
@@ -0,0 +1 @@
+See [here](https://github.com/kcl-lang/modules/blob/main/k8s/1.31/docs/README.md) for more documents.
@@ -0,0 +1,35 @@
+"""
+This is the audit_annotation module in k8s.api.admissionregistration.v1 package.
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+
+
+schema AuditAnnotation:
+    r"""
+    AuditAnnotation describes how to produce an audit annotation for an API request.
+
+    Attributes
+    ----------
+    key : str, default is Undefined, required
+        key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+        The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}".
+
+        If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.
+
+        Required.
+    valueExpression : str, default is Undefined, required
+        valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.
+
+        If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.
+
+        Required.
+    """
+
+
+    key: str
+
+    valueExpression: str
+
+
@@ -0,0 +1,25 @@
+"""
+This is the expression_warning module in k8s.api.admissionregistration.v1 package.
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+
+
+schema ExpressionWarning:
+    r"""
+    ExpressionWarning is a warning information that targets a specific expression.
+
+    Attributes
+    ----------
+    fieldRef : str, default is Undefined, required
+        The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is "spec.validations[0].expression"
+    warning : str, default is Undefined, required
+        The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.
+    """
+
+
+    fieldRef: str
+
+    warning: str
+
+
@@ -0,0 +1,35 @@
+"""
+This is the match_condition module in k8s.api.admissionregistration.v1 package.
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+
+
+schema MatchCondition:
+    r"""
+    MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
+
+    Attributes
+    ----------
+    expression : str, default is Undefined, required
+        Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+        'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+          See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+        'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+          request resource.
+        Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+        Required.
+    name : str, default is Undefined, required
+        Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+        Required.
+    """
+
+
+    expression: str
+
+    name: str
+
+
@@ -0,0 +1,74 @@
+"""
+This is the match_resources module in k8s.api.admissionregistration.v1 package.
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import apimachinery.pkg.apis.meta.v1
+
+
+schema MatchResources:
+    r"""
+    MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
+
+    Attributes
+    ----------
+    excludeResourceRules : [NamedRuleWithOperations], default is Undefined, optional
+        ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
+    matchPolicy : str, default is Undefined, optional
+        matchPolicy defines how the "MatchResources" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
+
+        - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
+
+        - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
+
+        Defaults to "Equivalent"
+    namespaceSelector : v1.LabelSelector, default is Undefined, optional
+        NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.
+
+        For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
+          "matchExpressions": [
+            {
+              "key": "runlevel",
+              "operator": "NotIn",
+              "values": [
+                "0",
+                "1"
+              ]
+            }
+          ]
+        }
+
+        If instead you want to only run the policy on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
+          "matchExpressions": [
+            {
+              "key": "environment",
+              "operator": "In",
+              "values": [
+                "prod",
+                "staging"
+              ]
+            }
+          ]
+        }
+
+        See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
+
+        Default to the empty LabelSelector, which matches everything.
+    objectSelector : v1.LabelSelector, default is Undefined, optional
+        ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
+    resourceRules : [NamedRuleWithOperations], default is Undefined, optional
+        ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.
+    """
+
+
+    excludeResourceRules?: [NamedRuleWithOperations]
+
+    matchPolicy?: str
+
+    namespaceSelector?: v1.LabelSelector
+
+    objectSelector?: v1.LabelSelector
+
+    resourceRules?: [NamedRuleWithOperations]
+
+
@@ -0,0 +1,115 @@
+"""
+This is the mutating_webhook module in k8s.api.admissionregistration.v1 package.
+This file was generated by the KCL auto-gen tool. DO NOT EDIT.
+Editing this file might prove futile when you re-run the KCL auto-gen generate command.
+"""
+import apimachinery.pkg.apis.meta.v1
+
+
+schema MutatingWebhook:
+    r"""
+    MutatingWebhook describes an admission webhook and the resources and operations it applies to.
+
+    Attributes
+    ----------
+    admissionReviewVersions : [str], default is Undefined, required
+        AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
+    clientConfig : WebhookClientConfig, default is Undefined, required
+        ClientConfig defines how to communicate with the hook. Required
+    failurePolicy : str, default is Undefined, optional
+        FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
+    matchConditions : [MatchCondition], default is Undefined, optional
+        MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
+
+        The exact matching logic is (in order):
+          1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+          2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+          3. If any matchCondition evaluates to an error (but none are FALSE):
+             - If failurePolicy=Fail, reject the request
+             - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+    matchPolicy : str, default is Undefined, optional
+        matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
+
+        - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+
+        - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+
+        Defaults to "Equivalent"
+    name : str, default is Undefined, required
+        The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.
+    namespaceSelector : v1.LabelSelector, default is Undefined, optional
+        NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
+
+        For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
+          "matchExpressions": [
+            {
+              "key": "runlevel",
+              "operator": "NotIn",
+              "values": [
+                "0",
+                "1"
+              ]
+            }
+          ]
+        }
+
+        If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
+          "matchExpressions": [
+            {
+              "key": "environment",
+              "operator": "In",
+              "values": [
+                "prod",
+                "staging"
+              ]
+            }
+          ]
+        }
+
+        See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
+
+        Default to the empty LabelSelector, which matches everything.
+    objectSelector : v1.LabelSelector, default is Undefined, optional
+        ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
+    reinvocationPolicy : str, default is Undefined, optional
+        reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".
+
+        Never: the webhook will not be called more than once in a single admission evaluation.
+
+        IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
+
+        Defaults to "Never".
+    rules : [RuleWithOperations], default is Undefined, optional
+        Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+    sideEffects : str, default is Undefined, required
+        SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
+    timeoutSeconds : int, default is Undefined, optional
+        TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
+    """
+
+
+    admissionReviewVersions: [str]
+
+    clientConfig: WebhookClientConfig
+
+    failurePolicy?: str
+
+    matchConditions?: [MatchCondition]
+
+    matchPolicy?: str
+
+    name: str
+
+    namespaceSelector?: v1.LabelSelector
+
+    objectSelector?: v1.LabelSelector
+
+    reinvocationPolicy?: str
+
+    rules?: [RuleWithOperations]
+
+    sideEffects: str
+
+    timeoutSeconds?: int
+
+
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+See [here](https://github.com/kcl-lang/modules/blob/main/k8s/1.31/docs/README.md) for more documents.`